17:00:14 <tkelsey> #startmeeting openstack security group
17:00:15 <openstack> Meeting started Thu Dec  4 17:00:14 2014 UTC and is due to finish in 60 minutes.  The chair is tkelsey. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:16 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:18 <openstack> The meeting name has been set to 'openstack_security_group'
17:00:34 <tkelsey> Hello OSSG folks, I will be your host today (hyakuhei can’t make it and sends his apologies).
17:00:59 <tkelsey> #topic rollcall
17:01:16 <sweston> o/
17:01:16 <elmiko> o/
17:01:30 <sicarie> o/
17:01:47 <tkelsey> hey sweston elmiko sicarie, just give a few mins for folks to join
17:01:53 <elmiko> np
17:01:54 <chair6> \o
17:01:58 <bpb_> o/
17:02:05 <sweston> tkelsey: of course
17:02:31 <dave-mccowan> o/
17:03:19 <hyakuhei> o/ I'm kind of around but pretty much afk
17:03:27 <hyakuhei> Thanks tkelsey for chairing this!
17:03:40 <tkelsey> hyakuhei: np
17:03:41 <dg_> go tkelsey!
17:04:17 <tkelsey> dg_: heh :)
17:05:06 <tkelsey> ok, i think thats long enough for folks to join
17:05:13 <tkelsey> #topic agenda
17:05:22 <tkelsey> so what do we want to talk about today then
17:05:44 <tkelsey> I have a few things carried over from the last meeting (pre-thanks giving)
17:06:02 <tkelsey> anyone else got topics to discuss?
17:06:45 <elmiko> i've got a question or two about documentation, but it's not huge
17:06:50 <dg_> tkelsey someone mailed the list about change history for the security guide, when to update the changelog in the front, etc
17:07:35 <tkelsey> elmiko, ok cool. Yeah dg_ security guide stuff is on the list
17:07:56 <tkelsey> right, lets start with barbican
17:08:03 <tkelsey> #topic barbican
17:08:51 <tkelsey> so there is a patch to bump PyKMIP to 0.2.0 in the global reqs here, getting some traction
17:09:04 <tkelsey> #link https://review.openstack.org/#/c/137016/
17:09:46 * bdpayne is here... sorry I'm a little late
17:10:14 <tkelsey> any other Barbican related topics people want to mention? do we have redrobot
17:10:38 <tkelsey> hey bdpayne, hyakuhei asked me to chair the meeting this time
17:10:48 <bdpayne> cool, thanks for stepping up
17:11:05 <tkelsey> bdpayne: my pleasure
17:11:58 <tkelsey> ok so I guess thats it for Barbican stuff
17:12:08 <tkelsey> #topic midterm
17:12:50 <ANIsh_> what is midterm ?
17:12:51 <tkelsey> so I dont have much to input on the midterm discussions, but I gather redrobot was going to find out about geekdom availability
17:13:15 <dg_> ANIsh_ the midcycle OSSG meetup
17:13:18 <bdpayne> that's what I recall as well
17:13:19 <tkelsey> ANIsh_: midterm meet up
17:13:21 <redrobot> tkelsey indeed... finally got a response from them last night, trying to work out the details now.
17:13:22 <bdpayne> I guess we're waiting to hear on that before locking in dates?
17:13:34 <ANIsh_> ok does it happen over US
17:13:37 <tkelsey> redrobot: awesome thanks :)
17:13:58 <tkelsey> ANIsh_: yes its in the US
17:14:12 <dg_> current discussion is san antonio or san fran
17:15:19 <ANIsh_> ok
17:16:21 <tkelsey> yeah, I think SF got most of the votes last time we mentioned it
17:16:52 <tkelsey> anyway, lets let redrobot look over the details from geekdom and then revisit it next time
17:16:58 <tkelsey> unless anyone wants to add anything now?
17:17:45 <tmcpeak> wow, blew right through my meeting reminder :)
17:17:48 <tmcpeak> hi folks
17:17:54 <ANIsh_> so the meetup can be attended remotely ?
17:17:58 <tkelsey> heh hi tmcpeak
17:18:14 <tkelsey> ANIsh_: no idea, I have actually never been to one
17:18:22 <tkelsey> anyone else know about that sort of thing?
17:18:33 <tmcpeak> it would probably be pretty difficult
17:19:24 <bdpayne> Re remote attendance... someone tried that last time and it didn't work too well
17:19:37 <bdpayne> I'm not against the idea, but I'd suggest that it has limited utility
17:20:23 <tkelsey> bdpayne: that makes sense, though of course people will be in the IRC room from time to time I would think
17:20:50 <bdpayne> indeed
17:21:19 <tkelsey> ok then, all happy to move on?
17:22:18 <bdpayne> sure!
17:22:20 <tkelsey> ok, so next on my list is Anchor
17:22:27 <tkelsey> #topic anchor
17:22:51 <tkelsey> anchor is the name for the Ephemera PKI now on stackforge
17:23:07 <tkelsey> https://review.openstack.org/#/admin/projects/stackforge/anchor
17:23:17 <tkelsey> #link https://review.openstack.org/#/admin/projects/stackforge/anchor
17:23:36 <bdpayne> #link https://github.com/stackforge/anchor
17:23:59 <tkelsey> this is the short lived certificate system that hyakuhei talked about during the Paris summit
17:24:44 <tkelsey> it now has a name and a home, so anyone with an interest is welcome to check it out and leave bugs for us in LP
17:24:46 <bdpayne> nice, glad to see this posted
17:24:55 <bdpayne> what are the plans for this going forward?
17:24:56 <elmiko> sounds cool
17:25:01 <ANIsh_> i will take a look
17:25:43 <tkelsey> for those who did not get a chance to see the talk the vid can be found here ...
17:25:47 <tkelsey> #link https://www.youtube.com/watch?v=jf_YOzW7I3s
17:26:03 <tkelsey> exciting times :)
17:26:23 <dg_> bdpayne make it work well, test it, document it, etc. We will be looking to deploy this in production systems, and hopefully get this adopted(if that is the correct term?)
17:26:54 <dg_> if anyone wants to contribute, then feel free, it'd be really nice to have some non-hp effort working on this!
17:27:04 <bdpayne> would be nice to see barbican integration (Anchor as a CA backend for Barbican)
17:27:24 <bdpayne> I'll check it out, I've been curious about how you guys are approaching this
17:27:44 <tkelsey> bdpayne: I think there was some discussion of integration with Barbican in their last meeting
17:27:54 <dg_> I would have to have a think about that, I've been thinking about plugging Anchor into a HSM for key storage, but hadnt thought about plugging it into barbican.
17:28:11 <redrobot> bdpayne +1
17:29:42 <elmiko> in terms of helping out with anchor, is there a list of TODOs or something?
17:29:51 <tkelsey> well we have a bunch of preliminary stuff to sort out to make the project more inline with openstack ways of doing stuff
17:30:21 <tkelsey> elmiko: we will be updating with TODOs and documentation
17:30:30 <elmiko> tkelsey: awesome
17:30:47 <tkelsey> #action tkelsey to add some TODOs for Anchor
17:31:18 <bdpayne> yeah, no need to redo all of that hsm work that's already in barbican
17:32:14 <tkelsey> bdpayne: +1 we don't want to duplicate effort
17:33:29 <tkelsey> ok cool, so plenty of stuff will be happening with Anchor and it would be good to get input from people :)
17:33:33 <tkelsey> moving on
17:33:47 <tkelsey> #OSSA metrics calibration
17:33:50 <tkelsey> nope
17:33:56 <tkelsey> #topic OSSA metrics calibration
17:34:03 <tmcpeak> I tried running through one
17:34:09 <tmcpeak> DREAD is pretty subjective
17:34:18 <tkelsey> so hyakuhei asked about this last meeting
17:34:18 <tmcpeak> it could be helpful to have more specific qualifications for each
17:34:34 <tkelsey> tmcpeak: sure, i guess that's why we need some good calibration examples for reference
17:35:18 <tmcpeak> yeah, so for starters R and E could use some more distinction IMO
17:35:27 <bdpayne> my take is that this stuff will always be subjective at some level
17:35:35 <bdpayne> the idea is to try to reduce / minimize that
17:35:37 <tmcpeak> yeah, for sure
17:35:40 <tkelsey> bdpayne: agreed
17:35:53 <tmcpeak> to be useful though, we should take away as much subjectivity as possible
17:35:56 <bdpayne> I'd look for two things
17:36:18 <bdpayne> 1) if two people review the same bug do they come up with the same score (or similar)
17:36:25 <bdpayne> 2) do the scores that people come up with pass the "smell test"
17:36:31 <bdpayne> that is... do they seem reasonable
17:36:38 <tmcpeak> sure
17:36:55 <tkelsey> bdpayne: sounds like good advice
17:37:00 <tmcpeak> well to that extent then, I'd be curious on other passes on this: https://bugs.launchpad.net/horizon/+bug/1308727
17:37:03 <uvirtbot> Launchpad bug 1308727 in horizon/icehouse "[OSSA 2014-023] XSS in Horizon Heat template - resource name (CVE-2014-3473)" [High,Fix released]
17:37:09 <tmcpeak> I did a pass, and came up with a score
17:37:13 <tmcpeak> I'd be curious what others come up with
17:37:25 <bdpayne> yeah, perhaps we should have several people take a pass over a collection of 5-10 bugs
17:37:32 <bdpayne> and then share the scores when everyone is done
17:37:38 <tkelsey> bdpayne: +1 sounds like a good plan
17:37:45 <tmcpeak> yeah, that sounds good
17:38:02 <bdpayne> I'd be happy to participate
17:38:11 <dg_> +1
17:38:16 <bdpayne> perhaps someone else could put together the list of bugs to score?
17:38:18 <tkelsey> bdpayne: thank you, anyone else like to take part
17:38:21 <tmcpeak> I'll play too, but I'm out for a couple of weeks
17:38:23 <tmcpeak> so might take me a while
17:38:30 <dg_> pull up a set of bugs, send it out to the mailing list with a link to the dread info?
17:38:34 <tkelsey> i'll join in the effort as well
17:38:44 <tkelsey> dg_ good plan
17:38:48 <bdpayne> yeah... I guess it could just be the last N OSSAs
17:38:50 <dg_> arghh broken autoscroll
17:39:07 <tmcpeak> that's one thing bdpayne: I actually had a hard time finding the last N OSSAs
17:39:11 <dg_> bdpayne yeh that would do the trick, no real need to cherry pick
17:39:13 <tmcpeak> is there a simple way to do it I'm missing?
17:40:18 <bdpayne> normally I'd just search my inbox
17:40:34 <tkelsey> dg_ ok, can you send out a message to the ML with links to the last 5 OSSAs and we can coordinate around that
17:40:50 <dg_> bdpayne I dont think that approach would scale...
17:40:53 <tmcpeak> yeah, that's what I did.  I guess there isn't anything better?  Would be nice to just hit a page and get them
17:41:22 <tkelsey> there may be a better way to do it, but for now a manual list should be fine right?
17:41:54 <dg_> so I would hope that there is a page, they talked about this in the VMT design session in paris, talking about having security.openstack as the destination to get stuff like this
17:42:19 <bdpayne> yeah, I'm thinking that's not done yet
17:42:49 <bdpayne> fyi https://wiki.openstack.org/wiki/SecurityAdvisories/Icehouse
17:42:49 <tmcpeak> ok, as long as it wasn't me just being stupid :)
17:42:52 <bdpayne> and so forth
17:43:01 <tkelsey> heh, I guess have a dig around and find the last 5
17:43:05 <dg_> ok, can we put the action to send out that list on someone who has the list of the most recent OSSAs, or someone mail them to me and I'll write something up
17:43:21 <tkelsey> dg_ can you take an action to do that please ?
17:43:32 <dg_> ahh there we go, thanks bdpayne
17:43:36 <bdpayne> :-)
17:43:46 <dg_> tkelsey sure
17:44:10 <tkelsey> #action dg_ to send a list of the last 5 OSSAs to the ML for calibration efforts
17:44:25 <tkelsey> ok, quick show of hands, who wants to take part in scoring ?
17:44:31 <tkelsey> o/
17:44:36 <tmcpeak> o\
17:44:43 <tmcpeak> I mean o/
17:44:46 <tkelsey> lol :)
17:44:54 <bdpayne> o/
17:45:15 <sweston> o/
17:45:43 <tkelsey> thanks guys, appreciated :)
17:45:53 <tkelsey> ok next
17:46:27 <tkelsey> #topic security guide
17:46:38 <tkelsey> elmiko: what did you want to bring up?
17:46:58 <elmiko> tkelsey: i'm working on a security guidelines document for the Sahara project
17:47:14 <elmiko> and i'm looking for the OSSG guide sources for inspiration
17:47:30 <bdpayne> will this be coding guidelines or ?
17:47:30 <elmiko> not for content, but for a little guidance on the structure of our sources.
17:47:35 <bdpayne> ahh, ok
17:47:38 <elmiko> configuration guides
17:47:48 <bdpayne> elmiko, I'd be happy to help you out
17:48:17 <elmiko> i'm thinking we'd like to have something akin to what is currently produced, a PDF and online docs with the ability for the community to generate patches against the docs.
17:48:18 <bdpayne> sources for the guide are here: https://github.com/openstack/security-doc/tree/master/security-guide
17:48:30 <elmiko> bdpayne: awesome, thanks!
17:48:44 <Randy_Perryman> hello
17:48:44 <tkelsey> thanks bdpayne :)
17:48:46 <bdpayne> so, that takes a while to achieve
17:48:48 <bdpayne> you'd really want doc team support for that
17:49:00 <bdpayne> although, any reason you wouldn't just want this as part of the security guide?
17:49:22 <elmiko> no specific reason, i think we were just considering starting small
17:49:34 <elmiko> it would be awesome to have it part of the main doc though =)
17:49:48 <bdpayne> to be honest, it would be less work to join forces
17:49:51 <bdpayne> otherwise you are reinventing lots of stuff
17:50:01 <bdpayne> what is the status of the sahara project?
17:50:11 <elmiko> sahara is integrated as of Juno
17:50:21 <bdpayne> ok cool
17:50:28 <bdpayne> so we should be able to just make a chapter for it
17:50:47 <elmiko> that would be great
17:50:48 <bdpayne> I'd suggest taking that approach
17:50:50 <bdpayne> then you can also cross reference to other things in the book more easily
17:50:57 <bdpayne> like... you want TLS... see Ch X
17:51:05 <elmiko> exactly
17:51:22 <bdpayne> so yeah, perhaps ping me and I can help you get started
17:51:25 <tkelsey> yes, I was going to ask about TLS next, but i'll let you guys finish up first
17:51:31 <bdpayne> would be good to start by filing some bugs for the work you have in mind
17:51:44 <elmiko> so, i've started a blueprint in the sahara side of launchpad, would it be appropriate to continue with my spec and then attempt to bring things over to the OSSG doc?
17:52:03 <bdpayne> either way
17:52:16 <tkelsey> ok, 10mins folks
17:52:19 <chair6> also on the security guide topic, i ran across some stale content the other day.. not sure if anyone else needs to know about it
17:52:20 <bdpayne> when it comes time to do the actual writing / merging, I'd ask that you file bugs under https://bugs.launchpad.net/openstack-manuals
17:52:27 <dg_> bdpayne have a minor TLS/security guide point to cover too
17:52:30 <bdpayne> and then tag them as security guide bugs
17:52:46 <chair6> #link https://bugs.launchpad.net/openstack-manuals/+bug/1395974
17:52:47 <uvirtbot> Launchpad bug 1395974 in openstack-manuals "OpenStack Security Guide Chapter number mismatch" [High,Triaged]
17:52:48 <bdpayne> "sec-guide" is the correct tag
17:52:54 <elmiko> bdpayne: ok, i'll need time to study the doc/manuals stuff.
17:52:59 <bdpayne> sure, np
17:53:16 <bdpayne> poke me if you have questions... I'm usually in the openstack-security IRC channel
17:53:41 <tkelsey> ok elmiko and bdpayne should talk more on this :)
17:53:41 <elmiko> bdpayne: also, i imagine we will have more content as time goes on, we are just starting to improve security in sahara
17:53:52 <elmiko> sounds like it =)
17:53:58 <bdpayne> sure, sounds good
17:54:03 <tkelsey> in the last 5mins do we have any pressing issues to raise ?
17:54:18 <bdpayne> chair6 what's the question on that bug?
17:54:46 <bdpayne> dg_ perhaps we could chat about your point in the security channel after this meeting?
17:55:05 <chair6> looks like it's being actioned, but just wanted to make sure it's "known about"
17:55:18 <bdpayne> ah, yes, it is
17:55:20 <bdpayne> thanks
17:55:21 <tkelsey> chair6: good stuff
17:55:23 <tkelsey> thanks
17:55:28 <dg_> bdpayne sounds good
17:55:53 <tkelsey> ok so unless we have anything else pressing lets talk about OSSNs
17:56:01 <tkelsey> #topic OSSNs
17:56:17 <tkelsey> so who has outstanding OSSNs in review ?
17:56:47 <tkelsey> please add links here so others can go review them :)
17:56:56 <bdpayne> looks like there are 2
17:57:03 <bdpayne> https://review.openstack.org/#/c/136203/
17:57:18 <bdpayne> https://review.openstack.org/#/c/128636/
17:57:32 <sweston> bdpayne: thank you, didn't know whether it needed more reviews or not
17:57:43 <sweston> for the first one
17:57:48 <bdpayne> sweston, looks like you need another OSSG core review
17:57:51 <bdpayne> I can provide that
17:58:05 <sweston> bdpayne: awesome, thank you :-)
17:58:18 <bdpayne> also may need a review from the project core team? do we have that yet?
17:58:33 <bdpayne> tkelsey for yours... are we waiting on a core project review?
17:58:46 <tkelsey> bdpayne: yes thats right
17:58:56 <bdpayne> ok, how do we get that to happen?
17:59:06 <bdpayne> this has been sitting idle for a while
17:59:23 <tkelsey> bdpayne: yes, I guess I'll go jump into an irc room and ask :)
17:59:37 <bdpayne> ok thanks
17:59:50 <bdpayne> looks like our time is up
17:59:55 <tkelsey> indeed
18:00:01 <tkelsey> thanks everyone
18:00:05 <tkelsey> #endmeeting