17:05:09 <nkinder_> #startmeeting OpenStack Security Group
17:05:10 <openstack> Meeting started Thu Sep 11 17:05:09 2014 UTC and is due to finish in 60 minutes.  The chair is nkinder_. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:05:11 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:05:14 <openstack> The meeting name has been set to 'openstack_security_group'
17:05:29 <nkinder_> With that, let's jump into it
17:05:32 <nkinder_> #topic ossn
17:05:55 <nkinder_> So, there are still a good number of OSSNs out there.  I've been making my way through reviewing them.
17:06:00 <hyakuhei> Can ppl make sure they update LP when they pick up an OSSN pls?
17:06:07 <nkinder_> hyakuhei: +1
17:06:43 <nkinder_> I think 0020 is close
17:06:46 <nkinder_> #link https://review.openstack.org/#/c/113422
17:07:06 <nkinder_> I pushed up a new patch for Priti to help move it along
17:07:19 <tmcpeak> cool
17:07:26 <tmcpeak> what does it need? more review?
17:07:55 <nkinder_> Yes, more review.  It has none since I updated it this morning
17:08:15 <nkinder_> It's a pretty simple one, as we backed off of trying to provide an intricate workaround to identify and terminate NAT connections
17:08:47 <nkinder_> I don't think it's possible to reliably kill connections made via floating IP based on my testing
17:08:56 <nkinder_> So, that should make this easy to review. :)
17:09:03 <tmcpeak> cool
17:09:19 <nkinder_> hyakuhei: a review by you would be great.  I'm ok to +2 it given that Priti really wrote it (and I just tweaked it)
17:09:29 <nkinder_> tmcpeak: I'll wait for a +1 from you before that too though
17:09:38 <tmcpeak> nkinder_: ok, sounds good
17:09:41 <viraptor> so on the topic of managing LP, I got used to nova actually marking stuff as in progress after a review is opened, but when I wrote 0023 it neither moved to in-progress, nor closed even though closes-bug is in the message - does anyone know if it's hard to automate?
17:09:43 <nkinder_> and I'll see about getting a Neutron core to review it again
17:09:55 <nkinder_> #action nkinder to ask Neutron devs to review OSSN-0020
17:10:05 <nkinder_> #action tmcpeak to review OSSN-0020
17:10:15 <nkinder_> #action hyakuhei to review OSSN-0020
17:10:18 <hyakuhei> :)
17:10:40 <nkinder_> Ok, so OSSN-0024 is also a fairly easy one from a technical standpoint
17:11:14 <nkinder_> tmcpeak and I have both reviewed it, and it's really just wording issues at this point
17:12:02 <tmcpeak> yeah, not much changes left on that
17:12:09 <nkinder_> Shohel will update that one, and we can hopefully take care of it pretty quickly
17:12:21 <tmcpeak> sicarie: has 25
17:12:28 <nkinder_> I have to make the rounds through the other pending notes today
17:12:45 <tmcpeak> tkelsey has 27
17:12:52 <tkelsey> Yup
17:13:06 <nkinder_> Are there any technical details on the pending notes that we need to discuss?
17:13:09 <tkelsey> Review welcome
17:13:18 <nkinder_> tkelsey: will do
17:13:22 <tkelsey> Ty
17:13:28 <sicarie> nkinder - there is a pending fix on 25
17:13:47 <sicarie> Should I hold off until it's merged, or make a note that there is a 'pending' fix?
17:14:01 <nkinder_> tkelsey: which LP is your note associated with?
17:14:16 <nkinder_> sicarie: same question for you ^^^
17:15:32 <nkinder_> ah, tkelsey has https://bugs.launchpad.net/ossn/+bug/1274034
17:15:33 <uvirtbot> Launchpad bug 1274034 in neutron "Neutron firewall anti-spoofing does not prevent ARP poisoning" [High,In progress]
17:15:49 <sicarie> Bah, the OSSN draft isn't showing up, but here's the bug
17:15:50 <sicarie> https://bugs.launchpad.net/ossn/+bug/1354512
17:15:51 <uvirtbot> Launchpad bug 1354512 in ossn "Anonymous user can download public image through Swift" [Undecided,New]
17:16:00 <tkelsey> Yeah sorry was finding link
17:16:41 <tmcpeak> would it be useful for us to have a table where we list LP bug, review link, status?
17:16:50 <tmcpeak> and who is working it
17:16:56 <tmcpeak> for each OSSN number
17:17:01 <sicarie> +1 - I'm always forgetting the gerrit link
17:17:13 <tmcpeak> same, I've had that trouble many times
17:17:14 <nkinder_> sicarie: , set the ossn LP to "in progress" and assign it to yourself please
17:17:21 <tmcpeak> I usually have to go through my browser history
17:17:30 <sicarie> nkinder - apologies, thought I had, will do shortly
17:17:43 <nkinder_> If you add "Closes-bug" in your patch commit message, it will add a link into the LP
17:17:48 <nkinder_> though a table would be nice
17:18:39 <nkinder_> I use this list to see what is being worked on:
17:18:42 <nkinder_> #link https://bugs.launchpad.net/ossn/
17:18:49 <hyakuhei> +1
17:18:55 <sicarie> Ah, my non-familiarity with git - I didn't want to do closes-bug in case that submitted as a patch
17:19:11 <tmcpeak> maybe an etherpad with OSSN#, who has it, what's the status, LP bug, review link
17:19:12 <nkinder_> sicarie: it knows what git repo is tied to which project in LP
17:19:24 <nkinder_> tmcpeak: yeah, though it needs to be maintained...
17:19:31 <tmcpeak> sometimes I have a few mins to kill and would do reviews but laziness associated with finding them is a barrier to entry
17:19:55 <nkinder_> tmcpeak: so a gerrit view of all open security-doc reviews is ideal for that
17:19:59 <tmcpeak> nkinder: true
17:20:25 <nkinder_> #link https://review.openstack.org/#/q/status:open+project:openstack/security-doc,n,z
17:20:57 <nkinder_> Useful titles in your commit message would really help here
17:21:17 <tmcpeak> good point
17:21:38 <nkinder_> I think we should have something consistent like "OSSN-xxxx - <issue title>"
17:21:48 <nkinder_> as you can see, there are some generic ones right now
17:22:48 <nkinder_> ok, so everyone pitch in on reviews and let's get some published before next week.  I think we knocked 2 out last week.
17:23:11 <nkinder_> let's try to at least do the same in the next week (should be easy with 0020 and 0024)
17:23:15 <tkelsey> +1
17:23:23 <tmcpeak> cool
17:23:40 <nkinder_> One other item related to notes is that it's going to be a good time to make a pass through the existing notes to see if things are changing in Juno
17:23:54 <nkinder_> For some existing notes, we might need to add Juno to the list of affected releases
17:24:11 <nkinder_> ...for others, we might be able to add something saying "this issue is fixed in Juno"
17:24:30 <nkinder_> I think we should do that once we start getting Juno RCs
17:24:43 <tmcpeak> nkinder_: +1
17:25:05 <nkinder_> I'll re-raise this in a future meeting as we get closer, because I'd like for us all to split this task up.
17:25:15 <tmcpeak> cool
17:25:25 <nkinder_> ok, I think that's it on notes
17:25:41 <nkinder_> tmcpeak: anything on bandit/gate you want to discuss?
17:25:46 <tmcpeak> sure
17:25:53 <nkinder_> #topic bandit/gate tests
17:26:00 <tmcpeak> chair6 has a review in to get Bandit in Gerrit
17:26:08 <nkinder_> stackforge?
17:26:12 <chair6> #link https://review.openstack.org/#/c/119865/
17:26:15 <tmcpeak> yeah, sorry, stackforge
17:26:15 <chair6> yup, stackforge
17:26:23 <nkinder_> chair6: cool!
17:26:25 <tmcpeak> chair6: didn't know you're here
17:26:30 <tmcpeak> can you fill in a bit on the process?
17:26:38 <chair6> lurking.. :)
17:26:51 <tmcpeak> you? never...
17:27:02 <chair6> yeah, sure
17:27:05 <chair6> #link http://ci.openstack.org/stackforge.html
17:27:10 <chair6> ^ that's the process we're following
17:27:31 <nkinder_> new repos are created on fridays, so hopefully this will be approved and created tomorrow
17:27:39 <chair6> make a few edits to various config files, submit a review .. my muscle memory slipped and i'd type 'sourceforge' instead of 'stackforge', fixed that so we should be good
17:28:05 <chair6> excellent
17:28:11 <chair6> tomorrow would be good
17:28:27 <hyakuhei> chair6: does that need any support?
17:28:32 <tmcpeak> we need more tests, they're easy to write
17:28:42 <tmcpeak> if you think of any and want to write one and want help, let me know
17:28:47 <nkinder_> hyakuhei: you mean to get approved?
17:28:53 <hyakuhei> yeah
17:29:04 <nkinder_> hyakuhei: I just looked over the changes, and they all look correct for repo creation.  I'll +1 it.
17:29:17 <tkelsey_> erg, sorry everyone
17:29:31 <nkinder_> hyakuhei: in my experience, the acks all come in on friday
17:30:03 <nkinder_> ok, any other bandit/gate test discussion at this point?
17:30:06 <chair6> tmcpeak made a few more useful framework improvements over the week, i wrote a basic sqli check.. time to keep on building the set of tests out
17:30:26 <tmcpeak> also testing would be useful
17:30:40 <tmcpeak> I've run it against all OpenStack projects and it doesn't die, but more testing is always good
17:30:43 <nkinder_> how is the list of issues that we discovered going?  Have any of those gotten merged?
17:31:03 <nkinder_> My swift changes to avoid insecure mktemp were merged last week
17:31:14 <tmcpeak> I found and fixed the Glance one a while back
17:31:16 <nkinder_> but I didn't go update the google doc we created at the midcycle
17:31:25 <nkinder_> anyone have a link to that google doc?
17:31:36 <tmcpeak> I'll get it
17:31:50 <tmcpeak> https://docs.google.com/spreadsheets/d/1HkKYaUI0fL1wKGq7KrFQkUuxSnRXhr8O6ZO3E5_eyuA/edit?usp=sharing
17:31:53 <tmcpeak> #link https://docs.google.com/spreadsheets/d/1HkKYaUI0fL1wKGq7KrFQkUuxSnRXhr8O6ZO3E5_eyuA/edit?usp=sharing
17:33:04 <nkinder_> ok, so I'll update my item on that.  If anyone else has filed bugs that are referenced there, please check them to see if anything has been done to address them and update the doc appropriately.
17:33:21 <tmcpeak> btw, if anybody still wants to take one, Trove has a ton
17:34:06 <tmcpeak> as in, run the latest Bandit against Trove, and happy hunting
17:34:23 <nkinder_> ok, any other topics from anyone?
17:34:44 <hyakuhei> nope
17:34:46 <nkinder_> no bdpayne today, so I don't know if anyone else can cover the doc update
17:35:02 <hyakuhei> seems to be slowing down
17:35:03 <nkinder_> I also haven't heard anything on the threat modeling side of things
17:35:19 <nkinder_> Does anyone have any news there, or has that effort stagnated?
17:35:58 <tmcpeak> I guess shohel would be the one to say
17:36:37 <hyakuhei> Shohel and priti were doing some hands on stuff
17:38:50 <nkinder_> ok, any other topics from anyone?
17:39:32 <nkinder_> if nothing else, then I'm going to suggest we end early
17:39:41 <tmcpeak> sounds good
17:39:43 <tkelsey> nothing from me
17:39:48 <nkinder_> ...then we can all use the extra time for OSSN reviews. :)
17:39:50 <bknudson> I had a topic
17:39:57 <nkinder_> bknudson: sure
17:40:02 <bknudson> So here's my concern...
17:40:10 <bknudson> I can propose a bunch of security hardening
17:40:25 <bknudson> but at this point they're going to be considered Wishlist / nice to have rather than actual bugs
17:40:47 <tmcpeak> bknudson: +1
17:40:52 <bknudson> so, maybe it would be useful if we had something that documented when some crypto use was inadequate
17:40:58 <bknudson> and was actually a bug and not a nice-to-have
17:41:14 <tmcpeak> great idea
17:41:22 <tkelsey> bknudson: +1
17:41:52 <tmcpeak> I have learned what is considered to be a bug and not, but that knowledge dies with me.  Could save somebody else some effort
17:42:09 <bknudson> probably not something we'll have for juno, but for K should be something we can aim for
17:42:30 <tkelsey> blueprint?
17:42:30 <nkinder_> I think we'll still have to pile onto the bugs to stress that they are important
17:42:32 <bknudson> maybe this would be a good topic for the summit
17:42:50 <nkinder_> bknudson: +1
17:43:56 <nkinder_> bknudson: I'm not sure where that is going to fit from a design session standpoint given the restructuring of how that portion of the summit works
17:44:52 <bknudson> ok, just wanted to bring it up here since I was thinking about it and maybe there were other thoughts / agreement.
17:44:57 <bknudson> I'll try to come up with some next steps.
17:45:04 <tmcpeak> sounds good
17:45:06 <bknudson> maybe something to the mailing list
17:45:10 <nkinder_> bknudson: perhaps we should be bringing the issues to the affected project's IRC meeting to get buy in at the PTL level
17:45:23 <nkinder_> yeah, mailing list would be a good place to start too
17:45:30 <nkinder_> ok, any other topics?
17:46:48 <nkinder_> going once...
17:47:27 <nkinder_> ok then
17:47:29 <nkinder_> #endmeeting