15:18:01 <gagehugo> #startmeeting security
15:18:01 <opendevmeet> Meeting started Thu Mar  3 15:18:01 2022 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:18:01 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:18:01 <opendevmeet> The meeting name has been set to 'security'
15:18:17 <gagehugo> #link https://etherpad.opendev.org/p/security-agenda agenda
15:19:43 <fungi> ohai
15:20:05 <gagehugo> Apologies for the late start, in another meeting and lost track of time
15:20:30 <gagehugo> #topic PTG
15:20:31 <fungi> no worries, i'm in two other meetings at the same time
15:20:34 <gagehugo> heh
15:20:51 <gagehugo> So the PTG is in roughly 1 month
15:21:05 <gagehugo> I was going to cancel next month's meeting since we'll have a session that week anyway
15:21:25 <gagehugo> The current time we are scheduled is Monday April 4th 2100-2300 UTC
15:21:43 <gagehugo> #link https://etherpad.opendev.org/p/security-sig-ptg-zed ptg agenda
15:21:48 <gagehugo> I'll get that etherpad setup today
15:21:53 <gagehugo> and an email sent out
15:22:11 <fungi> thanks!
15:22:42 <gagehugo> #topic open discussion
15:22:57 <gagehugo> I believe the security-specs repo is now officially retired?
15:23:08 <gagehugo> unless I missed a step
15:23:08 <fungi> yes, i think so
15:23:32 <fungi> i remember the governance change merging, which is generally the final step
15:23:52 <gagehugo> ok good
15:24:48 <gagehugo> That's all I had for updates, do you have anything fungi?
15:24:55 <fungi> i may have mentioned it late last year, but i'm noodling on starting a discussion with the community about the security landmine that is horizon's xstatic wrappers for javascript libraries
15:25:05 <gagehugo> oh geez
15:26:09 <fungi> i think the idea at the beginning was that it would give us a way to reference js libs from python as dependencies, particularly for testing, but that distros would de-vendor the actual javascript and substitute whatever actual versions of those libs they were already packaging separately
15:26:42 <gagehugo> hmm
15:26:45 <fungi> unfortunately the reality is that they seem to have simply packaged the xstatic wrappers along with the embedded javascript
15:27:19 <gagehugo> ah
15:27:29 <fungi> so openstack has become a redistributor of other people's javascript libs, usually outdated versions of them with known security vulnerabilities
15:28:18 <gagehugo> yeah, that's not great
15:28:21 <fungi> and distros are just shipping those as-is
15:29:31 <fungi> this has come to a head with a recent report to ubuntu about how their packages of things like xstatic-angular and xstatic-jquery have known vulnerabilities, but this gets increasingly complicated because the upstream fixes for those are not things horizon has successfully updated to yet
15:30:10 <fungi> unlike our actual python dependencies, we don't have anything along the lines of global-requirements/upper-constraints to push projects to support latest versions of js libs
15:30:20 <fungi> so they just bitrot and are mostly ignored
15:30:54 <fungi> so anyway, i have concerns. i've had concerns for a long time but the situation seems to be getting worse rather than better
15:31:01 <fungi> what i don't really have yet is good suggestions
15:32:08 <gagehugo> ok
15:32:21 <fungi> if people have ideas they want to share here in the meeting, or reach out to me with after, it's appreciated
15:32:46 <fungi> once i bring the subject to a wider audience on the openstack-discuss ml, maybe there will be more ideas
15:32:55 <gagehugo> That is a good idea
15:38:17 <gagehugo> I think I remember us discussing making an OSSN for log4j last meeting as well?
15:38:39 <fungi> yes, i haven't seen any volunteers there
15:38:46 <fungi> also the vulnerability:managed governance tag removal is on hold waiting for the openstack website to no longer rely on it for the project info pages
15:39:26 <fungi> there's a high priority request in to the webdev contracting company the foundation uses to manage that website to remove those bits
15:39:32 <fungi> but i don't have any eta
15:40:28 <fungi> our (vmt/sig) side, though, is complete. the security site is updated, as is the project team guide
15:40:45 <fungi> er, not the project team guide, sorry, it was the security handbook
15:40:56 <gagehugo> ok cool
15:41:01 <fungi> anyway, it's just the governance change which is still not merged
15:42:25 <fungi> i also noticed, in making that change to the security manual, that it's still referring to the security-analysis repo... we could talk about whether that's still relevant too, or whether it's under-utilized and should be retired
15:43:22 <gagehugo> might be a good PTG discussion
15:44:29 <fungi> i'll add it to the pad
15:45:24 <fungi> it was another outgrowth of the now defunct ossg
15:45:57 <fungi> the remnants of the security sig lack the review bandwidth for what that was designed to be
15:46:28 <gagehugo> :(
15:46:33 <gagehugo> yeah
15:47:26 <fungi> but also nobody seems to be using it anyway
15:49:43 <gagehugo> fungi: anything else for this meeting?
15:50:10 <fungi> nothing else from me, nope
15:50:26 <fungi> thanks for chairing, gagehugo!
15:50:41 <gagehugo> Thanks fungi!
15:50:45 <gagehugo> #endmeeting