14:03:33 <LHinds> #startmeeting security group 02/03/2016
14:03:33 <collabot`> Meeting started Wed Mar 2 14:03:33 2016 UTC. The chair is LHinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:03:33 <collabot`> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:03:33 <collabot`> The meeting name has been set to 'security_group_02_03_2016'
14:04:05 <LHinds> ok, not many here. but you're here Sona, which is a key member!
14:04:20 <Sona> haha :)
14:04:21 <LHinds> let me just get some URLs
14:04:48 <LHinds> so agenda is the Security Guide, and Badging Program
14:04:51 <LHinds> any other additions?
14:04:57 <Sona> unfortunately I haven't done much this week, I was busy patching glibc / openssl critical CVEs
14:05:20 <LHinds> no problem
14:05:26 <LHinds> #topic Security Guide
14:05:40 <LHinds> ok, as requested I have got us a jira to track patches
14:06:08 <LHinds> this will be useful for also tracking the CI badge program, which will kick off soon now that the release is made
14:06:12 <LHinds> #link https://jira.opnfv.org/projects/SECURITY/issues/SECURITY-12?filter=allopenissues
14:06:26 <LHinds> I will start trying to find people to assign chapters to
14:06:36 <Sona> thanks
14:06:37 <LHinds> Sona, you have compute as your issue.
14:06:43 <Sona> yes
14:07:00 <LHinds> in fact this is the label to sort by just the security guide:
14:07:03 <LHinds> #link https://jira.opnfv.org/browse/SECURITY-12?jql=labels%20%3D%20SECGUIDE
14:07:41 <Sona> good, I will pick one or more and start looking at it
14:08:20 <LHinds> I think that is it for the Security Guide.
14:08:28 <Sona> yes
14:08:30 <LHinds> #topic CI Badge Program
14:08:54 <Sona> I have one question regarding patching CVEs in OPNFV
14:08:55 <LHinds> So I spoke with Aric last night and he needs a week to catch up from tickets opened over the week
14:09:20 <LHinds> after that we will start on the CI badge program
14:09:25 <Sona> do critical CVEs such as SSL/TLS affect OPNFV releases?
14:09:29 <LHinds> Jira will be used to track tickets again
14:09:37 <LHinds> #topic CVE patching
14:09:55 <LHinds> #info Sona asked 'do critical CVEs such as SSL/TLS affect OPNFV releases?'
14:10:24 <LHinds> Hi Sona, yes, but we made a decision to let the respective distributions notify and patch the OS
14:10:47 <LHinds> so as the CVE is not in the OPNFV code, we expect operators and distributors to handle that
14:10:48 <Sona> good
14:11:02 <Sona> so we need only care about code added by OPNFV
14:11:08 <LHinds> So everyone should know how to run 'apt-get update', 'yum update' etc
14:11:17 <LHinds> Very much, Sona
14:11:24 <Sona> that's right
14:11:59 <LHinds> Else what might happen is they start to blame us, as we did not tell them to patch glibc or whatever
14:12:06 <LHinds> We don't need that on our hands :)
14:12:20 <Sona> that is right :)
14:12:33 <LHinds> But we can notify people in a helpful manner, main thing is that we ask them to refer to the distributor for how to patch
14:12:54 <Sona> sure
14:12:56 <LHinds> So you as a security group member can email the list, to let them know as a friendly tip-off.
14:13:19 <Sona> yes we could
14:13:39 <LHinds> We just need to be sure they don't adopt the perspective that we will be a point of notification every time.
14:13:54 <LHinds> Unless of course, it's opnfv code
14:14:14 <Sona> most distros send updates anyway
14:15:00 <LHinds> yep, they seem to get them out in sync with public disclosure, so it works well.
14:15:34 <LHinds> #topic any other business?
14:15:46 <LHinds> any other points, or general discussions to have?
14:16:00 <Sona> not from me thanks
14:16:08 <LHinds> that's me too! :)
14:16:38 <LHinds> I guess aripie maybe has a cold or holidays, so I will put minutes up
14:16:46 <LHinds> last week's minutes are up as well
14:17:07 <LHinds> ok, good to speak!
14:17:10 <LHinds> over and out
14:17:12 <LHinds> #endmeeting