#openstack-security log

15:00:18 <fungi> #startmeeting security
15:00:18 <opendevmeet> Meeting started Thu May  5 15:00:18 2022 UTC and is due to finish in 60 minutes.  The chair is fungi. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:18 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:18 <opendevmeet> The meeting name has been set to 'security'
15:01:12 <fungi> not sure who else is around, but i put an agenda together in the usual spot
15:01:22 <fungi> #link https://etherpad.opendev.org/p/security-agenda
15:02:26 <fungi> we skipped the april meeting in favor of (virtually) getting together at the ptg, so this is our first regular meeting since the ptg
15:03:28 <fungi> #topic PTG recap
15:05:17 <fungi> #link https://etherpad.opendev.org/p/security-sig-ptg-zed
15:05:24 <fungi> that's where we took some notes
15:06:25 <fungi> we covered a few topics, some of which are broken out into activities in today's meeting agenda
15:07:13 <fungi> we talked about finding more volunteers to expand the vmt
15:07:36 <fungi> big thanks to d34dh0r53 and dmendiza[m] for expressing interest in getting involved there!
15:08:03 <d34dh0r53> o/
15:08:10 <d34dh0r53> you're welcome
15:08:31 <fungi> thankfully, things have been fairly quiet on the vmt front for the past month, so i haven't had much opportunity for engagement with our new recruits on anything yet
15:08:47 <dmendiza[m]> 🙋‍♂️                                                                                                                             ad
15:09:17 <fungi> it looks like i had one action item from the vmt coverage expansion discussion which i've neglected to work on yet
15:09:36 <fungi> #action fungi adjust the repos-overseen doc to also mention the vmt is available to assist projects even if their repos are not explicitly opted into oversight
15:10:20 <fungi> i'll get into other stuff from the ptg later in today's agenda
15:10:44 <fungi> anyone have anything ptg-related to add which isn't on the meeting agenda already?
15:12:02 <fungi> #topic Interim SIG chair
15:12:53 <fungi> many thanks to gagehugo for chairing the sig (for i can't even remember how many years it's been now)!
15:13:03 <fungi> #link http://lists.openstack.org/pipermail/openstack-discuss/2022-April/028251.html
15:14:13 <fungi> as he mentions in that ml post, he's unable to continue chairing the sig, so we need one or more new (co)chairs
15:15:24 <fungi> given the lack of responses, there's a wip change which i'll amend to set myself as interim chair, though i'm happy to entertain other co-chairing or replacement chairs from anyone with interest
15:15:43 <fungi> #link https://review.opendev.org/839632
15:16:15 <fungi> we'll also need a similar change to the openstack/governance-sigs repository officially setting the chair(s) for the sig
15:16:44 <fungi> #action fungi push/amend sig chair update changes
15:17:29 <fungi> if anyone's up for it, speak up now or feel free to reach out to me any time after the meeting
15:19:36 <fungi> #topic Activities: retiring security-analysis repository
15:19:55 <fungi> this was something we spent some time discussing at the ptg
15:20:47 <fungi> the references to the security-analysis repo were already removed from the ossa repo and thus from the security site when i was working on importing the vulnerability:managed governance tag documentation
15:21:25 <fungi> the repository itself has yet to be retired, so i'll take care of the next steps, which i believe will be as follows:
15:21:58 <fungi> #action fungi send an announcement to the openstack-discuss list about moving documentation out of security-analysis to individual project repos
15:22:24 <fungi> #action fungi follow retirement process from project teams guide/infra manual to retire security-analysis
15:22:53 <fungi> if anyone is interested in doing either or both of those things, i'm happy to help provide guidance
15:24:32 <fungi> #topic Activities: horizon xstatic javascript library wrappers plan
15:25:10 <fungi> we covered this some in the security sig ptg session, and i also had a lengthy discussion with horizon contributors in their session about it
15:28:57 <fungi> i still owe the openstack-discuss ml a discussion starter about what can be done
15:29:09 <fungi> and the current pitfalls with what we have
15:29:44 <fungi> #action fungi initiate openstack-discuss thread on the topic of xstatic packages and js dependency handling
15:31:19 <fungi> #topic Activities: removing references to defunct security blog
15:31:52 <fungi> this has come up in the past, and i just noticed when looking back over the main page of the security.openstack.org site that we still refer to it
15:32:00 <gagehugo> o/
15:32:10 <gagehugo> apologies for being late
15:32:22 <fungi> no worries! i've been taking things slowly
15:33:21 <fungi> the "openstack security blog" was being managed by some of the more active openstack security group folks in years past, but it was abandoned around 5 years ago
15:34:41 <fungi> it would probably be good if someone who's a member of the openstack-security org on github could wind it down more cleanly there, but i don't know who had or still has access to do that (it's not me, at the very least)
15:35:28 <fungi> hyakuhei seems to have probably set it up originally, and i see indication that lhinds might have been the last one approving pull requests in it
15:36:12 <fungi> at any rate, what i *can* do is remove references to it from the security.openstack.org site, so i'll push up a change to do that and further simplify the page in the process
15:36:53 <fungi> #action fungi propose change to remove security blog references from ossa repo
15:38:08 <fungi> #topic Recently public security bug reports
15:38:41 <fungi> we've only had one of note since the ptg, and it was marked invalid by the vmt:
15:38:52 <fungi> #link https://launchpad.net/bugs/1970932
15:39:35 <fungi> i'm looking forward to progress on the rbac work, particularly the idea of dropping the ambiguous "admin" role, which will hopefully solve a lot of this sort of confusion
15:39:54 <gagehugo> more documentation would be nice
15:40:20 <fungi> yeah, if anyone has time and interest in making that particular pitfall more easily spotted by users/operators, that would be awesome
15:42:02 <fungi> #topic Recent vulnerabilities in or related to OpenStack
15:42:24 <fungi> i noticed these advisories for dpdk this morning:
15:42:36 <fungi> #link https://www.openwall.com/lists/oss-security/2022/05/05/1
15:42:47 <fungi> #link https://www.openwall.com/lists/oss-security/2022/05/05/2
15:43:32 <fungi> unfortunately there's not a ton of detail in the ml posts, and their bugzilla requires a login to see whatever's at the urls they linked for more information
15:44:17 <fungi> the first one might be arbitrary code execution, but i'm not sure how the vulnerable function call is reached, so i can't be positive
15:44:53 <fungi> the second is called out as a potential denial of service due to resource exhaustion
15:45:31 <fungi> i'm bringing them up because i know some openstack deployments rely on dpdk features, so this might be of interest to a subset of our operators
15:46:04 <fungi> if anyone's got a burning desire to do a bit more research and write up an ossn (openstack security note) about these, i'm sure that would be welcome
15:46:57 <fungi> #topic Anything else?
15:47:29 <fungi> i'll give everyone a few minutes in case someone has something to bring up before i end the meeting
15:50:25 <fungi> i'll take that as a "no." thanks for coming! see you on thursday, june 2, when we'll have a (hopefully short) meeting to talk about anything of interested related to the summit happening in berlin the following week
15:50:45 <gagehugo> thanks fungi!
15:50:51 <fungi> er, anything of interest, i mean
15:50:59 <fungi> #endmeeting