20:00:14 #startmeeting barbican 20:00:15 Meeting started Mon Aug 24 20:00:14 2015 UTC and is due to finish in 60 minutes. The chair is redrobot. Information about MeetBot at http://wiki.debian.org/MeetBot. 20:00:16 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 20:00:18 The meeting name has been set to 'barbican' 20:00:57 heyo/ 20:01:04 \o/ 20:01:13 o/ 20:01:17 Howdy 20:01:20 o/ 20:01:21 o/ 20:01:58 o/ 20:02:49 Yo 20:02:59 welcome back jaosorior ! 20:03:06 o/ 20:03:09 o/ 20:03:21 As usual our agenda can be found here: 20:03:22 #link https://wiki.openstack.org/wiki/Meetings/Barbican 20:03:26 :D 20:03:28 #topic Action Items from last meeting 20:03:44 #link http://eavesdrop.openstack.org/meetings/barbican/2015/barbican.2015-08-17-20.01.html 20:04:08 so.... 20:04:13 o/ 20:04:16 I need to get better at these 20:04:25 #action redrobot to finish prioritizing liberty-2 bugs, and also check them for kilo status 20:04:35 #action redrobot to fix the stable/kilo gate failures during mid-cycle (in-progress) 20:04:42 #action 20:04:46 #action redrobot and alee to backport the DogTag gate fixes into stable/kilo after redrobot fixes the gate 20:04:58 all 3 of these are getting punted, because I'm lame 20:05:06 however 20:05:16 I did work with kfarr to get python-barbicanclient released 20:05:23 Hooray! 20:05:39 #link http://lists.openstack.org/pipermail/openstack-announce/2015-August/000546.html 20:06:05 and the last action item was for hockeynut 20:06:07 \o/ 20:06:14 but I do believe he's at a team-building outing today 20:06:21 so I'll punt that to next week as well 20:06:22 #action hockeynut to review bug tracking policies and give feedback 20:07:04 ok, moving on to the action items for today 20:07:23 #topic Merge Requirements 20:07:37 o/ 20:07:41 We talked about this in Vancouver, but I think it's worth revisiting 20:08:04 I've noticed that Castellan and python-barbicanclient patches have been lingering for along time 20:08:17 we had a Castellan patch with 2x +2 sit in the queue for over a week 20:08:36 before I merged it without waiting for a +W from a third reviewer 20:09:04 As many contributors have noted, we're the only OpenStack project that requires 3 core reviewers for a merge 20:09:11 all other projects only require 2 20:09:34 seems fair though, given the sensitive nature of some patches 20:09:47 slow, but fair ;) 20:09:54 elmiko, but not all patches are that sensitive 20:09:58 true 20:10:20 especially barbicanclient i suppose 20:10:26 elmiko, is what we're doing any less sensitive than what say keystone is doing? 20:10:43 good question 20:11:12 i guess not, but some of the crypto stuff seems like it should have more eyes on it 20:11:12 Maybe elmiko thinks keystone should do 3 +2s??? 20:11:31 :) 20:11:36 rellerreller: lol, no 20:11:53 * elmiko steps away from the land mine 20:12:04 lol 20:12:05 anyway... we don't have to make a decision today, but I did want to bring this up 20:12:14 It could be argued that given the variability of credentials that could be stored, that the aggregate sensitivity rating should be higher than that of Keystone. 20:12:40 * elmiko hands the ball to igueths 20:12:49 Hahaha 20:12:56 I think that perhaps patches with more crypto stuff might need more review, but the overall effect is a slowing down of patches going in. 20:12:57 =) 20:13:14 alee indeed... 20:13:16 alee: true, and i'm not arguing for slowing the process down 20:13:39 maybe a better compromise would be for our reviewers to call out that specific patches should get an additional +2 ? 20:13:45 would be nice if there was a clear way to mark higher sensitivity patches though, then the lower ones could get by with fewer +2s 20:13:53 lol, jinx! 20:14:00 alee: redrobot Sounds reasonable. 20:14:14 maybe SecurityImpact flag means this patch needs 3x +2 20:14:21 ? 20:14:27 that's a nice idea 20:14:31 +1 20:14:40 well that gets the security group involved , doesn't it? 20:14:41 +1 20:14:48 yes 20:14:48 alee indeed it does 20:14:52 well in theory anyway 20:15:57 it alerts the security group, whether they get involved is another step 20:16:05 we don't have to make a decision right now 20:16:11 I'm certainly in favor of getting the security group involved if need be -- and then requiring 3 +2 20:16:22 Some are not always security critical as well. Content types would be one where I would want 3 +2s because that was big change. 20:16:27 as for the rest, I'm inclined to 2 +2s. 20:16:39 ok, it seems we like that suggestion... (or at least I do :) 20:16:50 maybe just mark it BarbicanImpact, then you can search for them easily? 20:17:20 that would be nice -- can we add a new flag like that? 20:17:54 I could certainly see a reviewer thinking that a change was too big to come in without a thrid +2 20:17:58 i thought you could search the commit messages for arbitrary strings through gerrit, is that not the case? 20:18:03 that would not be security related 20:18:22 yeah, you can... we wouldn't get all the nifty notification stuff that security folks get 20:18:28 right 20:18:52 Do we need notifications? 20:19:01 rellerreller nah, I don't think so 20:19:06 redrobot, so yeah - I like this idea -- 2 +2's unless either patch submitter or one review marks it either as security impact or barbican impact. 20:19:12 If it's in the commit message I can easily see that and know what to do. 20:19:17 i was just thinking more in terms of creating a barbican dashboard with gerrit-dashboard-generator or something 20:19:36 alee I like that 20:19:43 rellerreller +1 20:19:58 ok, let's table this until next week, since I want to get input from the rest of the core team 20:20:27 I'll poke at the rest of the core devs and get a tally of support for this 20:20:45 also, if you're not a core reviewer, and feel like reviews are slow, let me know! 20:21:09 I like the idea of a Barbican impact tag 20:21:38 ok, we'll revisit this next week 20:21:42 moving on 20:21:57 #topic Tokyo Sessions Space Requirements 20:22:31 I was just pinged by the summit organizing folk to get our requirements for fishbowls/design sessions/meetups for the Tokyo summit 20:22:46 last summit we had 3 fishbowl, 10 design, and 1 meetup 20:22:54 at least 1 gundam serving tea while we work :3 20:23:40 I was thinking we probably only need 2 fishbowls this time around: 1 for Barbican roadmap (splitting kms/cms in v2), and 1 for Federation 20:24:08 What about encryption as a service? 20:24:15 Or would that fit into v2 discussion? 20:24:35 rellerreller I think it could definitely fit into a v2 discussion 20:24:43 rellerreller do you think it needs a fishbowl of its own? 20:24:47 chellygel: lol 20:25:08 No, but the description you gave I was not sure what was under that tent. 20:25:14 * redrobot prefers maid café over gundam 20:25:30 * silos1 pokes his head in after hearing federation 20:25:32 redrobot, its a gundam dressed as a maid. 20:25:38 * chellygel stops being bad and shuts up 20:25:40 * elmiko facepalms 20:26:17 rellerreller what all is included is open for discussion... just figured v2 would be of interest to the wider community 20:26:52 I agree that lots will be interested. I think v2 discussion is definitely fish bowl worthy. 20:26:54 silos1 I was thinking about using the federation fishbowl to gather use cases from the community 20:27:09 silos that sounds like a good plan. 20:27:20 redrobot, encryption as a service sounds like something we'd want to get feedback/use cases on 20:27:33 silos1 also maybe have a high level architecture ready ... depending on how much we can get done before the summit. 20:27:54 redrobot: I came up with a new design today. I can upload it later on. 20:27:54 redrobot, not sure you could do both v2 and eaas in same fishbowl 20:28:18 redrobot: I don't know if I'm going yet to Tokyo though so I might be with you guys in spirit. 20:30:02 alee I think that actually fleshing out the v2 api would be done in design sessions... I'm thinking the fishbowl would be to tell the community which way we're headed, and get use cases/requirements for v2 20:30:03 probably should talk with reaperhulk about EaaS, he and i talked about it in vancouver and he had some really good thoughts, and criticisms. 20:31:05 elmiko +1 20:31:16 elmiko I'm still crossing my fingers that reaperhulk will be able to attend 20:31:29 redrobot: that would be cool 20:33:09 redrobot, ok thats fine then 20:33:39 cool, I'll only be asking for 2 fishbowls then 20:33:46 I'm going to keep the design sessions at 10 20:34:11 but it seems we may be space challenged (think Paris o_O) ... so we'll see how much time we'll actually get 20:34:29 sounds like there are more, but smaller, rooms 20:35:01 the Vancouver space was ideal... I wish we could just go back there... 20:35:19 sigh... you and me both ;) 20:35:32 but hopefully we'll be able to stay busy all 4 days 20:35:53 and that's all I have for the agenda today 20:35:57 #topic Open Discussion 20:36:20 redrobot, kfarr, since barbicanclient has been updated, i assume castellan will get one soon? 20:36:28 just wanted to introduce myself, I'm Andrew Melton from the magnum team 20:36:42 hi apmelton ! 20:36:45 hi apmelton 20:36:59 elmiko, a new release, you mean? Hi apmelton! 20:37:00 I had a question from the group that's working on our barbican interaction 20:37:04 kfarr: yea 20:37:23 apmelton what's up? 20:37:53 o/ 20:37:57 during our mid-cycle we talked about barbican supporting a different CA per cluster 20:37:57 elmiko I'm just waiting on kfarr to poke me for a release... although I'm half tempted to submit a patch to remove "common" from the namespaces 20:38:05 I was wondering if there's been any progress on that 20:38:07 elmiko, yes, thinking after this one gets in https://review.openstack.org/#/c/208569/ 20:38:09 and/or blueprints I could follow 20:39:11 redrobot: you don't like the common package? 20:39:29 elmiko nope... not sure what it's "common" to... 20:39:30 kfarr: thanks, i'll try to get a few more reviews in ;) 20:39:31 apmelton, yeah - there is a blueprint that I wrote .. 20:39:38 apmelton, just a sec .. 20:39:48 redrobot: oh right, it was part of the patch series for the cert stuff 20:40:30 "common" was really sort of a relic from the cinder and nova implementations 20:40:34 apmelton, https://review.openstack.org/#/c/187236/ 20:40:44 kfarr: interesting.. 20:41:11 apmelton, I'm going to be working on implementing this over the next couple of weeks or so. 20:41:18 2-3 weeks 20:41:39 alee: cool, I'll keep an eye out for the work 20:42:00 I don't think we're blocked on it yet, but if we are I'll be sure to bring it up 20:42:30 apmelton, yup - please do. I'm perfectly happy to have someone ready to test whatever I have 20:42:39 apmelton: i'm interested in your plans for magnum + barbican integration. i noted on your midcycle meetup minutes that it looked like magnum was moving forward with anchor as a phase 1 plan 20:43:16 lisaclark1: yea, phase one is to use a library and have magnum issue CAs itself 20:43:38 I think we've moved from anchor to crytography.io 20:43:38 apmelton: and phase 2 is integration with barbican? 20:43:46 that's correct 20:43:58 and note, this is for CA 20:44:12 I believe we're going to support barbican for storage from the get-go 20:45:03 apmelton: awesome! magnum + barbican for key storage in phase 1, magnum + barbican for CA capabilities as phase 2 20:45:12 that's correct 20:45:46 thanks apmelton. i might ping you offline at some point to better understand the magnum + barbican CA integration needs. 20:45:55 sounds good lisaclark1 20:46:36 alrighty, anything else while we're all here? 20:46:48 Topic: Python 3. Pradeep was on the channel early this morning. He's in Japan (I think), so this meeting time is not good for him. He's been submitting patches to get Barbican Python 3 ready, and has asked for more reviews and feedback on his patches. 20:46:53 redrobot: I'm resurrecting another of my old zombie patches: https://review.openstack.org/#/c/167885/ 20:47:13 rm_work oh nice 20:47:20 because integration is frustrating when projects need to include barbican in their devstack installs :P 20:47:26 rm_work I saw y'all are trying to get a devstack gate going? 20:47:27 so this would make it a lot simpler 20:47:30 yes 20:48:08 might need help making this work with YOUR gates though 20:48:18 so if whoever handles your gate stuff could hit me up 20:48:24 I am not super familiar with it 20:48:39 rm_work you can grab me IRL if you want... I'm pretty familiar with our gate setup 20:48:43 kk 20:49:00 redrobot: review request for barbican client changes. Have not seen review happening on client side. 20:49:07 honestly the actual project changes are pretty trivial 20:49:21 dave-mccowan I saw that 20:49:38 dave-mccowan as we start getting more APAC contributors we may want to consider alternating meetings like other projects do 20:51:36 arunkant I'll try to review soon... we also have some of Fernando's patches in the client that have been pending reviews for a while 20:51:56 arunkant it's part of the reason I was suggesting lowering the core reviews needed to merge 20:53:11 anything else before we call it a day? 20:53:58 Joined late, forgot to... 20:54:05 o/ 20:54:16 woodster_ I'm going to need you to stay after to make up the time. ;) 20:54:28 haha 20:54:44 Ha, will do 20:55:18 alrighty guys, thanks for coming 20:55:24 #endmeeting