18:01:22 <bdpayne> #startmeeting OpenStack Security Group
18:01:23 <openstack> Meeting started Thu Dec 12 18:01:22 2013 UTC and is due to finish in 60 minutes.  The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:24 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:01:26 <openstack> The meeting name has been set to 'openstack_security_group'
18:01:26 <bknudson> hi
18:01:36 <bdpayne> #topic Rollcall
18:01:43 <bknudson> present
18:01:45 <bdpayne> Hi everyone, please check in if you're here for the OSSG meeting
18:01:51 <hyakuhei> Good morning/afternoon/evening from Rob @ HP
18:02:05 <sriramhere> morning
18:02:09 <tristanC> Hello folks!
18:02:30 <nkinder> o/
18:02:51 <bdpayne> excellent, looks like we have a nice group
18:02:58 <bdpayne> #topic Agenda
18:03:06 <malini1> good morning, back from all my travels
18:03:07 <paulmo> Paul Montgomery here a bit late
18:03:27 <bdpayne> So for today I wanted to mention one thing that I've just started working on (a new wiki page)
18:03:32 <bdpayne> Anything else people want to discuss?
18:03:55 <hyakuhei> OSSNs at some point
18:04:03 <bdpayne> ok, noted on OSSNs
18:04:05 <sriramhere> I wanted to update on the meeting with OSSG editors
18:04:12 <bdpayne> sounds good
18:04:32 <bdpayne> ok, so we'll just take these from top to bottom
18:04:38 <nkinder> bdpayne: I'm also working on a new wiki page for OSSNs
18:04:45 <bdpayne> #topic Wiki Pages
18:04:55 <bdpayne> nkinder you have the link?
18:05:09 <nkinder> bdpayne: https://wiki.openstack.org/wiki/Security_Notes
18:05:17 <bdpayne> excellent
18:05:23 <nkinder> I only have one OSSN posted thus far, but I'm going through all of the older ones
18:05:39 <bdpayne> So I wanted to mention that I have just started putting together a wiki page to list the various projects people in OSSG are working on
18:05:42 <bdpayne> https://wiki.openstack.org/wiki/Security/Projects
18:05:55 <bdpayne> I listed the book editors as an example
18:06:05 <bdpayne> But would like to see this filled out with other security projects
18:06:13 <bdpayne> I know there are many, so I'll go back and check my notes
18:06:21 <bdpayne> My goal is for this to serve 2 purposes
18:06:40 <bdpayne> 1) To help advertise the work that's happening and perhaps draw in more people to participate
18:06:56 <bdpayne> 2) To bring these efforts more formally into the group
18:07:06 <hyakuhei> I like it, nkinder shouldn't take long to add in the other OSSNs :)
18:07:14 <bdpayne> On (2), I'll be aiming to have the project leads check in at this meeting from time to time
18:07:26 <hyakuhei> Obvious things would be the VMT involvement (which needs to be pushed)
18:07:29 <hyakuhei> and the threat analysis work
18:07:38 <bdpayne> yeah
18:07:54 <bdpayne> so, I encourage anyone in OSSG to edit this page and add in other projects
18:08:03 <bdpayne> try to use the same template that I've put together
18:08:09 <bdpayne> just to keep it looking clean
18:08:21 <bdpayne> any thoughts / questions on that?
18:08:26 <hyakuhei> Looks good thus far
18:08:36 <nkinder> yeah, sounds like a good idea
18:08:40 <sriramhere> bryan - just to be clear, this will be the landing projects for all the little projects OSSG is involved in
18:08:55 <sriramhere> like editing, OSSN, threat analysis etc
18:08:55 <bdpayne> landing page, yeah
18:09:00 <bknudson> a project I've been thinking about is a tempest scenario test that configures the system securely
18:09:01 <bdpayne> exactly
18:09:08 <nkinder> We should add a link from the OSSG team page on launchpad
18:09:28 <bdpayne> yeah, once this is filled out some more, I'd like to link to it from a variety of places
18:09:29 <sriramhere> OSSG page already exists, right?
18:09:45 <sriramhere> https://launchpad.net/~openstack-ossg
18:09:46 <hyakuhei> bknudson: A secure distribution?
18:10:22 <hyakuhei> sriramhere: yeah but putting it on the wiki is a better idea imho
18:10:24 <bknudson> hyakuhei: not sure what would be the way to do it, but I think tempest uses devstack... so it would involve making sure devstack can configure the system
18:10:56 <tristanC> +1 for a landing page, it isn't easy to understand what the OSSG is (beside the launchpad page)
18:10:58 <bknudson> configure a system with SSL everywhere.
18:11:03 <sriramhere> sorry, I mistakenly thought you wanted a new page in launchpad
18:11:14 <nkinder> bdpayne: I'll work on filling in the cross-project security guidelines placeholder
18:11:36 <bdpayne> nkinder great, thanks
18:11:51 <bdpayne> #topic OSSNs
18:11:53 <hyakuhei> bknudson: For that to be a useful project you really need a lot of moving pieces that aren't part of the standard distro (like a CA). I think perhaps looking at releasing hardened chef recipes or something might actually have more value
18:11:57 <hyakuhei> Right
18:12:03 <hyakuhei> We have two open OSSNs
18:12:10 <hyakuhei> sriramhere and nkinder assigned
18:12:24 <hyakuhei> Neither have drafts yet, guys is there anything you need?
18:12:32 <hyakuhei> Editing / Research etc?
18:12:41 <nkinder> hyakuhei: yeah, I just grabbed that Keystone one the other day.  I need to start researching it.
18:12:59 <nkinder> hyakuhei: I was wrapping up the glance one I sent out yesterday first.
18:13:05 <bdpayne> Just a comment on the OSSNs...
18:13:08 <hyakuhei> ok cool, if you need help feel free to post on the OSSG ML.
18:13:15 <bdpayne> I think that running the drafts by the PTLs should be the policy
18:13:22 <nkinder> bdpayne: +1
18:13:31 <bdpayne> We got some very good feedback by doing that with the Glance one
18:13:38 <hyakuhei> Makes sense
18:13:39 <bdpayne> and it's just good politics too
18:13:42 <nkinder> bdpayne: I want to document a list of how to write an OSSN on the wiki
18:13:43 <hyakuhei> +1
18:13:54 <sriramhere> no, i will work on sending the draft for review before next meeting. Fallen back due to thanksgiving break
18:13:55 <nkinder> So template, where to publish, who to contact for reviews
18:14:04 <hyakuhei> sriramhere: great :)
18:14:12 <hyakuhei> bdpayne: I'll take that action
18:14:16 <bdpayne> cool
18:14:17 <nkinder> I think a review by PTL and one peer from OSSG is a good idea.
18:14:24 <bdpayne> yeah
18:14:31 <hyakuhei> I've been thinking do we want some sort of numbering for them too?
18:14:42 <nkinder> hyakuhei: Yes, agreed
18:14:47 <nkinder> hyakuhei: even date based
18:14:48 <sriramhere> numbering? you mean +1 -1?
18:14:55 <sriramhere> or order?
18:14:58 <hyakuhei> No I mean OSSN-2013-22...
18:15:04 <bdpayne> like the CVE numbering scheme?
18:15:10 <hyakuhei> Yeah
18:15:11 <sriramhere> ok, good
18:15:13 <nkinder> sriramhere: VMT numbers OSSAs IIRC
18:15:19 <hyakuhei> indeed they do
18:15:29 <nkinder> Yeah, we should be in-line with what they do
18:15:37 <hyakuhei> Ok so I think we can keep on top of this as a manual process for now
18:15:47 <nkinder> I think this is important if we start publishing using a structured format like CVRF as well.
18:15:59 <hyakuhei> I'll continue to 'manage' the OSSNs, help where editing etc is required and I'll get that wiki page thrown together
18:16:22 <nkinder> hyakuhei: should we retroactively number the previous OSSNs?
18:16:38 <hyakuhei> nkinder: yeah. I'm not sure a structured format is as important for OSSN vs OSSA but I have no objection to adopting it either
18:16:56 <sriramhere> bug ids wont suffice for now?
18:17:00 <hyakuhei> nkinder: Probably. However, as we're about to go into 2013, we've got a natural break line
18:17:19 <bdpayne> I think using a common structured format for both OSSN and OSSA would be useful
18:17:27 <hyakuhei> sriramhere: Having an ID makes it easier when people start discussing which OSSNs apply where.
18:17:38 <hyakuhei> Thinking ahead to when we have one per week (potentially)
18:17:52 <hyakuhei> bdpayne: yeah, I've got no big objection to using CVRF
18:17:56 <nkinder> bdpayne: It would also allow us to generate the other published formats (wiki, e-mail, etc.)
18:18:00 <sriramhere> ok cool. just that it is 2014, not 2013 :)
18:18:04 <hyakuhei> pffft
18:18:08 <hyakuhei> off by ones happen!
18:18:18 <bdpayne> still 2013 where I'm sitting :-)
18:18:32 <hyakuhei> ok cool, so what did I just agree to do.
18:18:44 <hyakuhei> I'll put together a wiki page, describing how I think the process should look in the future
18:18:49 <bdpayne> #action hyakuhei to fix everything
18:18:49 <hyakuhei> and we can go over it next week
18:18:56 <hyakuhei> including numbering and format etc
18:18:57 <bdpayne> :-)
18:19:04 <hyakuhei> wow, just like being at work
18:19:06 <bdpayne> yeah, that sounds reasonable
18:19:13 <nkinder> hyakuhei: let me know if you want a review or any help on it before then
18:19:22 <hyakuhei> Cheers :)
18:19:33 <bdpayne> #topic Book Editors
18:19:57 <bdpayne> sriramhere you wanted to discuss this?
18:20:03 <sriramhere> update: David Mortman, Bryan and myself synced up earlier this week on what the steps are here
18:20:22 <hyakuhei> I've done a bunch of editing and I'd like to do more. I just need to get better at wrangling my inbox to see when things come up.
18:20:39 <sriramhere> Once Ben is back from conference next week, we are going to start dividing up to start style/ grammatical fixes first
18:20:59 <sriramhere> we will first come up with a plan/ schedule and publish it to the team and go from there
18:21:12 <sriramhere> hoping to get hold of Ben before next thurs
18:21:18 <hyakuhei> Seems reasonable. I wonder how much technical-proof readers charge.
18:21:19 <bdpayne> So we do have this team of three editors to help drive the effort... but anyone is welcome to continue making contributions
18:21:41 <hyakuhei> oh, teams! I like teams, they feel so inclusive!
18:21:54 <sriramhere> rob - you are on fire today!
18:22:00 <bdpayne> hyakuhei I could actually find out the answer to that question (cost for technical editors)
18:22:06 <bdpayne> but does anyone actually have $$ for that?
18:22:09 * hyakuhei has had a long week
18:22:31 <hyakuhei> bdpayne: depends on the cost, it's worth having some idea of the cost
18:22:46 <sriramhere> i thought that was a fun question -
18:22:54 <hyakuhei> because, if we're collectively burning FTE that could be more easily purchased by someone else...
18:23:04 <sriramhere> i have some friends in the publishing (non-tech) industry
18:23:10 <sriramhere> can find out.
18:23:18 <bdpayne> I'll explore too
18:23:33 <bdpayne> #topic Open Discussion
18:23:36 <sriramhere> as of now, it was volunteer/ interest
18:23:44 <bdpayne> Anything else people would like to discuss today?
18:23:54 <paulmo> I had a few quick things
18:23:57 <sriramhere> who runs http://www.secstack.com/?
18:24:36 <paulmo> I'm not sure if anyone has seen these automated database exploitation tools but they may be useful in OpenStack: https://github.com/tcstool/NoSQLMap and http://sqlmap.org/
18:25:00 <bdpayne> Worth mentioning that Barbican is trying to get incubated http://lists.openstack.org/pipermail/openstack-dev/2013-December/020830.html
18:25:09 <hyakuhei> sriramhere: Matt Joyce
18:25:24 <sriramhere> thanks Rob
18:25:32 <bknudson> does anyone here know of a good static analysis tool for python?
18:25:46 <hyakuhei> Such things do not really exist...
18:25:50 <paulmo> I think pylint is about as good as it gets from what I've found
18:25:51 <hyakuhei> Fortify has _some_ support
18:25:55 <bknudson> hyakuhei: that is my guess
18:25:58 <clarkb> bknudson: yes, there is one laying around that I was playing with recently
18:26:06 <clarkb> now I have to find it and remember what it was called
18:26:07 <nkinder> I've also been doing a lot of review on the KDS side of things for Keystone.
18:26:26 <bknudson> There's a tool called RATS that we (IBM) ran recently
18:26:29 <hyakuhei> but applying SA to a language like Python is always going to be tricky, there are some interesting, if immature, DA projects though - making use of various introspection capabilities
18:26:36 <bdpayne> nkinder good to know on the KDS stuff
18:26:37 <bknudson> and we wound up opening a few bugs
18:26:39 <hyakuhei> bknudson: any good?
18:26:40 <bdpayne> they need eyes there!
18:26:46 <bknudson> hyakuhei: I was not impressed.
18:26:49 <hyakuhei> KDS is scary looking
18:26:56 <hyakuhei> I've asked Jeff to have a look into it
18:27:04 <nkinder> bdpayne: I've been looking at the API side of things mostly at this point.
18:27:14 <clarkb> bknudson: https://pypi.python.org/pypi/radon
18:27:15 <hyakuhei> nkinder: makes sense
18:27:23 <nkinder> hyakuhei: ok, I have a pretty good understanding of the approach, so I can help answer any questions.
18:27:40 <bknudson> clarkb: thanks!
18:27:49 <hyakuhei> Goes without saying but if anyone needs compute resource to run tools like this, I'll hook you up on the HP Cloud.
18:27:54 <morganfainberg> clarkb, Oh nice! ++ on the thanks.
18:28:26 <bdpayne> ok, I think that about wraps it up for today
18:28:33 <tristanC> also, I didn't introduce myself, I joined the OSSG group today so hi folks :)
18:28:38 <hyakuhei> Nicely timed meeting, thanks bdpayne
18:28:44 <hyakuhei> Welcome tristanC !
18:28:50 <bdpayne> oh welcome!
18:28:50 <sriramhere> hi tristan
18:28:55 <bdpayne> brief intro tristanC?
18:28:59 <hyakuhei> Good meeting to attend!
18:29:01 <tristanC> thanks, nice to meet you
18:29:16 <nkinder> tristanC: welcome!
18:29:25 <tristanC> I work at eNovance, and I should specialise in OpenStack security matters
18:29:35 <bdpayne> great, glad to have you on board
18:29:40 <hyakuhei> +1
18:29:53 <sriramhere> +1
18:29:53 <bdpayne> perhaps chat on the ML about your interests so we can help you find ways to get involved
18:30:21 <bdpayne> ok, thanks all... have a good week
18:30:24 <bdpayne> #endmeeting