18:01:00 <bdpayne> #startmeeting OpenStack Security Group
18:01:01 <openstack> Meeting started Thu Apr 17 18:01:00 2014 UTC and is due to finish in 60 minutes.  The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:01:02 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:01:04 <openstack> The meeting name has been set to 'openstack_security_group'
18:01:13 <bdpayne> #topic Roll Call
18:01:19 <bdpayne> o/ everyone
18:01:22 <nkinder> o/
18:01:23 * hyakuhei from HP is here!
18:01:26 <bknudson> bdpayne: hi
18:01:30 <CristianF_> Hi!
18:01:30 <shohel02> o /
18:01:34 <chair6> g'day
18:01:45 <bdpayne> excellent, nice group
18:01:50 <bdpayne> #topic Agenda
18:01:57 <bdpayne> What would people like to discuss today?
18:02:07 <dgraves_> Hi.  I’m David Graves, new here.  I’ve been running the threat analysis program for HP Public Cloud for three years.
18:02:13 <bknudson> anything but heartbleed
18:02:15 <bdpayne> hi, welcome!
18:02:15 <nkinder> Hi dgraves_
18:02:24 <hyakuhei> bknudson: what's heartbleed? Sounds scary
18:02:25 <bdpayne> lol... !heartbleed, I can support that
18:02:43 <nkinder> bdpayne: I can give a small update on OSSN publishing
18:02:44 <chair6> still think it should've been called sleepbleed..
18:02:45 <paulmo> Paul Montgomery here
18:02:57 <hyakuhei> Hey paulmo
18:03:02 <nkinder> hey paulmo
18:03:26 <hyakuhei> I'd like to discuss what the focus of the OSSG should be for the next 6 months
18:03:35 <bdpayne> sounds juicy
18:03:38 <elo1> Eric here...
18:03:45 <elo1> it's been a while..
18:03:45 <bdpayne> also a brief sync on OSSN-0010 would be good
18:04:13 <bdpayne> ok, so let's get rolling
18:04:28 <bdpayne> I'll leave room at the bottom for additional discussion if people come up with other things
18:04:31 <bdpayne> #topic OSSNs
18:04:41 <bdpayne> So right now I believe the only outstanding OSSN is 10
18:04:49 <nkinder> It's on my list to review today
18:04:54 <bdpayne> great
18:04:59 <bdpayne> the recent changes look good
18:05:03 <bdpayne> just needs one more core review
18:05:05 <nkinder> I've been out at a conference all week, so finally catching up again
18:05:12 <chair6> https://review.openstack.org/#/c/85441/
18:05:20 <bdpayne> also, do we have the process for publishing a OSSN listed anywhere?
18:05:31 <chair6> ^ for the record .. pretty much beaten to death at this point, so let's get it out
18:05:42 <nkinder> Yes, I have it documented on the wiki (link coming)
18:05:57 <nkinder> chair6: I'm also happy to publish it if you like
18:06:18 <bdpayne> we have a lot on the wiki... we should work to make it all easier to find... perhaps organize the content links from a common security landing page
18:06:19 <hyakuhei> I'm happy with 0010 - I've +2'd it but as I work with Jamie, someone else should approve
18:06:23 * bdpayne is just thinking out loud
18:06:34 <nkinder> hyakuhei: I'll do it right after the meeting
18:06:37 <bdpayne> groovy
18:06:38 <hyakuhei> TY!
18:06:42 <chair6> nkinder: sounds good, yours to publish
18:07:03 <nkinder> ok.  FYI for the publishing details - https://wiki.openstack.org/wiki/Security/Security_Note_Process
18:07:03 <bdpayne> ok, I'm sure the next topic will be lengthy, so I'll keep us moving along here
18:07:07 <bdpayne> ah, thanks
18:07:14 <hyakuhei> I just realised that https://bugs.launchpad.net/glance/+bug/1271426 is waiting for me to write up
18:07:16 <uvirtbot> Launchpad bug 1271426 in ossn "protected property change not rejected if a subsequent rule match accepts them" [High,Confirmed]
18:07:27 <bdpayne> #topic OSSG Plans for Juno
18:07:41 <bdpayne> hyakuhei take it away ;-)
18:07:46 <hyakuhei> Thanks bdpayne
18:08:03 <hyakuhei> So a little while ago I sent around a work topics email with some 5-6 things that I thought we could look into
18:08:41 <hyakuhei> Since then I've spoken with a bunch of people from the OSSG, and the feeling is that we don't quite have the resource to attack all of these things at once
18:09:13 <nkinder> I think that's pretty accurate
18:09:14 <hyakuhei> We should pick a few to focus on, at the moment I think Security Guide updates / edits - OSSNs and perhaps threat analysis seem like the best candidates.
18:09:39 <bdpayne> yeah, I like that
18:09:44 <bdpayne> specifically, I like those three
18:09:47 <hyakuhei> To that end, if people feel these are good places to focus on and really excel, I'd like to look at having individuals lead each one of those three
18:09:51 <nkinder> +1
18:10:09 <dgraves_> I’d like to start contributing directly to the OpenStack threat analysis project.
18:10:29 <shohel02> welcome david
18:10:33 <nkinder> I've already focused on OSSN stuff, so I'd be happy to lead that area
18:10:33 <bdpayne> I know that we have a 3-person team set up to serve as book editors
18:10:38 <dgraves_> (In the past I was working through others; when a threat analysis review found defects, the HP service team would contribute the fix to OpenStack)
18:10:40 <bdpayne> however, progress has stagnated
18:10:40 <hyakuhei> There are good reasons to do these: they build credibility in the OpenStack community and also enable us to get more involved with developers; we need, as a group, to get closer to most of the lead devs
18:11:04 <hyakuhei> bdpayne: I'd like to help with the book work but I don't want to lead efforts in that area.
18:11:14 <bdpayne> I am willing to take on leading that and trying to push the book work forward, but would want to sync with those other people first
18:11:37 <shohel02> i would be happy to work/lead in threat analysis work
18:11:38 <hyakuhei> shohel02: you and dgraves_ should probably exchange contact details - I think you've got a bunch to talk about :)
18:11:51 <hyakuhei> bdpayne: makes sense
18:12:01 <shohel02> yes, david we should
18:12:09 <bdpayne> hyakuhei yeah, I don't think you should lead any of the efforts... just leading OSSG will keep you plenty busy ;-)
18:12:19 <hyakuhei> bdpayne: +1
18:12:24 <CristianF_> I would be happy to continue contributing with threat model effort also
18:12:45 <hyakuhei> I'm really keen to see where that goes
18:12:48 <shohel02> +1 for Cristian
18:13:03 <hyakuhei> I also want to make sure that the threat work gets a _lot_ of support from the wider OSSG
18:13:10 <bdpayne> sounds like we have some teams forming here, which is great
18:13:38 <hyakuhei> Great - so I'll follow up with an email about this shortly
18:13:59 <bdpayne> hyakuhei perhaps you could coordinate to get some updates to the security wiki pages with specific pages highlighting the work in each of these areas?
18:14:20 <hyakuhei> That seems like a good idea.
18:14:26 <dgraves_> Shohel, are you the one at Ericsson in Finland?
18:14:36 <shohel02> yes
18:14:39 <hyakuhei> #action hyakuhei to email team-focus stuff
18:15:00 <hyakuhei> #action hyakuhei to update security wiki with this information
18:15:10 <hyakuhei> Someone else take some actions :P
18:15:17 <hyakuhei> So the security guidelines are still outstanding
18:15:26 <hyakuhei> Largely because of the bug that shall not be named.
18:15:38 <bdpayne> #action bdpayne to sync with book editor team and find a path forward
18:17:12 <hyakuhei> Is it worth us doing as we have before, putting together a list of all the security-relevant design sessions?
18:17:38 <hyakuhei> Ideally we want OSSG people in basically all design sessions but we will have to prioritize
18:18:25 <bdpayne> we could certainly do that
18:18:31 <bdpayne> but I'm not sure if people find it useful
18:18:51 <hyakuhei> I don't think I've got much to add - maybe shohel02 can give an update on the Threat work for the wider OSSG ?
18:18:55 <bdpayne> oh, there will be an ossg design session
18:19:02 <hyakuhei> :)
18:19:14 <shohel02> Definitely
18:19:15 <bdpayne> we should have a brief summit discussion in this meeting
18:19:28 <bdpayne> #topic Threat Work Update
18:19:33 <bdpayne> first, let's discuss the threat work
18:19:58 <shohel02> Ok, so our ongoing, but we have raised the issue of landing the content
18:20:17 <shohel02> last week I sent the email, and I guess more or less it is landing in the security guide
18:20:35 <shohel02> what do you guys think
18:20:51 <hyakuhei> I think the guide makes a lot of sense
18:20:53 <bknudson> like in appendix?
18:21:00 <bdpayne> I think that there will be some output from that work that will fit nicely in the guide
18:21:03 <hyakuhei> With OSSN/OSSA for actionable output
18:21:18 <shohel02> yes,
18:21:27 <bdpayne> but we'll probably want to see what the specific content looks like to understand if it is a new section or an appendix or ??
18:21:45 <hyakuhei> I was wondering what would work best for documented output - chapter sections (one for each services that has a TM) or a wider TM chapter
18:21:57 <hyakuhei> I'm feeling the former, even though that's slightly more work
18:22:02 <shohel02> appendix is a good place, because there will be a final report and a lot of intermediate reports for component analysis
18:22:04 <nkinder> I was thinking one chapter or paper per service
18:22:32 <nkinder> It might be larger than an appendix item IMHO
18:22:48 <bdpayne> we do have chapters on the services now, so it could fit within that chapter potentially, as well
18:22:51 <bdpayne> lots of options
18:22:55 <hyakuhei> It's possible that we are getting ahead of ourselves here, maybe when the output from the first TM is complete, we'll have a better idea for how it will fit
18:23:00 <bdpayne> but I'm happy to work with the threat analysis team to see how that shakes out
18:23:07 <hyakuhei> makes sense bdpayne
18:23:08 <bknudson> I was also thinking put it in with each service...
18:23:09 <bdpayne> yeah, I agree
18:23:20 <bknudson> just looking at the chapters that we have
18:23:33 <shohel02> ok, the second thing is quality control, which we were talking about last time
18:23:52 <shohel02> now that we have a big team I think it will be easier
18:24:11 <CristianF_> besides the final output of the threat analysis, how would the tracking/reviews be done? gerrit?
18:24:17 <nkinder> formal reviews through gerrit should help
18:24:35 <nkinder> CristianF_: yes, my vote would be to use gerrit for it
18:24:35 <hyakuhei> So my dream is that this process will evolve to the point that large OpenStack deployers will be using this as their primary threat analysis and just performing delta/satellite reviews for their internal secret sauce.
18:24:46 <hyakuhei> s/using/contributing to/
18:25:20 <shohel02> +1
18:25:44 <shohel02> regarding the gerrit/ common repo can we start using security guides repo
18:26:06 <shohel02> or what needs to be done from our side
18:26:20 <bdpayne> we should probably discuss offline
18:26:30 <bdpayne> that may not make sense
18:26:39 <bdpayne> but I want to understand more details first
18:27:07 <bknudson> you might want a topic branch that you can work in
18:27:19 <bdpayne> perhaps
18:27:29 <bdpayne> #topic Summit
18:27:43 <bdpayne> I'd like to chat briefly about the summit
18:27:54 <bdpayne> There is an OSSG-focused design session this time
18:27:55 <bdpayne> http://summit.openstack.org/cfp/details/230
18:28:00 <bdpayne> please plan to attend
18:28:13 <bdpayne> I'm hoping that this will be a great way to get us talking with some of the various projects
18:28:20 <bdpayne> and for us to coordinate a bit more in person
18:28:31 <hyakuhei> I'm really looking forward to that
18:28:38 <bdpayne> there are, of course, also many security talks at the summit... largely on Monday
18:28:46 <paulmo> Ironically, that site has security warnings :)
18:28:48 <bknudson> I hope it doesn't conflict with another keystone session
18:29:00 <hyakuhei> Nice to not be at the end of the week for once - attrition at the summit is terrible
18:29:04 <bdpayne> yeah, I haven't seen the dev summit schedule yet
18:29:23 <bknudson> only the cross-project sessions have been accepted
18:29:30 <bdpayne> there is also an operators group meeting going on in the unconference that will have a security discussion
18:29:41 <bknudson> otherwise the sessions are still open until the 20th
18:29:49 <bdpayne> I will be involved in leading that discussion
18:30:44 <bdpayne> #topic Open Discussion
18:31:00 <bdpayne> For those in the bay area, you might find this meetup to be interesting
18:31:01 <bdpayne> http://www.meetup.com/openstack/events/173686002/?_af_eid=173686002&_af=event&a=uc1_te
18:31:15 <bdpayne> featuring some great speakers like myself and nkinder :-)
18:31:21 <nkinder> :)
18:31:26 <chair6> on the 'coordinate a bit more' note .. do we have an OSSG irc room that everyone idles away their time in?
18:31:45 <nkinder> chair6: nope.  We could use openstack-dev
18:31:47 <bdpayne> we don't have a specific room for that, but I do hang out in openstack-dev and openstack-doc
18:31:54 <shohel02> good idea
18:32:05 <hyakuhei> We probably have enough membership to do that now
18:32:09 <bdpayne> feel free to mention me in there
18:32:16 <chair6> k, just curious .. maybe openstack-sec could come to life one day
18:32:22 <hyakuhei> might be interesting to do that so people have somewhere to drop in
18:32:27 <bdpayne> perhaps
18:32:38 <nkinder> It's nice to have things where others will see them though
18:32:39 <bdpayne> sounds like something for hyakuhei to investigate ;-)
18:32:40 <hyakuhei> Dead rooms make me sad on the inside though.
18:32:48 <bdpayne> yeah, this is true
18:32:54 <bdpayne> let's use -dev and see how that goes
18:33:00 <hyakuhei> Ok, I've got to go jump on a call
18:33:08 <paulmo> Just bringing this up again: Anything that can give the OSSG some "teeth" in enforcing security requirements would be a very big help.
18:33:21 <hyakuhei> only problem with -dev is there's no easy way to know who is - or isn't - OSSG
18:33:28 <bdpayne> eh, I think that's ok
18:33:35 <bdpayne> we'll be the people that care about security
18:33:50 <hyakuhei> paulmo: We need more credibility and to integrate more tightly with development teams first
18:34:03 <hyakuhei> though I certainly agree with your point.
18:34:03 <bdpayne> yeah, and we are moving in those directions
18:34:05 <paulmo> I'm on a dev team and even I can't get security requirements into my own project.
18:34:13 <bdpayne> but it's slow
18:34:22 <bdpayne> which is just the nature of a big open source community
18:34:40 <hyakuhei> paulmo: mail me and let's talk about that, I'd like to understand your issues
18:34:52 <shohel02> heartbleed+++ would probably get more attention, just kidding
18:35:11 <bdpayne> ok, I think that's all we have time for today
18:35:16 <bdpayne> thanks everyone for a productive meeting
18:35:24 <nkinder> thanks!
18:35:28 <bdpayne> #endmeeting