#openstack-meeting log

15:00:10 <gagehugo> #startmeeting security
15:00:11 <openstack> Meeting started Thu Sep 17 15:00:10 2020 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:13 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:15 <openstack> The meeting name has been set to 'security'
15:01:56 <gagehugo> #link https://etherpad.opendev.org/p/security-agenda agenda
15:02:29 <gagehugo> o/
15:02:54 <fungi> ohai
15:06:00 <gagehugo> #topic open discussion
15:06:05 <gagehugo> fungi: o/
15:06:09 <gagehugo> Do you have anything for this week?
15:06:58 <fungi> trying to remember
15:07:31 <fungi> nothing recently happened in #openstack-security or on the mailing lists
15:07:49 <fungi> i don't recall switching any new private bugs public yet
15:08:41 <fungi> i'm behind on related items on my to do list (moving the security sig wiki article into git, proposing barbican as a base service addition)
15:08:54 <redrobot> \o
15:09:44 <fungi> oh, possibly worth discussion...
15:09:57 <fungi> the new distributed leadership model the tc approved this week
15:10:20 <fungi> soon some project teams may have no ptl at all. they're required to identify a "security liaison" in such cases
15:11:21 <fungi> #link https://governance.openstack.org/tc/resolutions/20200803-distributed-project-leadership.html
15:11:22 * redrobot is out of the loop on the distributed leadership
15:11:45 <fungi> i also mentioned it in the announcement about ptl/tc nominations coming up
15:17:50 <fungi> but yeah nothing else new, at least nothing i can mention in public yet
15:18:48 <fungi> there have been some interesting qemu breakout and unprivileged crash vulnerabilities announced in the past week or so. that may interest some folks i guess
15:21:49 <fungi> i would link something comprehensive, but the qemu project doesn't do a very good job of making a discoverable list of their advisories
15:23:56 <fungi> #link https://security-tracker.debian.org/tracker/source-package/qemu
15:23:59 <fungi> good enough
15:24:25 <fungi> problem is even querying mitre is useless because they haven't updated the status on the embargoed assignments
15:26:00 <gagehugo> hmm
15:26:07 <gagehugo> sorry double meetings
15:26:13 <fungi> me too, no apologies needed
15:26:21 <gagehugo> the distributed leadership is interesting
15:26:27 <fungi> cdf interop sig meeting is scheduled for the same time as this
15:26:37 <fungi> at least tc office hours got moved
15:30:17 <gagehugo> redrobot fungi: thanks, have a good rest of the week!
15:30:19 <gagehugo> #endmeeting