15:11:28 <gagehugo> #startmeeting security
15:11:29 <opendevmeet> Meeting started Thu Jun  3 15:11:28 2021 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:11:30 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:11:33 <opendevmeet> The meeting name has been set to 'security'
15:12:23 <gagehugo> o/
15:13:17 <fungi> ohai
15:14:43 <gagehugo> #link https://etherpad.opendev.org/p/security-agenda  agenda
15:15:57 <gagehugo> apologies for the late start
15:16:01 <gagehugo> #topic Folding the openstack-security ML into openstack-discuss
15:16:35 <fungi> so... i go through the moderation queue for it daily and discard spam
15:16:40 <gagehugo> fungi: I guess we haven't really been using the openstack-security ML?
15:16:59 <fungi> but looking back at the archives there's not been a single post to it in over a year
15:19:26 <fungi> anyway what we've done with other lists is to send a message to it saying it's being closed down, then delete the configuration for it (leaving the archives intact for posterity), and we add mail address aliases to direct future messages to openstack-discuss
15:19:39 <gagehugo> I think that is fine
15:19:48 <fungi> i'm happy to take care of all that as long as we have consensus
15:20:03 <gagehugo> one ML to rule them all
15:20:09 <fungi> in that case i'll send a message to the openstack-security ml this week saying we're shutting it down
15:20:50 <fungi> and separately we'll want to use codesearch.o.o to find references to that ml and update them to point to the openstack-discuss ml (saying to use [security-sig] in the subject line)
15:23:58 <gagehugo> ok
15:24:49 <gagehugo> #topic Need to update all the IRC references for security-sig
15:25:15 <gagehugo> This is likely just the same thing, using codesearch.o.o to find/replace any irc references to point to the new ones
15:26:55 <gagehugo> #topic open discussion
15:27:04 <gagehugo> fungi: any other updates?
15:32:48 <fungi> nope, none from me. i sent a batch of reminders to the discuss ml about outstanding public vulnerability reports
15:32:59 <fungi> there's been some movement on a few, so i'll try to keep doing that
15:33:09 <fungi> though others are also free to take a turn if they want
15:34:26 <fungi> eventually it would be great if the people taking bug triage shifts on the individual projects started to include status for outstanding public vulnerability reports in their own periodic bug status reports to raise visibility, but i'm not sure how to get them to do it. i've tried to suggest it and get the opinion i'm being ignored
15:37:06 <gagehugo> Lol
15:37:24 <gagehugo> Do all the projects have bug triage shifts?
15:40:38 <fungi> not all, but the ones who also tend to have a lot of vulnerability reports do
15:41:24 <fungi> the rotating "bug czars/tsars" or whatever fancy titles they like to give them to make it seem like it's not janitorial drudgery ;)
15:45:36 <gagehugo> hmm ok
15:45:50 <gagehugo> I need to hop on another call, thanks fungi as always
15:45:54 <gagehugo> #endmeeting