17:01:01 <hyakuhei> #startmeeting openstack security group
17:01:02 <openstack> Meeting started Thu Jul 31 17:01:01 2014 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:03 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:06 <openstack> The meeting name has been set to 'openstack_security_group'
17:01:14 <hyakuhei> Good morning/evening everyone!
17:01:31 <tmcpeak> hey hey
17:01:33 <shohel02> hi
17:01:35 <hyakuhei> Yo
17:01:39 <malini2> :)
17:01:40 <bdpayne> howdy
17:01:57 <bknudson> hi... I'm finally getting dug out from being buried with work
17:02:18 <mxin> hi, all
17:02:19 <tmcpeak> welcome back to the living bknudson
17:02:30 <hyakuhei> :)
17:02:42 <hyakuhei> Ok, let's give people a minute or two longer and then we'll get rolling
17:03:33 <tmcpeak> sounds good
17:03:38 <hyakuhei> Righto, what would people like to talk about today?
17:03:53 <tmcpeak> maybe status of bug filing for gate test bugs?
17:04:11 <hyakuhei> Great, what else?
17:04:23 <tmcpeak> you or nkinder wanted to do some triage for OSSN, right?
17:04:32 <bdpayne> I can give some quick book updates
17:04:50 <shohel02> I will give some update on Threat Analysis work
17:04:55 <hyakuhei> Cool, looks like we might be on for a short meeting :P
17:05:06 <mxin> nice
17:05:09 <hyakuhei> Ok well let's dive in.
17:05:17 <hyakuhei> #topic Bug filing
17:05:20 <hyakuhei> tmcpeak: go
17:05:26 <tmcpeak> cool
17:05:39 <tmcpeak> so, I think we're moving along pretty well on filing bugs
17:05:53 <tmcpeak> what I was wondering is if we want to tag the ones that we file to indicate they came from gate tests
17:06:01 <tmcpeak> I mean not gate tests, but the gate test tool
17:06:15 <hyakuhei> Yes
17:06:27 <hyakuhei> we should agree some boilerplate, one or two sentences
17:06:43 <hyakuhei> (This bug was found by the OSSG using X, our beta tool for doing Y etc)
17:06:43 <tmcpeak> I was thinking more along the lines of a tag
17:06:50 <hyakuhei> Oh I see
17:06:55 <tmcpeak> is that an appropriate use for a tag?
17:07:03 <hyakuhei> Not sure that makes sense as in the long term we intend this to be in CI not bugs
17:07:39 <shohel02> I agree with Rob
17:07:40 <tmcpeak> good point
17:07:49 <tmcpeak> ok cool
17:08:06 <tmcpeak> I think that's pretty much all I had to say
17:08:08 <malini2> Rob +1
17:08:13 <tmcpeak> is there anybody that wants to take on a bug but doesn't know how to start?
17:08:46 <hyakuhei> ok cool
17:08:56 <hyakuhei> So tmcpeak how many bugs are left to file, I know you took a bunch
17:09:10 <tmcpeak> yeah, I'm actually in a Trove rathole
17:09:24 <tmcpeak> I started looking at one and found so much stuff that I don't like I think I'll be here for a while
17:09:43 <hyakuhei> haha good - I think
17:09:48 <tmcpeak> looks like we have filed about… 7
17:09:55 * bdpayne just remembered one more thing we should talk about ... I'll bring it up at the end
17:09:56 <tmcpeak> err 9
17:10:03 <hyakuhei> Ok, maybe I'll see if I can get someone from HP to help, we're a bit thin on the ground atm
17:10:15 <tmcpeak> sounds good
17:10:19 <hyakuhei> bdpayne: how exciting :)
17:10:32 <bdpayne> yeah, right?
17:10:35 <hyakuhei> ok bdpayne want to talk about the security guide?
17:10:46 <hyakuhei> #topic openstack security guide
17:11:11 <bdpayne> sure
17:11:23 <bdpayne> so we've been chugging along on the bugs filed during the meetup
17:11:41 <bdpayne> one key thing worth mentioning is that we have reworked the chapters
17:11:48 <bdpayne> before we had something like 55 chapters
17:11:55 <hyakuhei> Yeah lots of work went into that
17:11:58 <bdpayne> now many of those are sections within a larger chapter
17:12:04 <bdpayne> the end result is great
17:12:25 <bdpayne> big thanks to some guys on the doc team for helping
17:12:29 <hyakuhei> 18 chapters now, looks great
17:12:45 <bdpayne> beyond that, I still have it on my todo list to put together a longer term vision on the book
17:12:50 <dg__> good effort
17:12:54 <bdpayne> 2 others have expressed interest in helping
17:13:03 <bdpayne> so I'll work with them and report back here in a week or two
17:13:16 <bdpayne> and that's about all that I have on the book this week :-)
17:13:21 <hyakuhei> Wonderful
17:13:27 <hyakuhei> #topic Threat Analysis
17:13:34 <hyakuhei> shohel02: You're up....
17:13:36 <shohel02> cool
17:13:53 <shohel02> so we are going through the notes taken in Meetup
17:14:02 <shohel02> some of the action points
17:14:17 <shohel02> one of them was distributing tasks...
17:14:35 <shohel02> and for that we have created a launchpad ..now anyone can assign themselves
17:14:45 <bdpayne> link?
17:14:52 <shohel02> a part of the work
17:14:58 <shohel02> https://launchpad.net/openstack-threat-analysis
17:15:13 <hyakuhei> #link https://launchpad.net/openstack-threat-analysis
17:15:26 <hyakuhei> ^ for the minutes ;)
17:15:38 <shohel02> I will send email in the security group so people know the stuff
17:15:49 <bdpayne> groovy
17:16:11 <hyakuhei> shohel02: Great work!
17:16:19 <hyakuhei> Anything else for today?
17:16:23 <shohel02> nop
17:16:27 <shohel02> some minor editing work
17:16:29 <hyakuhei> Cool
17:16:31 <shohel02> on the repo
17:16:34 <shohel02> that's it
17:16:39 <hyakuhei> #topic Summit Talks
17:16:49 <hyakuhei> Ok kids, time to pimp your talks
17:16:57 <tmcpeak> how's it done?
17:16:58 <bdpayne> what's this summit you guys are talking about? :-)
17:17:10 <bdpayne> just provide a link to the talk so we can vote
17:17:16 <shohel02> ha ha...pimping
17:17:16 <mxin> yes
17:17:20 <hyakuhei> Just drop a link to your talks in here so people who care can go take a look and decide if it's worth a vote :P
17:17:30 <bdpayne> nice to know which ones are coming from the security group
17:17:37 <hyakuhei> bdpayne: Do you have a talk?
17:17:38 <mxin> https://www.openstack.org/vote-paris/Presentation/openstack-api-security-testing-automation-in-action
17:17:49 <tmcpeak> https://www.openstack.org/vote-paris/Presentation/getting-ahead-of-the-game-finding-security-issues-in-openstack-code-at-the-gate
17:17:50 <viraptor> you all want to hear hyakuhei and me talking about making sure SSL is everywhere, right? :) https://www.openstack.org/vote-paris/Presentation/ssl-everywhere-with-ephemeral-pki
17:17:51 <hyakuhei> ^ use #link so it shows up in the minutes
17:17:53 <tmcpeak> tell your friends!
17:17:54 <shohel02> https://www.openstack.org/vote-paris/Presentation/identifying-security-issues-in-the-cloud-threat-analysis-for-openstack
17:17:57 <hyakuhei> viraptor: +1
17:17:58 <tmcpeak> #link https://www.openstack.org/vote-paris/Presentation/getting-ahead-of-the-game-finding-security-issues-in-openstack-code-at-the-gate
17:18:01 <viraptor> #link https://www.openstack.org/vote-paris/Presentation/ssl-everywhere-with-ephemeral-pki
17:18:19 <hyakuhei> #link https://www.openstack.org/vote-paris/Presentation/identifying-security-issues-in-the-cloud-threat-analysis-for-openstack
17:18:19 <dg__> #link https://www.openstack.org/vote-paris/Presentation/openstack-public-cloud-the-security-operations-perspective
17:18:39 <shohel02> #link https://www.openstack.org/vote-paris/Presentation/identifying-security-issues-in-the-cloud-threat-analysis-for-openstack
17:18:46 <bdpayne> #link https://www.openstack.org/vote-paris/Presentation/trustworthy-geographically-fenced-clouds-tgif-cs
17:18:52 * sicarie_ sneaks in apologizing for being late
17:19:02 <hyakuhei> #link https://www.openstack.org/vote-paris/Presentation/ossg-delivering-and-improving-on-security-in-openstack
17:19:02 <bdpayne> ^^ on this one, it is from IBM Research and I've been chatting with them a bit. Talk sounds interesting.
17:19:11 <hyakuhei> Oh cool, good job!
17:19:13 <hyakuhei> Welcome sicarie_
17:19:14 <bdpayne> well, "this one" being the link I provided above
17:19:20 <hyakuhei> Ok, everyone all done?
17:19:31 <hyakuhei> Go take a look and vote if you like peoples :)
17:19:37 <tmcpeak> hyakuhei: how many do you have, 5?
17:19:47 <hyakuhei> 3
17:19:48 <mxin> can we create a page to track them?
17:20:16 <mxin> hyakuhei: nice
17:20:16 <hyakuhei> #action mxin to create a wiki page to link to the OSSG authored talks at the Paris Summit
17:20:19 <bdpayne> you can use the vote tool to walk through the security talks too
17:20:25 <hyakuhei> Yeah
17:20:34 <bdpayne> might be easier / less appearance of bias ;-)
17:20:39 <mxin> got it.
17:20:52 <hyakuhei> So actually, a page listing all the talks by all OSSG members (for all previous summits) might be cool
17:21:01 <hyakuhei> #topic Any Other Business
17:21:03 <malini2> =-O #link https://www.openstack.org/vote-paris/Presentation/trusted-bare-metal-what-s-that
17:21:20 <bdpayne> So I'd like to talk a bit about Stevedore https://github.com/openstack/stevedore
17:21:32 <hyakuhei> cool, please do
17:21:32 <bdpayne> This came up earlier this week
17:21:47 <bdpayne> Bottom line is that several openstack projects are starting to use it (or already do)
17:21:54 <bdpayne> And that it is a ripe place for security issues
17:21:59 <bdpayne> Not saying it is bad, per se
17:22:08 <bdpayne> just that it has the potential for some nasty bugs
17:22:26 <bknudson> keystone has a review in progress for using stevedore
17:22:26 <bdpayne> OSSG was asked if we could do a security audit by the Glance PTL
17:22:39 <tmcpeak> bdpayne: sounds good
17:22:39 <bdpayne> I think it is a reasonable request
17:22:48 <bdpayne> and I'd like to figure out how we can move ahead on such a thing
17:22:49 <tmcpeak> how should we chop it up?
17:23:09 <bdpayne> not sure if this should fall under threat analysis or if it should be more of a code review or ??
17:23:11 <bdpayne> thoughts?
17:23:11 <hyakuhei> shohel02: any thoughts?
17:23:27 <shohel02> probably both
17:23:27 <tmcpeak> for sure code review
17:23:29 <hyakuhei> So a 1000ft view would be useful for moving things along I imagine
17:23:31 <malini2> bdpayne: code review seems the way here
17:23:40 <viraptor> that may be interesting, because it's only an internal library - nothing should pass unsanitized things into it.... code + external usage review?
17:24:05 <bdpayne> viraptor malini2 I tend to agree
17:24:06 <hyakuhei> Doable. viraptor do you have any cycles this week to do a pass through
17:24:10 <shohel02> if we are going to do code review, i can work with the people to make the model at the same time
17:24:11 <mxin> how many lines of code does it have?
17:24:25 <shohel02> to create threat model
17:24:30 <viraptor> hyakuhei: not really... but later next week should be doable
17:24:36 <tmcpeak> shohel02: +1
17:25:04 <mxin> I agree with code review
17:25:33 <hyakuhei> Yes, Threat Analysis and Code review are good ideas - I'm interested in volunteers....
17:25:38 <malini2> readthedocs implies there is some significant code there
17:25:45 <tmcpeak> I'll take a pass on it
17:25:45 <malini2> i will also dig in
17:25:48 <bdpayne> looks like about 1000 lines of python
17:26:06 <viraptor> mxin: 2.1k in total (comments, empty, ...)
17:26:07 <bdpayne> 1090, to be exact
17:26:12 <mxin> cool
17:26:15 <hyakuhei> That's not too bad.
17:26:31 <hyakuhei> Ok, so anyone up for mapping the entry/exit points?
17:26:36 <mxin> I can help too
17:26:59 <malini2> mxin, will compare notes with you Tuesday?
17:27:09 <hyakuhei> Great, let's have an update next week
17:27:14 <bdpayne> cool, thanks guys
17:27:15 <viraptor> the interface is really nicely defined: see https://github.com/dreamhost/stevedore/blob/master/stevedore/dispatch.py
17:27:22 <hyakuhei> Cool
17:27:26 <mxin> malini2: sure.
17:27:27 <bdpayne> I encourage everyone working on this to coordinate and work as a team
17:27:48 <mxin> by using openstack-security irc channel?
17:27:48 <tmcpeak> congregate in #openstack-security?
17:28:01 <bdpayne> makes sense
17:28:13 <bdpayne> just want to avoid 5 separate efforts
17:28:15 <tmcpeak> cool
17:28:17 <hyakuhei> IRC is ok but not brilliant for timezones, do the best you can :)
17:28:43 <hyakuhei> Any other business?
17:29:39 <hyakuhei> Well I guess we are done then - that's a wrap, thank you everyone!
17:29:44 <tmcpeak> thanks!
17:29:45 <hyakuhei> #endmeeting