18:01:01 <bdpayne> #startmeeting OpenStack Security Group 18:01:02 <openstack> Meeting started Thu Mar 20 18:01:01 2014 UTC and is due to finish in 60 minutes. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot. 18:01:03 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 18:01:06 <openstack> The meeting name has been set to 'openstack_security_group' 18:01:14 <hyakuhei> Heh, I was just cheeking meetbot :) 18:01:16 <bdpayne> happy Thursday everyone 18:01:18 <hyakuhei> *checking 18:01:41 <bdpayne> #topic Roll Call 18:01:46 <nkinder> Hi all 18:01:46 <bdpayne> please check in 18:01:49 <bdpayne> o/ 18:01:52 * hyakuhei is here. 18:01:57 <bknudson> hi 18:02:21 <malini1> present :-) 18:02:36 <cfiorent> Hi, Cristian here 18:03:01 <bdpayne> alright... let's get started 18:03:05 <bdpayne> #topic Agenda 18:03:17 <paulmo> Paul Montgomery here 18:03:25 <chair6> <- jamie from HP here 18:03:27 <bdpayne> I can do a quick wrapup from the Lead election 18:03:37 <hyakuhei> OSSNs, Reviews, Future Project suggestions, Infrastructure projects 18:03:38 <bdpayne> what else is on the agenda? 18:03:42 <coasterz> o/ 18:03:52 <nkinder> I wanted to talk about SSL 18:04:03 <bdpayne> ok, lots of stuff 18:04:06 <nkinder> ...just in general for services/endpoints 18:04:19 <bdpayne> we'll get rolling right away... and I'll try to leave a little time at the end for other things 18:04:28 <bdpayne> #topic Elections 18:04:51 <bdpayne> As you all probably saw on the mailing list, Rob Clark was elected to the Lead role for the Juno cycle 18:04:55 <bdpayne> Congrats to Rob! 18:05:01 <bknudson> congrats to rob 18:05:03 <nkinder> congrats! 18:05:15 <hyakuhei> :) Thanks guys 18:05:42 <bdpayne> And thanks to everyone for participating in this process... I think we learned that this is truly a healthy group with lots of people wanting to contribute 18:05:51 <hyakuhei> Thanks to malini1 and sriram too 18:06:06 <bdpayne> Since Rob and I have been working closely already, the transition should be pretty straightforward 18:06:24 <bdpayne> But I'll be working with Rob over the next couple of months to formally hand everything over to him 18:07:01 <hyakuhei> It's going to be lots of fun... 18:07:11 <bdpayne> #topic OSSNs 18:07:24 <bdpayne> Where do we stand with OSSNs today? 18:07:28 <hyakuhei> nkinder: what's going on with the git/gerrit stuff? 18:07:38 <nkinder> There is a review request out to create the repo 18:07:46 <hyakuhei> link? 18:07:52 <nkinder> My understanding is that those are looked at on Fridays 18:07:56 <nkinder> fetching it... 18:08:12 <nkinder> https://review.openstack.org/#/c/73157/ 18:08:38 <hyakuhei> Thanks nkinder 18:08:46 <nkinder> annegentle will be changing her review to a +1 after a conversation we had earlier this morning 18:09:15 <nkinder> after it's in place, we can get the commit group set up, then look at auto-publishing and such 18:09:23 <hyakuhei> nkinder: yeah, looks like it's just tied up in technical stuff rather than any fundamental objections 18:09:27 <bknudson> who's openstack-security-notes-core 18:09:29 <hyakuhei> nkinder: This is going to be great 18:09:44 <nkinder> bknudson: to start, I asked for hyakuhei, bdpayne, and myself 18:10:25 <bknudson> ok, it's a new group. 18:10:30 <nkinder> bknudson: but we should certainly evaluate that further if others want to regularly get involved in OSSNs 18:10:33 <nkinder> bknudson: yes 18:10:41 <bdpayne> this should really help keep the OSSN process organized 18:10:44 <hyakuhei> The nice thing about this system is it's easy to track participation, the group will pretty much become self selecting over time I imagine :) 18:10:51 <hyakuhei> I'm very excited about it 18:10:56 <nkinder> me too 18:11:10 <bdpayne> are there any OSSNs that need an owner right now? 18:11:24 <bdpayne> s/owner/assignee/ 18:11:28 <hyakuhei> I think I saw at least one orphan 18:11:53 <hyakuhei> and bdpayne I think we still have a private one that needs to be addressed? 18:11:55 <nkinder> yes - https://bugs.launchpad.net/ossn/+bug/1287219 18:11:58 <uvirtbot> Launchpad bug 1287219 in keystone "scope of domain admin too broad in v3 policy sample" [Medium,Fix committed] 18:12:07 <hyakuhei> ^ Doesn't look too bad. 18:12:25 <hyakuhei> chair6: Do you have someone that could take a look at this? 18:12:48 <bdpayne> ah gotcha... let's sync on the private on after this meeting 18:12:52 <hyakuhei> yup 18:13:43 <chair6> hyakuhei - sure, i should be able to take that 18:13:55 <bdpayne> thanks chair6 18:14:03 <bdpayne> ok, any other OSSN discussion? 18:14:11 <hyakuhei> #action chair6 to find someone to take on 1287219 18:14:13 <bknudson> looking forward to the repo 18:14:35 <bknudson> I'll put it on my watch list 18:14:47 <bdpayne> nkinder can you send out an email to the list with details about the new setup once that goes through? 18:14:57 <nkinder> bdpayne: yep, will do 18:15:00 <bdpayne> thanks 18:15:04 <bdpayne> #topic Future Projects 18:15:05 <hyakuhei> Yes - nkinder are there any outstanding tasks or things you need support with for the OSSN migration etc? 18:15:31 <nkinder> hyakuhei: no, they're already migrated to the repo that will be used to initialize the new repo 18:15:43 <hyakuhei> Ah yes that's right :) 18:16:04 <bdpayne> hyakuhei wanted to talk about future projects... 18:16:27 <hyakuhei> Absolutely - so this is really an open point for ideas 18:16:58 <hyakuhei> I'd like to see more content around trusted compute pools in the guide, which I'm happy to work with malini1 on 18:17:17 <bdpayne> my #1 request... I'd like to see us get tightly integrated with the core projects 18:17:19 <hyakuhei> I'm also interested in what static analysis/ keyword checkers etc we can introduce into the infrastructure chain 18:17:26 <hyakuhei> bdpayne: yeah me too 18:17:32 <bknudson> what does this group look for for projects? updates/chapters to the security guide? 18:17:43 <bknudson> how about doing audits? 18:17:47 <malini1> bdpayne +1 on closer involvement with other projects 18:17:49 <bknudson> and the threat modeling 18:18:02 <hyakuhei> Actually that's a good point. Who here, in the OSSG, has good PTL contacts in an OpenStack project? 18:18:22 <bdpayne> and we should figure out how to re-kickstart the book editing work 18:18:35 <bdpayne> I work with the Glance PTL 18:18:39 <hyakuhei> bknudson: The threat modelling that's being discussed on the mailing list is very interesting 18:18:45 <malini1> bknudson: at the barbican meeting I raised the subject of a chapter on key manager, it is nearly out of incubation and I have a helper 18:18:51 <nkinder> I have PTL contacts too 18:18:56 <hyakuhei> I have infra, Ironic and Triple-O guys I can talk to 18:18:58 <bknudson> have you guys heard of FIPS 140-2? 18:19:06 <bknudson> and there's a NIST standard, too... 18:19:06 <hyakuhei> malini1: good idea 18:19:18 <hyakuhei> bknudson: what about fips? 18:19:23 <nkinder> bknudson: yes, familiar with fips 18:19:41 <hyakuhei> fips 140-2 use a really old version of openssl-kernel. fips 140-3 use superglue on your server chassis. 18:19:47 <hyakuhei> love fips :) 18:19:52 <bknudson> document how to run openstack in fips mode 18:19:57 <bknudson> if that's not documented already 18:20:09 <hyakuhei> It's certainly worth doing. There are a lot of decisions you can make that easily break fips 18:20:11 <bknudson> and validating it works via openstack CI would be great, too. 18:20:15 <bdpayne> sadly, that would probably be useful 18:20:49 <hyakuhei> With regards to chapters etc, in the guide, I think they're a good way to bring new people in. It's also a nice way to itroduce people to the review process etc 18:21:21 <bdpayne> so this is a great list 18:21:34 <bdpayne> I think my other caution would be to remember the size of our community 18:21:48 <bknudson> potentially, could have a "mode" for oslo.config that would only allow the "secure" setting. 18:21:49 <bdpayne> I think that we should find a small number of things that will have a high impact 18:21:55 <bdpayne> And then we should do those things *very* well 18:22:10 <bdpayne> That will allow our community to grow and get greater acceptance throughout OpenStack 18:22:15 <nkinder> bdpayne: +1 18:22:17 <bdpayne> and then we can gradually expand 18:22:23 <hyakuhei> bdpayne: agreed, but for now lets get everything down and then go through some prioritisation and get people to find what they want to contribute to 18:22:25 <malini1> bdpayne: +1 18:22:30 <bdpayne> so I'd just caution against diluting too fast 18:22:35 <hyakuhei> Yup 18:22:40 <bdpayne> yeah, makes sense 18:22:56 <hyakuhei> It'd be nice to pull out a few easy-wins too 18:23:10 <bdpayne> #topic Infra Improvements 18:23:17 <bdpayne> What, if anything, is needed here? 18:23:48 <hyakuhei> I'm interested in opportunities to hook checks into jenkins etc that check for obvious bad things 18:24:01 <bdpayne> ahh 18:24:10 <bdpayne> like some of the security testing stuff that we've discussed in the past? 18:24:14 <hyakuhei> Yeah 18:24:18 <nkinder> like static checks, or something more? 18:24:22 <bdpayne> I agree that would be nice 18:24:28 <bdpayne> but first step is to put together the tests 18:24:38 <hyakuhei> Yeah so SA _like_ Fortify or Coverity but also checks for stupid things 18:25:00 <hyakuhei> like pickle.loads 18:25:03 <bdpayne> python makes this a bit tricky, but some things can be done 18:25:07 <hyakuhei> Stuff like that which can sneak back in 18:25:12 <malini1> stupid things like "password" in a log statement 18:25:18 <hyakuhei> Exactly 18:25:25 <bdpayne> openstack is still at a point where you can nearly create a CVE generator using grep ;-) 18:25:38 <bdpayne> which means we can add value here 18:25:41 <hyakuhei> I think they are great high-value things to add, write once, catch many :) 18:25:55 <paulmo> I've been proposing identification and isolation of log/notification data up front in Solum to avoid searches for 'password'-like stuff that won't cover every scenario btw. 18:26:19 <hyakuhei> Makes sense 18:26:25 <bdpayne> so we've had a few false starts on security testing... I think we'd just need an owner for this idea that can really push it forward 18:26:41 <malini1> paulmo +1 18:26:46 <hyakuhei> Though in the run-testing we can introduce steps like 'staining' where we put known values in at the front end and see where and if they end up in bad places at the back end 18:26:46 <bknudson> are there any good python code scanners out there? 18:26:50 <bknudson> seems like an impossible task 18:27:10 <hyakuhei> SA for Python is spotty at best 18:27:15 <paulmo> https://github.com/stackforge/solum/blob/master/solum/common/trace_data.py is the link btw for those interested 18:27:19 <hyakuhei> Coverity and HP Fortify both have _some_ support 18:27:34 <bdpayne> yeah, doing this in python is hard 18:27:41 <bdpayne> but, even some basic checks could be useful 18:28:06 <hyakuhei> bdpayne: it is for static, but I think, with the way the OpenStack testing works, there are interesting DA opportunities too, though they may be a ways off 18:28:26 <bdpayne> yes, and yes 18:28:41 <bdpayne> ok... so I think this would be a great thing for someone to step up to do 18:28:42 <hyakuhei> One last thing - those security guidelines we were working on need fleshing out somewhat still I think 18:29:12 <bdpayne> yeah 18:29:26 <bdpayne> if done properly, those could be used as a conversation starter between the projects and OSSG 18:29:28 <nkinder> yes, they do. They could also be used as a basis for identifying the previously mentioned test areas 18:29:50 <hyakuhei> chair6: Do you think you could find someone to add content to https://wiki.openstack.org/wiki/Security/Guidelines ? 18:30:13 <bdpayne> "What do you, as a PTL, think about these guidelines... are the helpful / practical for your project? Is there something OSSG could do to help support making these kinds of things happen? Etc..." 18:30:16 <paulmo> I'll keep contributing as new items pop up in Solum that seem generic across openstack 18:30:32 <hyakuhei> ^ Great stuff. 18:30:44 <chair6> yeah, that looks like something useful to build out .. i'll get someone on it 18:30:54 <bdpayne> time check: we are over time right now... and still have one topic 18:31:03 <bdpayne> nkinder... you want to take the SSL discussion to the ML? 18:31:11 <nkinder> bdpayne: sure. 18:31:16 <bdpayne> ok, thanks 18:31:22 <hyakuhei> Thank you everyone! 18:31:35 <bdpayne> alright everyone... thanks for a nice meeting... let's go do some great work :-) 18:31:45 <bdpayne> #endmeeting