17:00:28 <tmcpeak> #startmeeting OpenStack Security Group
17:00:28 <openstack> Meeting started Thu Mar 26 17:00:28 2015 UTC and is due to finish in 60 minutes.  The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:30 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:33 <openstack> The meeting name has been set to 'openstack_security_group'
17:00:35 <tmcpeak> #topic Roll Call
17:00:39 <elmiko> hi
17:00:41 <nkinder> hi
17:00:44 <sicarie> o/
17:00:48 <bpb_> o/
17:00:51 <singlethink> o/
17:00:51 <tmcpeak> o/
17:01:26 <tmcpeak> we'll give a couple minutes for stragglers like tkelsey and then start collecting agenda items
17:01:45 <tkelsey> o/
17:01:52 <tmcpeak> guess Roll Call is probably Role Call anyway :P
17:02:27 <tmcpeak> all right, maybe small group today, agenda items?
17:02:29 <tmcpeak> Bandit
17:03:11 <tmcpeak> nkinder: you got anything on OSSNs?
17:03:12 <nkinder> OSSN YAML format
17:03:17 <tmcpeak> yep, thought so :)
17:03:23 <ukbelch> o/
17:03:25 <redrobot> o/
17:03:26 <tmcpeak> sicarie, elmiko: sec guide?
17:03:31 <sicarie> sure
17:03:56 <gmurphy> o/
17:04:00 <tmcpeak> sweet
17:04:03 <tmcpeak> any other agenda items?
17:04:38 <tmcpeak> all right, maybe a short one today
17:04:42 <tmcpeak> #topic Bandit
17:04:54 <tmcpeak> we pinned a version, we're live on PyPI :)
17:05:01 <tmcpeak> bknudson: update on your side of the house?
17:05:04 <d-9> omg! good work guys
17:05:05 <sicarie> very cool!
17:05:06 <tmcpeak> bknudson has been doing the good stuff
17:05:10 <tmcpeak> d-9, sicarie: thanks!
17:05:13 <elmiko> nice, grats!
17:05:15 <tmcpeak> lots of hard work from lots of folks
17:05:19 <tkelsey> :)
17:05:24 <redrobot> woot!
17:06:04 <tmcpeak> so.. bknudson is really the person to discuss next steps, because he's been driving it
17:06:38 <tmcpeak> in short he has a few jobs going to get what we need to run Bandit in Keystone
17:06:48 <tmcpeak> we may be blocked on adding Bandit into requirements now
17:06:51 <tmcpeak> due to requirements freeze
17:06:55 <tmcpeak> does anybody know when that ends?
17:07:38 <sigmavirus24> tmcpeak: https://wiki.openstack.org/wiki/Kilo_Release_Schedule would suggest Apr 30
17:07:38 <d-9> tmcpeak I would guess after the Kilo summit
17:07:48 * tmcpeak impatient…
17:07:50 <d-9> thanks sigmavirus24
17:07:57 <sigmavirus24> d-9: or after the summit
17:07:59 <sigmavirus24> Either
17:08:03 * sigmavirus24 isn't certain
17:08:07 <tmcpeak> sigmavirus24, d-9: thanks guys
17:08:39 <tmcpeak> I guess that's a month ish.. not the end of the world
17:08:48 <tmcpeak> would have been nice to have it running before summit
17:09:05 <tmcpeak> I don't know if that's possible or not without having it in requirements, I'll probably go ping CI guys at some point
17:09:17 <tmcpeak> anywho stay tuned :) good things to follow
17:09:25 <tmcpeak> #topic OSSN YAML format
17:09:29 <tmcpeak> nkinder: ^
17:09:39 <tmcpeak> take it away :)
17:09:56 <nkinder> So tmcpeak created a rough script to do basic conversion of the existing OSSN format to YAML
17:10:16 <tmcpeak> when he says rough, he means it :D
17:10:28 <nkinder> An example of what it does now is here - http://paste.openstack.org/show/196912/
17:10:46 <nkinder> It's got some bugs, as you can see by the duplicated portion in the 'summary' section, but it's a start
17:10:54 <sigmavirus24> tmcpeak: ping me after the meeting about the depfreeze
17:11:02 <tmcpeak> sigmavirus24: awesome, will do
17:11:15 <nkinder> I'm more interested in looking at how to make the structure useful first
17:11:18 <tmcpeak> nkinder: everything I looked at (all 3 of them) worked perfectly :P
17:11:47 <nkinder> So the affected releases and versions should be broken out instead of just being a CSV list
17:12:03 <tmcpeak> nkinder: ok cool
17:12:06 <tmcpeak> how do you intend to do that?
17:12:08 <nkinder> Here's what I was thinking - http://paste.openstack.org/show/196913/
17:12:25 <hyakuhei> o/
17:12:31 <tkelsey> hey hyakuhei
17:12:36 <tmcpeak> Mr. Rob - wassup
17:12:41 <hyakuhei> Sorry I’m late, thanks for running things tmcpeak
17:12:45 <tmcpeak> nkinder: this looks good
17:12:53 <tmcpeak> what about in the case of our oddball OSSNs where they don't fit into nice format
17:12:57 <nkinder> so I'm playing with some code that can identify known services and releases to do the conversion from OSSN->YAML and split these out
17:12:58 <tmcpeak> sure
17:13:01 <hyakuhei> tmcpeak: I’m in and out so please carry on :)
17:13:08 <tmcpeak> k, cool
17:13:10 <nkinder> well, there has to be some "other" category
17:13:25 <nkinder> affected_other or something with a better name
17:13:52 <tmcpeak> sounds reasonable
17:13:53 <nkinder> With the releases and versions split out, it's easy to write a tool to parse it to see if a particular deployment is affected
17:14:13 <nkinder> so that's what I'm working on now, plus general script cleanup
17:14:17 <sigmavirus24> nkinder: one idea: yaml allows you not to have to use super long strings like that. If you want you should be able to use some YAML features to write those as real paragraphs
17:14:22 <tmcpeak> nkinder: cool, sounds good
17:14:30 <sigmavirus24> I forget if it's like discussion: >
17:14:33 <nkinder> sigmavirus24: yeah, tmcpeak and I talked about that some
17:14:40 * sigmavirus24 missed it
17:14:42 <sigmavirus24> sorry
17:15:05 <nkinder> We will need to have some logic to do line-wrapping at the appropriate width when we do YAML->e-mail conversion
17:15:26 <nkinder> we don't want to force the e-mail width on the YAML file.  We want flexibility there if possible.
17:15:34 <tmcpeak> yeah, it's very difficult to automatically tell which line breaks should be preserved and which shouldn't
17:15:46 <tmcpeak> s/difficult/impossible
17:15:51 <nkinder> yeah
17:16:05 <nkinder> I'm waving my hands on that issue for now :)
17:16:14 <tmcpeak> if we can get a script to do 80% we can clean manually later
17:16:34 <tmcpeak> nkinder: cool, do you need any help from OSSG or you got it for now?
17:17:11 <nkinder> I have it for now.  I might have something to play with here next week.
17:17:22 <tmcpeak> nkinder: awesome, sounds good.  Thanks for taking this
17:17:34 <nkinder> sure, thanks for your first pass at the script!
17:17:47 <tmcpeak> I <3 hack-jobbing things
17:17:51 <tmcpeak> ;)
17:17:54 <tmcpeak> cool
17:17:59 <tmcpeak> #topic Sec Guide
17:18:06 <tmcpeak> sicarie, elmiko - take it away
17:18:15 <sicarie> Yeah, so we have our current bugs list here: #link https://bugs.launchpad.net/openstack-manuals/+bugs?field.tag=sec-guide
17:18:29 <tmcpeak> that's a pretty solid list
17:18:30 <sicarie> Still mostly structural changes going on
17:18:39 <sicarie> I am trying to review the case studies to ensure they're sane
17:18:59 <sicarie> For example, one of the recurring examples is a federal customer who is supposed to be FedRAMP certified, and the controls don't match
17:19:00 <tmcpeak> lol, sane case studies are good
17:19:15 <tmcpeak> sounds like a heap of work
17:19:27 <sicarie> So there's an etherpad outlining the current case studies and discussing changes in the bug: #link https://bugs.launchpad.net/openstack-manuals/+bug/1349540
17:19:28 <openstack> Launchpad bug 1349540 in openstack-manuals "Ensure one case study per chapter in security guide" [Medium,In progress] - Assigned to N Dillon (sicarie)
17:19:30 <sicarie> Any input is appreciated
17:19:50 <sicarie> Yep, it keeps me busy
17:19:52 <elmiko> yea, we could probably use one more reviewer/committer who has time
17:19:58 <sicarie> +1
17:19:59 <tmcpeak> any takers?
17:20:15 <sicarie> Even the general list - most of them should be smaller bugs
17:20:33 <sicarie> Also, anyone who wanted to review some of the chapters we know have issues
17:20:43 <sicarie> Identity, Dashboard, Network, Storage
17:20:49 <sicarie> filing bugs against those would be awesome
17:21:11 <sicarie> But yeah, that's about it
17:21:21 <elmiko> i should be filing some bugs on Identity in the next few days
17:21:27 <tmcpeak> we should do one of these events soon where nkinder comes to your place of employment and rounds up some new OSSG troops
17:21:33 <shelleea007> i can do any one of those
17:21:40 <tmcpeak> shelleea007: awesome!
17:21:43 <elmiko> tmcpeak: lol, nice!
17:21:53 <sicarie> And Priti also said she'd review Identity, so Dashboard, Network, Storage are open
17:21:58 <nkinder> :)
17:22:03 <shelleea007> ill take network
17:22:11 <elmiko> thanks
17:22:15 <nkinder> I can take a look at Identity too
17:22:16 <sicarie> awesome, thanks!
17:22:27 <tmcpeak> #action shelleea007 to review sec guide network section
17:22:27 <sicarie> +1 nkinder: always helps to have eyes on it
17:22:37 <tmcpeak> ok cool
17:22:42 <tmcpeak> sicarie: what am I going to ask about? :P
17:22:55 <sicarie> no idea
17:23:04 <tmcpeak> secure development guidelines
17:23:06 <sicarie> hahaa
17:23:10 <tmcpeak> what's the latest on those?
17:23:32 <sicarie> I put in the pull request against the git repo this morning
17:23:33 <tmcpeak> #action nkinder to review sec guide identity section
17:23:45 <tmcpeak> nkinder, shelleea007: thank you!
17:23:51 <sicarie> So if I get an initial +1 on how I'm approaching it I'll continue
17:23:53 <tmcpeak> sicarie: sweet
17:24:09 <tmcpeak> ok, I'll take a look at those
17:24:21 <bknudson> requirements freeze will be lifted once the rc is cut, I think. I don't think I have to wait for requirements update to get the change in keystone or infra.
17:24:22 <sicarie> And there are a few of those that need some attention as well - xss, cert validation
17:24:22 <gmurphy> lgtm i had a quick look just before.
17:24:57 <tmcpeak> bknudson: awesome, let's circle back around in one min
17:24:59 <tmcpeak> I'm curious to hear update
17:25:13 <tmcpeak> gmurphy: thanks for looking at them
17:25:28 <tmcpeak> anybody that has cycles, please look at sicarie's secure guidelines change
17:25:30 <tmcpeak> sicarie: link?
17:25:43 <gmurphy> we should probably try to add more to those too.
17:26:14 <tmcpeak> gmurphy: +1 , I think once we get them out there it will seem like lower barrier to entry to publish new ones
17:26:15 <sicarie> hyakuhei's is: #link: https://github.com/openstack-security/Developer-Guidance
17:26:19 <sicarie> Not sure how to show the pull request
17:26:24 <sicarie> or the diff from the pull request
17:26:34 <tmcpeak> https://github.com/openstack-security/Developer-Guidance/pulls
17:26:43 <sicarie> That would be it
17:26:58 <gmurphy> #link - https://github.com/openstack-security/Developer-Guidance/pull/1
17:27:08 <tmcpeak> awesome
17:27:13 <tmcpeak> will take a look
17:27:21 <tmcpeak> sicarie: thanks for all your hard work on all of this
17:27:36 <sicarie> no problem
17:27:49 <tmcpeak> #topic Bandit Circle Back
17:27:54 <tmcpeak> bknudson: take it away :)
17:28:17 <bknudson> there's changes proposed for an infra job and for keystone tox env
17:28:37 <bknudson> https://review.openstack.org/#/c/157595/
17:28:49 <bknudson> #link https://review.openstack.org/#/c/157930/
17:29:06 <bknudson> so once the infra job is in there I should be able to recheck experimental
17:29:07 <tmcpeak> this looks great
17:29:16 <bknudson> and see the bandit results in gerrit
17:29:32 <bknudson> I think the changes can go in in any order.
17:29:38 <bknudson> anyway, that's all I'm waiting on
17:29:47 <bknudson> eventually will change the experimental job to a non-voting
17:29:49 <tmcpeak> great work bknudson!
17:29:57 <bknudson> and if that goes well then hopefully to voting.
17:30:21 <tmcpeak> super excited, we're getting very close to having working Bandit gate in Keystone
17:30:25 <tmcpeak> thanks for driving this forward
17:30:28 <elmiko> nice
17:30:31 <bknudson> the rest of the project can do something similar
17:30:44 <bknudson> not sure if anyone is signed up for that
17:30:51 <bknudson> but might as well see it working on keystone first
17:30:57 <tmcpeak> Barbican expressed interest, Anchor is in the bag :D
17:31:04 <elmiko> i have a tangential bandit question
17:31:09 <d-9> sicarie the random sample of your changes that I've just looked at seem pretty good :)
17:31:11 <tmcpeak> elmiko: what's up?
17:31:24 <elmiko> so, let's say we use bandit to expose potential errors in our code base
17:31:33 <elmiko> and we create bugs from those
17:31:40 <elmiko> should we mark those bugs as security related?
17:31:48 <elmiko> or should they be private at first?
17:31:58 <tmcpeak> elmiko: I have been marking them as private security
17:32:01 <sigmavirus24> i think judgement is the better thing to rely on
17:32:03 <redrobot_mobile> I'll take a look at the Keystone job, and maybe add an experimental gate to Barbican as well.
17:32:11 <sigmavirus24> some things might not need private security
17:32:22 <tmcpeak> redrobot_mobile: awesome!
17:32:27 <elmiko> yea, that's kinda my question. what is the cut line for a private bug?
17:32:34 <tmcpeak> yeah, it really depends how exploitable you think it is
17:32:38 <sigmavirus24> yeah
17:32:39 <elmiko> ok
17:32:39 <tmcpeak> if you aren't sure mark it private
17:32:44 <sigmavirus24> yeah
17:32:44 <bknudson> I assume security brings it to vmt attention
17:32:45 <bknudson> ?
17:32:56 <sigmavirus24> bknudson: not sure. it mails the ossg mailing list though
17:33:05 <sigmavirus24> all activity on that bug will then be sent to the mailing list
17:33:09 <bknudson> hopefully private security don't email ossg
17:33:13 <sigmavirus24> nope
17:33:18 <sigmavirus24> they don't
17:33:18 <gmurphy> if you mark a bug as private security the VMT gets notified
17:33:24 <gmurphy> public security = ossg
17:33:24 <sigmavirus24> gmurphy: right
17:33:28 <gmurphy> notifications etc
17:33:31 <gmurphy> on openstack-security
17:33:42 <gmurphy> i think
17:33:50 <sigmavirus24> (Same with SecurityImpact on reviews)
17:33:53 <gmurphy> or if you tag the patch #security or whatever
17:33:54 <gmurphy> yeah
17:34:06 <elmiko> ok, thanks. that helps.
17:34:07 <sigmavirus24> Oh that's the other thing, if you report a bug as private security DO NOT SUBMIT A REVIEW FIXING IT
17:34:24 <sigmavirus24> Work on the bug itself, uploading patches
17:34:33 <gmurphy> yes. otherwise the vmt will find you and kick you.
17:34:36 <sigmavirus24> Yep
17:34:36 <elmiko> good to know
17:34:37 <tmcpeak> lol
17:34:46 <tmcpeak> VMT is good at finding you
17:34:52 <sigmavirus24> tmcpeak: they work for the NSA, right?
17:34:53 <sigmavirus24> =P
17:34:57 <tmcpeak> that's what I heard
17:35:04 * sigmavirus24 googles
17:35:06 <tmcpeak> #topic Other Business
17:35:12 <sigmavirus24> No Such Agency with that acronym
17:35:22 <tmcpeak> anything else anybody wants to discuss before we call it?
17:35:30 <bknudson> there has been discussion about a private gerrit for private security reviews
17:35:53 <sigmavirus24> I have a bug that y'all might want to weigh in on but it's not really OSSG business
17:35:56 <gmurphy> yeah. that has been going on.. forever..
17:36:04 <elmiko> tmcpeak: is there an etherpad up for OSSG break out sessions at summit?
17:36:06 <tmcpeak> sigmavirus24: what's up?
17:36:12 <tmcpeak> elmiko: good question
17:36:12 <sigmavirus24> https://bugs.launchpad.net/glance-store/+bug/1100220
17:36:14 <openstack> Launchpad bug 1100220 in glance_store "Swift+Glance stops working after changing service password" [High,Confirmed] - Assigned to Ian Cordasco (icordasc)
17:36:27 <hyakuhei> elmiko: we’ll have one up early next week
17:36:32 <tmcpeak> I actually don't know anything about the summit.. nkinder - hyakuhei ?
17:36:36 <hyakuhei> Friday is dedicated to me sorting OSSG things
17:36:42 <tmcpeak> sweet
17:36:45 <elmiko> hyakuhei: cool, thanks
17:36:48 <hyakuhei> no worries
17:36:55 * sigmavirus24 will participate if he doesn't leave before the session happens
17:37:26 <tmcpeak> cool, anything else?
17:37:54 <sigmavirus24> opinions on the best way to handle https://bugs.launchpad.net/glance-store/+bug/1100220 would be cool
17:37:55 <openstack> Launchpad bug 1100220 in glance_store "Swift+Glance stops working after changing service password" [High,Confirmed] - Assigned to Ian Cordasco (icordasc)
17:38:17 <tmcpeak> oh, meant to check this out
17:38:18 <sigmavirus24> Also, perhaps we need a guideline to make sure no one ever stores credentials in plain-text anywhere when used in a URI (if we don't have one)
17:38:28 <sigmavirus24> Yeah it's not pressing. Just, feedback appreciated. :D
17:38:57 <tmcpeak> yeah, passwords in URIs are bad
17:39:03 <sigmavirus24> YEP
17:39:15 <hyakuhei> sigmavirus24: that’s horrible
17:39:35 <sigmavirus24> Nah, it's perfectly fine. ;)
17:40:16 <tmcpeak> why can I see this if OSSA is New
17:40:28 <gmurphy> because it is public
17:40:35 <tmcpeak> he opened it up?
17:40:44 <sigmavirus24> tmcpeak: it wasn't reported as private
17:40:56 <sigmavirus24> and the VMT does not care once it's been publicly reported
17:41:04 <tmcpeak> ahh ok
17:41:07 <sigmavirus24> going public -> private security just gets it re-opened again
17:41:19 <tmcpeak> yeah, once it's public it's public
17:41:55 <sigmavirus24> Also this is two years in the open like this
17:41:58 <tmcpeak> well this is good times :)
17:42:03 <sigmavirus24> yep
17:42:30 <tmcpeak> anything else for today?
17:43:47 <tmcpeak> cool
17:43:49 <tmcpeak> thanks everybody!
17:43:51 <tmcpeak> #endmeeting