15:05:05 <fungi> #startmeeting security
15:05:15 <gagehugo> o/
15:05:30 <fungi> #link https://etherpad.opendev.org/p/security-agenda Meeting Agenda
15:05:51 <fungi> #topic Prior actions
15:06:04 <fungi> fungi adjust the repos-overseen doc to also mention the vmt is available to assist projects even if their repos are not explicitly opted into oversight
15:06:23 <fungi> #link https://review.opendev.org/844444 (openstack/ossa) repos-overseen: VMT is happy to assist any project
15:06:40 <fungi> fungi push/amend sig chair update changes
15:06:59 <fungi> #link https://review.opendev.org/844446 (openstack/governance-sigs) Security SIG chair rotation
15:07:15 <fungi> #link https://review.opendev.org/844448 (opendev/irc-meetings) Security SIG chair rotation
15:07:30 <fungi> fungi propose change to remove security blog references from ossa repo
15:07:46 <fungi> #link https://review.opendev.org/844451 (openstack/ossa) Drop references for the old security blog
15:08:08 <fungi> fungi send an announcement to the openstack-discuss list about moving documentation out of security-analysis to individual project repos
15:08:23 <fungi> #link https://lists.openstack.org/pipermail/openstack-discuss/2022-June/028816.html Retiring security-analysis process and repo
15:08:37 <fungi> fungi follow retirement process from project teams guide/infra manual to retire security-analysis
15:08:53 <fungi> #link https://review.opendev.org/844463 (openstack/governance) Remove security-analysis repo from Security SIG
15:09:06 <gagehugo> I can review those today
15:09:09 <fungi> #link https://review.opendev.org/844468 (openstack/security-doc) Use permalink for Barbican security analysis
15:09:23 <fungi> #link https://review.opendev.org/844490 (openstack/security-analysis) Retirement Step 2: Remove Project Content
15:09:27 <fungi> thanks gagehugo!
15:09:41 <fungi> there will be more, but my network outage was inconveniently timed, so i haven't been able to push the rest up yet
15:10:04 <fungi> #action fungi complete retirement process for security-analysis
15:12:02 <fungi> also i've been meaning to add d34dh0r53 and dmendiza[m] to the review group in gerrit so they can help review those as well
15:12:24 <fungi> (sorry for the slowness on my end, this wireless modem is pretty terrible)
15:12:54 <fungi> #action fungi add new volunteers to review groups
15:13:07 <d34dh0r53> dmendiza[m] is on PTO but I can take a stab at reviewing those as well
15:13:19 <fungi> #action fungi initiate openstack-discuss thread on the topic of xstatic packages and js dependency handling
15:13:24 <fungi> i did not get to that yet
15:13:56 <fungi> thanks d34dh0r53! i'll let you know once you have +2 privs, hopefully as soon as my isp pulls their head out of their socket
15:14:10 <d34dh0r53> fungi: thanks!
15:14:28 <fungi> #topic Activities: Publishing OSSNs
15:14:59 <fungi> as some of you may or may not be aware, we have redundant copies of security notes presently
15:15:16 <fungi> #link https://opendev.org/openstack/security-doc/src/branch/master/security-notes Security Notes in Git
15:15:37 <fungi> #link https://wiki.openstack.org/wiki/OSSN Security Notes in Wiki
15:15:59 <fungi> also the process info is currently in the wiki rather than in git
15:16:50 <fungi> looking for volunteers interested in moving the process documentation into git (i guess into the security-doc repo), and retiring all the content on the wiki
15:17:33 <fungi> to those of you here now, or anyone reading the minutes after the meeting, feel free to reach out to me if you want to help with that
15:18:22 <fungi> it would be nice to get the ossn review process streamlined to be closer to how we review ossa documents, but even just moving the process documentation over and dropping the wiki copies will help
15:18:42 <fungi> i'll keep this topic on the meeting for next month, and can action any volunteers we happen to get
15:18:55 <fungi> er, on the agenda for the meeting next month i mean
15:19:26 <fungi> anybody have any input on the idea? if not, i'll move on to the next topic on the agenda
15:21:39 <fungi> #topic Recently public security bug reports
15:22:24 <fungi> #link https://launchpad.net/bugs/1975830 Horizon doesn't provide ACL on Instance level
15:22:40 <fungi> this was more of a mis-filed feature request
15:23:05 <fungi> i switched it to a normal bug report and added the security tag for visibility
15:24:01 <fungi> that's the only one i can think of since the last meeting
15:25:01 <fungi> if anyone has an interest in instance-level console access security (obviously the api is as much or more of a problem than the dashboard), feel free to follow up there
15:25:32 <fungi> #topic Recent vulnerabilities in or related to OpenStack
15:26:49 <fungi> i'm not aware of any obvious new ones here, but if anything public has come to anyone's attention we can take some time in the meeting to discuss
15:27:30 <fungi> buzz about the log4j vulnerabilities seems to have died down, so an ossn for that is probably no longer particularly urgent
15:30:20 <fungi> okay, seems like nobody else has anything for this either
15:30:33 <fungi> #topic Anything else?
15:30:55 <fungi> i'll give it a few minutes before i wrap it up, in case there are other issues folks want to bring up
15:31:44 <fungi> i'm in berlin next week for the open infrastructure summit, but will be trying to keep an eye on any immediate concerns (vmt-related or otherwise) as time allows
15:32:26 <fungi> if anybody wants to catch up in-person and is also going to be there, i'm happy to coordinate schedules
15:33:02 <fungi> there are also some infosec-oriented talks on the conference schedule we're likely to bump into one another at
15:33:48 <fungi> we actually have a "security" track again for the first time in a while
15:34:42 <fungi> #link https://openinfra.dev/summit-schedule#track=390&view=calendar OpenInfra Summit Security Track Sessions
15:35:44 <fungi> 10 different talks in the track
15:38:23 <fungi> if you filter by title keyword instead, there's another one in the containers track
15:38:34 <fungi> "Lotsa security: confining the extra security layer"
15:39:36 <fungi> and also of course, tons of security-relevant discussions happening at the forum
15:39:49 <fungi> "Next Steps for FIPS in OpenStack"
15:40:52 <fungi> "Unrestricted Ansible in Zuul"
15:41:51 <fungi> "Deprivileging of Service Accounts Between Individual OpenStack Services"
15:42:18 <fungi> i expect there will be some ongoing rbac discussions too
15:45:02 <fungi> since it doesn't appear anyone else has something to bring up, i'll close this down 15 minutes early. thanks everyone!
15:45:06 <fungi> #endmeeting