15:01:40 <gagehugo> #startmeeting security
15:01:41 <openstack> Meeting started Thu Feb 18 15:01:40 2021 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:42 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:45 <openstack> The meeting name has been set to 'security'
15:02:09 <gagehugo> #link https://etherpad.opendev.org/p/security-agenda agenda
15:02:28 <fungi> ohai
15:08:03 <fungi> i'm guessing it's just us today
15:09:56 <gagehugo> o/
15:10:15 <belmoreira> o/
15:10:23 <fungi> oh, welcome belmoreira!
15:11:01 <gagehugo> fungi: thanks for sending out those emails
15:11:01 <belmoreira> :) actually sorry... late and in the wrong channel
15:11:20 <fungi> aww, you're still welcome to talk security belmoreira, but i understand
15:11:38 <fungi> gagehugo: yeah, and i did a bunch of housecleaning old public reports of suspected vulnerabilities, setting won't fix for our advisory tasks if they'd sat for a very long time without anyone able to confirm the problem, or where we'd proposed various non-vulnerability report classes and gotten deafening silence for months/years
15:11:56 <fungi> we're now down to 14 public reports of suspected vulnerabilities:
15:12:06 <fungi> #link https://bugs.launchpad.net/ossa
15:12:24 <gagehugo> I saw, thanks for the housekeeping too :)
15:12:26 <fungi> (that number may be higher if you're logged in as an account with view of any private security bugs)
15:13:08 <fungi> and yeah, the requests for help to the mailing lists are targeted individually at the 7 project teams who have deliverables implicated in specific bugs from that list
15:13:25 <fungi> some bugs impact more than one team's deliverables
15:13:49 <fungi> so hopefully we can whittle that number down even more in the coming days/weeks
15:15:09 <gagehugo> that would be great
15:15:11 <fungi> as always, anyone in the community, regardless of their involvement with openstack, is welcome to help us out with those bug reports in any way they're able
15:16:06 <fungi> a majority of those remaining 14 have been sitting for a long time, so a lot of them are probably able to be closed
15:16:40 <fungi> even if it's just a pragmatic "this is a very low risk and we're not going to get around to fixing it"
15:17:22 <gagehugo> yeah
15:17:33 <gagehugo> it would be good to close them out if able
15:18:09 <fungi> if we keep the count low like this, sending out periodic reports/reminders shouldn't be hard
15:18:29 <gagehugo> agreed
15:18:45 <fungi> i could probably even script something up to generate those from api queries to lp/sb
15:20:50 <gagehugo> fungi: any other updates for this week?
15:20:54 <gagehugo> I don't have anything
15:21:26 <gagehugo> Still debating about maybe changing the meeting to every other week or 1x a month
15:21:57 <fungi> i didn't have anything else, and happy to switch to a two-week, four-week, or one-month cadence
15:22:32 <fungi> it does seem attendance is extremely low for these, and we often have nothing on the agenda. no need to meet for the sake of meeting
15:22:44 <gagehugo> yeah
15:22:56 <gagehugo> plus I'm usually double booked at this time (but more available post DST)
15:23:32 <gagehugo> I'll send out an email fishing for opinions
15:26:39 <fungi> we can also reschedule, sure
15:26:49 <fungi> sounds good, thanks!
15:27:28 <gagehugo> I have meetings on a lot of days haha but sure, I'd be up for potential rescheduling
15:29:36 <gagehugo> thanks fungi! Have a good rest of the week
15:29:45 <gagehugo> also thanks belmoreira for attending :)
15:30:02 <gagehugo> #endmeeting