18:02:21 <bdpayne> #startmeeting OpenStack Security Group
18:02:22 <openstack> Meeting started Thu Jan 9 18:02:21 2014 UTC and is due to finish in 60 minutes. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:02:23 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:02:25 <openstack> The meeting name has been set to 'openstack_security_group'
18:02:29 <bdpayne> hi everyone
18:02:31 <tristanC> Hello :)
18:02:32 <hyakuhei> Woo, I'm here _again_ :D
18:02:39 <bpb> hi
18:02:43 <bdpayne> hopefully everyone enjoyed a little time off
18:02:52 <nkinder> Hi all
18:02:55 <paulmo> Yep!
18:03:21 <bdpayne> #topic Agenda
18:03:46 <bdpayne> hyakuhei pinged me about an Ironic security review
18:03:52 <bdpayne> I'd like to discuss that a bit today
18:03:58 <bdpayne> anything else on people's radar?
18:04:01 <hyakuhei> Yes I did! There's going to be one, it's very exciting :D
18:04:36 <tristanC> bdpayne: I have a few questions on pending ossa bugs
18:04:46 <hyakuhei> OSSA or OSSN?
18:04:55 <tristanC> OSSA
18:04:58 <bdpayne> Re OSSA... note that we shouldn't discuss embargoed things here
18:05:02 <nkinder> bdpayne: I'd like to discuss the cross-project security guidelines too
18:05:23 <nkinder> ...and status on in-progress OSSNs
18:05:33 <bdpayne> ok great, sounds like a full agenda
18:05:49 <bdpayne> #topic Ironic Security Review
18:05:58 <bdpayne> Rob... care to provide some context / details?
18:06:07 <hyakuhei> Devananda has asked me to organise a review of Ironic
18:06:28 <hyakuhei> Initially I was going to do a HP Cloud review but I figured it would be a good platform to try an OSSG review
18:07:02 <hyakuhei> Threat Analysis -> Code Analysis basically, I have a few example documents I can share and I can bring in some resource to help
18:07:17 <hyakuhei> It makes sense to do a security review on Baremetal as a) it's actually quite small
18:07:27 <hyakuhei> and b) it's terrifyingly insecure
18:07:48 <hyakuhei> Format is to be decided yet but I'd like to know who's interested in helping out
18:07:59 <hyakuhei> We've got buy in from several core contributors
18:08:14 <hyakuhei> so it's a great project to start with and refine the process.... thoughts?
18:08:35 <bdpayne> yeah, this sounds interesting
18:08:48 <bdpayne> I'll be happy to be involved in that
18:08:59 <bdpayne> we were already planning on beating up Ironic a bit in the near term
18:09:02 <bdpayne> so this fits in nicely
18:09:05 <bdpayne> :-)
18:09:49 <hyakuhei> Jolly good, more info to follow towards the end of Jan, as Devananda will be back in his home timezone then
18:10:03 <nkinder> hyakuhei: by "process", do you mean the process of OSSG reviewing design/code for a project?
18:10:08 <hyakuhei> yup
18:10:23 <nkinder> I'd like to help with that aspect
18:10:47 <hyakuhei> Establish the scope, the inputs required, various stakeholders that need to be found, and get a good feel for what the output should look/feel like
18:11:07 <bdpayne> yeah
18:11:13 <bdpayne> in fact, perhaps a small group to do that to start
18:11:25 <bdpayne> and then from there we can figure out what skills are really needed for the full review
18:11:26 <nkinder> That would be great
18:11:37 <hyakuhei> Yeah I'd be up for that - kinda my dayjob anyway...
18:11:49 <bdpayne> you're a lucky man
18:12:05 <hyakuhei> _so_ lucky
18:12:27 <bdpayne> #action hyakuhei bdpayne and nkinder to set up plan of attack for Ironic security review
18:12:34 <hyakuhei> output wise something like http://homes.cs.washington.edu/~aczeskis/research/pubs/UW-CSE-13-08-02.PDF might be worth considering, seems to have been reasonably well received
18:13:22 <bdpayne> nice author list ;-)
18:13:35 <bdpayne> but yeah, that looks nice
18:13:52 <bdpayne> when should we have the plan of attack nailed down?
18:13:59 <bdpayne> let's set a deadline for ourselves here
18:14:13 <hyakuhei> I'd like to have it 'kick off' 1st of feb.
18:14:31 <hyakuhei> That is to say, we've worked out the basic wants/outputs by then, that'll be when the work starts
18:14:43 <bdpayne> ok, that works reasonably well with my schedule
18:14:48 <bdpayne> nkinder good with you?
18:14:58 <nkinder> I'm out of the country for the first 1.5 weeks of Feb, but it'd be nice to work on the plan before then.
18:14:59 <hyakuhei> We could feasibly do it sooner but the stakeholders from Ironic won't be ready any sooner anyway.
18:15:16 <bdpayne> ok, sounds good
18:15:27 <nkinder> I'll be online and around though
18:15:34 <bdpayne> hyakuhei I'll let you take the lead on getting the three of us in motion on this
18:15:42 <bdpayne> but I'm happy to pitch in
18:15:50 <hyakuhei> Cheers, I'll be in touch.
18:16:05 <bdpayne> ok, moving ahead
18:16:18 <bdpayne> #topic OSSA reviews (non embargoed discussion only please!)
18:16:22 <bdpayne> tristanC you had something here?
18:16:40 <tristanC> bdpayne: yes thanks, I meant public OSSA listed there: https://bugs.launchpad.net/ossa
18:16:59 <tristanC> The last one (#1174660 - when client disconnected, garbage collecting is too heavy) is marked as incomplete. I wonder what is missing
18:17:26 <bdpayne> not sure, that would be best answered by the VMT
18:17:57 <bdpayne> perhaps Thierry
18:17:58 <tristanC> I mean, the OSSA is unassigned, and the bug is quite old already...
18:18:08 <bdpayne> I'd suggest commenting on the bug
18:18:12 <hyakuhei> Heh, I commented on that one, this must be from quite a while ago...
18:18:16 <bdpayne> that will invoke a response
18:18:28 <tristanC> bdpayne: ok, good
18:18:37 <bdpayne> excellent, anything else about OSSA?
18:18:41 <tristanC> well that was it, the others are ongoing work
18:18:51 <tristanC> thanks :)
18:18:58 <hyakuhei> Ongoing, but announced.
18:19:06 <bdpayne> #topic Current OSSN Work
18:19:13 <bdpayne> nkinder had some questions here?
18:19:29 <nkinder> First just a status update...
18:19:42 <nkinder> Sriram is updating his OSSN based off of my review.
18:20:03 <nkinder> The other pending Keystone OSSN I am writing up currently. Should be ready for a review later today.
18:20:05 <hyakuhei> We need a way to up the cadence on these
18:20:16 <hyakuhei> nkinder: Mail me and I'll review it when you're ready.
18:20:18 <nkinder> hyakuhei: +1
18:20:35 <nkinder> hyakuhei: Before the holidays, you had an action to "fix everything". :)
18:20:43 <hyakuhei> nkinder: sssh.
18:20:48 <nkinder> I think that was in relation to defining process around OSSN
18:20:59 <hyakuhei> Incidentally, I will address them this week
18:21:07 <hyakuhei> They're on my list - promise
18:21:13 <nkinder> Ok, I'm happy to help here too.
18:21:21 <malini1> Folks, I can help on OSSNs, back to work in earnest
18:21:47 <nkinder> hyakuhei: If you want me to help write up some of the process stuff on the wiki, I can take a stab at it today or tomorrow.
18:22:02 <nkinder> ...or I can wait if you have it in progress
18:22:11 <hyakuhei> I won't have the bandwidth until early next week, if you're available go nuts, we'll bash it out between us
18:22:20 <nkinder> Cool. I'll let you know.
18:22:29 <nkinder> That's it on OSSN related stuff for me.
18:22:53 <tristanC> where can we find the pending ossn ?
18:22:57 <hyakuhei> https://bugs.launchpad.net/ossn/+bugs
18:23:07 <bdpayne> #topic Cross Project Security Guidelines
18:23:22 <bdpayne> ok, we have the rest of the time (~5min) to discuss this
18:23:25 <hyakuhei> Guideline 1. Read the security guide! :D
18:23:31 <bdpayne> heh
18:23:36 <tristanC> hyakuhei: ok thanks
18:23:39 <bdpayne> I think the idea here is code-level security tips
18:23:44 <hyakuhei> Not actually that valuable to a developer.
18:23:49 <nkinder> For the security guidelines, I stole what paulmo started with and started creating a central area on the wiki
18:24:02 <bdpayne> perfect, that was a nice starting place
18:24:04 <paulmo> Reference: https://wiki.openstack.org/wiki/Solum/SecurityRequirements
18:24:04 <nkinder> https://wiki.openstack.org/wiki/Security/Guidelines
18:24:19 <hyakuhei> Yes, are we talking basic python security or 'don't do stupid things like build a broadcast RPC layer without AuthN/Z or source attestation' ?
18:24:21 <nkinder> I took out Solum specific stuff (very little)
18:24:55 <nkinder> paulmo: I think you can clean up the Solum stuff to reference this central area for the OSSG related items.
18:25:01 <bdpayne> hyakuhei a bit of both
18:25:07 <paulmo> Yep! Will do
18:25:17 <hyakuhei> Sounds good. So who's leading this? I'd like to help
18:25:29 <bdpayne> I would like to see some cross over between these guidelines and the Ironic review
18:25:29 <nkinder> paulmo and I so far
18:25:39 <bdpayne> separate efforts, to be sure
18:25:49 <hyakuhei> Where 'help'==Email me a specific task and I'll get it done
18:25:53 <bdpayne> but, to apply these to Ironic to understand where the shortcomings are
18:26:04 <hyakuhei> Sounds good
18:26:11 <hyakuhei> I like how this could combine with the review work
18:26:18 <bdpayne> and to have the Ironic review team feed back into the guidelines for other areas that need addressing
18:26:19 <bdpayne> etc
18:26:19 <nkinder> Ok. I think I'd like to populate the "Details Link" pages that don't exist next.
18:26:37 <nkinder> and yes, feedback would be great from projects
18:26:43 <hyakuhei> Ok I'll take a stab at populating one or two tomorrow
18:26:59 <hyakuhei> And will try to get some of our internal people to have a look / feedback
18:27:09 <paulmo> PS: Thanks for maintaining the handy links for use in Gerrit reviews. :)
18:27:14 <nkinder> Great. This one is a good start - https://wiki.openstack.org/wiki/Security/Guidelines/logging_guidelines
18:27:22 <nkinder> paulmo: yes, I like that idea.
18:27:41 <nkinder> I'm going to go through all OSSNs to see that they all fit into these topics
18:27:54 <nkinder> It would be good to plan on that for OSSAs too
18:28:23 <nkinder> That's it from me.
18:28:33 <bdpayne> #topic Wrapup
18:28:39 <bdpayne> so let's record the other actions
18:29:11 <bdpayne> what else are people committing to here? :-)
18:29:31 <ewindisch> hello - back from the dead.
18:29:35 <hyakuhei> nkinder: love the idea of tying this into OSSNs too
18:29:51 <nkinder> #action nkinder to go through OSSNs to ensure security guidelines cover them
18:29:56 <ewindisch> I still have that long-outstanding action to drive a sprint. I haven't actually forgotten about it.
18:29:56 <hyakuhei> Applying RCA for OSSA and seeing where guidelines could have helped would be an excellent idea too
18:30:11 <bdpayne> #action hyakuhei to fill in some details links at https://wiki.openstack.org/wiki/Security/Guidelines
18:30:30 <bdpayne> #action kyakuhei and nkinder to organize OSSN process
18:30:43 <hyakuhei> Take that "kyakuhei"
18:30:44 <malini1> hyakuhei: RCA? ewindisch: welcome back and what sprint?
18:30:56 <bdpayne> #action hyakuhei and nkinder to organize OSSN process
18:30:59 <bdpayne> that's better
18:31:00 <nkinder> #action paulmo to clean up Solum security guidelines to prevent duplication with OSSG page
18:31:02 <hyakuhei> damn it
18:31:08 <ewindisch> malini1: I had proposed driving a security-focused developer sprint back during the summit.
18:31:09 <hyakuhei> malini1: Root Cause Analysis
18:31:14 <paulmo> Will do! :)
18:31:25 <hyakuhei> (who fsked up)
18:31:32 <ewindisch> malini1: then I changed my job and things have been in upheaval for me. I'm just now settling down where I can think about it again.
18:31:41 <bdpayne> #action ewindisch to drive security sprint
18:31:55 <bdpayne> and welcome back ewindisch
18:32:00 <hyakuhei> +1
18:32:03 <ewindisch> bdpayne: thanks.
18:32:13 <malini1> Give me a baby task and I shall warm up
18:32:24 <malini1> maybe an OSSN to research and write up
18:32:24 <hyakuhei> Review the current OSSNs that are pending
18:32:25 <nkinder> #action nkinder to finish Keystone OSSN and send out for review
18:32:38 <bdpayne> #action malini1 to review current pending OSSNs
18:32:46 <malini1> hyakuhei: OK, will do
18:32:55 <bdpayne> ok, that's about all we have time for today
18:32:58 <bdpayne> thanks everyone!
18:33:05 <hyakuhei> good meeting, thanks bdpayne
18:33:08 <nkinder> Thanks!
18:33:15 <bdpayne> #endmeeting