17:12:19 <ccneill> #startmeeting OpenStack Security Project
17:12:20 <openstack> Meeting started Thu Mar 10 17:12:19 2016 UTC and is due to finish in 60 minutes.  The chair is ccneill. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:12:21 <redrobot> ccneill #startmeeting security
17:12:22 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:12:25 <openstack> The meeting name has been set to 'openstack_security_project'
17:12:31 <ccneill> derp..
17:12:34 <lhinds> thanks ccneill
17:12:41 <michaelxin> mvaldes: +1
17:12:58 <ccneill> so.. Anchor :D
17:13:16 <ccneill> sorry, getting ahead of myself. summit planning.
17:13:19 <diazjf> Summit Planning :) :)
17:13:26 <ccneill> #topic Summit Planning
17:13:26 <mvaldes> #topic Summit Planning
17:13:29 <redrobot> ccneill for future reference the name ends up being used for the directory where the logs are stored.  For consistency this meeting should use "security"
17:13:35 <krotscheck> o/
17:13:36 <redrobot> ccneill http://eavesdrop.openstack.org/meetings/security/2016/
17:13:52 <ccneill> redrobot: dang, knew I got that wrong. thanks for the heads-up ><
17:14:01 <ccneill> anyone have anything on summit planning?
17:14:15 <michaelxin> Did everyone already register for the summit?
17:14:18 <redrobot> yes, has anyone submitted the BYOK spec for the cross-project track?
17:14:24 <michaelxin> The early bird price will end tomorrow.
17:14:26 <diazjf> ccneill, I wanted to talk about BYOK
17:14:43 <ccneill> well, I think you have the floor :)
17:14:44 <redrobot> if not picked for cross-project, I'd like to see BYOK be a fishbowl
17:14:50 <krotscheck> All I have is that a threat analysis session on CORS was proposed.
17:15:06 <diazjf> I have a spec up for BYOK
17:15:07 <diazjf> https://review.openstack.org/#/c/271517/
17:15:56 <ccneill> krotscheck: I've been meaning to take a look at the CORS stuff some more. is there a CR or something up for that re: security?
17:16:04 <mvaldes> #link https://review.openstack.org/#/c/271517/
17:17:15 <krotscheck> ccneill: Not certain what you mean. There's patches in all of the various API's?
17:17:38 <michaelxin> From last time, the agreement is to have a threat modeling session for CORS
17:17:40 <ccneill> krotscheck: sorry, I was just wondering if there was an explicit action item for OSSP to review CORS
17:17:43 <ccneill> all I've seen is the spec
17:17:45 <ccneill> #link http://specs.openstack.org/openstack/openstack-specs/specs/cors-support.html
17:18:18 <ccneill> is your concern individual implementations for each project? or the implementation in general
17:18:24 <krotscheck> ccneill: All i know is the discussion from last week about "Hey, we should do a Threat Analysis at the summit, that'd be a neat exercise"
17:18:36 <ccneill> krotscheck: gotcha. agreed!
17:19:22 * krotscheck won't really have much time to organize it, but is willing to be there as an expert on the spec.
17:19:29 <krotscheck> (The W3C spec that is)
17:20:00 <michaelxin> There might not be too much to talk besides implementation
17:20:09 <michaelxin> The spec is solid.
17:20:10 <ccneill> cool, well I think I'll leave the duty of officially setting up that session to our friend hyakuhei since I'm not even doing a great job running this meeting ;)
17:20:15 <michaelxin> The implementation is key
17:20:30 <michaelxin> Bad implementation will have big impact.
17:21:03 <ccneill> ok, anything else for summit?
17:21:14 <ccneill> going once..
17:21:21 <michaelxin> Not sure
17:21:28 <ccneill> cool, Anchor time
17:21:31 <ccneill> #topic Anchor
17:21:55 <ccneill> redrobot? anyone else?
17:22:38 <michaelxin> let's move on
17:22:42 <ccneill> cool
17:22:44 <ccneill> #topic Bandit
17:22:49 <michaelxin> Tim?
17:22:49 <ccneill> hmm
17:22:53 <ccneill> no tmcpeak it appears
17:23:03 <lhinds> I have something quickly..
17:23:07 <ccneill> anyone else have Bandit news?
17:23:10 <ccneill> cool
17:23:31 <browne> so on bandit
17:23:40 <lhinds> request was made to put some release notes together, so I dug out a format I have used before, and apache F releases typically go for
17:23:56 <lhinds> #link http://paste.openstack.org/show/489522/
17:23:58 <browne> i've been trying to fix projects to get rid of bandit.yaml
17:24:11 <lhinds> not sure if this is what we want, here is a live example
17:24:18 <lhinds> #link https://db.apache.org/ojb/release-notes.txt
17:24:24 <lhinds> so it's a rolling release note
17:24:33 <ccneill> browne: has YAML-free config landed in the version PyPI is shipping now?
17:24:35 <michaelxin> browne: What's your take about lhinds's release note?
17:24:37 <lhinds> you add each new release and it stays in the project root
17:24:51 <ccneill> lhinds: is this related to / in the same format as "reno"?
17:25:04 <ccneill> this thing
17:25:05 <browne> ccneill: not totally until 1.0, but most projects can get away without it.  so been changing that
17:25:08 <ccneill> #link http://docs.openstack.org/developer/reno/
17:25:10 <lhinds> I don't know what reno is yet :S
17:25:12 <browne> and putting bandit in the pep8 testenv
17:25:28 <ccneill> lhinds: it came up last week when we were talking about release notes, but I'm not familiar with it either
17:25:35 <browne> the integration test is still failing so, i'm still working to fix projects and bandit
17:25:41 <lhinds> ahh I see, so looks like we have a format already
17:25:48 <michaelxin> browne: +1
17:26:11 <cjschaef> browne: the problem I have with bandit in the pep8 testenv, is when bandit checks for dirty repos
17:26:15 <ccneill> browne: cool cool. what projects are you working with at this point?
17:26:51 <browne> ccneill: mainly focused on the ones in our integration test that are broken
17:27:00 <browne> so magnum, magnum client, etc
17:27:02 <ccneill> Designate was interested in implementing it, but I told them to hold off til 1.0 to land for the YAML-free config
17:27:37 <browne> cjschaef: yeah, not sure i like it in pep8 either, but think infra wants to cut down on the number of jenkins jobs
17:28:03 <cjschaef> browne: that makes sense, and I wasn't thinking of gates initially too
17:28:09 <ccneill> browne / cjschaef: do you think it might be worthwhile/feasible to propose a "security" gate job?
17:28:17 <ccneill> including bandit, syntribos, other tools to come?
17:29:14 <browne> ccneill: we'd have to run it by infra, but sounds good to me once we have these other sec scans (syntribos) running
17:29:33 <cjschaef> ccneill: I like that idea, and agree with browne on getting those tools ready first
17:29:47 <ccneill> mdong and I will be working on Syntribos more starting next week
17:30:14 <mvaldes> nice idea
17:30:17 <ccneill> so we'll definitely keep everyone posted as we go
17:30:45 <browne> ccneill: cool.  is there a guinea pig project you'll start with?  keystone?
17:31:13 <ccneill> browne: so we've been testing it internally on Solum
17:31:46 <ccneill> I think we're kind of using that as our guinea pig, and then we'll go from there
17:31:51 <michaelxin> After Solum, it will be keystone.
17:31:55 <browne> xool
17:31:57 <browne> cool
17:32:00 <ccneill> what he said ^ :)
17:32:33 <ccneill> cool, anything else on bandit?
17:32:45 <ccneill> going once..
17:33:05 <ccneill> cool
17:33:08 <ccneill> #topic Docs
17:33:48 <ccneill> so I know I said I'd try to get a changelog going for bandit last week... unfortunately, I didn't have time this week
17:34:12 <ccneill> but I will have a lot more time for OSSP-related projects starting next week
17:34:19 <michaelxin> eelmiko?
17:34:19 <ccneill> for the foreseeable future
17:34:25 <ccneill> _elmiko ?
17:34:26 <michaelxin> elmiko?
17:34:31 <hyakuhei> Hey. Sorry. Crazy morning - accident in Seattle
17:34:38 <hyakuhei> elmiko can’t make it today.
17:34:40 <ccneill> oh no
17:34:48 <lhinds> ccneill I can help with anything you might have that needs doing
17:34:54 <lhinds> in between jobs just now
17:34:56 <hyakuhei> unrelated (accident and elmiko)
17:35:17 <ccneill> hyakuhei: well, hope everyone's okay
17:35:23 <lhinds> + 1
17:35:28 <michaelxin> sorry to hear it
17:35:31 <hyakuhei> ccneill: Not sure. Traffic was closed for a long time.
17:35:35 <ccneill> hyakuhei: you want to take over? I'm not great at this whole chairing thing
17:35:37 <michaelxin> hope everyone is fine.
17:35:42 <hyakuhei> +1
17:35:52 <hyakuhei> Who’s chairing the meeting today?
17:35:56 <ccneill> o/
17:36:00 <michaelxin> hyakuhei: ccneill
17:36:12 <hyakuhei> excellent! Thank you ccneill
17:36:13 <michaelxin> he is doing great so far.
17:36:17 <mvaldes> doing a stand-up job
17:36:23 <ccneill> no problem. we're on Docs
17:36:28 <hyakuhei> Please keep on rolling :)
17:36:40 <michaelxin> ccneill: move on next topic
17:36:58 <ccneill> lhinds: I'll look into this reno thing next week and I'll post it in os-sec if I come up with anything
17:36:59 <ccneill> okay
17:37:01 <ccneill> moving on
17:37:09 <ccneill> #topic Syntribos
17:37:37 <michaelxin> mdong: Can give detailed updates.
17:37:40 <hyakuhei> btw most of the HP people are in meeting this morning
17:37:54 <hyakuhei> (annual onsite this week)
17:37:55 <mdong> So as ccneill said earlier we’re gonna dedicate more time to Syntribos
17:38:07 <michaelxin> For resources, ccneill and mdong will work almost full time on syntribos
17:38:17 <hyakuhei> That’s awesome!
17:38:19 <ccneill> hyakuhei: gotcha. we realized how much we miss you all when you're not around this morning! :)
17:38:25 <michaelxin> We are also expecting two more developers from Intel joining the project.
17:38:28 <hyakuhei> awwww
17:38:37 <mvaldes> +1
17:38:42 <michaelxin> Still working on it.
17:38:53 <hyakuhei> That’s very cool
17:38:55 <ccneill> lots of big ideas for Syntribos :)
17:39:13 <michaelxin> Now, mdong is testing Solum using Syntribos
17:39:17 <ccneill> off the top of my head, we'll probably try to rip out the CAFE pieces to make it more palatable to OS projects
17:39:32 <michaelxin> He is working on some payload generation stuff.
17:40:00 <mdong> we’ll be testing Solum as a guinea pig, which hopefully will be a learning experience about how the tool can be improved
17:40:01 <michaelxin> There is a blueprint about payload automatic generation.
17:40:46 <nsun1> wiki for Syntribos?
17:41:07 <ccneill> michaelxin: do you have the link for that BP?
17:41:22 <mdong> there’s no syntribos wiki yet
17:41:36 <mdong> but all our blueprints can be found at https://blueprints.launchpad.net/syntribos
17:41:39 <mvaldes> where do we put a wiki?
17:41:51 <ccneill> mdong / michaelxin: I see the "create-payloads-cinder/glance/keystone/etc" BPs
17:42:04 <mvaldes> nsun1:  just this so far https://github.com/openstack/syntribos
17:42:10 <michaelxin> That will be a good action item for ccneill and mdong
17:42:14 <ccneill> ah
17:42:15 <ccneill> this?
17:42:17 <ccneill> #link https://blueprints.launchpad.net/syntribos/+spec/research-ways-to-generate-payload
17:42:27 <michaelxin> ccneill: yes
17:42:32 <hyakuhei> It’s really great to see this moving forward, I especially like that Intel will be getting involved too. Making it more than just “that Rackspace thing” will be great for adoption. Not that I don’t appreciate all the work Rack is doing.
17:42:45 <ccneill> hyakuhei: +1
17:42:46 <mvaldes> +1
17:43:19 <mvaldes> also thanks to browne for helping review some of the CR's
17:43:29 <michaelxin> ccneill: That's all for syntribos
17:43:31 <michaelxin> move on please
17:43:41 <ccneill> hyakuhei: brought this up earlier, but would like your thoughts
17:43:50 <nsun1> sure
17:43:58 <ccneill> do you think it makes sense for us to propose a "security" gate, running bandit + syntribos + future tools(?)
17:44:31 <ccneill> browne mentioned infra was trying to cut down on Jenkins jobs, so I figured it might make sense to consolidate at some point
17:44:45 <hyakuhei> I think I’d prefer it to be compositional _but_ we can certainly create white papers on best practice combinations and perhaps even offer that as a bundle. So long as that bundle isn’t the _only_ way to use Syntribos/Bandit etc
17:45:49 <ccneill> hyakuhei: compositional? so jobs for each project?
17:46:15 <ccneill> hyakuhei: I agree, shouldn't be the only way to implement it, but would set bar for total adoption pretty low
17:46:45 <ccneill> in any case, we can probably hold off until Syntribos is in a more finished state
17:46:50 <ccneill> since we only have Bandit at the moment
17:47:04 <ccneill> okay, moving on unless anyone has more on Syntribos?
17:47:15 <michaelxin> hyakuhei: https://review.openstack.org/#/c/288150/ still shows Needs Workflow
17:47:44 <michaelxin> What do we need to get the CR move on? Thanks.
17:48:50 <ccneill> did we lose everyone?
17:48:54 <hyakuhei> michaelxin: I’ll check now
17:49:04 <michaelxin> hyakuhei: Thanks.
17:49:07 <hyakuhei> ok I’ll poke $people
17:49:07 <ccneill> #topic Publicity
17:49:09 <hyakuhei> I can’t +2
17:49:24 <ccneill> anything for Publicity?
17:49:50 <michaelxin> hyakuhei: who should we include for +2? Thanks.
17:50:01 <hyakuhei> michaelxin: that’s what I need to find out
17:50:09 <hyakuhei> ttx: ^ Any idea?
17:50:40 <michaelxin> hyakuhei: cool, Thanks.
17:51:44 <ccneill> anything on publicity? got ~8 minutes
17:51:52 <hyakuhei> I don’t think that’s moved anywhere since last week
17:52:05 <michaelxin> ccneill: Do you still have friends in UT-Austin?
17:52:05 <hyakuhei> I did ask for budget for cool swag at the summit
17:52:07 <mvaldes> we did an internal tech talk and gave OSSP another plug
17:52:12 <ccneill> cool, yeah I guess we're waiting on bandit 1.0
17:52:14 <ccneill> hyakuhei: nice
17:52:19 <hyakuhei> mvaldes: cool!
17:52:24 <ccneill> michaelxin: not really? :\ I'm an old man
17:52:34 <michaelxin> haha
17:52:46 <michaelxin> Maybe, we can ask professor Matt T
17:52:53 <ccneill> haha yes!
17:53:12 <ccneill> ok, moving on
17:53:14 <ccneill> #topic OSSN
17:53:23 <ccneill> #link https://review.openstack.org/#/q/status:open+project:openstack/security-doc,n,z
17:53:32 <ccneill> any movement here?
17:53:33 <hyakuhei> https://bugs.launchpad.net/ossn
17:53:55 <hyakuhei> Seems to have stalled out a little. I’ll see if I can get a spring on that in the next few days.
17:54:46 <michaelxin> we only have three
17:54:51 <michaelxin> it is good
17:55:08 <ccneill> ok cool
17:55:13 <ccneill> sounds like we have that on lock
17:55:16 <ccneill> #topic Blog
17:55:17 <hyakuhei> Yeah, we just need to clear them out, some are a little bit old.
17:55:40 <hyakuhei> It’s still going forward, we need to get some more content in there though :)
17:55:42 <ccneill> how's the blog? any posts you want eyes on, hyakuhei ?
17:56:11 <ccneill> we can probably get a blog post together about Syntribos in the coming weeks
17:56:13 <hyakuhei> The TA one needs some polish
17:56:25 <ccneill> e.g. a guide on how to use it, or what is different about it
17:56:25 <michaelxin> ccneill: +1
17:56:27 <hyakuhei> https://openstack-security.github.io/threatanalysis/2016/02/07/anchorTA.html
17:56:32 <hyakuhei> ccneill: great idea
17:57:05 <ccneill> hyakuhei: yeah, I liked this post. where do you do review?
17:57:11 <hyakuhei> github
17:57:25 <hyakuhei> https://github.com/openstack-security/openstack-security.github.io
17:57:31 <ccneill> ah so just do a PR on the post? gotcha
17:57:52 <ccneill> I'll try to add some thoughts, though I think this is a pretty solid start already
17:57:57 <hyakuhei> Yeah, standard Github workflow I guess :)
17:57:58 <ccneill> ok 2 minutes
17:58:00 <hyakuhei> Thanks ccneill
17:58:06 <ccneill> #topic CORS
17:58:14 <ccneill> sorry we didn't save much time for this diazjf
17:58:48 <ccneill> oops, I mean krotscheck
17:58:56 <krotscheck> No worries :)
17:58:59 <krotscheck> yay 2 minutes!
17:59:13 <ccneill> yay! good news is, I won't be chair next week :)
17:59:20 <ccneill> so we'll probably actually get to it
17:59:22 <krotscheck> So, what'll it take to get a fishbowl at the summit?
17:59:31 <krotscheck> (tick tock tick tock)
17:59:41 <ccneill> let's take it to #openstack-security
17:59:46 <ccneill> think we gotta wrap up here
17:59:58 <ccneill> thanks, all!
18:00:00 <ccneill> #endmeeting