#openstack-security log

15:05:05 <fungi> #startmeeting security
15:05:05 <opendevmeet> Meeting started Thu Jun  2 15:05:05 2022 UTC and is due to finish in 60 minutes.  The chair is fungi. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:05:05 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:05:05 <opendevmeet> The meeting name has been set to 'security'
15:05:15 <gagehugo> o/
15:05:30 <fungi> #link https://etherpad.opendev.org/p/security-agenda Meeting Agenda
15:05:51 <fungi> #topic Prior actions
15:06:04 <fungi> fungi adjust the repos-overseen doc to also mention the vmt is available to assist projects even if their repos are not explicitly opted into oversight
15:06:23 <fungi> #link https://review.opendev.org/844444 (openstack/ossa) repos-overseen: VMT is happy to assist any project
15:06:40 <fungi> fungi push/amend sig chair update changes
15:06:59 <fungi> #link https://review.opendev.org/844446 (openstack/governance-sigs) Security SIG chair rotation
15:07:15 <fungi> #link https://review.opendev.org/844448 (opendev/irc-meetings) Security SIG chair rotation
15:07:30 <fungi> fungi propose change to remove security blog references from ossa repo
15:07:46 <fungi> #link https://review.opendev.org/844451 (openstack/ossa) Drop references for the old security blog
15:08:08 <fungi> fungi send an announcement to the openstack-discuss list about moving documentation out of security-analysis to individual project repos
15:08:23 <fungi> #link https://lists.openstack.org/pipermail/openstack-discuss/2022-June/028816.html Retiring security-analysis process and repo
15:08:37 <fungi> fungi follow retirement process from project teams guide/infra manual to retire security-analysis
15:08:53 <fungi> #link https://review.opendev.org/844463 (openstack/governance) Remove security-analysis repo from Security SIG
15:09:06 <gagehugo> I can review those today
15:09:09 <fungi> #link https://review.opendev.org/844468 (openstack/security-doc) Use permalink for Barbican security analysis
15:09:23 <fungi> #link https://review.opendev.org/844490 (openstack/security-analysis) Retirement Step 2: Remove Project Content
15:09:27 <fungi> thanks gagehugo!
15:09:41 <fungi> there will be more, but my network outage was inconveniently timed to push the rest up yet
15:10:04 <fungi> #action fungi complete retirement process for security-analysis
15:12:02 <fungi> also i've been meaning to add d34dh0r53 and dmendiza[m] to the review group in gerrit so they can help review those as well
15:12:24 <fungi> (sorry for the slowness on my end, this wireless modem is pretty terrible)
15:12:54 <fungi> #action fungi add new volunteers to review groups
15:13:07 <d34dh0r53> dmendiza[m] is on PTO but I can take a stab at reviewing those as well
15:13:19 <fungi> #action fungi initiate openstack-discuss thread on the topic of xstatic packages and js dependency handling
15:13:24 <fungi> i did not get to that yet
15:13:56 <fungi> thanks d34dh0r53! i'll let you know once you have +2 privs, hopefully as soon as my isp pulls their head out of their socket
15:14:10 <d34dh0r53> fungi: thanks!
15:14:28 <fungi> #topic Activities: Publishing OSSNs
15:14:59 <fungi> as some of you may or may not be aware, we have redundant copies of security notes presently
15:15:16 <fungi> #link https://opendev.org/openstack/security-doc/src/branch/master/security-notes Security Notes in Git
15:15:37 <fungi> #link https://wiki.openstack.org/wiki/OSSN Security Notes in Wiki
15:15:59 <fungi> also the process info is currently in the wiki rather than in git
15:16:50 <fungi> looking for volunteers interested in moving the process documentation into git (i guess into the security-doc repo), and retiring all the content on the wiki
15:17:33 <fungi> to those of you here now, or anyone reading the minutes after the meeting, feel free to reach out to me if you want to help with that
15:18:22 <fungi> it would be nice to get the ossn review process streamlined to be closer to how we review ossa documents, but even just moving the process documentation over and dropping the wiki copies will help
15:18:42 <fungi> i'll keep this topic on the meeting for next month, and can action any volunteers we happen to get
15:18:55 <fungi> er, on the agenda for the meeting next month i mean
15:19:26 <fungi> anybody have any input on the idea? if not, i'll move on to the next topic on the agenda
15:21:39 <fungi> #topic Recently public security bug reports
15:22:24 <fungi> #link https://launchpad.net/bugs/1975830 Horizon doesn't provide ACL on Instance level
15:22:40 <fungi> this was more of a mis-filed feature request
15:23:05 <fungi> i switched it to a normal bug report and added the security tag for visibility
15:24:01 <fungi> that's the only one i can think of since the last meeting
15:25:01 <fungi> if someone with an interest in instance-level console access security (obviously the api is as much or more of a problem than the dashboard), feel free to follow up there
15:25:32 <fungi> #topic Recent vulnerabilities in or related to OpenStack
15:26:49 <fungi> i'm not aware of any obvious new ones here, but if anything public has come to anyone's attention we can take some time in the meeting to discuss
15:27:30 <fungi> buzz about the log4j vulnerabilities seems to have died down, so an ossn for that is probably no longer particularly urgent
15:30:20 <fungi> okay, seems like nobody else has anything for this either
15:30:33 <fungi> #topic Anything else?
15:30:55 <fungi> i'll give it a few minutes before i wrap it up, in case there are other issues folks want to bring up
15:31:44 <fungi> i'm in berlin next week for the open infrastructure summit, but will be trying to keep an eye on any immediate concerns (vmt-related or otherwise) as time allows
15:32:26 <fungi> if anybody wants to catch up in-person and is also going to be there, i'm happy to coordinate schedules
15:33:02 <fungi> there are also some infosec-oriented talks on the conference schedule we're likely to bump into one another at
15:33:48 <fungi> we actually have a "security" track again for the first time in a while
15:34:42 <fungi> #link https://openinfra.dev/summit-schedule#track=390&view=calendar OpenInfra Summit Security Track Sessions
15:35:44 <fungi> 10 different talks in the track
15:38:23 <fungi> if you filter by title keyword instead, there's another one in the containers track
15:38:34 <fungi> "Lotsa security: confining the extra security layer"
15:39:36 <fungi> and also of course, tons of security-relevant discussions happening at the forum
15:39:49 <fungi> "Next Steps for FIPS in OpenStack"
15:40:52 <fungi> "Unrestricted Ansible in Zuul"
15:41:51 <fungi> "Deprivileging of Service Accounts Between Individual OpenStack Services"
15:42:18 <fungi> i expect there will be some ongoing rbac discussions too
15:45:02 <fungi> since it doesn't appear anyone else has something to bring up, i'll close this down 15 minutes early. thanks everyone!
15:45:06 <fungi> #endmeeting