#openstack-meeting-alt log

17:01:16 <hyakuhei> #startmeeting openstack security group
17:01:17 <openstack> Meeting started Thu Jul 24 17:01:16 2014 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:18 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:20 <openstack> The meeting name has been set to 'openstack_security_group'
17:01:30 <nkinder> hey all
17:01:33 <hyakuhei> Lets start with a roundtable :)
17:01:40 <hyakuhei> Rollcall even
17:01:49 <tmcpeak> \o
17:01:51 <hyakuhei> man. this is going to be a long meeting ;)
17:01:55 <hyakuhei> o/
17:02:02 <nkinder> \o/
17:02:04 <mxin_> Michael from Rackspace is here.
17:02:08 <bdpayne> o/
17:02:21 <mxin_> how are you all?
17:02:24 <sicarie> o/
17:02:27 <hyakuhei> oh hey mxin_ - nice to see a racker here
17:02:28 <tmcpeak> hey Michael
17:02:32 <tkelsey> hi all
17:02:49 <hyakuhei> hi sicarie where are you joining us from?
17:03:02 <bdpayne> Perhaps hyakuhei was thinking of this: https://www.youtube.com/watch?v=lfGpVcdqeS0
17:03:04 <sicarie> hp
17:03:05 <mxin_> I have some urgent stuff to take care. will be back later. Sorry
17:03:51 <hyakuhei> ok cool, welcome clouddon
17:03:54 <clouddon> i
17:04:09 <clouddon> Morning Rob. CloudDon == Sriramhere, FYI
17:04:14 <clouddon> how are you all doing?
17:04:27 <tmcpeak> pretty good, you?
17:04:31 <hyakuhei> Good, we're just giving it a minute or two to let people filter in and doing a bit of a rollcall
17:05:50 <tmcpeak> looks like we're losing more than we're picking up :)
17:05:50 <hyakuhei> ok, so I guess we'll get rolling, what's the agenda for today?
17:05:59 <hyakuhei> Obviously I want to talk about the OSSG Meetup
17:06:09 <tmcpeak> bug filing for the gate test stuff
17:06:10 <tmcpeak> please
17:06:21 <tmcpeak> maybe nkinder or you can take it if I happen to be in demo when that comes up
17:06:23 <hyakuhei> Good call, what elese?
17:06:28 <nkinder> tmcpeak: sure thing
17:06:29 <clouddon> Speaker submissions for the summit
17:06:38 <nkinder> current OSSN status
17:06:55 <nkinder> threat modeling outcomes with regards to keystone trusts
17:07:16 <tmcpeak> +2
17:07:16 <hyakuhei> Great.
17:07:32 <tmcpeak> or +1,+1
17:07:33 <hyakuhei> So I just want to reiterate my thanks to everyone that came to the meetup
17:07:47 <tmcpeak> yeah great stuff! thanks for hosting
17:07:52 <nkinder> +1  I think it was a great get-together
17:07:54 <hyakuhei> I think it was a great success, we achieved a hell of a lot in the time available
17:08:10 <bdpayne> indeed!
17:08:14 <hyakuhei> 60+ bugs against the security guide, several changes already through the process
17:08:22 <hyakuhei> ~3 New OSSNs
17:08:31 <hyakuhei> Threat Analysis progress
17:08:35 <clouddon> yippeee, thanks to Rob and HP for hosting this. From my side, I apologize for not being able to hang out for the evening events.
17:08:40 <hyakuhei> and the gate test // Bandit stuff was awesome
17:08:48 <tmcpeak> 25 bugs
17:08:51 <hyakuhei> clouddon: You came for the free beer as I recall ;)
17:08:51 <tmcpeak> ~25
17:09:14 <hyakuhei> It was my pleasure to host so many awesome people in the same place.
17:09:15 <clouddon> only one evening. Wish i gave you company all the evneings
17:09:27 <hyakuhei> Well, we appreciate you making the time.
17:09:33 <nkinder> hyakuhei: do you plan to write up a summary for the mailing list so those that couldn't attend know what we accomplished?
17:09:49 <tmcpeak> +1
17:09:54 <hyakuhei> I do, I intended to do it on the flight but I've been quite unwell
17:09:54 <tkelsey> +1
17:10:00 <nkinder> :(
17:10:06 <hyakuhei> I will endavour to get something out tomorrow
17:10:16 <bdpayne> uh oh, I hope I'm not responsible for that
17:10:26 <hyakuhei> I'm really proud of what we achieved, I want some content putting in the OpenStack newsletter too
17:10:28 <tmcpeak> bdpayne = plague master
17:10:34 <tmcpeak> ;)
17:10:42 <hyakuhei> bdpayne: Germ warfare between OpenStack vendors :(
17:10:48 <clouddon> this is where everyone 'hides'
17:10:53 <hyakuhei> heh
17:10:55 <nkinder> hyakuhei: I have some summary stuff written up too, but don't want to steal your thunder :)
17:10:57 <bdpayne> heh, sorry!
17:11:23 <hyakuhei> nkinder: Yeah I've already done an internal one, I'll get something out tomorrow
17:11:44 <nkinder> hyakuhei: cool, I'll chime if there's anything I have to add
17:11:50 <hyakuhei> Great.
17:12:10 <hyakuhei> ok, so lets work through the agenda. I'll skip going into more depth on the meet-up - email to follow
17:12:25 <hyakuhei> tmcpeak: Go first
17:12:37 <tmcpeak> can you take over for me?
17:12:42 <tmcpeak> demo imminent
17:12:44 <nkinder> heh, ok
17:12:51 <nkinder> # Gate Tests
17:12:55 <nkinder> let's try that again
17:12:59 <nkinder> #topic Gate Tests
17:13:06 <hyakuhei> #topic Gate Tests
17:13:16 <nkinder> thanks, I'm powerless... :)
17:13:21 <hyakuhei> powar!
17:13:38 <nkinder> How has the filing of issues we found with the hacking tests going?
17:14:19 <hyakuhei> So not many have been filed ye
17:14:20 <hyakuhei> *yet
17:14:27 <hyakuhei> the google dock is largely complete.
17:14:30 <tmcpeak> I have on I'll work on but haven't had time
17:14:31 <nkinder> I know that tmcpeak was able ot get one of the glance shell injection isues actually fixed and merged, which is awesome!
17:14:38 <hyakuhei> Though some are missing, I've deconflicted a few
17:14:41 <tmcpeak> *one
17:14:54 <tmcpeak> nkinder: thanks for the help!
17:15:25 <nkinder> hyakuhei: did you scan through and vet any of the issues after the mid-cycle?
17:15:52 <hyakuhei> nkinder: A few repetitions and one or two non-issues
17:15:57 <hyakuhei> but largely the list was good
17:16:22 <hyakuhei> Those writing up the bugs will be expected to do a bit of verification though
17:16:30 <nkinder> hyakuhei: ok, I see you have them divided between "bug" and "discuss"
17:17:05 <nkinder> ok, so the right approach here is to divide and conquer IMHO
17:17:06 <hyakuhei> Yeah, so not all of them (by any means) are clear vulnerabilities
17:17:11 <hyakuhei> +1
17:17:20 <bdpayne> is there a link to this doc that is sharable?
17:17:25 <bdpayne> or are you keeping it private for now?
17:17:27 <nkinder> tmcpeak: which one(s) were you planning on looking at?
17:17:59 <tmcpeak> nkinder: I'll take the injection ones
17:18:01 <hyakuhei> It is editable by anyone wit hthe link
17:18:04 <nkinder> bdpayne: it's public, but security by obscurity right now...
17:18:05 <tmcpeak> nkinder: trace through the code, etc
17:18:07 <tmcpeak> for starters
17:18:16 <tmcpeak> I think Jason was looking at one also
17:18:26 <hyakuhei> I don't think there were any showstopping vulnerabilities in there?
17:18:35 <tmcpeak> hyakuhei: nope
17:18:52 <tmcpeak> hyakuhei: none warranting OSSA status
17:18:57 <tmcpeak> IMO
17:18:58 <chair6> *waves*, sorry late
17:19:06 <nkinder> chair6: hey!
17:19:12 <tmcpeak> chair6: hola
17:19:17 <bdpayne> ok, well I'm happy to help if someone is willing to share the info... but perhaps you guys have it all covered?
17:19:26 <hyakuhei> So I have no issue with making it more widely available
17:19:32 <nkinder> I can take care of the insecure tmpfile ones
17:19:32 <tmcpeak> bdpayne: could always use the help
17:19:45 <nkinder> bdpayne: just shared it with you out of band
17:19:54 <bdpayne> ok, thanks
17:20:00 <tmcpeak> somebody needs to evangelize the getting rid of crap versions of SSL one
17:20:12 <nkinder> tmcpeak: you mean the md5 ones?
17:20:23 <tmcpeak> nkinder: no the getting rid of SSL 2.3 support
17:20:31 <tmcpeak> if we're still doing that
17:20:31 <nkinder> tmcpeak: oh, yes
17:21:10 <nkinder> should we fill in assignees on the google doc?
17:21:19 <nkinder> seems like a good idea to avoid stepping on each other
17:21:37 <tmcpeak> nkinder: definitely, repeated effort is bad
17:21:39 <hyakuhei> My intention was that people would add their names to them and pick them up ad-hoc
17:21:46 <hyakuhei> ie, before they wrote the bug
17:21:54 <hyakuhei> but I'm happy to carve it up too
17:22:08 <hyakuhei> sicarie: fancy taking a few?
17:22:17 <nkinder> Just added my name ot the tmpfile ones
17:22:17 <sicarie> Absolutely
17:22:37 <tmcpeak> hyakuhei: I'll take all shell injection ones
17:22:56 <tmcpeak> hyakuhei: probably some economy of scale to be had by taking all of one class of bug
17:23:03 <nkinder> tmcpeak: +1
17:23:19 <hyakuhei> Yeah I'm fine with that, thanks for taking it on!
17:23:23 <nkinder> ok, let's see how far we can get by next week on these
17:23:30 <nkinder> other gate test topics...
17:23:30 <tmcpeak> sounds good
17:23:31 <bdpayne> for row 3, is there anything more specific (ref to line of code)?
17:23:38 <nkinder> chair6 is working on getting bandit licensed
17:24:08 <hyakuhei> bdpayne: pan right?
17:24:15 <nkinder> bdpayne: we can re-run the scan and add it in
17:24:25 <bdpayne> ok
17:24:28 <bdpayne> not sure what pan is
17:24:42 <chair6> yup, licensing is in progress .. shouldn't be too far off
17:25:11 <chair6> i'm hoping to get it done by tomorrow, but if not will clean it up when back from vacation
17:25:31 <nkinder> So once bandit is licensed, we can start looking at how to get it running for Keystone as non-voting
17:25:34 <hyakuhei> bdpayne: Thought you were referring to the google doc - nvm
17:25:43 <hyakuhei> nkinder: excellent!
17:25:50 <nkinder> I'm happy to work on that, though I'll be out next week
17:26:01 <tmcpeak> +1 bandit is the way to go
17:26:08 <nkinder> I'll see how far I get on it this week
17:26:41 <nkinder> We still need to compare bandit vs. hacking tests too
17:26:57 <nkinder> Just to see if there are any differences in what they find
17:26:59 <hyakuhei> Yeah, we never looked at the bandit output iirc
17:27:05 <tmcpeak> long goal should probably be bandit, it's more thorough
17:27:08 <hyakuhei> Will be interesting for finding gaps
17:27:11 <hyakuhei> tmcpeak: +1
17:27:14 <bdpayne> hyakuhei I was/am, but still don't know what "pan
17:27:14 <nkinder> Well, we also never added tests for a few things (like the 0.0.0.0 checks)
17:27:16 <hyakuhei> Though I think we're all agreed
17:27:21 <bdpayne> "pan" is ;-)
17:27:30 <bdpayne> oh well
17:27:30 <nkinder> bdpayne: I'm confused too :)
17:27:31 <hyakuhei> bdpayne: the doc has line pointers if you scroll right ?
17:27:36 <hyakuhei> pan == scroll
17:27:43 <nkinder> ah
17:27:44 <bdpayne> ohhh
17:27:44 <tmcpeak> ohhhh
17:27:54 <tmcpeak> need the translator in here
17:27:54 <bdpayne> so this row is missing a reference in that col
17:27:56 <bdpayne> which is why I asked
17:27:57 <tmcpeak> :P
17:28:05 <nkinder> ...must be a british thing ;)
17:28:06 <hyakuhei> Ah I schee, I thought you meant in general
17:28:11 <hyakuhei> nkinder: so many things are!
17:28:21 <hyakuhei> ok, what's next?
17:28:35 <nkinder> hyakuhei: once the licensing is done, we should add the remaining tests to bandit
17:28:52 <nkinder> is anyone interested in writing one of those tests who hasn't written one for bandit before?
17:29:01 <sicarie> nkinder: yes
17:29:01 <nkinder> it might produce some good feedback about bandit
17:29:07 <nkinder> sicarie: great!
17:29:18 <nkinder> sicarie: so the 0.0.0.0 hacking test is definitely a gap
17:29:22 <hyakuhei> nkinder: yup I'd like to write a few
17:29:26 <tmcpeak> I'll pitch in too
17:29:29 <sicarie> nkinder: cool, I can take that
17:29:35 <nkinder> I *think* we caught most of the others
17:29:49 <hyakuhei> What's the IPv6 for 0.0.0.0 ::: ?
17:30:13 <nkinder> hyakuhei: I don't know that there is an equivalent
17:30:22 <tmcpeak> ::0
17:30:23 <nkinder> 0.0.0.0 applies to v4 and v6 families
17:30:41 <nkinder> at least from a socket interface
17:30:45 <hyakuhei> Internet say's its ::
17:31:01 <hyakuhei> Wow, this "google" thing is awesome!
17:31:04 <nkinder> we should see how the socket interface works with that
17:31:17 <hyakuhei> Yeah
17:31:30 <nkinder> since family specifies what families to listen on, and 0.0.0.0 will listen on v6 as well as v4
17:31:39 <nkinder> the same might be true of ::
17:31:39 <tmcpeak> ok finally demo time
17:31:41 <tmcpeak> brb
17:31:46 <hyakuhei> So I want to do some validation on SSL3.0 and what, if anything really needs it. I suspect the list is very small.
17:31:49 <hyakuhei> good luck tmcpeak
17:32:04 <nkinder> I don't have anything more on gate tests for now
17:32:42 <hyakuhei> ok, wanna talk about OSSN while you have the floor?
17:32:59 <nkinder> hyakuhei: sure, please change the topic o powerful one
17:33:01 <hyakuhei> #topic OSSN: OpenStack Security Notes
17:33:14 <nkinder> We have 3 new notes in flight, which is awesome
17:33:25 <nkinder> 0020, 0021, and 0022
17:33:28 <hyakuhei> Need moar
17:33:41 <nkinder> I believe 0022 is in need of review (it was updated this morning)
17:33:59 <nkinder> #link https://review.openstack.org/#/c/108349
17:34:23 <nkinder> the other two need updates by the authors (stan and priti)
17:34:44 <bdpayne> I'll do a review pass on 0022
17:34:54 <nkinder> hyakuhei: there is that private issue that might turn into an OSSN in the works
17:34:54 <hyakuhei> I'll poke stan.
17:35:07 <hyakuhei> Yeah I can see that hapenning
17:35:24 <viraptor> I'll get mine updated today
17:35:26 <hyakuhei> ok, so we talked about ways to generate more OSSNs - any more thoughts on that?
17:35:31 <nkinder> one other potentially good one is related to a bug I've been helping with
17:35:31 <hyakuhei> viraptor: thanks!
17:36:01 <nkinder> https://review.openstack.org/101792
17:36:14 <nkinder> this is the keystone client password logging issue
17:36:30 <nkinder> debug logging logs entire requests, including passwords
17:36:41 <bdpayne> sorry if I'm slow to the game here, but I'm pretty shocked that OSSN-0022 isn't a CVE
17:38:02 <hyakuhei> It's because it's a wierd mode of operaiton I think
17:38:11 <hyakuhei> Start a stopped instance with soft-reboot call
17:38:14 <hyakuhei> iirc
17:38:24 <bdpayne> sure, but... ugh
17:38:29 <bdpayne> this is nasty
17:38:37 <nkinder> bdpayne: there's some background discussion on that decision in the bug
17:38:46 <hyakuhei> Though I'd agree that anything that breaks the ACLs that didn't come from a 'please break my ACL' API call should be an OSSA/CVE
17:38:47 <nkinder> bdpayne: it might be worth arguing the point further
17:39:05 <bdpayne> I'll look into the bug
17:39:06 <bdpayne> thanks
17:39:13 <bdpayne> I've reviewed the OSSN and it lgtm
17:39:18 <bdpayne> (fyi)
17:39:30 <hyakuhei> dg__: we are just discussing your OSSN
17:39:38 <dg__> hey sorry I'm late
17:40:07 <nkinder> dg__: I plan to review it this afternoon
17:40:31 <dg__> nkinder thanks
17:40:47 <nkinder> on the keystoneclient password logging one, what do others think about a note advising about it?
17:40:51 <nkinder> this isn't a huge concern for a normal client, but it's pretty ugly if Horizon has debug logging on
17:41:19 <hyakuhei> nkinder: I'll look now
17:41:24 <nkinder> debug logging in Horizon will then show the requests it makes to keystone with passwords for users
17:41:25 <hyakuhei> dg__: reviewed your OSSN
17:42:17 <nkinder> It's being fixed in the client now, but it's probably worth mentioning to recommend updating the client for older releases
17:42:27 <hyakuhei> I didn't think we were doing OSSNs for client side logging ? I'm happy for that not to be the case but I thought that was the precedent
17:42:31 <tmcpeak> back
17:43:04 <dg__> hyakuhei thanks, I'll fix the line lengths
17:43:19 <nkinder> hyakuhei: client-side logging in this case is Horizon though
17:43:26 <hyakuhei> Ah ok
17:43:35 <hyakuhei> Yeah that sounds bad.
17:43:40 <nkinder> hyakuhei: if you and I log into Horizon, the Horizon admin might have debug logging on which contains our passwords
17:44:13 <nkinder> ok, I'll create an ossn bug for it
17:44:20 <nkinder> hyakuhei: please add an #action for me
17:44:35 <tkelsey> I can pick up that new OSSN if people want
17:44:37 <hyakuhei> #action nkinder to create an OSSN for https://review.openstack.org/101792
17:44:50 <nkinder> tkelsey: sure
17:45:01 <nkinder> tkelsey: I've been working on the bug and unit tests for it
17:45:13 <nkinder> tkelsey: so I can answer any questions for you
17:45:32 <hyakuhei> Great stuff!
17:45:40 <tkelsey> nkinder: cool, I'll contact you for details
17:45:42 <nkinder> hyakuhei: for identifying new OSSNs, we discussed using SecurityImpact reviews to find issues
17:45:55 <nkinder> hyakuhei: We talked about a sub-team that is responsible for reviews
17:46:07 <hyakuhei> Yeah, is there a nice way to see a list of all gerrit items with certain tags?
17:46:10 <hyakuhei> I assume there is
17:46:17 <nkinder> I haven't had a chance to follow up and investigate that yet
17:46:44 <nkinder> hyakuhei: You can add an action for me to look into that
17:46:58 <hyakuhei> Would be good to have over 30 by the summit - I think that should be doable
17:47:10 <nkinder> Once we have a list, we can craft an e-mail with the responsibilities for the sub-team
17:47:15 <nkinder> hyakuhei: over 30 notes?
17:47:17 <hyakuhei> #action nkinder to investigate ways of identifying all the 'security impact' bugs
17:47:19 <nkinder> hyakuhei: that should be no problem
17:47:20 <hyakuhei> nkinder: yup
17:47:34 <nkinder> hyakuhei: ok, that's it on notes from me
17:48:08 * nkinder steps away for 2 minutes
17:48:12 <hyakuhei> ok, what else did we have to discuss?
17:48:20 <hyakuhei> #topic Other business
17:48:35 <dg__> hyakuhei can we add a gate test for line lenght on OSSNs?
17:48:49 <dg__> also, I fixed the line length on ossn-22, please review
17:48:55 <bdpayne> I have a few words on the book
17:49:14 <bdpayne> Is now good?
17:49:31 <hyakuhei> We don't have any gate tests for OSSNs at the moment but yeah that would be high on the list dg__
17:49:36 <hyakuhei> bdpayne: go ahead
17:49:42 <hyakuhei> #topic security guide
17:50:06 <bdpayne> Coming out of the meetup last week, we have lots of bugs filed on the book.  Many of the smaller changes are being plucked off by various people, which is great.
17:50:24 <bdpayne> Moving forward, I'd like to put together a bit of a roadmap about how we want the book to shape up.
17:50:37 <bdpayne> There are some larger questions about content, organization, release schedule, etc.
17:50:51 <bdpayne> We didn't really get a chance to flush this out last week, which is fine.
17:51:06 <bdpayne> So... what I'd like to do is to get more people familiar with the book project by working on the open bugs.
17:51:18 * nkinder back
17:51:20 <bdpayne> And I can put together a strawman proposal for longer term thinking.
17:51:21 <hyakuhei> Yeah, a big discussion should be around if we branch with release cycles
17:51:26 <hyakuhei> bdpayne: sounds good
17:51:36 <bdpayne> Then I'll open that strawman up for larger group comment / review.
17:51:41 <nkinder> bdpayne: yeah, a book v2.0 plan would be a good idea
17:51:47 <bdpayne> There's a lot of moving pieces, so I think this is a reasonable approach.
17:52:06 <bdpayne> But if anyone wants to be engaged with this from the earliest stages, then please just drop me a line.
17:52:08 <bdpayne> Also...
17:52:20 <bdpayne> I received some questions around what it takes to be listed on the authors list
17:52:20 <dg__> bdpayne happy to pick up some of those bugs
17:52:22 <bdpayne> This is an open question
17:52:29 <bdpayne> And something that we should be thinking about
17:52:53 <bdpayne> beyond that, thanks to everyone for pushing the book ahead nicely last week
17:52:55 <hyakuhei> Yeah, so there's probably a difference between contributors and authors
17:52:59 <nkinder> bdpayne: yeah, that seems like a difficult thing to define
17:53:04 <bdpayne> we're getting lots of nice changes!
17:53:21 <bdpayne> we have lots of new contributors as well
17:53:25 <bdpayne> which is great stuff
17:53:26 <hyakuhei> Most of the authors listed wrote one or more entire chapters
17:53:50 <bdpayne> yeah, I think the bar should be set to something similar to what the initial authors did
17:53:54 <bdpayne> just need to define that formally
17:53:55 <hyakuhei> I think that's a reasonable bar at which to be an author, changes and paragrphas here and there are probably contributors
17:54:03 <hyakuhei> At the discression of bdpayne of course.
17:54:08 <bdpayne> heh
17:54:24 <hyakuhei> I.E if someone writes a shed load of content for every chapter they should probably be an author
17:54:26 <bdpayne> 1 beer == contributor, 6 beers == author, etc
17:54:33 <hyakuhei> bdpayne: +1
17:54:39 <hyakuhei> Ok guys, last 5 minutes
17:54:42 <tmcpeak> sounds good
17:54:50 <bdpayne> that's all I have on the book
17:55:07 <nkinder> I'd quickly like to say a few things about threat modelling of keystone trusts
17:55:21 <hyakuhei> #topic Other business
17:55:21 <nkinder> We identified 2 threat scenarios last week
17:55:31 <hyakuhei> go ahead nkinder
17:55:44 <nkinder> I've written unit tests to cover those here - https://review.openstack.org/109120
17:55:56 <nkinder> additional reviews from OSSG folks would be appreciated
17:56:26 <nkinder> Also related, I sent an e-mail out to the dev list yesterday about adding some additional limits to trusts
17:56:34 <hyakuhei> #action hyakuhei to review https://review.openstack.org/109120
17:56:44 <tmcpeak> nkinder: what about limiting trust delegations to prevent resource exhaustion attacks?
17:56:45 <hyakuhei> nkinder: I didn't see it...
17:56:54 <nkinder> no, not resource exhaustion
17:57:09 <nkinder> it's to hve liites on how long a trust can be valid for at a global level
17:57:25 <nkinder> this would be one way of preventing a permanent backdoor for a compromised account
17:57:36 <tmcpeak> I know that one, we have the OSSN on it
17:57:38 <nkinder> s/liites/limits/
17:57:50 <nkinder> that's not the only reason, but it's related to that OSSN
17:57:51 <tmcpeak> but if there is no limiting and they never expire then you could eventually exhaust resources, clog up the DB, etc
17:58:05 <nkinder> ideally, role based limits could be set to put a cap on delegation
17:58:24 <nkinder> right now, it's up to the user to cap a trust (and everyone can put no expiration on it)
17:59:08 <nkinder> the discussion is here - http://lists.openstack.org/pipermail/openstack-dev/2014-July/040944.ht
17:59:21 <nkinder> http://lists.openstack.org/pipermail/openstack-dev/2014-July/040944.html
17:59:26 <nkinder> not truncated this time :P
17:59:46 <nkinder> ok, that's all from me
17:59:53 <tmcpeak> ahh cool
17:59:56 <hyakuhei> Great, thanks for the link nkinder
18:00:05 <hyakuhei> Ok, that's time people! Thank you everyone!
18:00:08 <tmcpeak> thanks everyone
18:00:14 <clouddon> bye all
18:00:16 <clouddon> thanks
18:00:18 <tkelsey> thanks all
18:00:19 <hyakuhei> #endmeeting