15:18:01 <gagehugo> #startmeeting security
15:18:01 <opendevmeet> Meeting started Thu Mar 3 15:18:01 2022 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:18:01 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:18:01 <opendevmeet> The meeting name has been set to 'security'
15:18:17 <gagehugo> #link https://etherpad.opendev.org/p/security-agenda agenda
15:19:43 <fungi> ohai
15:20:05 <gagehugo> Apologies for the late start, in another meeting and lost track of time
15:20:30 <gagehugo> #topic PTG
15:20:31 <fungi> no worries, i'm in two other meetings at the same time
15:20:34 <gagehugo> heh
15:20:51 <gagehugo> So the PTG is in roughly 1 month
15:21:05 <gagehugo> I was going to cancel next month's meeting since we'll have a session that week anyway
15:21:25 <gagehugo> The current time we are scheduled is Monday April 4th 2100-2300 UTC
15:21:43 <gagehugo> #link https://etherpad.opendev.org/p/security-sig-ptg-zed ptg agenda
15:21:48 <gagehugo> I'll get that etherpad set up today
15:21:53 <gagehugo> and an email sent out
15:22:11 <fungi> thanks!
15:22:42 <gagehugo> #topic open discussion
15:22:57 <gagehugo> I believe the security-specs repo is now officially retired?
15:23:08 <gagehugo> unless I missed a step
15:23:08 <fungi> yes, i think so
15:23:32 <fungi> i remember the governance change merging, which is generally the final step
15:23:52 <gagehugo> ok good
15:24:48 <gagehugo> That's all I had for updates, do you have anything fungi?
15:24:55 <fungi> i may have mentioned it late last year, but i'm noodling on starting a discussion with the community about the security landmine that is horizon's xstatic wrappers for javascript libraries
15:25:05 <gagehugo> oh geez
15:26:09 <fungi> i think the idea at the beginning was that it would give us a way to reference js libs from python as dependencies, particularly for testing, but that distros would de-vendor the actual javascript and substitute whatever actual versions of those libs they were already packaging separately
15:26:42 <gagehugo> hmm
15:26:45 <fungi> unfortunately the reality is that they seem to have simply packaged the xstatic wrappers along with the embedded javascript
15:27:19 <gagehugo> ah
15:27:29 <fungi> so openstack has become a redistributor of other people's javascript libs, usually outdated versions of them with known security vulnerabilities
15:28:18 <gagehugo> yeah, that's not great
15:28:21 <fungi> and distros are just shipping those as-is
15:29:31 <fungi> this has come to a head with a recent report to ubuntu about how their packages of things like xstatic-angular and xstatic-jquery have known vulnerabilities, but this gets increasingly complicated because the upstream fixes for those are not things horizon has successfully updated to yet
15:30:10 <fungi> unlike our actual python dependencies, we don't have anything along the lines of global-requirements/upper-constraints to push projects to support latest versions of js libs
15:30:20 <fungi> so they just bitrot and are mostly ignored
15:30:54 <fungi> so anyway, i have concerns. i've had concerns for a long time but the situation seems to be getting worse rather than better
15:31:01 <fungi> what i don't really have yet is good suggestions
15:32:08 <gagehugo> ok
15:32:21 <fungi> if people have ideas they want to share here in the meeting, or reach out to me with after, it's appreciated
15:32:46 <fungi> once i bring the subject to a wider audience on the openstack-discuss ml, maybe there will be more ideas
15:32:55 <gagehugo> That is a good idea
15:38:17 <gagehugo> I think I remember us discussing making an OSSN for log4j last meeting as well?
15:38:39 <fungi> yes, i haven't seen any volunteers there
15:38:46 <fungi> also the vulnerability:managed governance tag removal is on hold waiting for the openstack website to no longer rely on it for the project info pages
15:39:26 <fungi> there's a high priority request in to the webdev contracting company the foundation uses to manage that website to remove those bits
15:39:32 <fungi> but i don't have any eta
15:40:28 <fungi> our (vmt/sig) side though is complete. the security site is updated as is the project team guide
15:40:45 <fungi> er, not the project team guide, sorry, it was the security handbook
15:40:56 <gagehugo> ok cool
15:41:01 <fungi> anyway, it's just the governance change which is still not merged
15:42:25 <fungi> i also noticed, in making that change to the security manual, that it's still referring to the security-analysis repo... we could talk about whether that's still relevant too, or whether it's under-utilized and should be retired
15:43:22 <gagehugo> might be a good PTG discussion
15:44:29 <fungi> i'll add it to the pad
15:45:24 <fungi> it was another outgrowth of the now defunct ossg
15:45:57 <fungi> the remnants of the security sig lack the review bandwidth for what that was designed to be
15:46:28 <gagehugo> :(
15:46:33 <gagehugo> yeah
15:47:26 <fungi> but also nobody seems to be using it anyway
15:49:43 <gagehugo> fungi: anything else for this meeting?
15:50:10 <fungi> nothing else from me, nope
15:50:26 <fungi> thanks for chairing, gagehugo!
15:50:41 <gagehugo> Thanks fungi!
15:50:45 <gagehugo> #endmeeting