#openstack-security log

15:00:45 <gagehugo> #startmeeting security
15:00:45 <opendevmeet> Meeting started Thu Dec  2 15:00:45 2021 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:45 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:45 <opendevmeet> The meeting name has been set to 'security'
15:01:05 <gagehugo> #link https://etherpad.opendev.org/p/security-agenda agenda
15:01:09 <gagehugo> o/
15:02:53 <fungi> ohai
15:03:11 <gagehugo> fungi: you around?
15:03:33 <fungi> yes
15:04:08 <fungi> are you seeing me?
15:05:21 <fungi> gagehugo: connectivity problems?
15:08:41 <gagehugo> your messages just appeared for me
15:08:51 <gagehugo> o/
15:09:29 <fungi> sounds like oftc may have some lag between servers
15:09:54 <gagehugo> hmm maybe
15:11:08 <gagehugo> Nothing on the agenda, seems to have been a quiet month
15:11:37 <fungi> yeah, there was some clarification obtained in the cinder meeting on forward progress for the image encryption effort
15:12:03 <fungi> also the "trojan source" vulnerability ate a lot of discussion bandwidth in general
15:12:20 <fungi> fips testing is coming along, being disucssed in the tc meeting right now
15:14:55 <fungi> also the opendev collaboratory has made a quiet/soft announcement about how to start using 2fa with launchpad/ubuntuone
15:15:21 <gagehugo> oh neat
15:15:38 <fungi> #link http://lists.opendev.org/pipermail/service-discuss/2021-December/000304.html UbuntuOne/Launchpad two-factor authentication
15:16:58 <fungi> per earlier messages in that thread, several of us have been trying it for more than a year now
15:17:10 <gagehugo> I still have the items from the PTG on my todo list, I'll try to get to those this month.
15:17:33 <fungi> yeah, i think i got some minor site updates pushed up
15:17:41 <gagehugo> how's it working so far?
15:17:46 <fungi> can't remember if those merged before the last meeting or before this one
15:18:17 <fungi> teh 2fa? no problems at all. i enrolled totp slots in two of my librem key devices and have been using those
15:19:13 <fungi> i spent more time working out viable command-line access (they're modified nitrokeys, but needs a very new nitrocli build to recognize them)
15:19:20 <gagehugo> ah ok
15:19:37 <fungi> i think clarkb is using google authenticator on an android phone
15:19:47 <fungi> i don't recall if ianw said what he's using
15:20:10 <fungi> anyway, follow up to that service-discuss thread if anyone wants to talk about it more
15:20:35 <fungi> oh, also we retooled the artifact signing key generation/rotation/attestation process for openstack releases
15:21:20 <fungi> basically coping with the collapse of the sks keyserver network and switching to keys.openpgp.org
15:22:22 <fungi> since no well-connected keyservers still carry third-party key signatures, we've moved to more of a caff-style attestation process, where you checkout the public key from git, import it, sign that, re-export it with your new signature and the ones which were already on it, commit that and push it for review
15:23:09 <fungi> previously we only included the self-sig in the export (since that's what sets the expiration)
15:23:52 <fungi> #link https://docs.opendev.org/opendev/system-config/latest/signing.html Signing System
15:24:02 <gagehugo> hmm
15:24:25 <fungi> that documentation is up to date, with the exception of the attestation section which we're still finalizing
15:25:51 <gagehugo> good to know
15:30:14 <gagehugo> fungi: anything else you want to discuss?
15:31:43 <fungi> nah, sucked into python 3.6 deprecation discussion in the tc meeting
15:32:57 <gagehugo> thanks for the updates! Have a good holiday if I don't talk you to before then!
15:33:03 <fungi> thanks, you too!
15:33:05 <gagehugo> #endmeeting