15:11:28 <gagehugo> #startmeeting security
15:11:29 <opendevmeet> Meeting started Thu Jun 3 15:11:28 2021 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:11:30 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:11:33 <opendevmeet> The meeting name has been set to 'security'
15:12:23 <gagehugo> o/
15:13:17 <fungi> ohai
15:14:43 <gagehugo> #link https://etherpad.opendev.org/p/security-agenda agenda
15:15:57 <gagehugo> apologies for the late start
15:16:01 <gagehugo> #topic Folding the openstack-security ML into openstack-discuss
15:16:35 <fungi> so... i go through the moderation queue for it daily and discard spam
15:16:40 <gagehugo> fungi: I guess we haven't really been using the openstack-security ML?
15:16:59 <fungi> but looking back at the archives there's not been a single post to it in over a year
15:19:26 <fungi> anyway what we've done with other lists is to send a message to it saying it's being closed down, then delete the configuration for it (leaving the archives intact for posterity), and we add mail address aliases to direct future messages to openstack-discuss
15:19:39 <gagehugo> I think that is fine
15:19:48 <fungi> i'm happy to take care of all that as long as we have consensus
15:20:03 <gagehugo> one ML to rule them all
15:20:09 <fungi> in that case i'll send a message to the openstack-security ml this week saying we're shutting it down
15:20:50 <fungi> and separately we'll want to use codesearch.o.o to find references to that ml and update them to point to the openstack-discuss ml (saying to use [security-sig] in the subject line)
15:23:58 <gagehugo> ok
15:24:49 <gagehugo> #topic Need to update all the IRC references for security-sig
15:25:15 <gagehugo> This is likely just the same thing, using codesearch.o.o to find/replace any irc references to point to the new ones
15:26:55 <gagehugo> #topic open discussion
15:27:04 <gagehugo> fungi: any other updates?
15:32:48 <fungi> nope, none from me. i sent a batch of reminders to the discuss ml about outstanding public vulnerability reports
15:32:59 <fungi> there's been some movement on a few, so i'll try to keep doing that
15:33:09 <fungi> though others are also free to take a turn if they want
15:34:26 <fungi> eventually it would be great if the people taking bug triage shifts on the individual projects started to include status for outstanding public vulnerability reports in their own periodic bug status reports to raise visibility, but i'm not sure how to get them to do it. i've tried to suggest it and get the opinion i'm being ignored
15:37:06 <gagehugo> Lol
15:37:24 <gagehugo> Do all the projects have bug triage shifts?
15:40:38 <fungi> not all, but the ones who also tend to have a lot of vulnerability reports do
15:41:24 <fungi> the rotating "bug czars/tsars" or whatever fancy titles they like to give them to make it seem like it's not janitorial drudgery ;)
15:45:36 <gagehugo> hmm ok
15:45:50 <gagehugo> I need to hop on another call, thanks fungi as always
15:45:54 <gagehugo> #endmeeting