12:00:52 #startmeeting barbican
12:00:52 Meeting started Tue Oct 3 12:00:52 2023 UTC and is due to finish in 60 minutes. The chair is xek. Information about MeetBot at http://wiki.debian.org/MeetBot.
12:00:52 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
12:00:52 The meeting name has been set to 'barbican'
12:01:05 #topic Roll Call
12:01:15 Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung mharley lpiwowar
12:01:32 hi
12:02:00 o/
12:02:35 Do we have the weekly meeting today?
12:03:01 o/
12:04:00 morning :)
12:04:17 @rajiv yep, it has just started
12:04:29 yo!
12:04:29 As usual, our agenda can be found here:
12:04:36 #link https://etherpad.openstack.org/p/barbican-weekly-meeting
12:04:42 Just the usual items today
12:04:51 #topic Review Past Meeting Action Items
12:05:11 #link https://meetings.opendev.org/meetings/barbican/2023/barbican.2023-09-05-12.00.html
12:05:36 There was a patch fixing the python-barbicanclient gate, which is already merged
12:06:31 #link https://review.opendev.org/c/openstack/python-barbicanclient/+/894738
12:07:05 #topic Liaison Updates
12:07:15 It's the final week of Bobcat
12:07:50 🙋
12:08:00 Welcome back, Grzegorz Grasza!
12:08:27 Morning @dmendiza :)
12:08:35 During my PTO, secret consumers were reverted in castellan bobcat: https://review.opendev.org/q/topic:revert-castellan-bobcat
12:09:11 as it broke the services requirements cross-job
12:09:56 Not much we can do at this point, but the changes are still on the main branch, so they're scheduled to go in in the next cycle
12:10:55 That's all from me
12:12:22 @lpiwowar any updates from QA?
12:12:22 From the QE side I do not have any updates
12:12:53 But if there is something urgent you need me to take a look at, I will do so :)
12:13:28 @lpiwowar ack, thanks!
12:13:44 #topic Open Discussion
12:13:57 Hey, I have 3 questions.
12:14:11 1. Can we upgrade from Zed to Bobcat directly now?
12:14:53 Barbican didn't have any breaking changes in Bobcat, so it should be fine
12:15:10 cool!
12:15:43 2. Is there a fix for CVE-2023-1636? The associated articles don't provide a fix yet
12:17:05 This CVE is related to how Barbican is deployed, presumably in TripleO
12:18:19 okay, I have a custom policy file with custom roles, which means I am not impacted? Will there be any details updated in the associated CVE links?
12:18:42 my barbican setup in production runs on kubernetes
12:18:49 There are some details here: https://access.redhat.com/security/cve/cve-2023-1636
12:19:16 if you are running in kubernetes this CVE doesn't apply to you
12:20:23 yes, I was referring to this article but wasn't sure. Thanks for confirming.
12:20:35 3. Any update on bug request: https://bugs.launchpad.net/barbican/+bug/2036506
12:20:39 the main issue in TripleO is that the host network namespace is shared with the host and between containers
12:21:31 ack
12:22:43 I don't have any updates on the above bug
12:23:34 @dmendiza is it on your radar?
12:25:09 I saw the report but haven't looked into it
12:25:44 I have a QA device if we wish to troubleshoot!
12:26:30 Also, I am running Barbican in FIPS mode; the docs say it's not supported. Should I raise a bug request?
12:26:59 yeah, we'll probably need it to test that any fix is compatible with both versions
12:27:15 I approached Thales about whether they could push a commit, but they declined to get involved.
12:27:36 I also found that SoftHSM doesn't support the CKM_AES_CBC_PAD wrapping mechanism; more details are provided here:
12:27:41 https://github.com/opendnssec/SoftHSMv2/issues/405
12:27:49 https://github.com/opendnssec/SoftHSMv2/issues/229
12:28:20 thanks, how do we plan to fix this? Is there a project workflow I need to set up?
12:28:27 @rajiv I think the documentation says it's not supported, since we don't have a voting set of tests for FIPS
12:30:11 okay, I can write a few tests, but how can Barbican test if FIPS mode is ON? There isn't any API or DB to check, right?
12:30:14 Next step is to submit a patch, but I can't make any estimate on when and who could create one
12:31:06 apart from the p11 plugin being enabled, or a few changes seen in the kek_data table to confirm, know?
12:31:12 There were some tests using a centos image with fips enabled
12:31:21 Those were running the usual functional test
12:31:31 ade_lee was working on that
12:32:25 I see, but I don't see any now. Talking about tests, there aren't any here, right? https://github.com/openstack/barbican-tempest-plugin
12:33:59 yeah, I don't see this either, those would show up as a separate job in the review board
12:34:39 RE: Luna in FIPS mode, I'm not sure it's been tested in a long time.
12:34:57 but I suppose we could update the documentation with any pointers to how to run in fips, with a note that it's not currently tested in CI
12:35:09 okay, do I follow up bi-weekly for the Thales patch? Or what do you recommend?
12:35:31 rajiv If you want to work on a patch we can review it when you have it ready
12:35:57 RE: test, there are no HSM-specific tests, we basically just run the same tests against a Barbican deployment that has an HSM
12:36:05 the tests should work regardless of backend
12:36:15 I am unsure on how or where to start; any hints are highly appreciated
12:36:24 the reason we don't test at the gate is because we don't have public access to an HSM that can be used on every patch that is submitted to barbican.
12:36:27 ack wrt tests
12:37:08 maybe send the patch across and I could test it?
12:41:51 I only evoked @dmendiza since he has more experience with HSMs, but I'm not expecting that he has the time to prepare a patch
12:42:04 I'm sure we'll have the time to review a patch, but I'm not sure about creating one
12:42:37 oh ok
12:44:15 do we still support storyboard? Or do I need to raise another issue via opendev?
12:44:33 This is another of my old bugs: https://storyboard.openstack.org/#!/story/2009322
12:45:02 Please re-add it to launchpad
12:46:26 Ok, let's continue to the last topic
12:47:17 #topic Bug Review
12:47:42 I don't see any new bugs, apart from those already mentioned
12:48:50 Looks like that's it for today
12:50:23 I'm on PTO for the next 2 weeks
12:51:07 this one was planned a while ago :)
12:51:46 So it looks like we'll be skipping the next 2 weekly meetings
12:52:22 Unless @dmendiza wants to chair?
12:52:23 I can cover for you
12:52:39 ok, cool, thanks!
12:53:22 We skipped a bunch of meetings last month, but I just had to take this unexpected PTO...
12:53:48 Anyway, thanks for attendance, see you in 3 weeks!
12:54:38 #endmeeting