15:02:19 #startmeeting security
15:02:19 Meeting started Thu Feb 3 15:02:19 2022 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:19 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:19 The meeting name has been set to 'security'
15:02:30 #link https://etherpad.opendev.org/p/security-agenda agenda
15:02:31 o/
15:02:52 ohai
15:03:17 once again, i'm triple-booked today
15:03:21 how's things?
15:03:31 i saw you got started on the security-specs retirement
15:03:39 Yeah, doing that in my spare time
15:03:46 gonna try to get that done this week
15:04:44 excellent, thanks for working on it
15:06:11 🙋
15:08:24 ohai dmendiza[m]
15:09:34 from what i understood from monday's meeting, the image encryption spec-lite in glance is still on track for yoga
15:10:47 Hi friends!
15:10:55 hey
15:12:39 * fungi tries to remember what else security-relevant is going on
15:13:00 I believe I don't have any updates
15:13:07 Just currently watching it snow here
15:13:10 the thread about log4j vulnerabilities brought up that monasca and cloudkitty often use elasticsearch as a backend
15:13:30 and that kolla-ansible will deploy an elasticsearch container for those or if you ask for centralized logging
15:13:46 also sounds like it deploys apache storm, which was affected as well
15:14:36 there's probably enough material in that thread if someone wants to draft a security note about it, though i don't know that i'll have time to put it together
15:15:04 Just a reminder for folks to keep an eye out for Secure RBAC stuff
15:19:52 yes, thank you. that's one of the topics i meant to mention
15:20:27 seems like more projects are getting on the same page since the big tc discussion before the winter holidays
15:21:30 fungi: So an OSSN for kolla-ansible, monasca, cloudkitty?
15:21:48 OSH has an elasticsearch chart as well
15:23:39 yeah, i think it would be an overarching ossn talking about places openstack deployments might include (non-openstack) java-based software affected by the recent log4j vulnerabilities, and reminding operators to make sure they update those things
15:24:29 makes sense
15:24:36 for example, someone who deploys kolla-ansible and selects "i want central logging" may not know that's being provided by elasticsearch much less that it's affected
15:25:22 so while openstack isn't developing any software which is affected by those vulnerabilities, some openstack installers do deploy affected software written outside openstack
15:29:12 gotcha
15:29:21 any other updates for this meeting?
15:29:48 i can't think of anything else
15:29:59 thanks for chairing, gagehugo!
15:30:18 i'll keep an eye out for the remaining specs retirement changes
15:30:39 Have a good rest of the week everyone!
15:30:41 #endmeeting