15:01:06 <gagehugo> #startmeeting security
15:01:07 <openstack> Meeting started Thu Jun 13 15:01:06 2019 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:08 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:10 <openstack> The meeting name has been set to 'security'
15:01:20 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda agenda
15:01:25 <gagehugo> o/
15:03:01 <fungi> aloha security folks
15:05:11 <gagehugo> #topic openstack-security mailing list reassigning
15:05:20 <gagehugo> fungi: we talked about this last week
15:05:36 <fungi> yup, you should have received a notification of the password reset
15:05:51 <gagehugo> yeah I did last week
15:06:47 <fungi> if you log into the admin interface with that, you'll see the general page with most of the things we probably want to change
15:06:53 <gagehugo> ok
15:07:03 <fungi> chief amongst those is likely the description
15:07:45 <fungi> we need some brief (sentence or so worth of) prose explaining that this list receives automated notifications about security-related bugs and code changes
15:08:43 <gagehugo> ok
15:09:33 <fungi> i just now updated the subscription rules so that only admins can see the list of subscribers
15:10:27 <gagehugo> sure, I can update the description then today
15:13:10 <fungi> i've also cleaned up the sender filters just now, as they were full of a bunch of stale whitelisted and blacklisted addresses surely no longer relevant
15:13:33 <fungi> i left the blanket rules in place for launchpad.net and openstack.org addresses
15:13:55 <fungi> so that gerrit and lp can continue to send info like they have been
15:15:13 <fungi> i've also set the moderation bit for all current subscribers and configured it to set the moderation bit for any new subscriber in the future
15:15:35 <fungi> this way anyone sending to the list other than from those whitelisted sources will hit the moderation queue, even if they're subscribed
15:16:25 <fungi> i'll endeavor to keep an eye out for any new messages landing in moderation for the next while to make sure we haven't missed whitelisting anything important
15:16:49 <fungi> and then we can switch the default action from moderate to reject
15:16:57 <fungi> so we no longer have to keep an eye on that
15:17:49 <fungi> there were also a bunch of old messages stuck in moderation (probably a thousand or more). i wasn't going to review each and every one so i discarded them to get us a clean slate
15:24:20 <gagehugo> ok
15:24:26 <gagehugo> sorry got pulled away for a minute
15:24:55 <gagehugo> #action gagehugo and fungi to transition the mailing list
15:25:05 <gagehugo> I will come up with a nice description today
15:25:17 <gagehugo> #topic open discussion
15:25:25 <gagehugo> fungi: did you have anything else?
15:25:39 <fungi> at this point yeah it's mostly just lacking a corrected description and keeping an eye on the moderation queue until we're satisfied nothing important lands there
15:26:21 <fungi> the security team autoassignment feature landed in storyboard over the weekend
15:26:36 <fungi> i haven't played around with getting that set up for the vmt yet
15:26:53 <fungi> er, auto acl addition
15:27:02 <fungi> i keep saying assignment, it's not assignment
15:27:07 <gagehugo> nice
15:27:37 <fungi> feature so that projects can be marked to auto-add access for specific teams on private stories marked security
15:27:53 <fungi> this also added separate classifications for private and security stories
15:28:29 <fungi> if a new story is marked as security when it's being created, it will automatically start out private and has to be edited after creation to make it public
15:28:38 <gagehugo> ah ok
15:29:26 <fungi> so that should help reduce the number of people accidentally filing security stories public due to not understanding the interface
15:30:50 <gagehugo> yeah
15:33:45 <fungi> i don't think i had anything else to bring up this week
15:34:24 <gagehugo> ok, thanks fungi!
15:34:30 <gagehugo> #endmeeting