[security] Weekly Newsletter - 29 Aug 2019
The last two weeks had no meeting activity, however this week we had plenty, so here's the summary. Hope everyone has a great weekend!

#Date: 29 Aug 2019

- Security SIG Meeting Info: http://eavesdrop.openstack.org/#Security_SIG_meeting
- Weekly on Thursday at 1500 UTC in #openstack-meeting
- Agenda: https://etherpad.openstack.org/p/security-agenda
- https://security.openstack.org/
- https://wiki.openstack.org/wiki/Security-SIG

#Meeting Notes

- Summary: http://eavesdrop.openstack.org/meetings/security/2019/security.2019-08-29-15...
- OSSA-2019-004 was released this week, more details here: https://security.openstack.org/ossa/OSSA-2019-004.html
- The VMT is currently in the process of updating the requirements for a project to obtain the "vulnerability:managed" tag, there is a current change in progress here: https://review.opendev.org/#/c/678426/
  - The main goal is to reduce the barrier of entry by not explicitly requiring an audit being performed on the project (but still recommending it), as well as clarifications on other guidelines
- The security docs are continuing to see updates: https://review.opendev.org/#/q/project:openstack/security-doc
  - Shoutout to nickthetait for taking on this work, and to those reviewing it as well!
- We discussed the default policy file discrepancies in Cinder/Nova in the Queens release, it appears that several projects have different file defaults for policy.
  - This is causing issues when a policy file works fine in one release, but after upgrading, the file is no longer automatically detected.
  - One path forward is to open a security docs bug to track these and look for a way to resolve this.

#VMT Reports

- A full list of publicly marked security issues can be found here: https://bugs.launchpad.net/ossa/
- OSSA-2019-004 was released this week, more details here: https://security.openstack.org/ossa/OSSA-2019-004.html
participants (1)
-
Gage Hugo