Open Hour 2020-NOV-05

January 23, 2021 - slangadmin



General News

SaltConf20 Recap

  • Very positive feedback and turnout for the conference
  • SaltConf20 videos should be available by this weekend

If anyone has content they would love to share with the community, inspired by SaltConf20 or otherwise, we’d love to hear! Please reach out to Janae on the Salt Community Slack, or via email: ???

  • Randy Thompson said he’d love to talk and present more on Tiamat

Point Release: Nov. 18th, Wed.

  • Fix for the memory leak planned, with point-release on November 18th
  • There will be a community retrospective after the point release, during the Open Hour on Nov. 19th

CVE Release

CVE-release Feedback

What’s the best release method going forward, for an open-source project?

This was a messy release due to discovering a new CVE in the process of preparing an initial release fixing some of the CVEs. There was also the timing around the acquisition, and on timelines where SaltStack provides CVE fixes early to SaltStack Enterprise customers so that they have time to apply fixes before public releases/announcements.


  • Provide impacted libraries or components of Salt, without giving details on the nature of the CVE.
    • This can help provide users of Salt a heads up on what to secure/review before release, to ensure best practices and security hardening is in place.
  • Salt has leaned toward saying little before CVE release, in order to not tip off bad actors. This is a topic that is heavily debated. Salt has followed the philosophy that we only release public information once the fix is publicly released.
  • With this release being salt-api related, it may be a good idea to make/keep salt-api as a separate, standalone project outside of salt itself.
  • In the world of tech today, there has become a large focus on using APIs. salt-api should be revisited, rewritten, and likely separated from salt. Randy Thompson suggested a rewrite of it with FastAPI, or even a pop-focused approach to the development of it.
  • How do we provide release candidates in a fashion that gains further adoption? The first major release, before point release, seems to be generally considered the Release Candidate. This leads to people waiting to upgrade until the point release, due to the expectation that the initial release will be buggy.
  • We need more smoketests/functional tests. We have plenty of unit tests, but we don’t have easy ways to run the latest version of salt with several states, execution module calls, etc. in a demo/test salt environment that stands up with the latest and greatest.
  • What is fuzzing was introduced against salt in tests to help reveal problems?

Third-party Security Audits of Salt

SaltStack has recently been acquired by VMware, and we are are deploying auditing tools created and used internally by VMware. VMware will be assisting, moving forward, with continual security audits, scans, and checks mandated by VMware. We now have full access to the internal security suite and teams internally at VMware, and this will result in better security posture with the Salt project.

Working groups, community calendar, and general community

SEP for an Advisory Board for Salt: SEP 27: Create Community Advisory Board

If people are interested in starting a new group like a Security Working Group, which could also collab with a Testing Working Group? Would you like to join a working group that is working on these sort of problems? Please reach out to

Checkout the SaltStack community Google calendar for upcoming events and streams.

Do you want to get more involved in salt and the SaltStack community? Get involved:

The Documentation Group, and Docs Clinics

Existing SEPs

All PRs in the SEPs repo represent open discussions on Salt Enhancement Proposals.