17:00:38 <hyakuhei> #startmeeting openstack security group
17:00:39 <openstack> Meeting started Thu Dec 18 17:00:38 2014 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:40 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:43 <openstack> The meeting name has been set to 'openstack_security_group'
17:00:46 <sweston> o/
17:00:46 <tkelsey> o/
17:00:51 <hyakuhei> o/
17:00:52 <elmiko> o/
17:00:57 <sicarie> o/
17:00:58 <gmurphy> o/
17:00:58 <tmcpeak> o/
17:01:08 <hyakuhei> Good turnout for a pre-holiday meeting :)
17:01:30 <tmcpeak> :)
17:01:36 <tkelsey> well the rumour got out that you were back chairing hyakuhei :P
17:01:46 <elmiko> nice
17:02:04 <hyakuhei> haha thanks tkelsey
17:02:05 <nkinder> hey all
17:02:09 <hyakuhei> Hey nkinder nice to see you!
17:02:12 <tmcpeak> yo nkinder
17:02:22 <nkinder> Yeah, finally a thursday without a conflict!
17:03:09 <hyakuhei> woo, nice
17:03:16 <bknudson> hi
17:03:23 <hyakuhei> Ok, what's the agenda for today then ?
17:03:36 <tmcpeak> alright, so I missed a couple of meetings but I'd be curious about: 1) meeting date for OSSG mid-cycle 2) did we get any progress on that calibration exercise?
17:03:51 <hyakuhei> good points tmcpeak
17:04:07 <hyakuhei> 1) The meetup will not run concurrent with Barbican in the same location
17:04:31 <hyakuhei> They (Rack) couldn't get the funding for SFO and are holding it in Austin or San Antonio I forget which
17:04:33 <nkinder> There were also some template changes discussed for OSSNs that we should discuss here
17:04:38 <nkinder> Austin
17:04:56 <hyakuhei> We currently have space reserved at the Geekdom in SF for the _same_ week as Barbican
17:05:04 <tmcpeak> oh cool
17:05:11 <hyakuhei> I'm waiting to hear back if we can move that reservation to the week before or week after
17:05:17 <tmcpeak> although I guess that's no good for some
17:05:23 * bdpayne joins
17:05:57 <nkinder> hyakuhei: so that's the week of Feb 16th currently?
17:06:07 <hyakuhei> So those who want to attend both can do
17:06:10 <hyakuhei> nkinder: Yes.
17:07:00 <nkinder> hyakuhei: I can't do the first 2 days of the previous week
17:07:17 <nkinder> flying back from CZ on the 9th
17:07:25 <hyakuhei> Ok I'm asking for availability for both
17:07:35 <nkinder> but the rest of that week, or the week after are OK with me
17:07:49 <hyakuhei> I want you to be there if you can, you bring a lot of value
17:07:50 <nkinder> hyakuhei: collect availability on an etherpad?
17:07:51 <tmcpeak> maybe a similar approach to last time (availability marks on etherpad) could work
17:08:05 <nkinder> tmcpeak: jinx
17:08:09 <tmcpeak> ;)
17:08:55 <bdpayne> ah shucks... you guys!
17:09:06 <nkinder> hyakuhei: does an etherpad already exist?
17:09:28 <hyakuhei> No sir I've been running around trying to coordinate the dates :(
17:09:38 <tmcpeak> is geekdom the only option for location? or is it just priced right?
17:09:40 <bdpayne> https://etherpad.openstack.org/p/ossg-kilo-meetup
17:09:48 <hyakuhei> tmcpeak: price is free
17:10:19 <tmcpeak> hard to beat that
17:11:04 <bknudson> they make it up in volume.
17:11:39 <hyakuhei> lol cool
17:11:57 <hyakuhei> So to tmcpeak's second point - OSSA metrics calibration
17:12:22 <hyakuhei> I'm asking the community to take a look at the metrics I created, take some previous OSSAs and score them
17:12:31 <bdpayne> hyakuhei sounds like the location is a lock then?  is there still a desire for me to check it out?  getting up there is kind of a pain, but I could do it if needed.
17:12:42 <hyakuhei> And see if the metric that comes out matches the perceived issue
17:12:54 <hyakuhei> bdpayne: Yes please, I'd really like it if you could check it out
17:13:05 <tmcpeak> come on bdpayne: cal train is *great*
17:13:07 <hyakuhei> If we can't move the date we'll have to overlap Barbican
17:13:08 <bdpayne> ok, I'll see what i can work out
17:13:18 <hyakuhei> actually tmcpeak could possibly check it out ?
17:13:27 <hyakuhei> or are you gallivanting?
17:13:44 <tmcpeak> gallivanting
17:13:44 <bdpayne> perhaps... how close are you to the space tmcpeak?
17:13:53 <tmcpeak> I can check it out
17:14:05 <tmcpeak> what should I find out?
17:14:13 <tmcpeak> I'm about a 20 min drive
17:14:14 <nkinder> ok, I filled in some basics on the etherpad
17:14:17 <hyakuhei> Size, shape, smell
17:14:22 <tmcpeak> cool, yeah no problem
17:14:23 <bdpayne> just take some pics, get a feel for the size of the space, etc
17:14:26 <bdpayne> smell is important, yeah :-)
17:14:30 <hyakuhei> Basically will it work - you were at the last ossg meetup :)
17:14:30 <bdpayne> and coffee options
17:14:31 <tmcpeak> will post everything to etherpad
17:14:52 <tkelsey> +1 coffee :)
17:14:55 <bdpayne> does it pass the "would you want to work there for a week" test
17:14:56 <tmcpeak> I can speak to coffee options - I used to work a block away.  Lots of good coffee and close drinks
17:14:57 <bdpayne> stuff like that :-)
17:15:02 <bdpayne> excellent
17:15:03 <hyakuhei> bdpayne: Yup exactly
17:15:03 <tmcpeak> ok will do
17:15:05 <tmcpeak> I can take an action
17:15:14 <bdpayne> thanks tmcpeak... you just saved me several hours
17:15:20 <tmcpeak> no worries :)
17:15:24 <hyakuhei> Superb, thanks guys!
17:15:34 <bdpayne> ok, carry on with metrics
17:15:37 <hyakuhei> #link https://wiki.openstack.org/wiki/Security/OSSA-Metrics
17:15:58 <tmcpeak> a couple of weeks ago there was talk on standardizing around 5 or so OSSAs
17:16:10 <hyakuhei> Anyone want to take an action to take an OSSA and run it through the metrics?
17:16:11 <tmcpeak> and then whoever had bandwidth applying metrics to them
17:16:23 <tmcpeak> hyakuhei: I think you were away that week
17:16:27 <tmcpeak> was there any action on that front?
17:16:39 <hyakuhei> I've not seen it move much
17:16:42 <bdpayne> someone was going to send out a list to review
17:16:44 <bdpayne> I haven't seen that list
17:16:51 <tmcpeak> yeah, that's what I was wondering about, that list
17:16:57 <bdpayne> but I still think it's a good idea
17:17:19 <tmcpeak> yeah, I like that idea
17:17:24 <tkelsey> yeah a list was talked about, but I guess didn't get out
17:17:34 <bdpayne> no worries
17:17:39 <bdpayne> who wants to do it now?
17:18:24 <gmurphy> i can probably spend a bit of time on this. i'm interested from a vmt perspective and have been working on getting a decent record of ossa data
17:18:34 <tkelsey> thanks gmurphy
17:18:48 <hyakuhei> Excellent - thanks gmurphy
17:18:58 <tmcpeak> awesome!
17:19:02 <tkelsey> I would, but I did one already so I think we need others for a better representative set
17:19:27 <hyakuhei> Yeah
17:19:28 <nkinder> so are these going to be added to the existing wiki page?
17:19:51 <nkinder> It looks like 2 have been gone through already there
17:19:57 <hyakuhei> Yeah
17:20:03 <hyakuhei> I've just been adding them as we go
17:20:11 <bknudson> what's the page?
17:20:27 <nkinder> bknudson: https://wiki.openstack.org/wiki/Designate/Blueprints/IPABackend
17:20:35 <nkinder> err, wrong paste
17:20:39 <hyakuhei> #link http://ttx.re/the-way-forward.html
17:20:42 <nkinder> https://wiki.openstack.org/wiki/Security/OSSA-Metrics
17:20:42 <hyakuhei> balls sorry
17:20:45 <hyakuhei> wrong link too :)
17:20:47 <tmcpeak> bahahaha
17:20:49 <nkinder> haha, you did it too
17:20:49 <bknudson> hehe
17:20:57 <nkinder> double fail.  Time to call it a year
17:21:01 <bknudson> just getting random links
17:21:06 <tkelsey> lol
17:21:16 <bknudson> luckily safe for work.
17:21:21 <gmurphy> haha
17:21:32 <nkinder> both OpenStack related at least!
17:21:34 <tmcpeak> paste roulette anybody?
17:21:52 <gmurphy> so i'd like to try and merge that data into our ossa repository that we've been working on - http://git.openstack.org/cgit/openstack/ossa
17:21:58 <hyakuhei> Incidentally, you should all be aware of the changes the TC is going through http://ttx.re/the-way-forward.html
17:21:59 <gmurphy> but i can add it to the wiki too
17:22:38 <ttx> hyakuhei: that brings interesting questions on which projects in this larger upcoming group will be "security-supported"
17:22:55 <hyakuhei> Exactly
17:22:58 <ttx> so far we (OSSG and VMT) roughly supported the integrated release
17:23:00 <bknudson> I was surprised when I saw that ceilometer has essentially no security considerations.
17:23:21 <ttx> hyakuhei: but we could now be more fine-grained
17:23:32 <bknudson> other than, apparently, don't give access to ceilometer to anybody
17:23:33 <ttx> and support based on audit results
17:23:46 <ttx> and response times to security issues
17:24:08 * gmurphy goes to read this post..
17:24:18 <hyakuhei> It's a long post but worth reading.
17:24:27 <hyakuhei> Not 100% sure what I think of all the changes tbh
17:25:33 <hyakuhei> Anyway, OSSG Meetup and Metrics were the only things I wanted to bring up, not looking to add lots of actions before the holidays.
17:25:55 <bdpayne> ttx interesting, it will take me a bit to digest this all, but it sounds like the goal is to better scope what we support?
17:25:57 <hyakuhei> One thing to mention would be Anchor. Does it make sense for it to become more OSSG oriented in the same way that Bandit is
17:26:22 <tmcpeak> it seems like a good fit
17:26:27 <ttx> bdpayne: the goal is to describe more accurately what we provide
17:26:28 <bknudson> so we've got a couple of metrics... anybody else look at the 2 that are done and agree / disagree?
17:26:34 <bdpayne> hyakuhei perhaps, I'd like to look at it a bit more... it's on my (long) list
17:26:46 <ttx> bdpayne: be more inclusive on one hand, be more precise on the other
17:26:55 <bdpayne> ttx yeah, makes sense
17:27:01 <tkelsey> hyakuhei: hmm, wouldn't hurt for sure, but worth getting input from a few people on it
17:27:01 <ttx> rather than use a single definition to match all stuff
17:29:18 <hyakuhei> tkelsey: definitely
17:29:21 <bknudson> "Discoverability always assumed to be 10 " -- makes sense since they're all public.
17:30:15 <hyakuhei> bknudson: yeah
17:32:55 <bknudson> so we've got 2 ossas scored and for some reason the score is different when they seem similar...
17:33:11 <bknudson> e.g., Affected Users is 4 for one and 6 for the other
17:33:24 <bknudson> but they both say it's same users affected (nova users)
17:34:02 <bdpayne> perhaps some nova users are more important than others? ;-)
17:34:50 <tkelsey> bdpayne: the second is nova users on the node. The first is nova API in general
17:35:01 <bdpayne> ahh
17:35:06 <bdpayne> well that kind of makes sense
17:35:20 <bknudson> personally I think that "OSSA 2013-012" was worse than "OSSA 2014-038".
17:35:41 <bknudson> but "Nova fails to verify image virtual size" is probably harder to exploit.
17:36:04 <tkelsey> bknudson: worth commenting on the discussion probably :)
17:36:05 <bknudson> since you need to get the bad image in the system first.
17:36:43 <hyakuhei> This is exactly the conversation we need to have when we have a few more to calibrate against :)
17:37:03 <tkelsey> hyakuhei: +1
17:39:25 <bdpayne> yeppers
17:39:35 <bknudson> are we supposed to update the discussion part in the wiki with comments? I don't think wiki is the best place for a discussion.
17:39:56 <hyakuhei> We'll discuss on irc or a google hangout or something once we've got 5-6
17:40:10 <tkelsey> bknudson: hmm, you're probably right, hyakuhei +1
17:40:11 <tmcpeak> I'd prefer to have discussion in one of these meetings or in the security room
17:41:36 <bknudson> are we just picking random OSSAs?
17:41:56 <bknudson> or was there a list?
17:41:59 <tmcpeak> I think that previous idea to standardize on 5 or so for all of us to review might be more effective
17:42:33 <hyakuhei> bknudson: just pick any you have a good feel for
17:42:44 <hyakuhei> once we have a few we'll address any obvious gaps
17:44:48 <gmurphy> ok. well i'll try to pick a few more and add them to the wiki.
17:44:54 <hyakuhei> Thanks guys
17:45:04 <bknudson> I'll work on this one that I reported https://bugs.launchpad.net/ossa/+bug/1354208
17:45:06 <uvirtbot> Launchpad bug 1354208 in ossa "[OSSA 2014-029] Catalog replacement allows reading config (CVE-2014-3621)" [Medium,Fix released]
17:45:19 <gmurphy> probably will go for a few different flaw classes etc.
17:45:30 <tmcpeak> I assume we aren't having a meeting btw?
17:45:34 <tmcpeak> next week I mean
17:45:45 <nkinder> that's a safe assumption
17:45:51 <tmcpeak> (just trying to figure out by when I should recon geekdom)
17:47:14 <hyakuhei> Yeah, this will be the last pre-xmas meeting
17:47:23 <bknudson> week after that is new years day
17:47:34 <bdpayne> yeah, I vote for 2 weeks off
17:47:41 <hyakuhei> +1
17:47:45 <tkelsey> +1
17:47:58 <tmcpeak> ok :)
17:48:14 <tmcpeak> we can check out geekdom together the week after new years
17:49:11 <bdpayne> anything else for today?
17:49:18 <tkelsey> nothing from me
17:49:44 <tmcpeak> nope
17:49:45 <gmurphy> nope.
17:49:47 <elmiko> i just wanted to throw out the link for the pad i'm working on with ideas for the sahara sec doc
17:50:00 <tkelsey> elmiko: ah cool
17:50:02 <elmiko> #link https://etherpad.openstack.org/p/sahara-security-guide-notes
17:50:09 <nkinder> elmiko: awesome
17:50:19 <elmiko> it's a little sparse currently, but i'm hoping to have something ready for review early in january
17:50:35 <tkelsey> elmiko: sounds good
17:50:40 <elmiko> i'm having a little difficulty in determining/developing what is the default position of the project with regards to security
17:51:12 <elmiko> but i'm using the OSSG guide and a little common sense to develop a starting opinion, then i figure we can hash it out from there
17:51:38 <elmiko> i welcome any comments, questions, criticism, in the pad. it really helps out =)
17:52:19 <elmiko> that's all i had
17:53:07 <hyakuhei> Thanks elmiko we can always help with specific questions
17:53:48 <elmiko> awesome, i'll try to work towards something a little more concrete for the SG
17:54:16 <hyakuhei> :D
17:54:26 <hyakuhei> Anything else to discuss today peoples?
17:56:06 <nkinder> nothing here
17:56:14 <tmcpeak> nope
17:56:17 <nkinder> Happy Holidays all
17:56:19 <tkelsey> nope
17:56:25 <tkelsey> nkinder: and you :)
17:56:33 <tmcpeak> happy holidays!  have a good one all
17:56:44 <elmiko> have fun all =)
17:56:58 <sweston> o/
17:59:49 <hyakuhei> Thanks all, happy holidays!
17:59:55 <hyakuhei> #endmeeting