2023-07-18 Meeting notes



Discussion items

Timing of releases (Team)

Should we release both fixes together, or independently?

  • A fix for the first module (more critical) can be released as soon as tomorrow AM ET.
  • A fix for the second module can be released no sooner than Thursday.

Now that the question has been posed to #Sys-Ops, how long do we wait for responses before making a decision/plan?

  • Give it a few hours (3:00 PM ET) and make a call.

From the Security team's perspective it would be preferred to release both modules at the same time on Thursday.

Craig McNally will convey this to Oleksii P. and the two development teams involved once a decision has been made.

We agree with the approach of announcing the module releases to the sys-ops community prior to announcing the CSP of which these module releases will eventually be part. The CSP release announcements are made to a broader swath of the community.

Preparing notifications to send out when releases are available (Team)

The fix involves not only updating the module, but also additional operational changes.  How do we want to communicate this w/o essentially describing the exploit?

  • There's nothing we can do about it.  We need to describe how to patch the vulnerability.  It's inevitable that some will read between the lines and gain an understanding of the exploit from this information.

How to improve this process going forward (Team)

A Google Doc has been created and shared in our (private) Slack channel. Please add notes/suggestions/concerns/ideas/etc. there while this is all fresh in our minds. Once the dust settles we'll need to have a retrospective about this and see how the processes can be improved.

N.B. I don't think there's anything sensitive in that document but please keep it internal to the security team for now since it's a "live" document and someone could potentially add sensitive information by mistake/inadvertently. 

Action items