15:02:00 <fungi> #startmeeting security
15:02:33 <fungi> #link https://etherpad.opendev.org/p/security-agenda Meeting Agenda
15:02:48 <fungi> #topic Prior Actions
15:03:20 <fungi> #link https://meetings.opendev.org/meetings/security/2022/security.2022-07-07-15.00.html Minutes from last meeting
15:03:54 <fungi> we skipped the august meeting due to my lack of availability, so many apologies
15:04:31 <fungi> fungi initiate openstack-discuss thread on the topic of xstatic packages and js dependency handling
15:04:37 <fungi> i finally got around to that
15:04:47 <fungi> #link https://lists.openstack.org/pipermail/openstack-discuss/2022-August/029825.html XStatic and JS dependencies
15:05:37 <fungi> i also posted a followup message tagged with a bunch of relevant deployment and packaging teams/sigs in order to hopefully bring it to their attention
15:06:16 <fungi> that was posted a month ago, and to date there have been zero responses, not even from the horizon maintainers, unfortunately
15:06:46 <fungi> probably we should see about getting it added as a horizon ptg discussion topic
15:07:12 <fungi> #action fungi propose xstatic discussion topic on horizon ptg agenda
15:07:36 <fungi> the other two action items from last meeting are still incomplete, so apologies... i'll re-add them to track
15:07:59 <fungi> #action fungi add new volunteers to embargo-notice ml
15:08:10 <fungi> #action fungi update ossn/security-doc members in gerrit and launchpad
15:08:32 <fungi> i started looking into those, and i should probably clean up old members while i'm at it
15:09:21 <fungi> in particular, the ossn core review group in gerrit does not contain any current contributors at all, and the security doc group has a lot of retired contributors still in it. i have a feeling i'll discover the same in the corresponding launchpad groups
15:10:00 <fungi> prometheanfire is also not one of the embargo-notice ml moderators, i can't remember if that was on purpose or merely an oversight
15:10:08 <fungi> anyway, that's all i had for action items from last meeting
15:10:32 <fungi> #topic Pending Reviews
15:10:42 <fungi> #link https://review.opendev.org/q/is:open+project:openstack/ossa Open change reviews for openstack/ossa
15:11:20 <prometheanfire> I feel like that's an oversight, I don't remember ever moderating that ml
15:11:22 <fungi> that's currently empty! i'll try to remember to add our other repos next time, there are probably some we could clean up for ossn and security-doc
15:12:28 <fungi> prometheanfire: i'll add you to the list owners for it if you like, it's mostly a means for us to review downstream stakeholder messages before sending
15:12:51 <prometheanfire> I don't need to be an owner / moderator, just member most likely
15:13:20 <fungi> ahh, okay. the idea was that the vmt members would help maintain that ml, but it's certainly not obligatory
15:13:26 <fungi> #topic Public Bug Reports
15:13:36 <fungi> #link https://bugs.launchpad.net/ossa/+bugs?field.information_type%3Alist=PUBLIC&field.information_type%3Alist=PUBLICSECURITY
15:15:00 <fungi> #link https://launchpad.net/bugs/1981813 Compute service fails to restart if the vnic_type of a bound port changed from direct to macvtap (CVE-2022-37394)
15:15:35 <fungi> that's in progress but stalled for the past ~6 weeks looks like
15:16:03 <fungi> #link https://review.opendev.org/850003 Gracefully ERROR in _init_instance if vnic_type changed
15:16:33 <fungi> is the proposed fix in master, and has review priority set, but no activity there for several weeks
15:17:18 <fungi> anyone want to prod the nova reviewers to try and not end up carrying this vulnerability into the zed release?
15:18:23 <fungi> #action fungi reach out to nova reviewers about 850003
15:18:52 <fungi> #link https://launchpad.net/bugs/1980954 Resource leak with HTTPBadRequest in StaticLargeObject.get_slo_segments
15:19:42 <fungi> it appears the swift folks merged a couple of fixes for that, and so 2.30.0 (their latest release from master) is supposedly no longer impacted
15:21:44 <fungi> it's been pretty quiet though, and nobody responded to my question about backports, so we should probably assume the maintainers have limited interest in any backporting for that, switch it to class b1, and encourage interested community members to either write up an ossn about it or make backports (in which case we can switch back to class a and publish an advisory)
15:22:28 <fungi> #action fungi switch bug 1981813 to class b1 for now
15:24:19 <fungi> the other 6 public bugs in lp are years old since their last updates, so we should probably assume limited community interest and ignore unless someone revives them
15:24:46 <fungi> #action fungi switch advisory tasks for old public security bugs to won't fix for now
15:25:34 <fungi> #topic PTG Planning
15:26:37 <fungi> #link https://lists.openstack.org/pipermail/openstack-discuss/2022-August/029823.html Any interest in getting together at the PTG?
15:27:29 <fungi> that was back when it was still going to be in-person
15:27:52 <fungi> tonyb replied that he's interested in having a security sig session, but maybe now that it's going virtual more of you are interested in participating?
15:28:23 <fungi> slots are already starting to fill up
15:28:37 <fungi> #link https://ptg.opendev.org/ptg.html PTG Schedule
15:29:22 <fungi> i can try to pick an hour at a time when folks think will be convenient. are there any preferences, or conflicts with other teams i should try to avoid?
15:30:05 <fungi> at a minimum i'll not book it over top the tc sessions or the diversity and inclusion wg session, and try to avoid intersecting barbican or keystone times
15:30:43 <fungi> #action fungi schedule an hour at the ptg for the security sig
15:31:01 <fungi> anybody else have anything ptg-related?
15:34:15 <fungi> i'll take your silence as a resounding no
15:34:21 <fungi> #topic Open Discussion
15:34:30 <fungi> what else ya got?
15:38:45 <fungi> seems like a whole lot of nothing. next meeting will be in here on thursday october 6 at 15:00 utc
15:38:48 <fungi> thanks everyone!
15:38:51 <fungi> #endmeeting