15:02:00 #startmeeting security
15:02:00 Meeting started Thu Sep 1 15:02:00 2022 UTC and is due to finish in 60 minutes. The chair is fungi. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:00 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:00 The meeting name has been set to 'security'
15:02:33 #link https://etherpad.opendev.org/p/security-agenda Meeting Agenda
15:02:48 #topic Prior Actions
15:03:20 #link https://meetings.opendev.org/meetings/security/2022/security.2022-07-07-15.00.html Minutes from last meeting
15:03:54 we skipped the august meeting due to my lack of availability, so many apologies
15:04:31 fungi initiate openstack-discuss thread on the topic of xstatic packages and js dependency handling
15:04:37 i finally got around to that
15:04:47 #link https://lists.openstack.org/pipermail/openstack-discuss/2022-August/029825.html XStatic and JS dependencies
15:05:37 i also posted a followup message tagged with a bunch of relevant deployment and packaging teams/sigs in order to hopefully bring it to their attention
15:06:16 that was posted a month ago, and to date there have been zero responses, not even from the horizon maintainers, unfortunately
15:06:46 probably we should see about getting it added as a horizon ptg discussion topic
15:07:12 #action fungi propose xstatic discussion topic on horizon ptg agenda
15:07:36 the other two action items from last meeting are still incomplete, so apologies... i'll re-add them to track
15:07:59 #action fungi add new volunteers to embargo-notice ml
15:08:10 #action fungi update ossn/security-doc members in gerrit and launchpad
15:08:32 i started looking into those, and i should probably clean up old members while i'm at it
15:09:21 in particular, the ossn core review group in gerrit does not contain any current contributors at all, and the security doc group has a lot of retired contributors still in it. i have a feeling i'll discover the same in the corresponding launchpad groups
15:10:00 prometheanfire is also not one of the embargo-notice ml moderators, i can't remember if that was on purpose or merely an oversight
15:10:08 anyway, that
15:10:19 's all i had for action items from last meeting
15:10:32 #topic Pending Reviews
15:10:42 #link https://review.opendev.org/q/is:open+project:openstack/ossa Open change reviews for openstack/ossa
15:11:20 I feel like that's an oversight, I don't remember ever moderating that ml
15:11:22 that's currently empty! i'll try to remember to add our other repos next time, there are probably some we could clean up for ossn and security-doc
15:12:28 prometheanfire: i'll add you to the list owners for it if you like, it's mostly a means for us to review downstream stakeholder messages before sending
15:12:51 I don't need to be an owner / moderator, just member most likely
15:13:20 ahh, okay. the idea was that the vmt members would help maintain that ml, but it's certainly not obligatory
15:13:26 #topic Public Bug Reports
15:13:36 #link https://bugs.launchpad.net/ossa/+bugs?field.information_type%3Alist=PUBLIC&field.information_type%3Alist=PUBLICSECURITY
15:15:00 #link https://launchpad.net/bugs/1981813 Compute service fails to restart if the vnic_type of a bound port changed from direct to macvtap (CVE-2022-37394)
15:15:35 that's in progress but stalled for the past ~6 weeks looks like
15:16:03 #link https://review.opendev.org/850003 Gracefully ERROR in _init_instance if vnic_type changed
15:16:33 is the proposed fix in master, and has review priority set, but no activity there for several weeks
15:17:18 anyone want to prod the nova reviewers to try and not end up carrying this vulnerability into the zed release?
15:18:23 #action fungi reach out to nova reviewers about 850003
15:18:52 #link https://launchpad.net/bugs/1980954 Resource leak with HTTPBadRequest in StaticLargeObject.get_slo_segments
15:19:42 it appears the swift folks merged a couple of fixes for that, and so 2.30.0 (their latest release from master) is supposedly no longer impacted
15:21:44 it's been pretty quiet though, and nobody responded to my question about backports, so we should probably assume the maintainers have limited interest in any backporting for that, switch it to class b1, and encourage interested community members to either write up an ossn about it or make backports (in which case we can switch back to class a and publish an advisory)
15:22:28 #action fungi switch bug 1981813 to class b1 for now
15:24:19 the other 6 public bugs in lp are years old since their last updates, so we should probably assume limited community interest and ignore unless someone revives them
15:24:46 #action fungi switch advisory tasks for old public security bugs to won't fix for now
15:25:34 #topic PTG Planning
15:26:37 #link https://lists.openstack.org/pipermail/openstack-discuss/2022-August/029823.html Any interest in getting together at the PTG?
15:27:29 that was back when it was still going to be in-person
15:27:52 tonyb replied that he's interested in having a security sig session, but maybe now that it's going virtual more of you are interested in participating?
15:28:23 slots are already starting to fill up
15:28:37 #link https://ptg.opendev.org/ptg.html PTG Schedule
15:29:22 i can try to pick an hour at a time when folks think will be convenient. are there any preferences, or conflicts with other teams i should try to avoid?
15:30:05 at a minimum i'll not book it over top of the tc sessions or the diversity and inclusion wg session, and try to avoid intersecting barbican or keystone times
15:30:43 #action fungi schedule an hour at the ptg for the security sig
15:31:01 anybody else have anything ptg-related?
15:34:15 i'll take your silence as a resounding no
15:34:21 #topic Open Discussion
15:34:30 what else ya got?
15:38:45 seems like a whole lot of nothing. next meeting will be in here on thursday october 6 at 15:00 utc
15:38:48 thanks everyone!
15:38:51 #endmeeting