15:01:06 #startmeeting security
15:01:07 Meeting started Thu Jun 13 15:01:06 2019 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:08 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:10 The meeting name has been set to 'security'
15:01:20 #link https://etherpad.openstack.org/p/security-agenda agenda
15:01:25 o/
15:03:01 aloha security folks
15:05:11 #topic openstack-security mailing list reassigning
15:05:20 fungi: we talked about this last week
15:05:36 yup, you should have received a notification of the password reset
15:05:51 yeah I did last week
15:06:47 if you log into the admin interface with that, you'll see the general page with most of the things we probably want to change
15:06:53 ok
15:07:03 chief amongst those is likely the description
15:07:45 we need some brief (sentence or so worth of) prose explaining that this list receives automated notifications about security-related bugs and code changes
15:08:43 ok
15:09:33 i just now updated the subscription rules so that only admins can see the list of subscribers
15:10:27 sure, I can update the description then today
15:13:10 i've also cleaned up the sender filters just now, as they were full of a bunch of stale whitelisted and blacklisted addresses surely no longer relevant
15:13:33 i left the blanket rules in place for launchpad.net and openstack.org addresses
15:13:55 so that gerrit and lp can continue to send info like they have been
15:15:13 i've also set the moderation bit for all current subscribers and configured it to set the moderation bit for any new subscriber in the future
15:15:35 this way anyone sending to the list other than from those whitelisted sources will hit the moderation queue, even if they're subscribed
15:16:25 i'll endeavor to keep an eye out for any new messages landing in moderation for the next while to make sure we haven't missed whitelisting anything important
15:16:49 and then we can switch the default action from moderate to reject
15:16:57 so we no longer have to keep an eye on that
15:17:49 there were also a bunch of old messages stuck in moderation (probably a thousand or more). i wasn't going to review each and every one so i discarded them to get us a clean slate
15:24:20 ok
15:24:26 sorry got pulled away for a minute
15:24:55 #action gagehugo and fungi to transition the mailing list
15:25:05 I will come up with a nice description today
15:25:17 #topic open discussion
15:25:25 fungi: did you have anything else?
15:25:39 at this point yeah it's mostly just lacking a corrected description and keeping an eye on the moderation queue until we're satisfied nothing important lands there
15:26:21 the security team autoassignment feature landed in storyboard over the weekend
15:26:36 i haven't played around with getting that set up for the vmt yet
15:26:53 er, auto acl addition
15:27:02 i keep saying assignment, it's not assignment
15:27:07 nice
15:27:37 feature so that projects can be marked to auto-add access for specific teams on private stories marked security
15:27:53 this also added separate classifications for private and security stories
15:28:29 if a new story is marked as security when it's being created, it will automatically start out private and has to be edited after creation to make it public
15:28:38 ah ok
15:29:26 so that should help reduce the number of people accidentally filing security stories public due to not understanding the interface
15:30:50 yeah
15:33:45 i don't think i had anything else to bring up this week
15:34:24 ok, thanks fungi!
15:34:30 #endmeeting