15:00:26 <gagehugo> #startmeeting security
15:00:26 <openstack> Meeting started Thu Jan  9 15:00:26 2020 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:28 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:30 <openstack> The meeting name has been set to 'security'
15:00:42 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda agenda
15:01:27 <gagehugo> o/
15:01:31 <fungi> light agenda again this week
15:02:57 <mhen> o/
15:05:02 <gagehugo> #topic open discussion
15:06:08 <gagehugo> floor is open, light agenda today
15:08:10 <fungi> one thing worth thinking about
15:09:33 <fungi> once the vulnerability:managed policy update lands, that'll be a good opportunity for a review of currently covered projects against the remaining requirements
15:10:14 <gagehugo> Good point
15:10:50 <fungi> #link https://wiki.openstack.org/wiki/CrossProjectLiaisons#Vulnerability_management
15:11:44 <fungi> stuff like making sure that's updated, and teams have a reasonable number of members in them, and that defect trackers are configured so that private security issues are initially only shared with them and/or the vmt
15:12:35 <fungi> also closely scrutinize any multi-repo deliverables with the tag
15:13:10 <fungi> and make sure covered deliverables are marked as following some sort of release model
15:15:16 <gagehugo> ok
15:15:23 <fungi> oh, and a big one
15:15:52 <fungi> the vmt is going to need to declassify a bunch of long-private reports of suspected vulnerabilities once the 90-day limit goes into effect
15:16:05 <fungi> so we'll have a bunch of those to talk about when that happens, i expect
15:16:05 <gagehugo> yes that too
15:16:56 <fungi> as soon as that update goes into effect, we'll leave a consistent comment on all currently private security bugs
15:17:06 <fungi> and start the 90-day countdown
15:17:50 <fungi> also we probably should update our embargo preamble template with those details so new reports include the embargo limit timeframe
15:18:01 <gagehugo> sure
15:18:02 * fungi makes a to-do note
15:21:04 <gagehugo> couple things to do then
15:22:29 <fungi> yeah, i've added them to my personal to-do list, but that doesn't necessarily mean i have to be the one to do them
15:23:08 <gagehugo> I can tackle some in my spare time
15:23:14 <fungi> volunteers welcome (though to update still-embargoed vulnerabilities the volunteer needs to also volunteer to be on the vmt)
15:23:28 <fungi> (or already be on the vmt, sure)
15:26:16 <gagehugo> yup
15:26:23 <gagehugo> mhen: you have anything?
15:26:59 <mhen> nope
15:27:13 <gagehugo> mhen: fungi thanks for coming, have a good weekend!
15:27:15 <gagehugo> #endmeeting