17:02:08 <hyakuhei> #startmeeting Security
17:02:08 <openstack> Meeting started Thu Apr 23 17:02:08 2015 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:02:10 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:02:11 <hyakuhei> o/
17:02:12 <openstack> The meeting name has been set to 'security'
17:02:15 <tmcpeak> o/
17:02:40 <hyakuhei> Agenda https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity
17:03:11 <hyakuhei> anything to add to that?
17:03:21 <tmcpeak> Bandit
17:03:54 <hyakuhei> Cool
17:04:13 <hyakuhei> So as I’ve found time I’ve been going through the wiki and updating links etc
17:04:27 <hyakuhei> I’m hoping for a concerted rebranding effort at the summit
17:05:30 <tkelsey> o/
17:05:31 <tmcpeak> cool, what do you need to make that happen?
17:05:45 <hyakuhei> People in the same place at the same time more than anything I think
17:05:50 <hyakuhei> just a sprint of sorts
17:05:56 <dg_> Figure out what needs rebranding, get everyone together in the security space, hack?
17:06:02 <hyakuhei> Yeah
17:06:16 <hyakuhei> We’ve got a few 1 hour boardrooms
17:06:32 <hyakuhei> hey tkelsey
17:06:52 <hyakuhei> Any questions or concerns re: our transition?
17:07:12 <tkelsey> hey hyakuhei, yeah rebranding sounds like something that could be done in a sprint :)
17:07:50 <hyakuhei> Cool
17:07:57 <hyakuhei> ok, let's move swiftly along then :)
17:08:01 <elmiko> i didn't see it on the planning, but ossg is getting a sprint on friday?
17:08:21 <hyakuhei> I’m not putting anything in stone for Friday Afternoon
17:08:41 <hyakuhei> The summit is pretty much a ghost town on the final day
17:09:34 <elmiko> ack, thanks
17:10:00 <hyakuhei> Though I’m happy to use that time if people are around, I don’t want to tell the organisers we want that space and then not fill it
17:10:15 <hyakuhei> I’m happy we got anything, being so late to the party :)
17:10:57 <tkelsey> heh yeah
17:11:10 <hyakuhei> Ok, next up
17:11:22 <hyakuhei> #topic security.openstack.org
17:11:32 <hyakuhei> It would be nice to have some more content there before the summit
17:11:51 <hyakuhei> Suggestions?
17:12:12 <hyakuhei> I’d like to see developer guidance, sec guide links and OSSN on there perhaps?
17:12:26 <tmcpeak> ++ for developer guidance :D
17:12:31 <tkelsey> the dev guide stuff we did could go up there
17:12:35 <elmiko> i think those all sound good
17:13:16 <elmiko> maybe we could just go with a landing page style content to start with, provide a nice central place for links to the other content?
17:13:24 <tkelsey> maybe list security specific projects (Barbican, Anchor etc) and a general sort of resources area
17:13:37 <tkelsey> just throwing out ideas
17:13:37 <hyakuhei> All good ideas
17:14:25 <hyakuhei> Cool, anything else?
17:14:28 <hyakuhei> oh hai gmurphy!
17:14:36 <tkelsey> maybe even have a "completeness" section, covering the state of the guide for the current release
17:14:42 <hyakuhei> We were just talking about uses for security.openstack.org
17:14:43 <gmurphy> o/
17:14:51 <gmurphy> right.
17:14:51 <hyakuhei> As it might be nice to have more there before the summit
17:14:55 <hyakuhei> which isn’t so far away
17:15:12 <hyakuhei> but I don’t understand how/where to add content
17:15:20 <gmurphy> yeah. i can probably help out with this next week. port the security guidelines etc
17:15:21 <hyakuhei> There’s a repo somewhere I think.
17:15:39 <hyakuhei> That would be great :)
17:15:41 <gmurphy> so everything lives git.openstack.org/openstack/ossa
17:15:53 <tkelsey> gmurphy: awesome :)
17:15:57 <gmurphy> can submit reviews etc like any other project
17:16:07 <elmiko> nice
17:16:19 <bknudson> https://review.openstack.org/#/q/status:open+project:openstack/ossa,n,z
17:16:26 <hyakuhei> Thanks bknudson
17:16:35 <bknudson> https://review.openstack.org/#/q/project:openstack/ossa,n,z -- there wasn't anything open
17:16:56 <dg_> if we can figure out how to post content, I don't mind trying to get the developer guidance on there before the summit
17:17:07 <bknudson> the reviews of ossas happen in the bug reports
17:17:07 <hyakuhei> I think tmcpeak should take a look at porting the developer guidelines over, as he has the bit between his teeth over that
17:17:22 <hyakuhei> Yeah, OSSA are special cases
17:17:25 <tmcpeak> ok.. I'll take a stab
17:17:53 <gmurphy> i can help out with this. on a call atm ping me later ok?
17:18:04 <tmcpeak> cool, sounds good
17:18:05 <hyakuhei> will do, thanks gmurphy
17:18:08 <dg_> hyakuhei ok I'll teflon that one off to travis
17:18:13 <tmcpeak> lol
17:18:18 <hyakuhei> thanks tmcpeak, dg_ can help :P
17:18:33 <tmcpeak> sweet!
17:18:49 <dg_> tmcpeak I'll take the figurehead role, wave and stuff ;)
17:19:00 <tmcpeak> I expected nothing less :)
17:19:03 <hyakuhei> #action tmcpeak and dg_ to move developer guidance to the OSSA repo
17:19:12 <hyakuhei> There - it’s official now
17:19:29 <tkelsey> lol
17:19:35 <bknudson> who's got +2 on the OSSA repo?
17:19:43 <hyakuhei> VMT I’m guessing
17:19:52 <bknudson> do they want to review all these?
17:20:21 <hyakuhei> Possibly not, fungi, gmurphy, ttx , tristanC ^ thoughts?
17:21:00 <hyakuhei> We want to move some more content, links into security.openstack.org but this might generate a bit more review traffic on the OSSA repo for a while...
17:21:13 <elmiko> side question, could we get gerrit output from the ossa repo to broadcast in openstack-security if it isn't already?
17:21:17 <tristanC> good question... shouldn't this be links to already hosted documents?
17:21:38 <hyakuhei> Some of the documents have been waiting for a good home
17:21:45 <bknudson> I don't have a problem with them being in the same repo... maybe +2 for a larger group
17:21:49 <hyakuhei> Also, OSSN really should have some more prominence.
17:22:00 <tristanC> because well, the project is actually called ossa
17:22:06 <hyakuhei> Yeah it is
17:22:28 <hyakuhei> Though security.openstack.org should be more inclusive than just OSSA, I think?
17:22:38 <bknudson> yes!
17:22:59 <bknudson> I hope we can have more than just our dirty laundry there.
17:23:12 <tmcpeak> :)
17:23:30 <hyakuhei> I very much want it to be a good place for us to demonstrate all the good security stuff in OpenStack, including our robust OSSA process
17:24:23 <elmiko> +1
17:24:52 <dave-mccowan> o/
17:25:41 <hyakuhei> ok cool, no need to labor that, I’ll chat with the VMT folks about if security.openstack.org should stay under ossa in git (which I don’t personally have anything against) and if it does stay there, the impact of adding some +2’s for the additional content.
17:26:17 <bknudson> maybe just rename it someday
17:26:20 <hyakuhei> Doesn’t look like Mr Security Guide will be joining us
17:26:32 <hyakuhei> sicarie is absent!
17:26:43 <hyakuhei> tmcpeak: want to talk about bandit?
17:27:18 <elmiko> i think the doc update is similar to last meeting, we are still reviewing the chapters and sicarie has a list of things he'd like done before we go to publish.
17:27:19 <tmcpeak> hyakuhei: yep
17:27:23 <tmcpeak> fletcher: you around?
17:27:25 <hyakuhei> #topic Bandit
17:27:26 <fletcher> i am
17:27:36 <tmcpeak> fletcher: want to overview your new plugin really quick?
17:27:43 <fletcher> sure thing
17:27:49 <bknudson> bandit's been running quietly on keystone for a while now.
17:27:56 <hyakuhei> woot!
17:28:05 <fletcher> i basically hijacked all of Christian Heimes' work from defusedxml
17:28:10 <tkelsey> I added the bandit gate to Anchor last week btw
17:28:23 <dave-mccowan> bandit is also running quietly on the gate for barbican
17:28:28 <elmiko> sahara is working towards putting a bandit gate job in as well
17:28:32 <michaelxin> +1
17:28:36 <hyakuhei> Wonderful!
17:28:41 <tkelsey> awesome :D it's spreading
17:28:41 <fletcher> So it flags all dangerous XML functions and recommends defusedxml library
17:28:46 <elmiko> although, we might have some feedback about the setup process ;)
17:28:48 <dg_> that's awesome work!
17:28:56 <tkelsey> fletcher: :) awesome
17:29:09 <bknudson> fletcher: have an example of a dangerous XML function?
17:29:15 <tmcpeak> yeah, so this is a really cool new test fletcher has added
17:29:21 <tkelsey> elmiko: feedback is good :D
17:29:23 <hyakuhei> elmiko: feedback is good!
17:29:25 <hyakuhei> heh
17:29:29 <bknudson> there have been vulnerabilities for expansion and dereferencing before.
17:29:30 <fletcher> sure!
17:29:35 <elmiko> hehe, i figured you guys would be up for it
17:29:36 <tmcpeak> and he also added a supporting doc along with it, so IMO this is an excellent example for somebody to follow when adding a new plugin
17:29:42 <fletcher> xml.etree.ElementTree.parse()
17:29:51 <tmcpeak> #link https://review.openstack.org/176404
17:29:55 <tmcpeak> ^ fletcher's change
17:30:07 <bknudson> I can't parse an XML document?
17:30:24 <tmcpeak> bknudson: you can, you just might have a bad time :D
17:30:25 <fletcher> an untrusted XML document, no
17:30:27 <bknudson> that seems like a pretty basic thing to do.
17:30:41 <fletcher> things like the billion laughs attack
17:30:45 <fletcher> and exponential entity expansion
17:30:59 <fungi> sorry, had stepped away
17:31:04 <bknudson> what's the fix?
17:31:09 <fletcher> (gawd I suck at typing/spelling)
17:31:14 <bknudson> (other than don't use XML)
17:31:21 <tmcpeak> there is a library which mitigates known attacks
17:31:28 <fletcher> use defusedxml.ElementTree.parse()
17:31:33 <michaelxin> external entity injection
17:31:38 <bknudson> ahh
17:31:39 <fungi> skimming briefly, i think we could move the non-ossa tooling and content out of the ossa repo and then just use the ossa repo for actual ossa yaml files
17:31:44 <bknudson> is it in global-requirements?
17:31:55 <tmcpeak> bknudson: good q
17:32:03 <fletcher> there is external entity injection and exponential entity injection
17:32:14 <fletcher> but yah, the defusedxml page has nice summaries
17:32:24 <tmcpeak> I did notice that Thierry Carrez is in the "thanked" section
17:32:27 <fletcher> i'm not sure about global-requirements
17:32:30 <tmcpeak> so this must be a known issue
17:32:51 <tmcpeak> it is not on global requirements
17:33:09 <tmcpeak> probably should look at getting it added
17:33:28 <bknudson> y, if any code does xml parsing
17:33:43 <tmcpeak> well xml parsing itself is ok, as long as it isn't from an untrusted source
17:33:44 <bknudson> we've been trying to get rid of xml support
17:33:59 <tmcpeak> still, it's hard to know
17:34:12 <fletcher> sorry had to reconnect so I don't have scrollback. What's hard to know?
17:34:19 <bknudson> that's pretty much anywhere but a local config file... and some people don't even trust their config files.
17:34:30 <tmcpeak> yeah… good point
17:34:41 <tmcpeak> if people want to explicitly mark XML usage as trusted that's what #nosec is for
17:34:50 <chair6> this is where the pinned bandit version is useful, as well as config / profiles functionality
17:35:05 <tmcpeak> and this ^
17:35:08 <chair6> we can push the test into master, run it across openstack repos, figure out what the overall landscape looks like..
17:35:14 <hyakuhei> +1
17:35:19 <fletcher> there's always the argument of "why leave potentially vulnerable code around when the fix is known and simple" :)
17:35:30 <chair6> .. then retain it / keep it / tweak it, and individual projects can still include or exclude the test in their gates based on their config
17:35:43 <tkelsey> chair6: +1
17:35:46 <tmcpeak> fletcher: yeah agree, in OpenStack it might not be as simple because of global requirements and such, but this can at least be a nudge in the right direction
17:36:12 <fletcher> ah ok, that makes sense
17:36:18 <chair6> also on bandit, there is a relatively significant change at https://review.openstack.org/#/c/175612/ .. close to landing it, but feedback still requested
17:36:27 <tmcpeak> also fletcher: I think I'm going to add a reference to this commit as a best practice when committing plugins
17:36:43 <tkelsey> :)
17:36:43 <chair6> completes work that was discussed at the OSSG mid-cycle, moving to having tests report both a severity and a confidence level
17:36:47 <chair6> among a few other things..
17:36:50 <fletcher> awwwww, snap. i'll take it :)
17:37:06 <tmcpeak> yeah chair6 disappeared for a day and dropped a monster improvement :)
17:37:16 <fletcher> yah, i heart that diff
17:37:49 <bknudson> it might be interesting to have a config option to error if confidence level > whatever
17:37:56 <tmcpeak> in other Bandit news, Barbican has switched from experimental Bandit gate to non-voting
17:38:04 <tkelsey> :) nice
17:38:17 <tmcpeak> bknudson: yeah, definitely planned
17:38:28 <chair6> yeah, i haven't added it yet but we'll do filtering on confidence level
17:39:16 <tmcpeak> bknudson: you have any feel to when/if you guys (Keystone) will want to move to a voting gate?
17:39:32 <bknudson> I was hoping that we'd at least see a release of bandit
17:39:43 <tmcpeak> release?
17:39:50 <bknudson> so that we knew you guys weren't going to break us with each release.
17:39:56 <elmiko> hehe
17:39:59 <tmcpeak> we're done releasing for now :)
17:40:07 <tmcpeak> shouldn't matter anyway, you guys are pinned
17:40:18 * fletcher heading to another meeting. talk to everyone next week
17:40:21 <bknudson> I also want to see it in global-requirements.
17:40:23 <tmcpeak> fletcher: cool, thanks!
17:40:29 <dave-mccowan> tmcpeak, when will projects start receiving automatic pushes for bandit-test-requirements.txt?
17:40:32 <bknudson> and our own files updated.
17:40:34 <gmurphy> back
17:40:43 <dstanek> i think we should do it as soon as we can; since it hasn't been an issue
17:40:45 <bknudson> I wouldn't be too worried about whether it's gating or not.
17:40:51 <tmcpeak> dave-mccowan: as soon as it gets in global-requirements…
17:41:05 <tmcpeak> bknudson: well if it isn't gating, it probably isn't actually accomplishing much
17:41:24 <tmcpeak> how often do people actually check all that stuff on the right side? ;)
17:41:37 <bknudson> I hope that core reviewers are always checking it.
17:41:39 <bknudson> I sure do.
17:41:47 <tkelsey> bknudson: +1
17:41:49 <chair6> yeah, i'd argue that non-voting is still quite useful
17:42:11 <tmcpeak> ok cool, apparently I'm the only one that developed a blind spot for gate jobs that don't reject my change :D
17:42:13 <bknudson> keystone isn't like other projects where they have failing CI all the time.
17:42:53 <bknudson> I'd be fine with making it voting. I can bring it up at the keystone meeting.
17:43:14 <bknudson> although I'd still like to see it in global-requirements first.
17:43:34 <tmcpeak> bknudson: yeah, makes sense :) — also I don't want to push you guys to have it voting if you aren't comfortable yet
17:43:40 <stevemar> bknudson, how is it installed now?
17:43:55 <bknudson> stevemar: it's in tox.ini deps for the bandit env
17:44:30 <bknudson> tmcpeak: Do a point release that doesn't break us and I'll be more comfortable.
17:44:55 <tmcpeak> bknudson: ok cool
17:45:01 <tkelsey> bknudson: cautious is good :)
17:45:06 <bknudson> releasing often makes it easier on users.
17:45:07 <tmcpeak> we'll do a point release with fletcher's new plugin and chair6's change
17:45:28 <tmcpeak> that will be 0.10.2, and keystone should still use 0.10.1 because it's pinned that way
17:45:39 <tmcpeak> when all that works we can discuss again :)
17:45:49 <bknudson> then we can upgrade to 0.10.2 and make sure that process works.
17:46:20 <tkelsey> bknudson: tmcpeak +1 good plan
17:46:23 <bknudson> which requires global-requirements.
17:46:45 <tmcpeak> bknudson: ok I'm a little confused.. why do you want to upgrade to 0.10.2?
17:47:00 <tmcpeak> I was envisioning just using 0.10.1 since it's stable
17:47:03 <bknudson> to pick up the new features.
17:47:29 <tmcpeak> isn't the point of pinning so you don't necessarily get them? :D
17:47:47 <bknudson> the point of pinning is that we get to choose when.
17:48:15 <tmcpeak> ok cool, I think I get it
17:48:20 <bknudson> if there's new features it should be 0.11.0
17:48:29 <tmcpeak> good point...
17:48:34 <tmcpeak> especially for a change as big as Jamie's
17:48:40 <tmcpeak> err chair6's
17:48:40 <tkelsey> so I think bknudson is right with that approach, Bandit needs to do a second release to test the process, then if it's looking good people can pull 0.10.2 or whatever
17:49:10 <tmcpeak> cool, works for me
17:49:15 <tkelsey> that way Bandit can test out the process and consumers can get confidence that we know what we are doing :)
17:49:27 <tmcpeak> I wouldn't go that far :P
17:49:44 <hyakuhei> Can we wrap Bandit discussion or take it over to #openstack-security after this meeting (10 minutes left) ?
17:49:51 <tmcpeak> yep, think we're good
17:50:02 <hyakuhei> Sweet
17:50:06 <hyakuhei> #topic Elections
17:50:30 <hyakuhei> So I discussed the process of elections etc with ttx
17:50:52 <hyakuhei> Basically by the letter of the law we don’t have to do an election until the fall elections
17:51:05 <hyakuhei> Which would mean putting up with me for another 6 months.
17:51:16 <elmiko> lol
17:51:33 <hyakuhei> _but_ I don’t want to get in the way of people who want to get rid of me :P
17:51:53 <tmcpeak> if we really want to get rid of you we'll do it the old fashioned way
17:51:57 <hyakuhei> lol
17:52:00 <dg_> we have people for that
17:52:01 <tmcpeak> err.. I mean — sounds good :D
17:52:33 <elmiko> haha!
17:52:34 <tkelsey> :P
17:53:05 <hyakuhei> I’m happy to stay as PTL for the next 6 months but if anyone has a concern around this please either approach me or nkinder and we’ll arrange some post-summit elections
17:53:12 <hyakuhei> Is that fair?
17:53:14 <dg_> so I think you've done ok so far and you should possibly stick around until the dust settles from the change to Security
17:53:27 <hyakuhei> You’re too kind.
17:53:35 <bknudson> #vote hyakuhei
17:53:45 <dg_> I actually had to re-write that 3 times to be less sarcastic :P
17:53:49 <hyakuhei> haha
17:53:59 <tkelsey> hyakuhei: you get my vote, nothing has exploded or imploded yet, so good job!
17:54:05 <hyakuhei> gee thanks
17:54:08 <hyakuhei> heh
17:54:20 <shelleea007> key word, "yet"
17:54:21 <elmiko> agreed, #vote hyakuhei
17:54:25 <tkelsey> yup :P
17:54:28 <tkelsey> :D
17:54:32 <shelleea007> lol
17:54:36 <elmiko> lol
17:54:38 <bknudson> #vote for hillary
17:54:46 <shelleea007> ...
17:54:56 <hyakuhei> I’m feeling the love right now guys :)
17:55:03 <hyakuhei> Let's move it along then
17:55:07 <hyakuhei> #topic any other business
17:55:14 <hyakuhei> Anything else to quickly discuss?
17:55:28 <bknudson> oh, one thing I have to do for keystone is get the rest of our repos running bandit
17:55:39 <elmiko> i wrote an ossn, still waiting for a core reviewer nudge.nudge...
17:55:40 <bknudson> I also wanted to wait on the g-r change for that.
17:55:53 <tmcpeak> bknudson: sounds good
17:55:59 <tmcpeak> elmiko: link?
17:56:14 <elmiko> #link https://review.openstack.org/#/c/175065/
17:56:35 <elmiko> it's for the issue hyakuhei suggested as low hanging fruit last time
17:57:24 <hyakuhei> Excellent, thank you elmiko! I’ll review it after this meeting, thank you and congrats on what I think is your first OSSN :)
17:57:27 <tmcpeak> cool, will take a look
17:57:42 <elmiko> thanks =)
17:57:45 <dg_> hyakuhei do we have enough core reviewers now we've lost bdpayne?
17:58:07 <tkelsey> dg_: that's a good point
17:58:11 <hyakuhei> good point
17:58:19 <hyakuhei> Yes, because he’s not done many reviews for a long time
17:58:25 <hyakuhei> However, I’m happy to add some more too
17:58:29 <hyakuhei> just not an emergency.
17:59:08 <hyakuhei> Any last minute stuff to discuss?
17:59:18 <tkelsey> nothing from me
17:59:25 <shelleea007> no
17:59:41 <hyakuhei> Thanks all!
17:59:45 <hyakuhei> #endmeeting