18:00:40 <bdpayne> #startmeeting OpenStack Security Group
18:00:41 <openstack> Meeting started Thu Aug 22 18:00:40 2013 UTC and is due to finish in 60 minutes. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:42 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:44 <openstack> The meeting name has been set to 'openstack_security_group'
18:01:02 <bdpayne> hi OSSG
18:01:09 <bdpayne> who's here today?
18:01:17 <thomasbiege> hey!
18:01:26 <bpb> hi
18:01:31 <rellerreller> hello
18:02:17 <bdpayne> excellent, let's get started
18:02:26 <thomasbiege> btw, review.openstack.org seems to be down
18:02:44 <anteaya> it was restarted
18:03:01 <thomasbiege> ah, ok
18:03:11 <bdpayne> I only have a few things for the agenda, so let me know if you have others
18:03:13 <bdpayne> I have:
18:03:20 <bdpayne> 1) discussing the new wiki page
18:03:32 <bdpayne> 2) discussing addressing security review requests
18:03:39 <bdpayne> 3) discussing ongoing projects
18:03:49 <bdpayne> 4) discussing the logo effort
18:04:02 <bdpayne> what else would people like to talk about?
18:04:10 <thomasbiege> maybe there is an open action item from our ML
18:04:22 <bdpayne> ?
18:04:29 <thomasbiege> the common state of security slide deck is open AFAIK
18:04:37 <bdpayne> oh, yes
18:04:47 <malini1> greetings
18:05:02 <thomasbiege> hi malini1
18:05:05 <bdpayne> hi, we're just discussing agenda items
18:06:02 <bdpayne> ok, I think I'm organized over here
18:06:08 <bdpayne> we can begin :-)
18:06:16 <bdpayne> #topic new wiki page
18:06:27 <bdpayne> https://docs.google.com/document/d/1TmygsnqU2MeHMYf_mqIV_dZpDaeLEzR7mGSE9n9SWKk/edit?usp=sharing
18:06:40 <bdpayne> I've still been receiving nice feedback on the page.
18:06:56 <bdpayne> Or rather the content that I want to put up
18:07:04 <bdpayne> Is there anyone that hasn't seen it / commented yet?
18:07:51 <bdpayne> ok, I'll take that as a no
18:07:57 <joel-coffman> I've looked through it a couple of times, and it looks good to me
18:07:59 <bdpayne> so, here's my plan on this
18:08:14 <bdpayne> #action bdpayne will move ahead with making some edits and posting the wiki page this week
18:08:42 <bdpayne> Since it is a wiki, we can always work together to improve it over time as well
18:08:49 <bdpayne> and getting something up as a starting place is useful
18:08:59 <sriramhere> hello all - sorry i was in the wrong channel.
18:09:01 <joel-coffman> agreed
18:09:14 <bdpayne> hi sriramhere, welcome and glad you made it
18:09:17 <malini1> :)Good work on the page
18:09:28 <bdpayne> ok, I think that's all about the wiki page
18:09:32 <bdpayne> so I'll move forward
18:09:38 <bdpayne> #topic security slide deck
18:09:52 <bdpayne> malini1 you had volunteered to work on this, any updates?
18:10:04 <malini1> I have a confession -- got started on it, checked the email thread, started, but not enough progress to share this week
18:10:17 <malini1> was distracted by other deliverables at this end, sorry
18:10:23 <bdpayne> np, understandable
18:10:38 <sriramhere> malini1 - if you want an extra hand on that, i can help. would like to contribute
18:11:28 <malini1> :-) will rope you in sriramhere
18:11:35 <sriramhere> thx
18:11:39 <bdpayne> excellent
18:12:01 <bdpayne> @action @malini1 to continue work on slide deck, and will get help from sriramhere
18:12:12 <malini1> late in the day question, how does one get from IM name to email?
18:12:52 <sriramhere> my email is sriram@sriramhere.com if it is easier for u. WHOIS might help
18:13:07 <malini1> never mind sriramhere, have your email contact from a message from bdpayne
18:13:48 <bdpayne> #topic security review requests
18:14:06 <malini1> :)I did a couple of those!
18:14:17 <bdpayne> Question for the group… are you on the openstack-security mailing list?
18:14:27 <thomasbiege> yes :)
18:14:35 <joel-coffman> yes
18:14:39 <bpb> yes
18:14:50 <bdpayne> groovy
18:14:53 <rellerreller> yes
18:15:01 <bdpayne> so, if anyone is not please join http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
18:15:06 <malini1> yes
18:15:29 <bdpayne> the volume is relatively low
18:15:47 <sriramhere> are we tagging [ossg] to the subjects still?
18:15:48 <bdpayne> as you guys have seen, we do get pinged semi-regularly for security review help
18:15:53 <sriramhere> in the emails i meant
18:16:14 <bdpayne> [OSSG] can go in subject on emails to openstack-dev, but not necessary on the openstack-security list
18:16:39 <bdpayne> fwiw, if you put [OSSG] in subject on openstack dev, my email client treats it as higher priority ;-)
18:16:50 <sriramhere> :)
18:16:54 <thomasbiege> I unsubscribed from openstack-dev
18:17:02 <bdpayne> yeah, it's pretty high volume
18:17:12 <bdpayne> anyway, my point is this
18:17:17 <bdpayne> we are being asked to review stuff
18:17:25 <bdpayne> and often we are not following through
18:17:48 <bdpayne> I would argue that these security reviews may be the single most useful thing we can do for the openstack community
18:17:59 <bdpayne> and it's a great way for people to get involved
18:18:16 <sriramhere> ok, n00b question - are the emails to openstack-security list our way to communicate such requests to the groups?
18:18:18 <bdpayne> so… any suggestions for how we can encourage more to take part in this process?
18:18:32 <sriramhere> or do we track them as bugs?
18:18:48 <thomasbiege> maybe involve developers with interest in security. I don't have any python knowledge
18:19:13 <bdpayne> sriramhere not sure I understand your question, but emails are sent to openstack-security mailing list when someone files a security bug or when someone marks a review as having securityimpact
18:19:33 <bdpayne> more developers would be good
18:19:40 <malini1> i will spread the word about the list at Intel to get my colleagues to participate. Some in China wanted to join this meeting, but it is hard, so i represent our team here
18:19:42 <joel-coffman> any way to find all Gerrit reviews that include "SecurityImpact"
18:19:44 <bdpayne> OSSG has actually grown quite a bit
18:19:52 <sriramhere> ok that answers my question. thx
18:20:08 <thomasbiege> maybe some people are well known for their security knowledge, maybe calling for help on the next summit would help
18:20:31 <bdpayne> we actually have 74 people that are members of OSSG on launchpad
18:20:45 <thomasbiege> and only 20% are active I assume
18:20:49 <bdpayne> and we tend to have about 5-8 in the weekly meetings
18:20:52 <bdpayne> right
18:20:53 <joel-coffman> based on some that I've seen, what we really need are developers who are already familiar with the project *and* have an interest in security
18:21:04 <bdpayne> so, I'd like to explore tapping into that interest a bit more
18:21:18 <bdpayne> joel-coffman I agree
18:21:30 <joel-coffman> I'm not familiar with enough of the code to be much good sometimes
18:21:34 <bdpayne> I'm not sure, but I wonder how many people that are members of the group fit into that category
18:21:45 <bdpayne> perhaps a simple email to the group would help
18:21:51 <bdpayne> specifically to the launchpad group
18:21:52 <thomasbiege> what about going back to openstack-dev with the review request and asking for help there
18:21:56 * joel-coffman will try to review more as time allows
18:22:14 <bdpayne> going back to openstack-dev is kind of circular
18:22:20 <thomasbiege> ;) ok
18:22:26 <bdpayne> they are basically the ones asking us for security help
18:22:28 <rellerreller> I think it would be better to be involved in the design phase than the code review.
18:22:37 <bdpayne> yes, this is true too
18:22:39 <thomasbiege> yes, but maybe to the wrong ppl :)
18:22:43 <rellerreller> That way if you don't know the code then it is easier to participate
18:22:54 <joel-coffman> rellerreller: agreed
18:23:02 <bdpayne> the design phase is hard with openstack
18:23:05 <bdpayne> lots of back room discussions
18:23:11 <malini1> that means tag blueprints as security-impact
18:23:18 <rellerreller> +1
18:23:23 <bdpayne> malini1 is that possible?
18:23:33 <thomasbiege> malini1: good idea
18:23:40 <sriramhere> +1, but not sure if that would slow the design discussions
18:23:54 <malini1> not today, but we could ask the Gods of openstack to add such an alert?/tag?
18:23:58 <bdpayne> slow is sometimes good
18:23:59 <joel-coffman> also need to ensure sufficient information regarding the design is available
18:24:14 <bdpayne> ok, so I see a few separate things here
18:24:16 <joel-coffman> three line blueprint with SecurityImpact won't be much help
18:24:37 <bdpayne> first, we should email the launchpad group to see if there are people wanting to help with code reviews
18:24:45 <bdpayne> perhaps after the wiki page is posted
18:24:49 <bdpayne> so we can refer people there
18:25:05 <bdpayne> #action bdpayne to email launchpad group to attempt to spark interest in code reviews
18:25:16 <thomasbiege> ome of my colleagues do code reviews that have sec impact… maybe I could ask them to get more involved
18:25:19 <bdpayne> second, we should see if there's a way to get a security impact tag on blueprints
18:25:22 <malini1> joel-coffman -- 3 lines is another discussion, there was commentary on openstack mailing list about how sometimes code born first before blueprint (like a checkbox done)
18:25:34 <thomasbiege> ome=some
18:25:49 <bdpayne> thomasbiege that would be helpful, thanks
18:25:53 <sriramhere> bpayne - whom to ping on adding new tag to bps?
18:26:01 <joel-coffman> yes, just pointing out the difficulty given the *current* state of affairs
18:26:19 <bdpayne> I'm not sure who to ask about the blueprint tagging
18:26:50 <sriramhere> @annegentle?
18:26:51 <malini1> let us try theirry for tagging
18:26:54 <bdpayne> perhaps start with Theirry
18:26:57 <bdpayne> yeah
18:27:04 <bdpayne> anyone want to take that on?
18:27:08 <sriramhere> ok, i can take that
18:27:43 <sriramhere> #action sriramhere to ping Theirry on adding new security tag to blueprints
18:27:47 <bdpayne> #action sriramhere will talk with Theirry about getting a SecurityImpact tag added to blueprints… net effect should be that it emails the openstack-security mailing list
18:27:53 <bdpayne> heh, yeah that!
18:28:05 <sriramhere> ok
18:28:17 <bdpayne> third, of course, is to encourage better blueprints
18:28:33 <bdpayne> this is where I was making a reference to backroom discussions, and code before design and such
18:28:40 <bdpayne> I think that there isn't too much we can do here
18:28:55 <bdpayne> but, one suggestion, is to be a little more strategic with how we attend the upcoming summit
18:29:19 <thomasbiege> related to this, is there a howto to write blueprint?
18:29:31 <sriramhere> i was about to chime on that - when bps get reviews, we can raise security impact there
18:29:34 <bdpayne> we should coordinate to get good coverage of the design sessions and report back to OSSG on how we should engage with new ideas
18:30:05 <bdpayne> thomasbiege there is, but I don't have it handy…see the openstack how to contribute guide
18:30:14 <malini1> bdpayne -- excellent idea on coverage at summit
18:30:20 <bdpayne> #topic Final Words
18:30:25 <thomasbiege> bdpayne: ok
18:30:27 <bdpayne> look at the time… we're about done here
18:30:31 <bdpayne> one more quick note
18:30:33 <thomasbiege> too bad
18:30:36 <e-vad> blueprints - https://wiki.openstack.org/wiki/Process#Creating_Blueprints
18:30:40 <thomasbiege> thx
18:30:46 <bdpayne> I have an artist lined up for working on the OSSG logo
18:30:57 <malini1> WOW!!!
18:31:03 <sriramhere> woohoo, skulls/ eye patches :)
18:31:03 <joel-coffman> great!
18:31:07 <bdpayne> waiting on approval from the openstack people on the initial design before moving ahead with that
18:31:15 <thomasbiege> cool
18:31:29 <bdpayne> so, hopefully I'll have something pretty to share next week
18:31:31 <bdpayne> stay tuned
18:31:53 <bdpayne> thanks everyone, feel free to continue these and any other discussions on openstack-security mailing list
18:32:00 <malini1> bye
18:32:03 <sriramhere> thanks
18:32:05 <rlp> bye
18:32:07 <thomasbiege> cya
18:32:07 <bpb> thanks
18:32:08 <e-vad> bye
18:32:11 <bdpayne> #endmeeting