17:04:51 <tmcpeak> #startmeeting openstack security group
17:04:52 <openstack> Meeting started Thu Feb 12 17:04:51 2015 UTC and is due to finish in 60 minutes.  The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:04:53 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:04:55 <openstack> The meeting name has been set to 'openstack_security_group'
17:05:00 <tmcpeak> Rob will come soon
17:05:07 <tmcpeak> roll call!
17:05:09 <tmcpeak> o/
17:05:12 <sigmavirus24> o/
17:05:12 <redrobot> o/
17:05:13 <shelleea007> o/
17:05:14 <sicarie> o/
17:05:16 <bknudson> hi
17:05:23 <bdpayne> o/
17:05:26 <ljfisher> o/
17:05:27 <elmiko> yo/
17:05:45 <tmcpeak> awesome
17:05:50 <tmcpeak> topics for today?
17:06:00 <tmcpeak> Midcycle
17:06:10 <elmiko> security guide
17:06:22 <chair6> \o
17:06:38 <hyakuhei> Hey :)
17:06:44 <tmcpeak> yo
17:06:51 <tmcpeak> we completed roll call and are collecting topics
17:06:54 <hyakuhei> Sorry I'm late all
17:06:55 <hyakuhei> Great
17:07:00 <tmcpeak> we have midcycle and guide so far
17:07:09 <hyakuhei> So I’d like to talk a little about the midcycle too
17:07:52 <hyakuhei> Anything else? tkelsey is just joining now
17:07:52 <sigmavirus24> I'd like to talk about an issue with bandit that I want some feedback on before sending a change :)
17:07:58 <hyakuhei> great!
17:08:01 <tmcpeak> +1
17:08:12 <tkelsey> o/ sorry I'm late!
17:08:33 <sigmavirus24> shame on you tkelsey
17:08:35 <sigmavirus24> =P
17:08:41 <tkelsey> :)
17:08:52 <tmcpeak> #topic Midcycle
17:09:13 <tmcpeak> take it away maestro :)
17:09:23 <hyakuhei> So we’re going to lay on food (breakfast and lunch) at the midcycle
17:09:36 <tmcpeak> lay on?
17:09:46 <hyakuhei> It’s british for sit on your food
17:09:59 <bdpayne> still not making sense ;-)
17:10:03 <tmcpeak> lol, yeah
17:10:19 <sigmavirus24> You're expecting us to consume it through our buttocks?
17:10:22 <bdpayne> perhaps there will be breakfast and lunch provided for free?
17:10:22 <hyakuhei> lol, so HP is going to pay for and provision breakfast and lunch at the midcycle
17:10:23 <elmiko> lol
17:10:25 <sigmavirus24> (not that I'm attending)
17:10:29 <tmcpeak> sweet!
17:10:37 <tkelsey> awesome
17:10:39 <tmcpeak> I like those HP guys, they're going places
17:10:39 <bknudson> breakfast at start time -- 9?
17:10:43 <sigmavirus24> That makes more sense
17:10:47 * bdpayne thanks the overlords at HP
17:11:06 <bknudson> wonders where HP gets all this money -- probably selling stuff.
17:11:15 <hyakuhei> I’d still like some other organisation *cough* redhat, *cough* nebula to pony up some sort of social evening though
17:11:48 <tmcpeak> oh yeah, we also need to come to some consensus about when we're doing the social
17:12:01 <tmcpeak> if you haven't added your name to that section on the wiki, please do so
17:12:03 <hyakuhei> So yeah, 9am start time, food on-site. I don’t know the split of vegetarians we have but I’m thinking I’ll aim for about 30-50% veggie food
17:12:05 <tmcpeak> looks like Tues is winning so far
17:12:11 <hyakuhei> +1 for Tuesday
17:12:17 <bdpayne> hyakuhei I'll take an action item to investigate, and I'll PM you after this meeting
17:12:22 <hyakuhei> Thank you
17:12:56 <bknudson> will eat extra meat if it helps.
17:12:59 <ukbelch> oops, o/ (missed roll call)
17:13:11 <hyakuhei> HP is committed to keeping security folks well fed. I’ll be ordering from a bunch of places, various bits. We’ll also have stock of drinks/snacks for the week
17:13:22 <tmcpeak> +1
17:13:35 <hyakuhei> I’m guessing some of you more local to the event can find homes for the left over drinks etc
17:14:15 <hyakuhei> I don’t recall anyone from the last meetup having any major dietary issues, new people should let me know if any food I order is likely to kill them.
17:14:17 <ukbelch> Tea for breakfast, Gin for lunch
17:14:26 <tkelsey> lol
17:14:46 <hyakuhei> The agenda is shaping up nicely I think and that’s me done on the midcycle I think. I’m really looking forward to seeing everyone.
17:14:59 <tkelsey> hyakuhei: +100
17:15:06 <bdpayne> indeed
17:15:26 <redrobot> hyakuhei agenda link?
17:15:27 <tmcpeak> yeah big time
17:15:30 * redrobot needs to bookmark it
17:15:35 <tmcpeak> https://www.team-cymru.org/Services/ip-to-asn.html
17:15:39 <tmcpeak> dammit
17:15:42 <hyakuhei> #link etherpad.openstack.org/p/ossg-kilo-meetup
17:15:46 <tmcpeak> ^ that
17:17:33 <hyakuhei> I’ll put some contact info up on the wiki in case people need to reach out / have last minute problems etc
17:17:45 <hyakuhei> ok tmcpeak take us on to the next item
17:17:52 <tmcpeak> #topic Security Guide
17:17:58 <bdpayne> (next slide)
17:17:59 <tmcpeak> elmiko bdpayne sicarie
17:18:02 <elmiko> hey
17:18:03 <tmcpeak> take it away
17:18:17 <bdpayne> oh, yeah, that's us
17:18:21 <bdpayne> elmiko has proposed a new chapter
17:18:28 <elmiko> #link https://review.openstack.org/#/c/155052
17:18:29 <tmcpeak> awesome
17:18:30 <elmiko> =)
17:18:31 <bdpayne> reviews would be great since it is a lot of new content
17:18:47 <bdpayne> and I'd like lots of eyeballs on it
17:19:00 <bdpayne> beyond that, we have completed triaging the existing open tickets on the guide
17:19:00 <tkelsey> bdpayne: will look
17:19:04 <tmcpeak> cool, will do
17:19:13 <bdpayne> there's some good work that needs to be done
17:19:17 <hyakuhei> Great, I’ll try to take a look too
17:19:21 <sicarie> #link https://bugs.launchpad.net/openstack-manuals/+bugs?field.tag=sec-guide
17:19:32 <bdpayne> and our primary goal for the meetup will be to plan for how we manage the book going forward
17:19:53 <bdpayne> so anyone with inputs on that (release schedule, what content to include, how to maintain quality, etc) should join us next week!
17:20:12 <tmcpeak> sounds good
17:20:17 <bdpayne> and that's all that I have on the book... sicarie elmiko anything to add?
17:20:27 <sicarie> I did ask someone who knows Neutron relatively well to take a look at the Networking chapter, it'd be nice to get someone familiar with Nova quirks to submit anything on the Compute chapter
17:20:34 <elmiko> nothing more from me
17:20:53 <tmcpeak> so any nova people here?
17:20:57 <bdpayne> sicarie agreed, let's discuss that in more detail next week, but I like the idea
17:20:58 <tmcpeak> for sicarie's thing?
17:21:12 <sicarie> Sounds good to me
17:21:13 <shelleea007> I have several bugs assigned to me and I plan on doing a good deal of work on them within the next few weeks
17:21:20 <bdpayne> groovy
17:21:22 <bdpayne> thanks!
17:21:23 <tmcpeak> cool
17:21:28 <tmcpeak> ok anything else for the guide?
17:21:33 <ukbelch> I assume having a quick intro from all attending delegates is part of the agenda? I know for me at least it would be good to know who everyone else is, and what they do :)
17:21:35 <bdpayne> I think that's all
17:21:49 <tmcpeak> ukbelch: yeah, we definitely will
17:21:51 <bdpayne> ukbelch, yeah, that would make sense to me too
17:22:03 <tmcpeak> #topic Bandit Question
17:22:13 <tmcpeak> was this you elmiko?
17:22:28 <elmiko> not me
17:22:36 <bdpayne> it was sigmavirus24
17:22:39 <sicarie> I think it was sigmavirus24
17:22:41 <tmcpeak> sigmavirus24
17:22:42 <sigmavirus24> Yes
17:23:00 <sigmavirus24> So I'm not sure how familiar everyone is with the ssl module but I take strong objection to https://github.com/stackforge/bandit/blob/24ba70179fbdcbc90e0e08637eb1ff35c5a9feb6/bandit.yaml#L93
17:23:01 <tmcpeak> cool, what's up?
17:23:24 <sigmavirus24> PROTOCOL_SSLv23 negotiates the highest supported protocol automatically depending on what is supported by both client and server
17:23:33 <tmcpeak> yeah, actually you're right
17:23:33 <sigmavirus24> That is not negotiating only SSLv2 or SSLv3
17:23:35 <bknudson> y, SSLv23 doesn't mean just 2 & 3.
17:23:41 <tmcpeak> good catch
17:23:43 <bdpayne> correct
17:23:54 <tmcpeak> so you can submit a bug or make the change yourself
17:23:58 <sigmavirus24> So that seems like a terrible false positive. I'm happy to fix it, but I wanted to make sure I wasn't missing another reason
17:24:00 <tmcpeak> either would be awesome
17:24:04 <tkelsey> yeah, you can use it in conjunction with other flags to prohibit v2 or whatever and allow others
17:24:10 <sigmavirus24> tkelsey: exactly
17:24:14 <sigmavirus24> requests is working on adding that functionality
17:24:15 <tmcpeak> sigmavirus24: no, I don't think you're missing anything.  Good catch
17:24:18 <sigmavirus24> I've just been too busy lately
17:24:29 <rlpple> hello
17:24:35 <sigmavirus24> That's the only reason I caught this
17:24:40 <sigmavirus24> Anyway that's all
17:25:00 <tmcpeak> sigmavirus24: great, thanks for bringing it to attention
17:25:05 <tkelsey> sigmavirus24: you propose we remove that check? the reasoning seems valid
17:25:14 <tkelsey> to remove it, that is
17:25:22 <sigmavirus24> tkelsey: yes
17:25:30 <sigmavirus24> just that one check, none of the others stood out to me
17:25:38 <tmcpeak> cool
17:25:42 <tkelsey> ok, I can put up a patch to do that if no one objects
17:25:48 <bknudson> maybe a check could be added for a protocol use that allows SSLv2.
17:25:50 <sigmavirus24> tkelsey: was already working on it
17:25:51 <sigmavirus24> :)
17:25:52 <tmcpeak> tkelsey: awesome
17:26:08 <bknudson> that would be a more difficult check
17:26:08 <tkelsey> ah ok sigmavirus24, I'll leave it with you then :)
17:26:25 <shelleea007> an interesting tidbit for those going for PCI requirements for OpenStack: only TLS will be allowed, SSL will no longer be acceptable.
17:26:27 <sigmavirus24> bknudson: yeah but also Python 2.6+ disables SSLv2 forcefully
17:26:40 <shelleea007> I know it's off topic but the SSL thing reminded me
17:26:40 <sigmavirus24> shelleea007: that is interesting and helpful to know :)
17:27:11 <tmcpeak> also for Bandit ljfisher has been bringing some great changes
17:27:36 <bknudson> any progress on gating on bandit?
17:27:36 <ljfisher> :)
17:27:38 <tkelsey> tmcpeak: +1 yeah ljfisher has added some good stuff
17:28:07 <tmcpeak> bknudson: nah, I haven't done anything.  Next step is still getting Gerrit and PyPI talking
17:28:14 <tmcpeak> I'm mostly going to work Bandit all of next week
17:28:21 <tmcpeak> so I'm expecting to make some good progress
17:28:36 <ljfisher> I think we will need a profile for bandit for gating to limit to the more accurate tests
17:28:46 <tmcpeak> ljfisher: +1
17:28:52 <tkelsey> +1
17:29:10 <tmcpeak> whenever we get into global requirements we're basically frozen for 6 months
17:29:22 <tmcpeak> so let's make sure we're happy with the version that will be usable by other projects
17:29:41 <chair6> sounds like a worthy goal for next week :)
17:30:01 <tmcpeak> yeah, looking forward to some nice focused Bandit work
17:30:01 <sigmavirus24> Oh have y'all heard back about the "bandit" name yet?
17:30:09 <tmcpeak> yeah, bdpayne pulled strings and got it for us
17:30:15 <redrobot> nice
17:30:19 <tkelsey> :D awesome!!
17:30:55 <bdpayne> :-)
17:31:05 <tmcpeak> cool, so anything else for Bandit?
17:31:22 <tmcpeak> #topic Anchor
17:31:27 <tmcpeak> tkelsey: go!
17:31:42 <tkelsey> so, lots of tests going in still, coverage rising slowly
17:32:11 <tmcpeak> awesome
17:32:21 <tkelsey> a few bug fixes, nothing major really. As always, I encourage people to look over the code and patches if they are interested
17:32:35 <tkelsey> I will be happy to answer questions and give more info at the meet up
17:32:37 <tmcpeak> cool, sounds good
17:32:48 <tmcpeak> yeah, you're still planning to give an intro?
17:32:57 <tkelsey> yup
17:33:00 <tmcpeak> sweet
17:33:04 <ljfisher> good
17:33:19 <tmcpeak> okies
17:33:22 <tmcpeak> #topic Other Business
17:33:25 <tkelsey> that's all I got
17:33:45 <tmcpeak> last week there were a couple of side projects
17:33:49 <tmcpeak> bknudson had one and...
17:34:03 <tmcpeak> about rootwrap
17:34:13 <tmcpeak> and there was one about sharing security info
17:34:15 <bknudson> I haven't had time to look at it.
17:34:21 <tmcpeak> bknudson: fair enough :)
17:34:25 <tmcpeak> plenty of time next week
17:34:49 <ljfisher> is there an agenda item for rootwrap next week?
17:35:10 <tmcpeak> oh yeah, bknudson: did you have time to put one up? / do you still want to do it?
17:35:18 <bknudson> it's on the agenda:  Rootwrap rearchitecting
17:35:19 <bdpayne> yes, I believe there is an agenda item for rootwrap
17:35:40 * sigmavirus24 sneaks https://review.openstack.org/#/c/155419/ in
17:36:00 <tmcpeak> awesome, we'll review this shortly
17:36:03 <tmcpeak> thanks sigmavirus24
17:36:31 <hyakuhei> thanks tmcpeak
17:36:48 <tmcpeak> cool, other business today all or we good?
17:36:51 <bknudson> wanted to mention I got a small security hardening default config into horizon: https://review.openstack.org/#/c/154943/
17:36:59 <bknudson> default config change
17:37:10 <tmcpeak> awesome! will take a look
17:37:16 <tmcpeak> fighting the good fight bknudson
17:37:19 <sigmavirus24> bknudson: awesome!
17:37:20 <bknudson> we ran AppScan tool on horizon internally and it complained.
17:38:00 <bknudson> rather than just fix it internally with a config change, figured we'd fix it in community
17:38:39 <tmcpeak> +1
17:39:43 <tmcpeak> cool, any other stuff?
17:40:51 <tmcpeak> well looking forward to seeing a bunch of you next week
17:40:57 <tmcpeak> #endmeeting