18:00:36 #startmeeting OpenStack Security Group
18:00:37 Meeting started Thu Apr 3 18:00:36 2014 UTC and is due to finish in 60 minutes. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:38 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:41 The meeting name has been set to 'openstack_security_group'
18:01:02 hi
18:01:02 for those that have been hanging out, you may have noticed that hyakuhei held an OSSG meeting here an hour ago
18:01:12 http://eavesdrop.openstack.org/meetings/openstack_security_group/2014/openstack_security_group.2014-04-03-17.02.log.html
18:01:21 ahaa !
18:01:21 He is time zone impaired ;-)
18:01:28 But, this is the normal meeting time
18:01:43 So I wanted to touch base and make sure that we covered everything that people would like to discuss
18:01:57 With that said...
18:02:03 #topic Roll Call
18:02:08 Who is here?
18:02:20 hi
18:02:24 Hi, Cristian here
18:03:43 Brant - IBM
18:03:46 ok... so I was just reading through the previous meeting's minutes
18:03:51 #topic Agenda
18:04:10 Looks like they discussed OSSNs and a few other smaller topics
18:04:51 Is everyone aware of the new OSSN process?
18:05:02 we are now set up to review OSSNs in gerrit
18:05:07 and they are all stored in git
18:05:12 a much nicer setup
18:05:18 we already ran one through the system this week
18:05:21 and it's working nicely
18:05:21 what's the gerrit project?
18:05:29 one sec, I'll find it
18:06:04 https://review.openstack.org/#/q/status:merged+project:openstack/openstack-security-notes,n,z
18:06:12 found it
18:06:25 ah yeah
18:06:29 you're faster than I
18:06:31 :-)
18:06:33 see also http://git.openstack.org/cgit/openstack/openstack-security-notes/
18:06:59 I'll add it to the watch list.
18:07:34 +1, i will too
18:07:45 great
18:07:56 anything else in particular that people would like to discuss today?
18:07:56 what's the format? plain text?
18:08:27 there's a template
18:08:38 http://git.openstack.org/cgit/openstack/openstack-security-notes/tree/templates
18:08:52 but yes, structured text
18:09:00 well, lightly structured ;-)
18:09:02 just wondering if it's rst or the doc xml
18:09:17 docbook xml
18:09:41 oh, nothing like that
18:09:45 basically plain text
18:10:15 ok, I don't have an argument for docbook or rst.
18:11:08 so I don't have a specific agenda for today, and it appears that much of the discussion happened in the meeting an hour ago
18:11:21 are there other topics you guys want to discuss here?
18:11:28 referring to Security Guidelines, I went ahead and added a new guideline I found was missing (about input validation); just wanted to know if there is any process for reviewing info in this wiki?
18:11:35 https://wiki.openstack.org/wiki/Security/Guidelines
18:11:49 oh thanks
18:12:02 so there's nothing formal for reviewing that yet
18:12:12 as you make changes, it could be nice to just mention it on the ML
18:12:17 that way people can discuss / track
18:12:31 in time, we may want to move stuff like this into git
18:12:39 but right now it's an early stage WIP
18:12:43 so the wiki feels right
18:12:50 ok, fine. Thanks.
18:12:55 having said all of that
18:13:01 input validation is a very good one to have
18:13:10 on a related note
18:13:15 adding input validation is a great addition...
18:13:16 Nova is putting together a formal BP template
18:13:22 now we just have to do it in keystone
18:13:36 And I added a section to their template to discuss security impact
18:13:42 In that section, I reference this wiki page
18:13:56 I think it would be great if all of the projects did something similar
18:14:10 are they expecting OSSG to verify the bps?
18:14:11 bknudson Does keystone have a formal BP template?
18:14:28 bdpayne: keystone uses launchpad for blueprints still
18:14:29 For keystone Input validation would be a good addition bknudson
18:14:31 we aren't quite there yet (OSSG verification of BPs)
18:14:44 but I'd like for it to start moving that way
18:14:54 at least getting people thinking about security at the design stage is important
18:15:05 and can help direct OSSG efforts
18:16:31 yes, i have one question, do we have any session in the Atlanta summit to discuss ongoing security works/future works
18:16:46 mainly discussion session
18:16:56 normally I set up an OSSG lunch
18:17:01 and I will be doing that again this time
18:17:09 but we don't have a specific session devoted to that
18:17:24 I'm happy to set up a more formal OSSG meeting though
18:17:26 could be useful
18:17:33 yes definitely
18:17:43 now that we have many security works ongoing
18:17:45 so the security track at the summit is basically Monday
18:17:46 for the developer conference?
18:18:03 I'm not sure where this would fit in the dev summit, unfortunately
18:18:16 we might just do it informally, or set up a session at the unconference
18:18:32 unless... is there a good slot for something like this at the dev summit?
18:18:39 we aren't really a project, unfortunately
18:19:15 anyway, I'll take this as an action item to figure out
18:19:23 that would be great
18:19:31 #action bdpayne to Plan a formal OSSG meeting at the summit, in addition to the lunch
18:20:24 here's the topics http://summit.openstack.org/
18:20:49 ahh, they do have a cross project workshop topic
18:20:57 cool, I may be able to make that work
18:22:04 anything else to discuss?
18:22:08 shohel: is there a threat model meeting tomorrow?
18:22:30 yes, we have a short one tomorrow
18:23:00 I have started with an analysis for Nova, I would like to know then how to add a draft for that
18:23:07 we can discuss that tomorrow then
18:23:26 also now possible
18:23:29 or tomorrow
18:23:36 as you prefer
18:23:56 There is a draft currently in the Git repo
18:24:11 a template kind of thing
18:24:54 https://github.com/shohel02/OpenStack_Threat_Modelling
18:25:02 yes, I have been working on this template for Nova
18:25:34 the OSSAs in nova seem to be related a lot to image management
18:26:38 at least the recent ones
18:26:49 I suspect some people have been looking in that area more
18:26:54 yes, i think Nova has a good amount of code base and it would be a tough call
18:27:04 Nova is probably also one of the more mature projects
18:28:01 the images themselves could be the source of the attack
18:28:29 so are you suggesting not to be focusing on Nova?
18:28:39 yeah, that's the most recent one that came out for Nova
18:28:50 oh, I think it is useful to look at Nova
18:28:56 i am not saying that... i am saying its useful
18:28:59 just commenting that you may find less
18:29:06 which would be great
18:29:14 I was suggesting someplace to focus on.
18:29:15 but it is very important to review, in my opinion
18:29:15 it would be a hard job with a huge code base
18:29:23 very important one
18:29:37 like keystone was looking at auth_token
18:29:53 so yeah, image handling, also looking at interactions with the drivers (esp libvirt) and how the users can influence that
18:29:57 also looking at scheduling
18:30:05 those are the areas I'd focus on, personally
18:30:18 got it, yes this is big.. I am following a top-down approach, for later drilling down on some specific area
18:30:33 ok, thanks for the feedback
18:31:12 np
18:31:12 bknudson has a good point,
18:32:55 well, I think that's about all we have time for today
18:33:06 thanks everyone... cya next time
18:33:11 thanks
18:33:13 thanks
18:33:17 #endmeeting