15:01:32 <gagehugo> #startmeeting security 15:01:33 <openstack> Meeting started Thu Jun 6 15:01:32 2019 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:01:34 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 15:01:36 <openstack> The meeting name has been set to 'security' 15:03:10 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda agenda 15:03:53 <gagehugo> o/ 15:05:20 <fungi> it's a packed agenda 15:05:31 <fungi> (packed so tightly you can barely see it!) 15:05:40 <gagehugo> microscopic agenda 15:06:05 <fungi> so i guess... plenty of time for anyone to raise topics on the fly in here 15:06:17 <gagehugo> yup 15:06:48 <gagehugo> I guess we can talk about the openstack-security mailing list? 15:07:10 <gagehugo> I've been getting emails from it, so someone still uses it 15:07:17 <gagehugo> I think so anyway 15:07:52 * gagehugo could be mixing it up with oss-security 15:08:32 <fungi> oss-security != openstack-security 15:08:44 <gagehugo> yeah 15:09:03 <gagehugo> I have them both routed to a folder for security stuff 15:09:21 <fungi> i get messages from openstack-security, but they're pretty much exclusively from the fact that its address is subscribed to all launchpad bugs for projects which are listed as benig part of openstack when the "security" bugtag is applied 15:09:22 <gagehugo> I see launchpad emitted one this month http://lists.openstack.org/pipermail/openstack-security/2019-June/005846.html 15:09:29 <gagehugo> yeah 15:09:52 <gagehugo> Did we want to see about discontinuing that list? 15:10:09 <fungi> right, the only other messages it receives are from well-meaning people who have mistakenly thought it was our security contact address 15:10:18 <gagehugo> heh 15:10:25 <fungi> so it is somewhat of an attractive nuisance in that regard 15:10:43 <fungi> right, so here's the current state of the openstack-security ml: 15:11:10 <fungi> it's basically only being used as to aggregate automated messages and then disseminate them 15:11:24 <gagehugo> yeah, looking back through the months and that seems to be the case 15:11:49 <fungi> that's actually been the case for something like 4 years now 15:12:05 <fungi> its current description does not reflect that however 15:12:08 <fungi> #link http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security 15:12:17 <fungi> "A central point for security discussion within OpenStack. Used primarily for project co-ordination within the OpenStack Security Group." 15:12:36 <fungi> also, the list owner is no longer involved: 15:12:44 <fungi> "Openstack-security list run by robert.clark at hp.com, hyakuhei at gmail.com" 15:12:56 <gagehugo> ah 15:13:24 <fungi> as an administrator of the server that's hosted on, i have the ability to reassign ownership of the list to one or more of us 15:13:35 <fungi> we have a few options... 15:13:53 <fungi> we can try to revive the list for its stated purpose (for the record i don't think that's a good idea) 15:14:30 <fungi> we can keep it for its current actual use and just correct the description and maybe improve the configuration a bit (i'm ambivalent about this one) 15:14:58 <gagehugo> or just reroute the current notifications to -discuss? 15:15:02 <gagehugo> and retire it? 15:15:11 <fungi> or we can shut it down entirely and just leave the archive, yes 15:15:43 <gagehugo> I think that would be beneficial for getting more info out on public bugs 15:15:44 <fungi> i don't think we need to alias its addresses to openstack-discuss since almost no humans try to send messages to it 15:15:57 <gagehugo> ok 15:16:14 <fungi> i'm less okay with having launchpad send automated messages to the discussion ml 15:16:24 <gagehugo> ok 15:16:43 <gagehugo> is it worth launchpad to continue sending those out? 15:17:18 <fungi> for example, we do maintain an openstack-stable-maint ml and a release-announce ml and a release-job-failures ml for automated messages 15:17:35 <fungi> so the current use of openstack-security is in line with those examples if we want to keep it around 15:18:01 <gagehugo> I think the automated announcements are probably worth keeping imo 15:18:22 <fungi> in that case, probably the second option i outlined 15:18:26 <gagehugo> so changing the mailing list's stated purpose 15:18:30 <gagehugo> ok 15:18:41 <fungi> we keep it around for now, but correct the config and get active maintainers for it 15:18:46 <gagehugo> yeah 15:18:50 <gagehugo> I'm fine with that 15:19:21 <fungi> i thnik it'll be very low-maintenance because we can explicitly whitelist the senders for those automated systems and then automatically reject mail from anyone else 15:19:31 <fungi> so no moderation activities required 15:20:12 <gagehugo> nice 15:20:17 <fungi> it currently has 586 subscribers (no idea how many of those are defunct and just not bouncing messages back) 15:20:56 <fungi> for comparison, that's basically half the number of openstack-discuss subscribers, though again it's been around for faaaaar longer 15:21:14 <gagehugo> hmm ok 15:21:15 <fungi> and these lists tend to accumulate cruft subscribers 15:22:15 <fungi> of those 586 subscribers, 17 are set not to receive mail 15:23:00 <fungi> 120 are set to receive only periodic digests 15:23:05 <gagehugo> ok 15:23:24 <fungi> but anyway, it's a fairly large number of subscribers, some proportion of whom do find value in it presumably 15:23:40 <fungi> and the effort involved in keeping it is minimal 15:23:53 <fungi> so i'm okay with sprucing it up a little 15:26:03 <gagehugo> sounds good then 15:30:04 <gagehugo> fungi: internet died for a minute if you said anything 15:30:55 <fungi> #info gagehugo's and fungi's addresses from the VMT contact list have been set as the new owners of the openstack-security ML and the administrative password reset 15:31:12 <fungi> i was silently doing ^ 15:31:14 <gagehugo> ok cool 15:31:47 <fungi> we can sync up later (maybe early next week?) on how we want to reword things there and what options we may want to set/change 15:32:12 <gagehugo> sure, otherwise it can be a meeting item next week if it's another quiet week haha 15:32:34 <fungi> i have no problem with that 15:33:53 <gagehugo> ok 15:36:12 <gagehugo> #action discuss rewording the mailing list description and options to set/change next week 15:36:30 <gagehugo> fungi: anything else? I will wordsmith this into the weekly newsletter 15:36:41 <fungi> nothing else from me, thanks! 15:36:56 <fungi> oh, there are a few things i guess could be mentioned 15:37:07 <fungi> though also fodder for the newsletter... 15:37:08 <gagehugo> sure 15:37:43 <fungi> the scientific sig meeting this week featured a discussion on secure computing environments, if anyone here is interested in the transcript or wants to reach out to the participants about anything: 15:38:12 <fungi> #link http://eavesdrop.openstack.org/meetings/scientific_sig/2019/scientific_sig.2019-06-05-11.00.log.html#l-93 scientific sig discussion on secure computing environments 15:38:49 <fungi> also, the pop-up team proposal for image encryption could use some input: 15:39:02 <fungi> #link https://review.opendev.org/661983 Adding Image Encryption as a popup team 15:39:54 <fungi> oh, and storyboard work is nearly in place for a mechanism to auto-assign security teams to private stories marked "security": 15:40:24 <gagehugo> nice 15:40:52 <fungi> #link https://review.opendev.org/#/q/topic:security-teams security teams feature for storyboard 15:41:20 <fungi> the api side is in place, and the webclient part is currently under review 15:41:46 <fungi> and that's all the security-related news i can think of off the top of my head 15:42:02 <gagehugo> awesome, I added those to the news section 15:42:50 <gagehugo> thanks fungi! 15:42:53 <fungi> thanks gagehugo! 15:42:57 <gagehugo> #endmeeting