17:01:38 <nkinder_> #startmeeting OpenStack Security Group
17:01:39 <openstack> Meeting started Thu Jul  3 17:01:38 2014 UTC and is due to finish in 60 minutes.  The chair is nkinder_. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:40 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:42 <openstack> The meeting name has been set to 'openstack_security_group'
17:01:58 <nkinder_> #topic Roll Call
17:02:01 <tmcpeak> o/
17:02:02 <nkinder_> Hi all
17:02:04 <tmcpeak> :D
17:02:06 <chair6> ello
17:02:23 <shohel> hi
17:03:03 <nkinder_> small crowd today
17:03:12 <tmcpeak> lots of 4 day weekends most likely
17:03:14 <nkinder_> I guess US folks are starting the long weekend early ;)
17:03:27 <tmcpeak> I'm here recreationally today
17:03:29 <nkinder_> ok, well let's get started
17:03:34 <nkinder_> #topic OSSG Meetup
17:03:56 <nkinder_> Has everyone confirmed if they are going on the etherpad?
17:04:20 <nkinder_> #link https://etherpad.openstack.org/p/ossg-juno-meetup
17:04:42 <nkinder_> bknudson: are you able to attend the mid-cycle?
17:04:51 <nkinder_> bknudson: I see you on the list, but you're not confirmed
17:05:26 <bknudson> nkinder_: I wasn't able to get approval
17:05:31 <nkinder_> bknudson: bummer :(
17:06:03 <nkinder_> hotels are filling up according to some traffic on the mailing list, so anyone that hasn't booked should jump on it
17:06:17 <tmcpeak> yeah, even SpringHill is up to like $320 a night
17:07:03 <nkinder_> shohel: I see that you filled in a bunch of stuff about threat modeling
17:07:11 <shohel> yes
17:07:18 <shohel> some ideas
17:07:33 <shohel> planning the stuff beforehand :P
17:07:35 <tmcpeak> nkinder_: I'll try to do the same for Gate Testing sometime next week
17:07:57 <nkinder_> yeah, I need to do the same for my topics, though I'll be in the woods with no computer next week...
17:08:02 <nkinder_> might make that tough
17:08:14 <tmcpeak> nice!
17:08:20 <shohel> Woods sounds nice
17:08:35 <nkinder_> ok, any other mid-cycle discussion?
17:08:47 <shohel> i was looking for some keystone core dev during the session
17:09:01 <shohel> bknudson seems unable to join now :(
17:09:02 <nkinder_> I've been told that chair6 is the man for any Seattle info that people may have
17:09:21 <nkinder_> shohel: the keystone mid-cycle is next week, so back to back travel could be tough
17:09:53 <nkinder_> shohel: I manage two of the core Keystone developers though, so I can be sure to engage with them after the mid-cycle
17:10:13 <shohel> sounds good
17:10:16 <nkinder_> shohel: I also contribute to Keystone and have a fairly good understanding of its internals
17:10:55 <shohel> excellent
17:11:19 <nkinder_> #topic Threat Analysis
17:11:30 <nkinder_> might as well switch the topic since we're discussing it already
17:11:43 <shohel> yes... just doing some cleaning of the repo
17:12:03 <shohel> planned to add it to the security guide
17:12:04 <nkinder_> hyakuhei mentioned that Doug (dg_) is interested in getting more involved with the effort
17:12:09 <tmcpeak> what's the context?
17:12:30 <shohel> yes....
17:13:06 <nkinder_> shohel: which repo is it in now?
17:13:15 <nkinder_> shohel: the "old" doc repo?
17:13:17 <shohel> still in my own repo
17:13:28 <shohel> so moving to security doc repo
17:13:31 <nkinder_> shohel: ok, so the cleanup is in preparation for moving it to the new repo
17:13:39 <nkinder_> I need to do the same for OSSNs
17:13:48 <shohel> https://github.com/openstack/security-doc
17:14:17 <nkinder_> yep, so I'm going to make a ossn subdir in there
17:14:47 <bknudson> we're moving the ossn reviews?
17:15:01 <nkinder_> bknudson: yes, we will be (more in a minute about that)
17:15:22 <nkinder_> shohel: do you have an eta for when you will be moving the threat analysis stuff into the new repo?
17:15:23 <shohel> nkinder: there is no more update from my side
17:15:44 <shohel> nop.... thinking should we do it before or after the meetup
17:16:01 <nkinder_> shohel: +1.  We should get that all in shape at the meetup
17:16:06 <shohel> another thing is about md to docbook format
17:16:14 <shohel> anyone look at that
17:16:15 <shohel> ?
17:16:25 <nkinder_> shohel: pandoc is supposed to help with that
17:16:37 <nkinder_> shohel: we should discuss/hack at the mid-cycle
17:16:44 <shohel> yes, definitely
17:16:47 <nkinder_> I need to do the same thing for publishing OSSNs
17:16:54 <nkinder_> on that note...
17:16:56 <nkinder_> #topic OSSNs
17:17:17 <nkinder_> bknudson: We will be moving the notes to a new combined OSSG doc repo
17:17:42 <nkinder_> we want to consolidate all OSSG produced documentation in a single repo to make publishing easier
17:17:45 <bknudson> ok. that should make it a little easier to follow
17:17:55 <nkinder_> This includes the security guide, OSSNs, and threat modeling
17:18:21 <shohel> +1
17:18:27 <tmcpeak> nkinder_: oh cool, that's a good idea
17:18:30 <nkinder_> bdpayne created the initial repo, so now it's up to me to migrate the OSSNs and shohel to migrate the threat analysis stuff
17:18:54 <bknudson> threat analysis was already in the ossn repo?
17:18:58 <nkinder_> Yeah, we can then leverage the doc build scripts to publish OSSNs as an appendix in the security guide
17:19:03 <nkinder_> bknudson: no
17:19:12 <nkinder_> bknudson: it's in shohel's github
17:19:23 <bknudson> the ossns were reviewed in gerrit, the threat analysis wasn't
17:19:33 <nkinder_> bknudson: correct
17:19:44 <bknudson> seems like unreviewed things should go through review to get in the repo
17:20:00 <bknudson> but it's easy enough to change anything anyways
17:20:13 <nkinder_> gerrit has been working really well with OSSNs IMHO, and I think it will be very valuable for the threat analysis stuff too
17:20:29 <shohel> definitely same line thinking
17:20:31 <bknudson> other than it's been slower!
17:20:51 <nkinder_> bknudson: not really though
17:21:01 <nkinder_> Our OSSN/month rate has been going up
17:21:13 <nkinder_> they take longer to write/review, but our output is higher
17:21:18 <nkinder_> we have 4 OSSNs in June
17:21:47 <tmcpeak> nkinder_: probably due to increased participation in OSSG mostly
17:21:49 <nkinder_> We've had new authors as well
17:22:03 <nkinder_> yep!  That's been great
17:22:10 <nkinder_> What we need is more notes
17:22:34 <bknudson> we need fewer problems
17:22:37 <nkinder_> We need to identify issues that are worthy of OSSNs and log them as bugs to keep the queue full
17:22:42 <nkinder_> bknudson: that goes without saying :)
17:23:00 <tmcpeak> nkinder_: what's a good process to feeding security bugs into OSSN requests?
17:23:09 <tmcpeak> *for
17:23:29 <nkinder_> tmcpeak: great question
17:23:51 <nkinder_> first would be monitoring the discussions on the mailing list, security-impact bugs, etc.
17:23:55 <tmcpeak> nkinder_: right now they trickle down mostly from OSSA, right?
17:24:04 <nkinder_> if you see something that warrants a note, file an OSSN bug in launchpad
17:24:16 <nkinder_> tmcpeak: probably 60-70% come from VMT
17:24:20 <tmcpeak> nkinder_: +1
17:24:38 <nkinder_> tmcpeak: but https://bugs.launchpad.net/ossn/+bug/1334926 came from a mailing list discussion
17:24:40 <uvirtbot> Launchpad bug 1334926 in neutron "floatingip still working once connected even after it is disociated" [High,In progress]
17:25:05 <nkinder_> there is no harm in filing an LP and then deciding it
17:25:09 <nkinder_> it's not note-worthyu
17:25:21 <nkinder_> sigh... fingers are starting the weekend early
17:25:30 <tmcpeak> cool, sounds good
17:25:43 <tmcpeak> probably some good ones will come from the dev ML too
17:25:48 <nkinder_> Ideally, we would have a list to triage through in this meeting each week
17:26:14 <nkinder_> We can discuss this more at the mid-cycle to brainstorm other ideas, but don't hesitate to file LPs in the meantime
17:26:22 <tmcpeak> nkinder_: sounds good
17:26:26 <nkinder_> There is the one outstanding OSSN bug that I linked to above
17:26:30 <nkinder_> #link https://bugs.launchpad.net/ossn/+bug/1334926
17:26:31 <shohel> +1
17:26:32 <uvirtbot> Launchpad bug 1334926 in neutron "floatingip still working once connected even after it is disociated" [High,In progress]
17:26:47 <nkinder_> tmcpeak: Priti grabbed that one.  Is she working on it?
17:26:47 <tmcpeak> nkinder_: maybe an etherpad for possible OSSN bugs
17:27:06 <tmcpeak> nkinder_: she is, but as I know it the problem is that neutron is actually working on a fix
17:27:07 <nkinder_> tmcpeak: eh, just file them in LP and we can use that instead of maintaining another list
17:27:20 <nkinder_> tmcpeak: that is fine though.  We can simply advise people of the issue
17:27:26 <tmcpeak> I was wondering if we should even write an OSSN if it will be fixed
17:27:33 <nkinder_> tmcpeak: not knowing how it behaves and thinking you're safe is no good
17:27:59 <tmcpeak> nkinder_: I mean I think they're going to fix it so that is does disconnect sessions
17:28:05 <tmcpeak> *it
17:28:11 <tmcpeak> my fingers gone for the weekend as well
17:28:11 <nkinder_> tmcpeak: agreed, but we don't need to wait on that for a note
17:28:28 <tmcpeak> nkinder_: ok cool, yeah I touched base with her yesterday and she said she's on it
17:28:48 <tmcpeak> nkinder_: can we remove notes that are no longer valid?
17:29:08 <nkinder_> tmcpeak: That gets into some interesting publishing areas
17:29:20 <tmcpeak> nkinder_: yeah, that's what I was wondering about
17:29:30 <tmcpeak> nkinder_: then maybe we have to reclaim OSSN numbers or something
17:29:31 <nkinder_> Right now, it's just a big list.  People might be running on something old (essex, etc.), so removing them is not a good idea
17:29:52 <nkinder_> Having a list of OSSNs that apply to a particular release would be ideal
17:29:59 <tmcpeak> nkinder_: ahh, ok, then just amend the versions
17:30:21 <nkinder_> What I'm thinking for that is to publish the pertinent OSSNs into the appendix of the security guide for a particular release
17:30:42 <tmcpeak> nkinder_: oh, that's a cool idea.  We could even automatically generate the OSSNs based on tags
17:30:45 <nkinder_> This gets into the auto-publishing scripting
17:30:50 <tmcpeak> not generate, but automatically pull them in
17:31:04 <bknudson> this info should be available in launchpad
17:31:07 <nkinder_> We would have it parse the CSV of affected releases to decide where to publish
17:31:13 <bknudson> by constructing the right query
17:31:48 <bknudson> also, some projects don't have normal icehouse, havana releases (the clients)
17:32:02 <bknudson> and I think swift also releases on its own sched
17:32:08 <nkinder_> these are all great topics of discussion for the mid-cycle
17:32:13 <nkinder_> bknudson: yes, there are outliers
17:32:35 <tmcpeak> yeah we could probably get some cool stuff working with a little mid-cycle hackathon
17:32:59 <nkinder_> ok, any more OSSN discussion?
17:33:22 <nkinder_> #topic Gate Tests
17:33:26 <nkinder_> take it away tmcpeak
17:33:31 <tmcpeak> cool
17:33:39 <tmcpeak> not much update here unfortunately
17:33:51 <tmcpeak> viraptor has some good knowledge of the mechanics of getting them set up in non-blocking gate tests
17:33:53 <tmcpeak> so he's helping me
17:34:16 <tmcpeak> I have the PoC done for the shell injection test, which actually found something in Glance
17:34:39 <tmcpeak> I spoke with nkinder_ probably not a big deal security-wise, but we could probably get some good bang for our buck with writing a few other tests in the hacking framework at the meetup
17:34:48 <bknudson> glance just had a fix for shell injection
17:34:53 <tmcpeak> and then running them against current code and submitting LP bugs
17:35:10 <tmcpeak> bknudson: unless it was this week, this one may be different
17:35:47 <bknudson> it wasn't this week
17:35:58 <tmcpeak> bknudson: I saw that one, it's a different one
17:36:10 <bknudson> :(
17:36:21 <tmcpeak> before we actually run these in gate tests though, we should make sure that the relevant projects don't have these problems from the start
17:36:27 <tmcpeak> otherwise they'll just be very noisy
17:36:45 <nkinder_> tmcpeak: let's also assume that there might be a valid usage of shell=True
17:36:48 <tmcpeak> so first thing we should probably do is run them against OpenStack projects and file bugs to get the low hanging fruit problems cleared up
17:36:52 <bknudson> btw - how does this test work?
17:37:04 <tmcpeak> nkinder_: totally, there are some times when shell=True is fine
17:37:07 <nkinder_> tmcpeak: perhaps the input is static for example
17:37:10 <tmcpeak> we just want these gate tests to flag for review
17:37:31 <nkinder_> tmcpeak: so we need to think of ways to tell the test to ignore if we ever decide to do voting jobs
17:37:32 <tmcpeak> bknudson: how does the shell=True test work or how does the hacking test work?
17:37:55 <tmcpeak> nkinder_: solid point, viraptor was mentioning that we can have categories or tests
17:37:58 <bknudson> oh, I thought you had found the new bug by going through the api.
17:37:58 <nkinder_> tmcpeak: do you have a link to your hacking test
17:38:17 <nkinder_> bknudson: he has a hacking test that was written that looks for patterns
17:38:44 <bknudson> you can # noqa to disable the hacking check on a line
17:38:58 <bknudson> so if you know it's a valid use of shell=True, # noqa it
17:39:04 <tmcpeak> bknudson: +1
17:39:07 <tmcpeak> that's awesome!
17:39:11 <tmcpeak> I didn't know about that :)
17:39:21 <nkinder_> ah, great
17:39:53 <tmcpeak> also if it's valid it should probably contain a comment nearby, just to show that it has a valid reason to be used and it has been looked at and isn't a security risk
17:40:04 <tmcpeak> so that people that come after don't see it and freak out
17:40:10 <bknudson> y
17:40:28 <nkinder_> ok, well we should identify other tests that we want to add at the hackfest.  I'd suggest folks brainstorm in the meantime
17:40:48 <tmcpeak> yeah, if people want to add some gate test candidates to the etherpad that would be awesome
17:40:54 <nkinder_> +1
17:40:57 <tmcpeak> I'll sit down for a few hours next week and try to come up with some myself
17:41:24 <nkinder_> tmcpeak: any more gate testing discussion?
17:41:33 <tmcpeak> cool, that's pretty much all I have for the gate tests
17:41:38 <tmcpeak> nope
17:41:41 <tmcpeak> :)
17:41:48 <nkinder_> #topic Open Discussion
17:42:12 <nkinder_> anyone have any other topics?
17:42:51 <tmcpeak> what hours are we thinking for the meetup?
17:43:24 <tmcpeak> we should schedule some team building session :) possibly at night
17:43:32 <nkinder_> tmcpeak: good question.  I'm guessing 9am-5pm?  I don't know what hours others are used to
17:43:32 <bdpayne> 9a - 6p ?
17:43:43 <tmcpeak> sounds good
17:43:52 <nkinder_> I'm used to 6:30am onwards... :)
17:43:57 <nkinder_> I won't propose that though
17:44:12 * bdpayne is grateful
17:44:20 <tmcpeak> lol
17:44:36 <tmcpeak> do we just show up at HP
17:44:46 <nkinder_> I think 9a and a plentiful supply of coffee would be good
17:44:52 <tmcpeak> tell them we're here for the security and the lolz
17:44:58 <chair6> lolz come first
17:45:11 <chair6> yeah, show up .. address is in the etherpad
17:45:13 <tmcpeak> :)
17:45:16 <chair6> 9am
17:45:22 <tmcpeak> cool
17:45:25 <chair6> we'll have coffee and breakfast, i believe
17:45:40 <nkinder_> we can name-drop hyakuhei I suppose
17:45:40 <tmcpeak> nice!
17:45:50 <tmcpeak> that's a given
17:46:26 <nkinder_> bdpayne: did you have anything to discuss on the book?
17:47:52 <nkinder_> ok, well I guess that's it for today then
17:48:05 <tmcpeak> cool
17:48:09 <tmcpeak> have a good weekend everyone!
17:48:15 <bknudson> keep all your fingers
17:48:22 <tmcpeak> ;)
17:48:27 <nkinder_> I'll be out next week, but looking forward to getting together in WA in a week and a half!
17:48:35 <tmcpeak> yeah, it's going to be awesome
17:48:37 <shohel> sure
17:48:41 <nkinder_> Thanks everyone
17:48:42 <tmcpeak> have fun in the woods
17:48:48 <nkinder_> #endmeeting