<div dir="ltr">Last two weeks had no meeting activity, however this week we had plenty, so here's the summary.<div>Hope everyone has a great weekend!</div><div><br></div><div><div id="gmail-magicdomid253" class="gmail-ace-line" style="margin:0px;padding:0px;color:rgb(0,0,0);font-family:"Helvetica Neue",Arial,sans-serif;font-size:12px">#Date: 29 Aug 2019<br></div><div id="gmail-magicdomid255" class="gmail-ace-line" style="margin:0px;padding:0px;color:rgb(0,0,0);font-family:"Helvetica Neue",Arial,sans-serif;font-size:12px"><ul class="gmail-list-indent1" style="margin:0px 0px 0px 1.5em;padding:0px;list-style-type:none"><li style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">Security SIG Meeting Info: </span><span class="gmail-url" style="margin:0px;padding:1px 0px"><a href="http://eavesdrop.openstack.org/#Security_SIG_meeting" style="margin:0px;padding:0px;white-space:pre-wrap">http://eavesdrop.openstack.org/#Security_SIG_meeting</a></span></li></ul></div><div id="gmail-magicdomid256" class="gmail-ace-line" style="margin:0px;padding:0px;color:rgb(0,0,0);font-family:"Helvetica Neue",Arial,sans-serif;font-size:12px"><ul class="gmail-list-indent1" style="margin:0px 0px 0px 1.5em;padding:0px;list-style-type:none"><li style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">Weekly on Thursday at 1500 UTC in #openstack-meeting</span></li></ul></div><div id="gmail-magicdomid257" class="gmail-ace-line" style="margin:0px;padding:0px;color:rgb(0,0,0);font-family:"Helvetica Neue",Arial,sans-serif;font-size:12px"><ul class="gmail-list-indent1" style="margin:0px 0px 0px 1.5em;padding:0px;list-style-type:none"><li style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">Agenda: </span><span class="gmail-url" style="margin:0px;padding:1px 0px"><a href="https://etherpad.openstack.org/p/security-agenda" 
style="margin:0px;padding:0px;white-space:pre-wrap">https://etherpad.openstack.org/p/security-agenda</a></span></li></ul></div><div id="gmail-magicdomid258" class="gmail-ace-line" style="margin:0px;padding:0px;color:rgb(0,0,0);font-family:"Helvetica Neue",Arial,sans-serif;font-size:12px"><ul class="gmail-list-indent1" style="margin:0px 0px 0px 1.5em;padding:0px;list-style-type:none"><li style="margin:0px;padding:0px"><span class="gmail-url" style="margin:0px;padding:1px 0px"><a href="https://security.openstack.org/" style="margin:0px;padding:0px;white-space:pre-wrap">https://security.openstack.org/</a></span></li></ul></div><div id="gmail-magicdomid259" class="gmail-ace-line" style="margin:0px;padding:0px;color:rgb(0,0,0);font-family:"Helvetica Neue",Arial,sans-serif;font-size:12px"><ul class="gmail-list-indent1" style="margin:0px 0px 0px 1.5em;padding:0px;list-style-type:none"><li style="margin:0px;padding:0px"><span class="gmail-url" style="margin:0px;padding:1px 0px"><a href="https://wiki.openstack.org/wiki/Security-SIG" style="margin:0px;padding:0px;white-space:pre-wrap">https://wiki.openstack.org/wiki/Security-SIG</a></span></li></ul></div><div id="gmail-magicdomid39" class="gmail-ace-line" style="margin:0px;padding:0px;color:rgb(0,0,0);font-family:"Helvetica Neue",Arial,sans-serif;font-size:12px"><br style="margin:0px;padding:0px"></div><div id="gmail-magicdomid260" class="gmail-ace-line" style="margin:0px;padding:0px;color:rgb(0,0,0);font-family:"Helvetica Neue",Arial,sans-serif;font-size:12px"><span class="gmail-" style="margin:0px;padding:1px 0px">#Meeting Notes</span></div><div id="gmail-magicdomid261" class="gmail-ace-line" style="margin:0px;padding:0px;color:rgb(0,0,0);font-family:"Helvetica Neue",Arial,sans-serif;font-size:12px"><ul class="gmail-list-indent1" style="margin:0px 0px 0px 1.5em;padding:0px;list-style-type:none"><li style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">Summary: </span><span class="gmail-url" 
style="margin:0px;padding:1px 0px"><a href="http://eavesdrop.openstack.org/meetings/security/2019/security.2019-08-29-15.00.html" style="margin:0px;padding:0px;white-space:pre-wrap">http://eavesdrop.openstack.org/meetings/security/2019/security.2019-08-29-15.00.html</a></span></li></ul></div><div id="gmail-magicdomid262" class="gmail-ace-line" style="margin:0px;padding:0px;color:rgb(0,0,0);font-family:"Helvetica Neue",Arial,sans-serif;font-size:12px"><ul class="gmail-list-indent1" style="margin:0px 0px 0px 1.5em;padding:0px;list-style-type:none"><li style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">OSSA-2019-004 was released this week, more details here: </span><span class="gmail-url" style="margin:0px;padding:1px 0px"><a href="https://security.openstack.org/ossa/OSSA-2019-004.html" style="margin:0px;padding:0px;white-space:pre-wrap">https://security.openstack.org/ossa/OSSA-2019-004.html</a></span></li></ul></div><div id="gmail-magicdomid263" class="gmail-ace-line" style="margin:0px;padding:0px;color:rgb(0,0,0);font-family:"Helvetica Neue",Arial,sans-serif;font-size:12px"><ul class="gmail-list-indent1" style="margin:0px 0px 0px 1.5em;padding:0px;list-style-type:none"><li style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">The VMT is currently in the process of updating the requirements for a project to obtain the "vulnerability:managed" tag, there is a current change in progress here: </span><span class="gmail-url" style="margin:0px;padding:1px 0px"><a href="https://review.opendev.org/#/c/678426/" style="margin:0px;padding:0px;white-space:pre-wrap">https://review.opendev.org/#/c/678426/</a></span></li></ul></div><div id="gmail-magicdomid264" class="gmail-ace-line" style="margin:0px;padding:0px;color:rgb(0,0,0);font-family:"Helvetica Neue",Arial,sans-serif;font-size:12px"><ul class="gmail-list-indent2" style="margin:0px 0px 0px 3em;padding:0px;list-style-type:none"><li
style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">The main goal is to reduce the barrier of entry by not explicitly requiring an audit being performed on the project (but still recommending it), as well as clarifications on other guidelines</span></li></ul></div><div id="gmail-magicdomid265" class="gmail-ace-line" style="margin:0px;padding:0px;color:rgb(0,0,0);font-family:"Helvetica Neue",Arial,sans-serif;font-size:12px"><ul class="gmail-list-indent1" style="margin:0px 0px 0px 1.5em;padding:0px;list-style-type:none"><li style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">The security docs are continuing to see updates: </span><span class="gmail-url" style="margin:0px;padding:1px 0px"><a href="https://review.opendev.org/#/q/project:openstack/security-doc" style="margin:0px;padding:0px;white-space:pre-wrap">https://review.opendev.org/#/q/project:openstack/security-doc</a></span></li></ul></div><div id="gmail-magicdomid266" class="gmail-ace-line" style="margin:0px;padding:0px;color:rgb(0,0,0);font-family:"Helvetica Neue",Arial,sans-serif;font-size:12px"><ul class="gmail-list-indent2" style="margin:0px 0px 0px 3em;padding:0px;list-style-type:none"><li style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">Shoutout to nickthetait for taking on this work, and to those reviewing it as well!</span></li></ul></div><div id="gmail-magicdomid267" class="gmail-ace-line" style="margin:0px;padding:0px;color:rgb(0,0,0);font-family:"Helvetica Neue",Arial,sans-serif;font-size:12px"><ul class="gmail-list-indent1" style="margin:0px 0px 0px 1.5em;padding:0px;list-style-type:none"><li style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">We discussed the default policy file discrepancies in Cinder/Nova in the Queens release, it appears that several projects have different file defaults for policy.</span></li></ul></div><div id="gmail-magicdomid268"
class="gmail-ace-line" style="margin:0px;padding:0px;color:rgb(0,0,0);font-family:"Helvetica Neue",Arial,sans-serif;font-size:12px"><ul class="gmail-list-indent2" style="margin:0px 0px 0px 3em;padding:0px;list-style-type:none"><li style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">This is causing issues when a policy file works fine in one release, but after upgrading, the file is no longer automatically detected.</span></li></ul></div><div id="gmail-magicdomid269" class="gmail-ace-line" style="margin:0px;padding:0px;color:rgb(0,0,0);font-family:"Helvetica Neue",Arial,sans-serif;font-size:12px"><ul class="gmail-list-indent2" style="margin:0px 0px 0px 3em;padding:0px;list-style-type:none"><li style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">One path forward is to open a security docs bug to track these and look for a way to resolve this.</span></li></ul></div><div id="gmail-magicdomid50" class="gmail-ace-line" style="margin:0px;padding:0px;color:rgb(0,0,0);font-family:"Helvetica Neue",Arial,sans-serif;font-size:12px"><br style="margin:0px;padding:0px"></div><div id="gmail-magicdomid270" class="gmail-ace-line" style="margin:0px;padding:0px;color:rgb(0,0,0);font-family:"Helvetica Neue",Arial,sans-serif;font-size:12px"><span class="gmail-" style="margin:0px;padding:1px 0px">#VMT Reports</span></div><div id="gmail-magicdomid271" class="gmail-ace-line" style="margin:0px;padding:0px;color:rgb(0,0,0);font-family:"Helvetica Neue",Arial,sans-serif;font-size:12px"><ul class="gmail-list-indent1" style="margin:0px 0px 0px 1.5em;padding:0px;list-style-type:none"><li style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">A full list of publicly marked security issues can be found here: </span><span class="gmail-url" style="margin:0px;padding:1px 0px"><a href="https://bugs.launchpad.net/ossa/" 
style="margin:0px;padding:0px;white-space:pre-wrap">https://bugs.launchpad.net/ossa/</a></span></li></ul></div><div id="gmail-magicdomid272" class="gmail-ace-line" style="margin:0px;padding:0px;color:rgb(0,0,0);font-family:"Helvetica Neue",Arial,sans-serif;font-size:12px"><ul class="gmail-list-indent1" style="margin:0px 0px 0px 1.5em;padding:0px;list-style-type:none"><li style="margin:0px;padding:0px"><span class="gmail-" style="margin:0px;padding:1px 0px">OSSA-2019-004 was released this week, more details here: </span><span class="gmail-url" style="margin:0px;padding:1px 0px"><a href="https://security.openstack.org/ossa/OSSA-2019-004.html" style="margin:0px;padding:0px;white-space:pre-wrap">https://security.openstack.org/ossa/OSSA-2019-004.html</a></span></li></ul></div></div></div>