17:01:40 <hyakuhei> #startmeeting security
17:01:40 <openstack> Meeting started Thu Apr 16 17:01:40 2015 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:41 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:43 <openstack> The meeting name has been set to 'security'
17:01:51 <hyakuhei> Hey everybody!
17:01:54 <tristanC> Hello folks!
17:01:57 <elmiko> heyo/
17:01:59 <fletcher> hola
17:02:18 <singlethink> hey!
17:02:28 <hyakuhei> #link https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity
17:02:29 <hyakuhei> agenda
17:03:05 <hyakuhei> Quiet room, let me go kick the HP people
17:03:10 <elmiko> hehe
17:03:12 <sigmavirus24> o/
17:03:34 <hyakuhei> Anything to add to the agenda ?
17:03:44 <tmcpeak> o/
17:04:01 <hyakuhei> aaah, welcome tmcpeak !
17:04:08 <tmcpeak> hi there!
17:04:11 <dave-mccowan> o/
17:05:34 <hyakuhei> Ok so lets get started
17:06:16 <hyakuhei> I wanted to talk about the OSSN / YAML stuff but I think we’re missing everyone involved with that
17:06:41 <hyakuhei> #topic OSSN
17:06:49 <hyakuhei> We’ve got quite a few outstanding OSSN
17:06:52 <hyakuhei> #link https://bugs.launchpad.net/ossn
17:07:05 <hyakuhei> Anyone fancy taking a run at writing one, there’s some easy ones there
17:07:12 <hyakuhei> #1414532 for example
17:07:23 <hyakuhei> bug/1414532
17:07:31 * tmcpeak looking
17:08:08 <elmiko> hyakuhei: is there any sort of guide for writing one?
17:08:21 <tmcpeak> elmiko: there are templates
17:08:21 <hyakuhei> #link https://wiki.openstack.org/wiki/Security/Security_Note_Process
17:08:30 <tmcpeak> and that ^ :D
17:08:30 <hyakuhei> and a template in the git repo :)
17:08:33 <elmiko> ah, very cool. thanks =)
17:08:45 <hyakuhei> Now we have them go through gerrit the process is pretty painless
17:09:57 <hyakuhei> well, so long as -1 doesn’t cause you pain
17:10:04 <elmiko> hehe ;)
17:10:19 <hyakuhei> So yes, I’m sure nkinder would be happy if we got a few off the queue, I’ve got one in review that I’ll tie up this week
17:10:36 <tmcpeak> nkinder has one nearly out the door too
17:11:15 <elmiko> gotta say, i'm curious but also slightly intimidated by the idea
17:11:17 <tmcpeak> hyakuhei: I have an idea how we could extend Bandit to support a new use case in the gate, if we have a few mins at some point
17:11:44 <hyakuhei> #topic Bandit
17:11:45 <tmcpeak> elmiko: nahhh.. they're easy :)
17:11:52 <tmcpeak> cool
17:11:54 <hyakuhei> elmiko: I’m happy to help you out
17:11:57 <tkelsey> o/
17:12:02 <tmcpeak> so a couple of things for Bandit…
17:12:23 <tmcpeak> first: Magnum and Barbican have put a non-voting Bandit job in their gate
17:12:39 <sicarie> o/ (on mobile)
17:12:52 * sicarie applauds
17:12:55 <tmcpeak> sdake and dave-mccowan were working on that respectively
17:13:03 <elmiko> nice
17:13:07 <tmcpeak> yep
17:13:10 <tmcpeak> good stuff :)
17:13:22 <tmcpeak> so other thing I wanted to mention...
17:13:28 <sdake> experimental - going to a check next
17:13:32 <dave-mccowan> i need a +2 and workflow on my infra-project CR to get Bandit into the Barbican experimental gate
17:13:35 <tmcpeak> sdake: ahh, that's right
17:13:36 <sdake> probably voting gate after rcs are done
17:13:43 <sdake> enjoy
17:13:55 <tmcpeak> was the guide easy enough to follow?
17:14:01 <tkelsey> I'm going to try adding Bandit gate to Anchor as well this week
17:14:08 <tmcpeak> tkelsey: awesome!
17:14:32 <tmcpeak> so other thing I wanted to propose
17:14:40 <tmcpeak> we use Bandit with a more liberal ruleset
17:15:01 <tmcpeak> in the initial gate (before code is opened up for review)
17:15:10 <hyakuhei> fungi: can you help dave-mccowan with his infra CR?
17:15:24 <tmcpeak> and if it finds certain things, it invites people from OpenStack Security to review
17:15:44 <tmcpeak> examples of things are.. if the module is importing crypto anywhere, it probably has security significance
17:16:02 <tmcpeak> it's similar to the security impact tag, but done in Gerrit instead of launchpad
17:16:10 <tkelsey> so, its a way of trying to automate the #secimpact tag?
17:16:28 <dave-mccowan> fungi https://review.openstack.org/173166
17:16:30 <tmcpeak> yeah, basically for people that don't know to put #secimpact, or forget to
17:16:52 <tkelsey> sure, makes sense, if its possible to do that from a gate test?
17:16:58 <fungi> looking
17:17:12 <tmcpeak> yeah, it's basically just a Bandit test… and based on the results of that it does something
17:17:37 <tkelsey> sure, it's the "something" im interested in
17:17:43 <tmcpeak> like git clone a repo of security people review handles, and adds them to the review
17:17:59 <tkelsey> can we automatically add people like that ?
17:18:01 <fungi> dave-mccowan: lgtm, approved
17:18:24 <tkelsey> it may be possible via the gerrit API perhaps, im not sure
17:18:50 <hyakuhei> thanks fungi :)
17:18:55 <tmcpeak> I'd assume so.. if nothing else it could send emails
17:18:58 <tkelsey> i guess anyone can add anyone as a reviewer, so it should be doable
17:19:12 <tkelsey> im just thinking out loud about it :)
17:19:19 <fungi> yeah, check the gerrit api docs but should be possible
17:19:37 <tmcpeak> cool
17:19:38 <fungi> #link https://review.openstack.org/Documentation/rest-api.html
17:20:05 <tkelsey> cool, thanks fungi
17:20:08 <fungi> looks like you want:
17:20:10 <fungi> #link https://review.openstack.org/Documentation/rest-api-changes.html#suggest-reviewers
17:20:12 <tmcpeak> https://review.openstack.org/Documentation/rest-api-changes.html#suggest-reviewers
17:20:15 <tmcpeak> ^ :)
17:20:19 <tmcpeak> beat me to it
17:20:44 <tkelsey> ah good stuff, looks like it should be easy then :)
17:21:03 <tmcpeak> so yeah, was thinking that might be a nice use for Bandit
17:21:07 <hyakuhei> +1
17:21:08 <fungi> probably also possible over the ssh api, but likely not as friendly
17:21:30 <tmcpeak> I'll probably work on hacking something together and see how it works
17:22:18 <tmcpeak> cool, that's pretty much all I had for Bandit
17:22:22 <tkelsey> tmcpeak: +1
17:22:28 <tmcpeak> bknudson: around?
17:22:35 <bknudson> tmcpeak: yes, kind of
17:22:42 <tmcpeak> how's the Keystone gate been going?
17:22:57 <tmcpeak> you guys having fun with it? :)
17:23:01 <bknudson> I haven't been following it much due to the stable release issues.
17:23:24 <tmcpeak> ahh ok
17:23:30 <bknudson> hopefully next week will get back to it.
17:23:37 <tmcpeak> cool, sounds good
17:23:58 <hyakuhei> cool, ready to talk about elections?
17:24:01 <bknudson> I guess we're waiting on https://review.openstack.org/#/c/171772/
17:24:14 <bknudson> which is waiting on https://review.openstack.org/#/c/167126/
17:24:19 <tmcpeak> ahh ok
17:24:54 <bknudson> the check job has merged, though...
17:24:55 <bknudson> https://review.openstack.org/#/c/170569/
17:25:06 <bknudson> so we should be seeing it on new reviews
17:25:13 <tmcpeak> sweet
17:25:16 <hyakuhei> :D
17:25:19 <fungi> (also, i'm not really here. have an appointment i have to jet off to)
17:25:28 <hyakuhei> Thanks for swinging by fungi
17:25:32 <tmcpeak> thanks fungi
17:25:34 <bknudson> y, here's one: https://review.openstack.org/#/c/170569/
17:25:43 <bknudson> gate-keystone-tox-banditSUCCESS in 2m 02s (non-voting)
17:26:25 <bknudson> so it's running now.
17:26:38 <tmcpeak> awesome!
17:26:48 <hyakuhei> ok, lets chat elections because we ran out of time last time
17:26:53 <tmcpeak> cool
17:27:02 <hyakuhei> Great work everyone on getting Bandit running in gates
17:27:04 <hyakuhei> #topic elections
17:27:19 <hyakuhei> So I’ve very quickly hacked this together from previous elections
17:27:21 <hyakuhei> #link https://wiki.openstack.org/wiki/Security/OSSG_Lead_Election_Spring_2015#Candidates
17:27:25 <ukbelch> I vote Hyakuhei
17:27:34 <hyakuhei> Sorry,
17:27:37 <hyakuhei> #link https://wiki.openstack.org/wiki/Security/OSSG_Lead_Election_Spring_2015
17:27:42 <hyakuhei> thanks ukbelch :P
17:27:51 <hyakuhei> I wanted to talk specifically about the electorate
17:28:14 <hyakuhei> Some projects' electorate is made up only of those who have had something accepted through gerrit
17:28:19 <hyakuhei> docs / code et
17:28:21 <hyakuhei> *etc
17:28:32 <tmcpeak> that seems reasonable
17:28:52 <hyakuhei> I’m worried that some people who contribute might be left out
17:29:01 <hyakuhei> Threat analysis I was thinking but actually they use gerrit
17:29:04 * ukbelch is happy to be left out
17:29:24 <hyakuhei> Bandit counts
17:29:37 <elmiko> the electorate guidelines up there seem pretty good, the last one leaves a lot of wiggle room
17:29:37 <hyakuhei> Anchor counts, Security-doc counts, OSSN counts
17:29:42 <tristanC> hyakuhei: left out people could be accounted within an extra-atc file
17:30:14 <hyakuhei> Useful info tristanC thank you
17:30:37 <hyakuhei> I’ve left the “attend a midcycle” there because they typically require significant effort to do
17:30:39 <tmcpeak> so who would be left out then?
17:30:39 <hyakuhei> Thoughts?
17:30:48 <tmcpeak> yeah, looks pretty reasonable
17:30:51 <hyakuhei> I’m not sure, that’s why I want you guys to take a look
17:31:15 <tristanC> #link https://git.openstack.org/cgit/openstack/governance/tree/reference/extra-atcs  (fwiw)
17:31:17 <tmcpeak> yeah, that looks pretty inclusive to me
17:31:19 <hyakuhei> I need to do some reading to make sure we’re doing things the proper OpenStack way regarding how the election takes place etc.
17:31:24 <hyakuhei> tmcpeak: too inclusive?
17:31:43 <tmcpeak> nah, that looks good
17:32:02 <hyakuhei> tristanC: a lot of our projects currently live in stackforge, is it easy enough to include those ?
17:32:03 <elmiko> agreed, they look good
17:32:18 <hyakuhei> ok cool, well that was easy
17:33:06 <dave-mccowan> Bandit and Anchor contributors should be explicitly included on list
17:33:09 <tristanC> hyakuhei: well I don't know how easy it is, though bandit and anchor are referenced in the official projects.yaml while being on stackforge
17:33:42 <hyakuhei> dave-mccowan: I’ll add them
17:33:43 <tristanC> hyakuhei: and electorate for such project are usually pulled out of that "repo" list
17:33:58 <hyakuhei> ok tristanC thanks that makes sense.
17:34:18 <hyakuhei> The only problem there is that our developer guidance stuff (I want authors there to be included) are currently off reservation
17:34:37 <hyakuhei> #link https://github.com/openstack-security/Developer-Guidance
17:34:54 <hyakuhei> We want to bring them in and plug them into docs/security.openstack somehow
17:35:03 <tmcpeak> why aren't we putting them in the same place OSSN and the sec-guide are?
17:35:41 <hyakuhei> We can do that, at the moment they’re there because they render nicely but it’s not like we’re pointing people at them
17:36:10 <hyakuhei> I _think_ the git history stuff would come across if we moved the repo into sec-guide … ?
17:36:15 <hyakuhei> Though docs might not like that
17:36:26 <tmcpeak> sicarie: ?
17:36:42 <hyakuhei> I’m not sure if bandit/anchor can move over to openstack/ now too
17:37:01 * hyakuhei is figuring out this project stuff a bit at a time :)
17:37:02 <tmcpeak> oh yeah, that'd be cool
17:37:43 <sicarie> tmcpeak: not sure, would need to talk to docs team
17:38:00 <tmcpeak> oh yeah, that docs team :D
17:38:03 <hyakuhei> sicarie: Can you take that forward along with the wider “where should the sec-guide live” discussion ?
17:38:13 <sicarie> Yep
17:38:15 <hyakuhei> or invite me along at the relevant time
17:38:16 <hyakuhei> or both
17:38:26 <sicarie> Sure
17:39:01 <hyakuhei> Great, thanks
17:39:50 <hyakuhei> Ok, so anything more on elections? I’ll clarify some of the text after this meeting and hopefully we can move it forward soon, I want to make sure everyone who should be recognised is (for candidates and voting)
17:40:08 <tmcpeak> sounds good
17:40:57 <hyakuhei> Great
17:41:19 <hyakuhei> Ok, so on the agenda I have summit
17:41:22 <hyakuhei> #topic Summit
17:41:53 <hyakuhei> I’ve requested two fishbowls and two boardrooms but space is limited and we’re late to the party so we’ll get we get and damned well appreciate it!
17:41:58 <hyakuhei> To paraphrase...
17:42:00 <hyakuhei> :)
17:42:19 <hyakuhei> sicarie: Anything going on with docs to discuss?
17:42:49 <hyakuhei> Guess not :)
17:42:53 <sicarie> Yeah but need 5 min to get out of this meeting
17:43:03 <hyakuhei> ok
17:43:11 <elmiko> we've got plenty of reviews going on =)
17:43:22 <hyakuhei> Anything you need more eyes on?
17:43:23 <sicarie> Yeah elmiko can do an overview
17:43:41 <elmiko> let's see, big stuff currently is the review of the identity chapter
17:43:52 <elmiko> pdesai has a review up to split the chapter into section files
17:43:56 <sicarie> +2d this morning
17:44:03 <elmiko> oh, nice
17:44:07 <hyakuhei> drop links here if you want reviews :P
17:44:15 <elmiko> we are also doing read throughs for consistency on that chapter
17:44:17 <elmiko> sure
17:45:12 <elmiko> sorry, review.os.o is wrestling with me
17:45:15 <hyakuhei> heh
17:45:29 <ndillon> Okay, just got out
17:45:34 <ndillon> I also have been reviewing the Case studies
17:45:43 <ndillon> I pulled Alice's apart and have something I think is reasonable
17:45:50 <hyakuhei> ndillon == sicarie
17:45:55 <ndillon> so any input is appreciated - especially if people want to take a section
17:45:58 <ndillon> Oh, yeah, sorry!
17:46:21 <ndillon> #link: https://etherpad.openstack.org/p/sec-guide-case-studies
17:46:24 <hyakuhei> :)
17:46:40 <ndillon> And if you do take a section please make sure to put your name so I can give co-authored-by attrib
17:46:46 <ndillon> (speaking of elections)
17:46:53 <hyakuhei> :)
17:47:00 <hyakuhei> Excellent, thanks ndillon
17:47:08 <hyakuhei> Anything else on docs?
17:47:16 <ndillon> I have a pull request on the Developer Guidelines
17:47:30 <ndillon> I looked at the XSS one, but didn't do anything with examples (yet)
17:47:34 <ndillon> And that's it for me
17:47:34 <hyakuhei> Cool, I’ll take a look in the next few minutes
17:47:41 <ukbelch> I already pushed an updated XSS one
17:47:52 <ukbelch> are you working on the latest version?
17:47:52 <hyakuhei> Is there a pull request for that?
17:47:55 <ndillon> Oh, I'm going to bet ukbelch's is probably better
17:48:19 <elmiko> looks like many of the doc reviews are complete at this point, we just have bugs to work on...
17:48:42 <hyakuhei> I’ve only got the sicarie update in github
17:49:27 <ukbelch> well, I have never done a "pull request" in my life. I just pushed it heh
17:49:43 <hyakuhei> ukbelch: ok cool, if you still have it locally email it over to me
17:49:51 <hyakuhei> It didn’t get pushed anywhere
17:50:02 <ukbelch> hmm... ok, wilco
17:50:03 <hyakuhei> github != gerrit and basically makes everything hard :P
17:50:14 <hyakuhei> Ok, last 10 minutes
17:50:18 <hyakuhei> #topic Any Other Business
17:50:22 <hyakuhei> #link https://square.github.io/keywhiz/
17:50:30 <hyakuhei> ^ Interesting open source secrets manager…
17:50:39 <ukbelch> interesting... it told me it had pushed heh
17:51:02 <ukbelch> wait, it pushed into hyakuhei/OSSG-Security-Practices.git
17:51:09 <ukbelch> not correct?
17:51:13 <hyakuhei> nope
17:51:24 <ukbelch> well, there ya go :) it's there anyway
17:51:25 <hyakuhei> https://github.com/openstack-security
17:51:27 <hyakuhei> heh
17:51:43 <hyakuhei> can you clone that, add your changes and push it
17:51:47 <ukbelch> yup
17:51:50 <hyakuhei> then you’ll be down as the author instead of me
17:51:52 <hyakuhei> TY
17:52:02 <hyakuhei> ok, any other business ?
17:52:15 <ukbelch> ndillon, send over your updates, I'll integrate anything cool :)
17:52:45 <sicarie> ukbelch: https://github.com/openstack-security/Developer-Guidance/commit/d506ea5f173f6d55e108de1107ca1be8601b1c6f
17:52:58 <hyakuhei> That was quick :D
17:53:25 <ukbelch> ty
17:53:28 <hyakuhei> ok cool anything else before we wrap ?
17:54:01 <hyakuhei> TY everyone !
17:54:03 <hyakuhei> #endmeeting