15:01:32 <gagehugo> #startmeeting security
15:01:33 <openstack> Meeting started Thu Jun  6 15:01:32 2019 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:34 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:36 <openstack> The meeting name has been set to 'security'
15:03:10 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda agenda
15:03:53 <gagehugo> o/
15:05:20 <fungi> it's a packed agenda
15:05:31 <fungi> (packed so tightly you can barely see it!)
15:05:40 <gagehugo> microscopic agenda
15:06:05 <fungi> so i guess... plenty of time for anyone to raise topics on the fly in here
15:06:17 <gagehugo> yup
15:06:48 <gagehugo> I guess we can talk about the openstack-security mailing list?
15:07:10 <gagehugo> I've been getting emails from it, so someone still uses it
15:07:17 <gagehugo> I think so anyway
15:07:52 * gagehugo could be mixing it up with oss-security
15:08:32 <fungi> oss-security != openstack-security
15:08:44 <gagehugo> yeah
15:09:03 <gagehugo> I have them both routed to a folder for security stuff
15:09:21 <fungi> i get messages from openstack-security, but they're pretty much exclusively from the fact that its address is subscribed to all launchpad bugs for projects which are listed as being part of openstack when the "security" bugtag is applied
15:09:22 <gagehugo> I see launchpad emitted one this month http://lists.openstack.org/pipermail/openstack-security/2019-June/005846.html
15:09:29 <gagehugo> yeah
15:09:52 <gagehugo> Did we want to see about discontinuing that list?
15:10:09 <fungi> right, the only other messages it receives are from well-meaning people who have mistakenly thought it was our security contact address
15:10:18 <gagehugo> heh
15:10:25 <fungi> so it is somewhat of an attractive nuisance in that regard
15:10:43 <fungi> right, so here's the current state of the openstack-security ml:
15:11:10 <fungi> it's basically only being used to aggregate automated messages and then disseminate them
15:11:24 <gagehugo> yeah, looking back through the months and that seems to be the case
15:11:49 <fungi> that's actually been the case for something like 4 years now
15:12:05 <fungi> its current description does not reflect that however
15:12:08 <fungi> #link http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
15:12:17 <fungi> "A central point for security discussion within OpenStack. Used primarily for project co-ordination within the OpenStack Security Group."
15:12:36 <fungi> also, the list owner is no longer involved:
15:12:44 <fungi> "Openstack-security list run by robert.clark at hp.com, hyakuhei at gmail.com"
15:12:56 <gagehugo> ah
15:13:24 <fungi> as an administrator of the server that's hosted on, i have the ability to reassign ownership of the list to one or more of us
15:13:35 <fungi> we have a few options...
15:13:53 <fungi> we can try to revive the list for its stated purpose (for the record i don't think that's a good idea)
15:14:30 <fungi> we can keep it for its current actual use and just correct the description and maybe improve the configuration a bit (i'm ambivalent about this one)
15:14:58 <gagehugo> or just reroute the current notifications to -discuss?
15:15:02 <gagehugo> and retire it?
15:15:11 <fungi> or we can shut it down entirely and just leave the archive, yes
15:15:43 <gagehugo> I think that would be beneficial for getting more info out on public bugs
15:15:44 <fungi> i don't think we need to alias its addresses to openstack-discuss since almost no humans try to send messages to it
15:15:57 <gagehugo> ok
15:16:14 <fungi> i'm less okay with having launchpad send automated messages to the discussion ml
15:16:24 <gagehugo> ok
15:16:43 <gagehugo> is it worth launchpad to continue sending those out?
15:17:18 <fungi> for example, we do maintain an openstack-stable-maint ml and a release-announce ml and a release-job-failures ml for automated messages
15:17:35 <fungi> so the current use of openstack-security is in line with those examples if we want to keep it around
15:18:01 <gagehugo> I think the automated announcements are probably worth keeping imo
15:18:22 <fungi> in that case, probably the second option i outlined
15:18:26 <gagehugo> so changing the mailing list's stated purpose
15:18:30 <gagehugo> ok
15:18:41 <fungi> we keep it around for now, but correct the config and get active maintainers for it
15:18:46 <gagehugo> yeah
15:18:50 <gagehugo> I'm fine with that
15:19:21 <fungi> i think it'll be very low-maintenance because we can explicitly whitelist the senders for those automated systems and then automatically reject mail from anyone else
15:19:31 <fungi> so no moderation activities required
15:20:12 <gagehugo> nice
15:20:17 <fungi> it currently has 586 subscribers (no idea how many of those are defunct and just not bouncing messages back)
15:20:56 <fungi> for comparison, that's basically half the number of openstack-discuss subscribers, though again it's been around for faaaaar longer
15:21:14 <gagehugo> hmm ok
15:21:15 <fungi> and these lists tend to accumulate cruft subscribers
15:22:15 <fungi> of those 586 subscribers, 17 are set not to receive mail
15:23:00 <fungi> 120 are set to receive only periodic digests
15:23:05 <gagehugo> ok
15:23:24 <fungi> but anyway, it's a fairly large number of subscribers, some proportion of whom do find value in it presumably
15:23:40 <fungi> and the effort involved in keeping it is minimal
15:23:53 <fungi> so i'm okay with sprucing it up a little
15:26:03 <gagehugo> sounds good then
15:30:04 <gagehugo> fungi: internet died for a minute if you said anything
15:30:55 <fungi> #info gagehugo's and fungi's addresses from the VMT contact list have been set as the new owners of the openstack-security ML and the administrative password reset
15:31:12 <fungi> i was silently doing ^
15:31:14 <gagehugo> ok cool
15:31:47 <fungi> we can sync up later (maybe early next week?) on how we want to reword things there and what options we may want to set/change
15:32:12 <gagehugo> sure, otherwise it can be a meeting item next week if it's another quiet week haha
15:32:34 <fungi> i have no problem with that
15:33:53 <gagehugo> ok
15:36:12 <gagehugo> #action discuss rewording the mailing list description and options to set/change next week
15:36:30 <gagehugo> fungi: anything else?  I will wordsmith this into the weekly newsletter
15:36:41 <fungi> nothing else from me, thanks!
15:36:56 <fungi> oh, there are a few things i guess could be mentioned
15:37:07 <fungi> though also fodder for the newsletter...
15:37:08 <gagehugo> sure
15:37:43 <fungi> the scientific sig meeting this week featured a discussion on secure computing environments, if anyone here is interested in the transcript or wants to reach out to the participants about anything:
15:38:12 <fungi> #link http://eavesdrop.openstack.org/meetings/scientific_sig/2019/scientific_sig.2019-06-05-11.00.log.html#l-93 scientific sig discussion on secure computing environments
15:38:49 <fungi> also, the pop-up team proposal for image encryption could use some input:
15:39:02 <fungi> #link https://review.opendev.org/661983 Adding Image Encryption as a popup team
15:39:54 <fungi> oh, and storyboard work is nearly in place for a mechanism to auto-assign security teams to private stories marked "security":
15:40:24 <gagehugo> nice
15:40:52 <fungi> #link https://review.opendev.org/#/q/topic:security-teams security teams feature for storyboard
15:41:20 <fungi> the api side is in place, and the webclient part is currently under review
15:41:46 <fungi> and that's all the security-related news i can think of off the top of my head
15:42:02 <gagehugo> awesome, I added those to the news section
15:42:50 <gagehugo> thanks fungi!
15:42:53 <fungi> thanks gagehugo!
15:42:57 <gagehugo> #endmeeting