15:00:40 <xek> #startmeeting barbican
15:00:40 <opendevmeet> Meeting started Mon Apr 22 15:00:40 2024 UTC and is due to finish in 60 minutes.  The chair is xek. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:40 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:40 <opendevmeet> The meeting name has been set to 'barbican'
15:00:47 <xek> #topic Roll Call
15:00:53 <xek> Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung mharley lpiwowar
15:00:57 <mharley> o/
15:01:07 <xek> As usual our agenda can be found here:
15:01:12 <xek> #link https://etherpad.openstack.org/p/barbican-weekly-meeting
15:01:19 <xek> We have just the usual topics today
15:01:40 <dmendiza[m]> 🙋‍♂️
15:02:48 <xek> o/
15:02:54 <xek> #topic Review Past Meeting Action Item
15:03:01 <xek> There were no action items on our last meeting
15:03:06 <xek> #topic Liaison Updates
15:03:13 <xek> No updates from me today :)
15:04:22 <xek> #topic Open Discussion
15:04:45 <rajiv> Hi All,
15:05:02 <rajiv> i had a great discussion this afternoon, any comments on that ?
15:05:09 <xek> dmendiza I saw some discussion earlier about https://review.opendev.org/c/openstack/barbican/+/914745
15:05:23 <xek> #link https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/message/E7MXNLVWGL7Z2IX5ZDIR6VKPOQN4Y6US/
15:05:51 <rajiv> yes, is this finalised ?
15:06:03 <xek> rajiv hi
15:06:40 <rajiv> hi xek !
15:07:06 <rajiv> we have a customer requirement to support kmip, hence i wanted to understand the roadmap
15:08:04 <rajiv> this commit https://review.opendev.org/c/openstack/barbican/+/916620, cost me almost 2 days of debugging :D
15:08:04 <xek> we need a second core's opinion, dmendiza do you have any concern with removing the kmip secret store plugin in a future release ?
15:08:25 <rajiv> you mean NOT to remove :)
15:08:59 * dmendiza[m] reads list message
15:09:26 <mharley> Isn't there another way to implement KMIP using something else than the not maintained library?
15:10:31 <rajiv> we are currently using Thales HSM A790 in FIPS Mode which supports pkcs11 plugin, to enhance the support, we are testing kmip
15:11:05 <mharley> Yeah, but that's a specific scenario. I asked more in general.
15:11:20 <rajiv> Thales A790 stores the keys of Thales Cipher Trust Manager which supports KMIP
15:11:45 <rajiv> i shared a general msg, i tried few other packages but had similar issues
15:13:05 <dmendiza[m]> I think it comes down to the same issue as with anything else in open source:  Who is going to do the work?  ...  The team at Red Hat doesn't have any requirements for KMIP, so we don't have a preference either way on deprecating or fixing the backend.
15:13:27 <dmendiza[m]> I am not sure what the current state of maintenance is for PyKMIP
15:14:24 <mharley> I believe we have to have a business decision here. Do we take ownership on keeping implementing this, but with another library (if any), or do we deprecate it? :-)
15:14:52 <dmendiza[m]> #link https://github.com/OpenKMIP/PyKMIP
15:15:05 <dmendiza[m]> seems tkajinam was able to get patches merged recently
15:15:30 <rajiv> PyKMIP seems to be slow in reviewing the fix for this issue : https://github.com/OpenKMIP/PyKMIP/pull/715
15:15:33 <mharley> There was a charge three weeks ago...
15:15:49 <xek> PyKMIP last release was on Feb 25, 2020
15:16:10 <mharley> Oosh, 58 open issues. :-(
15:16:30 <dmendiza[m]> Has anyone tried reaching out to #pykmip on Freenode?
15:16:38 <dmendiza[m]> are the devs still active there?
15:16:49 <dmendiza[m]> or tried reaching out on X (formerly Twitter)?
15:17:38 <dmendiza[m]> rajiv: well, the bad news is that I don't think anyone from Red Hat will have time to work on this.  (outside of dedicating personal time anyway)
15:18:13 <dmendiza[m]> rajiv: so your options are:  RE: KMIP try to understand the current state of development.  Fix issues yourself and work with their maintainers to merge/release those fixes.
15:18:28 <rajiv> i will try to followup
15:18:31 <dmendiza[m]> rajiv: Then you could fix the KMIP backend to continue to support KMIP in Barbican
15:19:13 <rajiv> oh ok ok, looks like deprecation is the direction now.
15:19:37 <xek> Yeah, we didn't deprecate it for the 2024.1, so there is still a decision to be made
15:20:32 <xek> We can hold off for a couple of weeks, if you would like to contact the current maintainer and work something out
15:20:46 <rajiv> this will help.
15:22:11 <xek> ok
15:23:17 <xek> #agreed holding off the decision to deprecate KMIP secret store for a couple of weeks to let rajiv contact the maintainer of the PyKMIP library
15:24:16 <xek> I've also seen a mantion of this bug https://bugs.launchpad.net/barbican/+bug/2036506
15:24:24 <xek> *mention
15:25:30 <xek> dmendiza do you know if this is something on our roadmap?
15:26:01 <rajiv> yes, this is another blocker to upgrade to latest firmware version since FIPS mode is enabled.
15:26:30 <rajiv> the code is complex and difficult to understand the strategies to fix this.
15:26:36 <xek> it references pkcs11, but is it only a pkcs11 issue?
15:26:51 <dmendiza[m]> Yeah, we do support Thales Luna HSMs, so this is something we will want to fix.
15:27:08 <tkajinam> maybe https://review.opendev.org/c/openstack/barbican/+/900107 would address it ? though this is a new feature so may not be backportable.
15:27:31 <tkajinam> (I just noticed the notification and am joining late
15:28:43 <tkajinam> (just fyi. I've not tried reaching out to the pykmip maintainers outside of github. I wasn't aware of their irc channel but I doubt that people still stay at freenode after its governance was messed up some time ago.
15:28:49 <dmendiza[m]> Possibly. The devil is in the details. I'm sure there is some other wrapping algorithm we can use, but we have to carefully consider the upgrade path.
15:29:19 <dmendiza[m]> Yeah, I have a feeling it's a stale readme.
15:32:58 <xek> Ok, thanks for the input! we'll circle back on this, since it's early in the release cycle and we still have time to make a decision
15:33:13 <xek> #topic Bug Review
15:34:19 <xek> I see one new bug
15:34:20 <xek> #link https://bugs.launchpad.net/barbican/+bug/2063102
15:35:45 <xek> looks like the fix in https://review.opendev.org/c/openstack/barbican/+/916620 addresses this bug
15:36:25 <xek> All right, that's it for today
15:36:36 <xek> See y'all next week!
15:36:44 <xek> #endmeeting