18:06:54 <hyakuhei_> #startmeeting OpenStack Security Group 18:06:55 <openstack> Meeting started Thu Aug 1 18:06:54 2013 UTC and is due to finish in 60 minutes. The chair is hyakuhei_. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:06:56 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:06:58 <openstack> The meeting name has been set to 'openstack_security_group' 18:07:03 <elo> Hi 18:07:06 * joel-coffman waves hello 18:07:20 <hyakuhei_> Hi :) My appologies for not starting this sooner. 18:07:30 <hyakuhei_> Do we have anyone else with us today? 18:07:31 <nicolae_> Hi 18:07:38 <thomasbiege> hi 18:07:55 <hyakuhei_> Hi Guys, thanks for waiting around 18:08:16 <hyakuhei_> #topic Booksprint followup 18:08:54 <hyakuhei_> Right, the book is looking reasonably good at the moment. Does anyone have feedback on suggested improvements? 18:09:34 <hyakuhei_> I've written up the various security issues we identified during the sprint, I'll send the non-sensitive ones around the ML as a few require blueprints to be drafted 18:09:52 <hyakuhei_> Any thoughts? 18:10:12 <hyakuhei_> Fantastic, I'll do that then 18:10:15 <joel-coffman> sounds good 18:10:37 <hyakuhei_> #action hyakuhei to send non-sensitive security issues around the OSSG for the group to pick blueprints to run with 18:10:46 <elo> I'll flush out more of the networking stuff as there is a lot of churn with feature in Havana for Neutron 18:10:48 <hyakuhei_> I will see if we can pick up a few at HP too 18:11:02 <hyakuhei_> Great, thanks elo 18:11:15 <hyakuhei_> Are you familiar with the submission process? 18:11:35 <elo> in the process of getting up to speed 18:12:02 <hyakuhei_> ok great, feel free to reach out to the group if you run into problems. You can reach out to me directly too if you want 18:12:19 <hyakuhei_> make sure you ping us when you submit your changes and we'll get the reviewed quickly 18:12:37 <hyakuhei_> #topic Items that require OSSG attention 18:12:56 <hyakuhei_> If you're not already aware of it I'd encourage you all to take a look at https://review.openstack.org/#/c/33532/ 18:13:21 <hyakuhei_> It is a bit of a mess with 9 different patch sets the last time I looked 18:13:36 <hyakuhei_> And some discussion of wether it's ok to have sensitive information in debug output 18:13:45 <hyakuhei_> Any thoughts on that last point specifically? 18:14:38 <hyakuhei_> ok, well if you get the opportunity please dive in and have a look at that 18:15:12 <hyakuhei_> Also, you'll notice we have security-related reviews being delivered to the OSSG mailing list, this is a good thing, if you see one please take the time to take a look at the review. 18:15:32 <hyakuhei_> #topic OSSG Logo 18:15:46 <hyakuhei_> Do we have any budding artists in the group? 18:16:08 <joel-coffman> not me 18:16:11 <thomasbiege> unfortunately not 18:16:15 <hyakuhei_> hah, not me either 18:16:36 <hyakuhei_> ok, well I guess the quest continues. I'm trying to find out if we can use/modify/adapt the OpenStack logo 18:16:45 <thomasbiege> I think a openstack icon with a lock can be made easily 18:16:51 <elo> me either 18:17:18 <hyakuhei_> thomasbiege: sure it can, if we can get permission to use it 18:17:25 <thomasbiege> *nod* 18:17:35 <hyakuhei_> Ok, I'll see if I can find someone 'creative' :) 18:17:54 <hyakuhei_> #topic Wiki / OSSG Organisation 18:18:14 <nicolae_> a lock would be easy to add to the openstack logo, i can try create some prototypese 18:18:26 <nicolae_> *prototypes 18:18:36 <hyakuhei_> Does anyone have thoughts on how the OSSG should operate in future, particularly in regard to onboarding new people into the group? 18:19:05 <joel-coffman> not particularly 18:19:20 <thomasbiege> getting the right people is the interesting part 18:19:45 <nicolae_> I'm going through this process right now -- well basically reading into source code to know the nuts and bolts of a project, that's the first step i thought of 18:19:52 <thomasbiege> people that have fun and time to bring their expertise into the group 18:20:13 <hyakuhei_> So I think the group is~70 people at the moment 18:20:15 <hyakuhei_> which is great 18:20:33 <hyakuhei_> but some induction / tasking / direction is probably required 18:20:39 <thomasbiege> yes 18:20:44 <hyakuhei_> Security peeps are difficult cats to herd at the best of times 18:21:01 <nicolae_> What about assigning some small tasks, like reviews, as a practice? 18:21:06 <hyakuhei_> Ok, I'll try to draft something this week and ping it around the group 18:21:11 <hyakuhei_> nicolae_: excellent idea. 18:21:35 <thomasbiege> depends much on their current function and preference in their daily security job 18:21:53 <nicolae_> They might not be definitive, but getting feedback on the review would surely help "get in" the process 18:22:07 <hyakuhei_> Yeah, but we can try it, if it doesn't work well that's fine too :) 18:22:41 <hyakuhei_> #action hyakuhei and bryan to discuss new-starter options 18:22:48 <hyakuhei_> #topic A.O.B 18:23:01 <thomasbiege> well we need initioation tasks for the different kind of sec people. development of code, secure design, network, etc 18:23:29 <hyakuhei_> Yeah 18:24:08 <hyakuhei_> I think one of the areas we struggle with (OpenStack) is making it easy for the people with the ideas to find the people who can get the work done, reviewed and submitted in the OpenStack world. 18:24:17 <hyakuhei_> It's less than trivial to do. 18:24:39 <thomasbiege> yes, that is a problem I encounter too ATM 18:24:46 <hyakuhei_> joel-coffman: are you guys doing anything in the world of Swift object encryption? 18:24:54 <joel-coffman> not at the moment 18:25:05 <joel-coffman> Cinder and ephemeral storage only right now 18:25:29 <joel-coffman> I think Mirantis had some patches / blueprints for Swift encryption 18:26:11 <joel-coffman> see http://www.mirantis.com/blog/on-disk-encryption-prototype-for-openstack-swift/ 18:26:12 * notmyname lurks 18:26:17 <hyakuhei_> Ah yeah, I think they were pretty bad. 18:26:26 <hyakuhei_> but that's what I had in the back of my mind at least.# 18:26:32 <hyakuhei_> I'll go take another look 18:26:41 <hyakuhei_> In fact, that's a good newbie task :D 18:27:03 <joel-coffman> okay, we didn't look too closely at their proposal since Swift is off our radar at the moment 18:27:05 <nicolae_> +1! :) 18:27:36 <hyakuhei_> Ok, does anyone want to take an action to take a look at that and start an on-ML discussion before next week? 18:27:42 <hyakuhei_> ie. the next meeting 18:28:19 <thomasbiege> not me sorry (vacation) 18:28:42 <notmyname> FWIW, encryption doesn't belong in swift core, most likely. but we can discuss this in more depth when you turn focus to it 18:28:43 <nicolae_> If that's a newbie task then i can take it, but i won't be ablevto attend the next meeting 18:28:53 <joel-coffman> we're all swamped trying to get our Cinder code reviewed / accepted :( 18:29:33 <hyakuhei_> no worries joel-coffman - perhaps reach out to the OSSG explicitly for support on that ? 18:29:56 <hyakuhei_> We've got a good community of people but their quiet, if you mail the ML regarding some of the review challenges I'm sure you'll get help 18:30:08 <hyakuhei_> notmyname: can you elaborate on that in 30 seconds? 18:30:46 <notmyname> hyakuhei_: it either belongs in the client or as the responsibility of the storage volume. either way it is outside the scope of swift 18:31:04 <joel-coffman> will do, right now iterating with Cinder folks to address some of their questions 18:31:23 <hyakuhei_> In the client doesn't work well at all, there are already options for on-premise swift encryption 18:32:14 <thomasbiege> ok, need to go 18:32:19 <thomasbiege> bye! 18:32:25 <notmyname> hyakuhei_: the third possibility has to do with a deployer key per-tennant or something. but that too can be implemented as a plug-in and doesn't need to be in the core code 18:32:37 <hyakuhei_> The volume would need to be aware of the different tenants and how they're indipendantly keyed. Swift needs to be involved because there are all sorts of issues I think, compression, dedupe etc. 18:32:56 <notmyname> hyakuhei_: nope. same story for compression and dedupe ;-) 18:33:08 <hyakuhei_> Yeah, I don't really care where it is as long as a) It's not stupid and b) it actually works 18:33:28 <notmyname> hyakuhei_: valuable features, but not part of the storage engine code base 18:33:30 <hyakuhei_> notmyname: perhaps we can have an on Mailinglist discussion about it? 18:33:38 <hyakuhei_> we're over time here. 18:34:17 <hyakuhei_> Thank you everyone, productive meeting! Please feel free to follow-up any conversations on the ML 18:34:24 <hyakuhei_> #endmeeting