15:00:40 #startmeeting barbican
15:00:40 Meeting started Mon Apr 22 15:00:40 2024 UTC and is due to finish in 60 minutes. The chair is xek. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:40 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:40 The meeting name has been set to 'barbican'
15:00:47 #topic Roll Call
15:00:53 Courtesy ping for dmendiza[m] ade_lee d34dh0r53 Luzi tosky tobias-urdin jjung mharley lpiwowar
15:00:57 o/
15:01:07 As usual our agenda can be found here:
15:01:12 #link https://etherpad.openstack.org/p/barbican-weekly-meeting
15:01:19 We have just the usual topics today
15:01:40 🙋‍♂️
15:02:48 o/
15:02:54 #topic Review Past Meeting Action Item
15:03:01 There were no action items on our last meeting
15:03:06 #topic Liaison Updates
15:03:13 No updates from me today :)
15:04:22 #topic Open Discussion
15:04:45 Hi All,
15:05:02 i had a great discussion this afternoon, any comments on that ?
15:05:09 dmendiza I saw some discussion earlier about https://review.opendev.org/c/openstack/barbican/+/914745
15:05:23 #link https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/message/E7MXNLVWGL7Z2IX5ZDIR6VKPOQN4Y6US/
15:05:51 yes, is this finalised ?
15:06:03 rajiv hi
15:06:40 hi xek !
15:07:06 we have a customer requirement to support kmip, hence i wanted to understand the roadmap
15:08:04 this commit https://review.opendev.org/c/openstack/barbican/+/916620, cost me almost 2 days of debugging :D
15:08:04 we need a second core's opinion, dmendiza do you have any concern with removing the kmip secret store plugin in a future release ?
15:08:25 you mean NOT to remove :)
15:08:59 * dmendiza[m] reads list message
15:09:26 Isn't there another way to implement KMIP using something else than the not maintained library?
15:10:31 we are currently using Thales HSM A790 in FIPS Mode which supports pkcs11 plugin, to enhance the support, we are testing kmip
15:11:05 Yeah, but that's a specific scenario. I asked more in general.
15:11:20 Thales A790 stores the keys of Thales Cipher Trust Manager which supports KMIP
15:11:45 i shared a general msg, i tried few other packages but had similar issues
15:13:05 I think it comes down to the same issue as with anything else in open source: Who is going to do the work? ... The team at Red Hat doesn't have any requirements for KMIP, so we don't have a preference either way on deprecating or fixing the backend.
15:13:27 I am not sure what the current state of maintenance is for PyKMIP
15:14:24 I believe we have to have a business decision here. Do we take ownership on keeping implementing this, but with another library (if any), or do we deprecate it? :-)
15:14:52 #link https://github.com/OpenKMIP/PyKMIP
15:15:05 seems tkajinam was able to get patches merged recently
15:15:30 PyKMIP seems to be slow in reviewing the fix for this issue : https://github.com/OpenKMIP/PyKMIP/pull/715
15:15:33 There was a charge three weeks ago...
15:15:49 PyKMIP last release was on Feb 25, 2020
15:16:10 Oosh, 58 open issues. :-(
15:16:30 Has anyone tried reaching out to #pykmip on Freenode?
15:16:38 are the devs still active there?
15:16:49 or tried reaching out on X (formerly Twitter)?
15:17:38 rajiv: well, the bad news is that I don't think anyone from Red Hat will have time to work on this. (outside of dedicating personal time anyway)
15:18:13 rajiv: so your options are: RE: KMIP try to understand the current state of development. Fix issues yourself and work with their maintainers to merge/release those fixes.
15:18:28 i will try to followup
15:18:31 rajiv: Then you could fix the KMIP backend to continue to support KMIP in Barbican
15:19:13 oh ok ok, looks like deprecation is the direction now.
15:19:37 Yeah, we didn't deprecate it for the 2024.1, so there is still a decision to be made
15:20:32 We can hold off for a couple of weeks, if you would like to contact the current maintainer and work something out
15:20:46 this will help.
15:22:11 ok
15:23:17 #agreed holding off the decision to deprecate KMIP secret store for a couple of weeks to let rajiv contact the maintainer of the PyKMIP library
15:24:16 I've also seen a mantion of this bug https://bugs.launchpad.net/barbican/+bug/2036506
15:24:24 *mention
15:25:30 dmendiza do you know if this is something on our roadmap?
15:26:01 yes, this is another blocker to upgrade to latest firmware version since FIPS mode is enabled.
15:26:30 the code is complex and difficult to understand the strategies to fix this.
15:26:36 it references pkcs11, but is it only a pkcs11 issue?
15:26:51 Yeah, we do support Thales Luna HSMs, so this is something we will want to fix.
15:27:08 maybe https://review.opendev.org/c/openstack/barbican/+/900107 would address it ? though this is a new feature so may not be backportable.
15:27:31 (I just noticed the notification and am joining late
15:28:43 (just fyi. I've not tried reaching out to the pykmip maintainers outside of github. I wasn't aware of their irc channel but I doubt that people still stay at freenode after its governance was messed up some time ago.
15:28:49 Possibly. The devil is in the details. I'm sure there is some other wrapping algorithm we can use, but we have to carefully consider the upgrade path.
15:29:19 Yeah, I have a feeling it's a stale readme.
15:32:58 Ok, thanks for the input! we'll circle back on this, since it's early in the release cycle and we still have time to make a decision
15:33:13 #topic Bug Review
15:34:19 I see one new bug
15:34:20 #link https://bugs.launchpad.net/barbican/+bug/2063102
15:35:45 looks like the fix in https://review.opendev.org/c/openstack/barbican/+/916620 addresses this bug
15:36:25 All right, that's it for today
15:36:36 See y'all next week!
15:36:44 #endmeeting