2023-07-18 Meeting notes
Date
Jul 18, 2023
Attendees
Name | Present |
|---|---|
@Craig McNally | Y |
@Julian Ladisch | Y |
@Axel Dörrer | Y |
@Ryan Berger |
|
@Chris Rutledge | Y |
@Jakub Skoczen |
|
@John Coburn |
|
@Skott Klebe |
|
|
|
Discussion items
Time | Item | Who | Notes |
|---|---|---|---|
* | Timing of releases | Team | Should we release both fixes together, or independently?
Now that the question has been posed to #Sys-Ops, how long do we wait for responses before making a decision/plan?
From the Security team's perspective it would be preferred to release both modules at the same time on Thursday. @Craig McNally will convey this to Oleksii P. and the two development teams involved once a decision has been made. We agree with the approach of announcing the module releases to the sys-ops community prior to announcing the CSP in which these module releases will eventually be part of. The CSP release announcements are made to a broader swath of the community. |
* | Preparing notifications to send out when releases are available | Team | The fix involves not only updating the module, but also additional operational changes. How do we want to communicate this w/o essentially describing the exploit?
|
* | How to improve this process going forward | Team | A google doc has been created and shared in our (private) slack channel. Please add notes/suggestions/concerns/idea/etc. there while this is all fresh in our minds. Once the dust settles we'll need to have a retrospective about this and see how the processes can be improved.
N.B. I don't think there's anything sensitive in that document but please keep it internal to the security team for now since it's a "live" document and someone could potentially add sensitive information by mistake/inadvertently. |
Action items