18:01:01 <bdpayne> #startmeeting OpenStack Security Group
18:01:02 <openstack> Meeting started Thu Mar 20 18:01:01 2014 UTC and is due to finish in 60 minutes.  The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:03 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:01:06 <openstack> The meeting name has been set to 'openstack_security_group'
18:01:14 <hyakuhei> Heh, I was just cheeking meetbot :)
18:01:16 <bdpayne> happy Thursday everyone
18:01:18 <hyakuhei> *checking
18:01:41 <bdpayne> #topic Roll Call
18:01:46 <nkinder> Hi all
18:01:46 <bdpayne> please check in
18:01:49 <bdpayne> o/
18:01:52 * hyakuhei is here.
18:01:57 <bknudson> hi
18:02:21 <malini1> present :-)
18:02:36 <cfiorent> Hi, Cristian here
18:03:01 <bdpayne> alright... let's get started
18:03:05 <bdpayne> #topic Agenda
18:03:17 <paulmo> Paul Montgomery here
18:03:25 <chair6> <- jamie from HP here
18:03:27 <bdpayne> I can do a quick wrapup from the Lead election
18:03:37 <hyakuhei> OSSNs, Reviews, Future Project suggestions, Infrastructure projects
18:03:38 <bdpayne> what else is on the agenda?
18:03:42 <coasterz> o/
18:03:52 <nkinder> I wanted to talk about SSL
18:04:03 <bdpayne> ok, lots of stuff
18:04:06 <nkinder> ...just in general for services/endpoints
18:04:19 <bdpayne> we'll get rolling right away... and I'll try to leave a little time at the end for other things
18:04:28 <bdpayne> #topic Elections
18:04:51 <bdpayne> As you all probably saw on the mailing list, Rob Clark was elected to the Lead role for the Juno cycle
18:04:55 <bdpayne> Congrats to Rob!
18:05:01 <bknudson> congrats to rob
18:05:03 <nkinder> congrats!
18:05:15 <hyakuhei> :) Thanks guys
18:05:42 <bdpayne> And thanks to everyone for participating in this process... I think we learned that this is truly a healthy group with lots of people wanting to contribute
18:05:51 <hyakuhei> Thanks to malini1 and sriram too
18:06:06 <bdpayne> Since Rob and I have been working closely already, the transition should be pretty straightforward
18:06:24 <bdpayne> But I'll be working with Rob over the next couple of months to formally hand everything over to him
18:07:01 <hyakuhei> It's going to be lots of fun...
18:07:11 <bdpayne> #topic OSSNs
18:07:24 <bdpayne> Where do we stand with OSSNs today?
18:07:28 <hyakuhei> nkinder: what's going on with the git/gerrit stuff?
18:07:38 <nkinder> There is a review request out to create the repo
18:07:46 <hyakuhei> link?
18:07:52 <nkinder> My understanding is that those are looked at on Fridays
18:07:56 <nkinder> fetching it...
18:08:12 <nkinder> https://review.openstack.org/#/c/73157/
18:08:38 <hyakuhei> Thanks nkinder
18:08:46 <nkinder> annegentle will be changing her review to a +1 after a conversation we had earlier this morning
18:09:15 <nkinder> after it's in place, we can get the commit group set up, then look at auto-publishing and such
18:09:23 <hyakuhei> nkinder: yeah, looks like it's just tied up in technical stuff rather than any fundamental objections
18:09:27 <bknudson> who's openstack-security-notes-core
18:09:29 <hyakuhei> nkinder: This is going to be great
18:09:44 <nkinder> bknudson: to start, I asked for hyakuhei, bdpayne, and myself
18:10:25 <bknudson> ok, it's a new group.
18:10:30 <nkinder> bknudson: but we should certainly evaluate that further if others want to regularly get involved in OSSNs
18:10:33 <nkinder> bknudson: yes
18:10:41 <bdpayne> this should really help keep the OSSN process organized
18:10:44 <hyakuhei> The nice thing about this system is it's easy to track participation, the group will pretty much become self selecting over time I imagine :)
18:10:51 <hyakuhei> I'm very excited about it
18:10:56 <nkinder> me too
18:11:10 <bdpayne> are there any OSSNs that need an owner right now?
18:11:24 <bdpayne> s/owner/assignee/
18:11:28 <hyakuhei> I think I saw at least one orphan
18:11:53 <hyakuhei> and bdpayne I think we still have a private one that needs to be addressed?
18:11:55 <nkinder> yes - https://bugs.launchpad.net/ossn/+bug/1287219
18:11:58 <uvirtbot> Launchpad bug 1287219 in keystone "scope of domain admin too broad in v3 policy sample" [Medium,Fix committed]
18:12:07 <hyakuhei> ^ Doesn't look too bad.
18:12:25 <hyakuhei> chair6: Do you have someone that could take a look at this?
18:12:48 <bdpayne> ah gotcha... let's sync on the private one after this meeting
18:12:52 <hyakuhei> yup
18:13:43 <chair6> hyakuhei - sure, i should be able to take that
18:13:55 <bdpayne> thanks chair6
18:14:03 <bdpayne> ok, any other OSSN discussion?
18:14:11 <hyakuhei> #action chair6 to find someone to take on 1287219
18:14:13 <bknudson> looking forward to the repo
18:14:35 <bknudson> I'll put it on my watch list
18:14:47 <bdpayne> nkinder can you send out an email to the list with details about the new setup once that goes through?
18:14:57 <nkinder> bdpayne: yep, will do
18:15:00 <bdpayne> thanks
18:15:04 <bdpayne> #topic Future Projects
18:15:05 <hyakuhei> Yes - nkinder are there any outstanding tasks or things you need support with for the OSSN migration etc?
18:15:31 <nkinder> hyakuhei: no, they're already migrated to the repo that will be used to initialize the new repo
18:15:43 <hyakuhei> Ah yes that's right :)
18:16:04 <bdpayne> hyakuhei wanted to talk about future projects...
18:16:27 <hyakuhei> Absolutely - so this is really an open point for ideas
18:16:58 <hyakuhei> I'd like to see more content around trusted compute pools in the guide, which I'm happy to work with malini1 on
18:17:17 <bdpayne> my #1 request... I'd like to see us get tightly integrated with the core projects
18:17:19 <hyakuhei> I'm also interested in what static analysis/ keyword checkers etc we can introduce into the infrastructure chain
18:17:26 <hyakuhei> bdpayne: yeah me too
18:17:32 <bknudson> what does this group look for for projects? updates/chapters to the security guide?
18:17:43 <bknudson> how about doing audits?
18:17:47 <malini1> bdpayne +1 on closer involvement with other projects
18:17:49 <bknudson> and the threat modeling
18:18:02 <hyakuhei> Actually that's a good point. Who here, in the OSSG, has good PTL contacts in an OpenStack project?
18:18:22 <bdpayne> and we should figure out how to re-kickstart the book editing work
18:18:35 <bdpayne> I work with the Glance PTL
18:18:39 <hyakuhei> bknudson: The threat modelling that's being discussed on the mailing list is very interesting
18:18:45 <malini1> bknudson: at the barbican meeting I raised the subject of a chapter on key manager, it is nearly out of incubation and I have a helper
18:18:51 <nkinder> I have PTL contacts too
18:18:56 <hyakuhei> I have infra, Ironic and Triple-O guys I can talk to
18:18:58 <bknudson> have you guys heard of FIPS 140-2?
18:19:06 <bknudson> and there's a NIST standard, too...
18:19:06 <hyakuhei> malini1: good idea
18:19:18 <hyakuhei> bknudson: what about fips?
18:19:23 <nkinder> bknudson: yes, familiar with fips
18:19:41 <hyakuhei> fips 140-2 uses a really old version of openssl-kernel. fips 140-3 uses superglue on your server chassis.
18:19:47 <hyakuhei> love fips :)
18:19:52 <bknudson> document how to run openstack in fips mode
18:19:57 <bknudson> if that's not documented already
18:20:09 <hyakuhei> It's certainly worth doing. There are a lot of decisions you can make that easily break fips
18:20:11 <bknudson> and validating it works via openstack CI would be great, too.
18:20:15 <bdpayne> sadly, that would probably be useful
18:20:49 <hyakuhei> With regards to chapters etc, in the guide, I think they're a good way to bring new people in. It's also a nice way to introduce people to the review process etc
18:21:21 <bdpayne> so this is a great list
18:21:34 <bdpayne> I think my other caution would be to remember the size of our community
18:21:48 <bknudson> potentially, could have a "mode" for oslo.config that would only allow the "secure" setting.
18:21:49 <bdpayne> I think that we should find a small number of things that will have a high impact
18:21:55 <bdpayne> And then we should do those things *very* well
18:22:10 <bdpayne> That will allow our community to grow and get greater acceptance throughout OpenStack
18:22:15 <nkinder> bdpayne: +1
18:22:17 <bdpayne> and then we can gradually expand
18:22:23 <hyakuhei> bdpayne: agreed, but for now let's get everything down and then go through some prioritisation and get people to find what they want to contribute to
18:22:25 <malini1> bdpayne: +1
18:22:30 <bdpayne> so I'd just caution against diluting too fast
18:22:35 <hyakuhei> Yup
18:22:40 <bdpayne> yeah, makes sense
18:22:56 <hyakuhei> It'd be nice to pull out a few easy-wins too
18:23:10 <bdpayne> #topic Infra Improvements
18:23:17 <bdpayne> What, if anything, is needed here?
18:23:48 <hyakuhei> I'm interested in opportunities to hook checks into jenkins etc that check for obvious bad things
18:24:01 <bdpayne> ahh
18:24:10 <bdpayne> like some of the security testing stuff that we've discussed in the past?
18:24:14 <hyakuhei> Yeah
18:24:18 <nkinder> like static checks, or something more?
18:24:22 <bdpayne> I agree that would be nice
18:24:28 <bdpayne> but first step is to put together the tests
18:24:38 <hyakuhei> Yeah so SA _like_ Fortify or Coverity but also checks for stupid things
18:25:00 <hyakuhei> like pickle.loads
18:25:03 <bdpayne> python makes this a bit tricky, but some things can be done
18:25:07 <hyakuhei> Stuff like that which can sneak back in
18:25:12 <malini1> stupid things like "password" in a log statement
18:25:18 <hyakuhei> Exactly
18:25:25 <bdpayne> openstack is still at a point where you can nearly create a CVE generator using grep ;-)
18:25:38 <bdpayne> which means we can add value here
18:25:41 <hyakuhei> I think they are great high-value things to add, write once, catch many :)
18:25:55 <paulmo> I've been proposing identification and isolation of log/notification data up front in Solum to avoid searches for 'password'-like stuff that won't cover every scenario btw.
18:26:19 <hyakuhei> Makes sense
18:26:25 <bdpayne> so we've had a few false starts on security testing... I think we'd just need an owner for this idea that can really push it forward
18:26:41 <malini1> paulmo +1
18:26:46 <hyakuhei> Though in the run-testing we can introduce steps like 'staining' where we put known values in at the front end and see where and if they end up in bad places at the back end
18:26:46 <bknudson> are there any good python code scanners out there?
18:26:50 <bknudson> seems like an impossible task
18:27:10 <hyakuhei> SA for Python is spotty at best
18:27:15 <paulmo> https://github.com/stackforge/solum/blob/master/solum/common/trace_data.py is the link btw for those interested
18:27:19 <hyakuhei> Coverity and HP Fortify both have _some_ support
18:27:34 <bdpayne> yeah, doing this in python is hard
18:27:41 <bdpayne> but, even some basic checks could be useful
18:28:06 <hyakuhei> bdpayne: it is for static, but I think, with the way the OpenStack testing works, there are interesting DA opportunities too, though they may be a ways off
18:28:26 <bdpayne> yes, and yes
18:28:41 <bdpayne> ok... so I think this would be a great thing for someone to step up to do
18:28:42 <hyakuhei> One last thing - those security guidelines we were working on need fleshing out somewhat still I think
18:29:12 <bdpayne> yeah
18:29:26 <bdpayne> if done properly, those could be used as a conversation starter between the projects and OSSG
18:29:28 <nkinder> yes, they do.  They could also be used as a basis for identifying the previously mentioned test areas
18:29:50 <hyakuhei> chair6: Do you think you could find someone to add content to https://wiki.openstack.org/wiki/Security/Guidelines ?
18:30:13 <bdpayne> "What do you, as a PTL, think about these guidelines... are they helpful / practical for your project?  Is there something OSSG could do to help support making these kinds of things happen?  Etc..."
18:30:16 <paulmo> I'll keep contributing as new items pop up in Solum that seem generic across openstack
18:30:32 <hyakuhei> ^ Great stuff.
18:30:44 <chair6> yeah, that looks like something useful to build out .. i'll get someone on it
18:30:54 <bdpayne> time check: we are over time right now... and still have one topic
18:31:03 <bdpayne> nkinder... you want to take the SSL discussion to the ML?
18:31:11 <nkinder> bdpayne: sure.
18:31:16 <bdpayne> ok, thanks
18:31:22 <hyakuhei> Thank you everyone!
18:31:35 <bdpayne> alright everyone... thanks for a nice meeting... let's go do some great work :-)
18:31:45 <bdpayne> #endmeeting