18:00:19 <bdpayne> #startmeeting OpenStack Security Group
18:00:20 <openstack> Meeting started Thu Jan 30 18:00:19 2014 UTC and is due to finish in 60 minutes. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:21 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:23 <openstack> The meeting name has been set to 'openstack_security_group'
18:00:34 <bdpayne> Hi security people :-)
18:00:39 <bdpayne> #topic Roll Call
18:00:48 <bknudson> hi
18:01:12 <bdpayne> o/
18:01:53 <bdpayne> While we are waiting for a few others to join in... I wanted to take a moment to mention that we have been doing these OSSG meetings for 1 year now
18:01:57 <bdpayne> Just passed 1 year last week
18:02:09 <bdpayne> Lots has happened in that short time!
18:02:49 <bknudson> this project sure seems to have a lot of people looking for vulnerabilities
18:03:02 <bdpayne> this project?
18:03:03 <bdpayne> OSSG?
18:03:11 <bknudson> the whole openstack project
18:03:15 <bdpayne> ahh
18:03:18 <bdpayne> that's a good thing
18:03:54 <hyakuhei> Hey, here. Sorry.
18:04:04 <bdpayne> hi there!
18:04:07 <hyakuhei> :D
18:04:19 <bdpayne> #topic Today's Agenda
18:04:22 <bpb> hi
18:04:27 <bdpayne> What would people like to discuss today?
18:04:31 <shohel> hi bryan
18:05:22 <bdpayne> No topics for discussion?
18:05:33 <bdpayne> Ok, I'd like to review the status of OSSNs
18:05:41 <nkinder> We still need to figure out summit talks.
18:05:43 <bdpayne> And look at how well we are addressing security review requests
18:05:44 <hyakuhei> We need moar!
18:06:01 <bdpayne> Yes, I have been completely negligent on the summit talk issue
18:06:12 <bdpayne> What is the deadline for summit talks again?
18:06:15 <nkinder> 2/14
18:06:28 <bdpayne> ok, I *will* get that discussion going this week
18:06:33 <hyakuhei> :)
18:06:45 * bdpayne needs to clone himself
18:07:13 <bdpayne> #topic OSSN
18:07:29 <bdpayne> hyakuhei what's the latest on the OSSN front?
18:07:35 <bdpayne> any more in the queue?
18:08:37 <bdpayne> I ran into an issue this week where it is all too easy to configure keystone to log db sql statements... which results in password hashes getting logged... may be a useful OSSN
18:09:24 <bdpayne> anyone else have comments on OSSNs?
18:09:29 <bdpayne> quiet group today
18:10:05 <bdpayne> very well then, I'll file a bug for my idea separately
18:10:08 <bknudson> how do you get keystone to log db sql statements?
18:10:11 <bdpayne> #topic Security Reviews
18:10:25 <bdpayne> bknudson it is through the sqlalchemy logging options
18:10:41 <bknudson> ok
18:11:12 <hyakuhei> sorry was afk. juggling calls.
18:11:23 <bdpayne> #topic Back to OSSN
18:11:35 <bdpayne> ok, hyakuhei I'll give you a second chance
18:11:38 <bdpayne> anything on OSSN to report?
18:11:40 <hyakuhei> I don't think we have much at all in the queue atm
18:11:55 <hyakuhei> Process for refining still requires me and nkinder to get together.
18:12:22 <hyakuhei> We still have the vnc one but that's it
18:12:32 <bdpayne> there is the one issue that hyakuhei and I have been in discussion with the VMT on... but I think that's still embargoed so I won't mention it here
18:12:35 <hyakuhei> I like the idea of moving to gerrit for this, having stuff in git, commenting etc.
18:12:38 <bdpayne> likely to result in an OSSN, I think
18:12:40 <hyakuhei> Yes. That's a mess.
18:12:57 <bdpayne> who's taking the lead on getting things set up on gerrit?
18:13:05 <bdpayne> and git
18:13:13 <hyakuhei> I'd like for it to be someone that isn't me...
18:13:16 <bdpayne> nkinder?
18:13:41 <hyakuhei> I shouldn't think it'll be too hard. We've got a few PTLs around here, I'm sure I can bug some of them for help.
18:14:06 <bdpayne> sure, we just need someone to take ownership of that
18:14:12 <bdpayne> otherwise it won't happen
18:14:13 <nkinder> Yes, this is on my plate.
18:14:17 <bdpayne> ah, great
18:14:18 <nkinder> Been sick this week
18:14:23 <bdpayne> ahh, sorry to hear that
18:14:36 <bdpayne> ok, so nkinder is on it
18:14:41 <nkinder> yep
18:14:48 <bdpayne> anything else on OSSNs?
18:15:00 <bdpayne> ok, pushing ahead...
18:15:05 <hyakuhei> Get less sick soon nkinder
18:15:06 <bdpayne> #topic Security Reviews
18:15:22 <bdpayne> This topic has two points
18:15:23 <hyakuhei> I'll send an email around about the security review tomorrow
18:15:26 <bdpayne> 1) Ironic security review
18:15:29 <bdpayne> is this happening?
18:15:51 <bdpayne> hyakuhei what is the security review tomorrow?
18:15:53 <hyakuhei> Introducing ironic people and a few others to the OSSG, suggesting possible approaches in a general getting-the-ball-moving sort of way.
18:16:04 <hyakuhei> bdpayne: no, I'll actually do some work on starting it tomorrow
18:16:20 <bdpayne> gotcha... so yeah, please do send out that email
18:16:31 <bdpayne> a little more advance notice is always nice, when possible ;-)
18:16:53 <bdpayne> 2) the other issue on my mind is the general code security reviews
18:17:05 <bdpayne> Many of you are seeing the emails about security impact in a PR
18:17:16 <bdpayne> I'd like to track how well we are responding to those requests
18:17:27 <bdpayne> Is there anyone that is willing to do a little digging on that front?
18:17:30 <hyakuhei> Yeah they're kinda clunky because we get hit with every change.
18:17:45 <bdpayne> Basically to look at PRs that are tagged, and see if there are reviews on them from OSSG members?
18:18:30 <bdpayne> ok, I think this would be valuable information to have
18:18:40 <bdpayne> as I'd like to understand if this mechanism is working or not
18:18:50 <bdpayne> let's keep it in mind as a potential task for a new member
18:18:56 <nkinder> my guess is that a lot of them are slipping through
18:19:03 <bdpayne> this is my guess as well
18:19:10 <bdpayne> which brings me to my next point
18:19:25 <bdpayne> I think it would be useful to have a person or a small team that is responsible for that process
18:19:40 <bknudson> I do a lot of reviews in keystone... but not because of the SecurityImpact.
18:19:47 <bdpayne> so they would track the PRs and either provide the reviews themselves or find the right person to provide that review
18:20:03 <bdpayne> bknudson, yeah, that makes sense
18:20:05 <hyakuhei> +1 good idea
18:20:23 <bknudson> is the SecurityImpact review a full review or more of a quick look to see if there's a problem?
18:20:31 <bdpayne> perhaps this is where I need to email the group and solicit some people that are willing to take this on
18:20:42 <bdpayne> #action bdpayne to build out a security impact review team
18:20:46 <bknudson> if it's not a full review (since we're not familiar with the code in the project), I'd think you wouldn't want to even leave a vote.
18:21:05 <bknudson> unless you noticed a security problem.
18:21:16 <bdpayne> in that case, I would want the team to try to find a good person to do that review
18:21:22 <bdpayne> but, yes, I agree
18:21:40 <bdpayne> #topic Open Discussion
18:21:55 <bdpayne> So I'd like to get an update from the book editors
18:21:59 <bdpayne> I haven't seen them in a while
18:22:00 <bknudson> so there's one in nova right now... https://review.openstack.org/#/c/40467/
18:22:24 <bdpayne> yeah, that one has been going through review for a long time
18:22:43 <bdpayne> Beyond the book, anything else that people would like to see in here in future weeks?
18:22:44 <bknudson> 68 patch sets, wow.
18:23:08 <bdpayne> I'd like to start pulling in the right people so that we can have the discussions needed to keep things moving forward
18:23:22 <bdpayne> And I just want to make sure that I'm not missing important ongoing efforts
18:24:43 <bknudson> so if this was a security review of 40467, I'd ask if "aes-xts-plain64" was a good default cipher and 512 was a good default size for the key
18:25:02 <bdpayne> ha
18:25:06 <bdpayne> those would be reasonable questions
18:25:21 <bknudson> are those the kind of things you'd expect of a security review? (I don't know the answer to either)
18:25:46 <bdpayne> ideally, I'd want a security reviewer to find stuff like that and suggest the right options
18:25:54 <bdpayne> I'd also want them to look for general security coding issues
18:26:04 <bdpayne> like shelling out, input validation, etc
18:26:36 <bdpayne> ok, sounds like there's not much more on people's minds today
18:26:49 <bdpayne> that's all that I have for today
18:26:54 <bdpayne> #endmeeting