17:02:20 <tmcpeak> #startmeeting security
17:02:21 <openstack> Meeting started Thu Jun 11 17:02:20 2015 UTC and is due to finish in 60 minutes. The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:02:22 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:02:24 <openstack> The meeting name has been set to 'security'
17:02:28 <tmcpeak> roll call
17:02:32 <tmcpeak> o/
17:02:38 <nkinder__> hi everyone
17:02:42 <singlethink> hi
17:02:44 <michaelxin> o/
17:02:45 <tmcpeak> hey nkinder__: glad you could make it
17:02:48 <fletcher_> hola
17:02:51 <shohel> hi
17:02:57 <tmcpeak> shohel - long time
17:03:00 <sicarie> o/
17:03:03 <shohel> yah
17:03:10 <tmcpeak> start throwing up topics everybody
17:03:14 <tmcpeak> midcycle
17:03:23 <shelleea007> O/
17:03:41 <bknudson> hi
17:03:42 <michaelxin> no update for me. This week is crazy. Sorry.
17:03:53 <tmcpeak> cool, no worries
17:04:07 <tmcpeak> -bandit
17:04:22 <tmcpeak> nkinder__: note update?
17:04:38 <nkinder__> not much on notes lately really
17:05:16 <tmcpeak> ok
17:05:24 <tmcpeak> maybe a short meeting today then
17:05:26 <tmcpeak> #topic midcycle
17:05:33 <tmcpeak> let's do one!
17:05:49 <michaelxin> sounds great
17:05:54 <fletcher_> Is that the meetup thing I attended? :)
17:06:04 <tmcpeak> fletcher_ yep, already time to start planning the next one :)
17:06:06 <nkinder__> what do we want to cover?
17:06:23 <fletcher_> ah snap, that'd be cool. I found the last one useful/fun
17:06:31 <tmcpeak> #link https://etherpad.openstack.org/p/security-liberty-midcycle
17:06:39 <nkinder__> nathaniel and I were discussing working towards v2 of the security guide at the Summit
17:06:57 <tmcpeak> that would be awesome
17:07:04 <sicarie> +1 a sec guide sprint would be useful
17:07:39 <tmcpeak> cool so first things first - put your name on the etherpad if you are interested in attending
17:08:01 <tmcpeak> when are we looking at? towards beginning of august probably?
17:09:03 <michaelxin> late august is better?
17:09:44 <michaelxin> early august is defcon and blackhat
17:10:11 <tmcpeak> michaelxin: good point
17:10:20 <tmcpeak> we don't want to run too close to summit though
17:10:33 <tmcpeak> anybody know when the other midcycles are?
17:10:49 <bknudson> #link https://wiki.openstack.org/wiki/Sprints#Liberty_sprints
17:11:23 <fletcher_> link to etherpad?
17:11:32 <tmcpeak> https://etherpad.openstack.org/p/security-liberty-midcycle
17:11:34 <bknudson> other midcycles I'm interested in are in mid-july
17:11:48 <bknudson> so august works for me
17:11:56 <tmcpeak> ok yeah, so maybe mid August early Sept?
17:11:57 <fletcher_> thanks!
17:12:03 <nkinder__> I would prefer late august too
17:12:36 <michaelxin> https://etherpad.openstack.org/p/security-liberty-midcycle shows loading... to me? Does it work for anyone else? Thanks.
17:12:47 <tmcpeak> michaelxin: works here
17:12:54 <nkinder__> works here too
17:12:59 <nkinder__> michaelxin: shift-reload it
17:13:03 <michaelxin> tmcpeak: nkinder__ Thanks.
17:13:09 <tmcpeak> ok so let's do this
17:13:16 <tmcpeak> if you are interested in attending, please add your name to the top
17:13:22 <tmcpeak> also add your name under any dates that you could attend
17:13:48 <tmcpeak> we'll likely need some time to figure this out, and I want hyakuhei to drive this, just wanted to get people thinking about it early
17:14:00 <michaelxin> Thanks. Firefox worked but Chrome failed. :-)
17:14:16 <tmcpeak> cooo
17:14:17 <tmcpeak> cool
17:14:20 <tmcpeak> @topic Bandit
17:14:25 <tmcpeak> #topic Bandit
17:14:38 <tmcpeak> so we've had a lot of good work being done this week
17:15:01 <tmcpeak> one thing I would like to call attention to are jogo's comments here: https://review.openstack.org/179566
17:15:11 <tmcpeak> browne has been trying to get other projects to implement a Bandit gate
17:15:14 <bknudson> still making progress on enabling keystone projects (keystoneclient) -- needs reviews
17:15:36 <michaelxin> +1
17:15:37 <bknudson> getting reviews in keystone is not as easy as bandit
17:15:43 <tmcpeak> bknudson: awesome
17:15:45 <tmcpeak> !
17:15:49 <tmcpeak> (can't type today)
17:16:35 <bknudson> browne noticed a problem in keystone bandit.yaml where we weren't actually running something...
17:16:42 <nkinder__> I like the proposal to make bandit use threading for parallel scanning
17:16:59 <tmcpeak> chair6: thoughts on this? I haven't read the thread yet
17:17:08 <nkinder__> I wonder if that would meet jogo's performance expectations
17:17:17 <tmcpeak> it could certainly help
17:17:27 <bknudson> https://review.openstack.org/#/c/187360/ -- Replace blacklist_functions with blacklist_calls
17:17:34 <bknudson> would have been nice if bandit had warned us
17:17:50 <bknudson> that we were using the wrong name
17:18:24 <tmcpeak> bknudson: ++ we should throw a big nasty warning if we're trying to include a plugin that doesn't exist
17:18:25 <bknudson> nobody has complained about performance on keystone
17:18:51 <bknudson> gate-keystone-tox-banditSUCCESS in 2m 25s (non-voting)
17:19:02 <bknudson> gate-keystone-pep8SUCCESS in 5m 01s
17:19:26 <tmcpeak> I think the nova job is scanning like 3 times the files or something
17:19:34 <tmcpeak> actually 2m25s is longer than I would have guessed
17:19:43 <bknudson> that must include some setup
17:20:00 <tmcpeak> oh right
17:20:18 <tmcpeak> in particular I'm interested in his comment that printing out the whole statement is too much
17:20:22 <tmcpeak> do you guys agree with that?
17:20:27 <bknudson> 2015-06-03_22_15_10_331 -> 2015-06-03_22_15_27_030
17:20:46 <bknudson> so it's 17 seconds and the rest is overhead
17:20:51 <tmcpeak> ahh
17:20:58 <tmcpeak> that makes more sense
17:21:42 <tmcpeak> ok cool, moving right along here
17:21:46 <tmcpeak> #topic Other Business
17:21:53 <tmcpeak> anybody have anything else they'd like to mention here?
17:22:24 <michaelxin> one of my guys asked how to get involved with code review.
17:22:36 <michaelxin> Do we have guidance somewhere? Thanks.
17:22:51 <tmcpeak> oh cool michaelxin: I assume you mean security code review?
17:22:58 <fletcher_> http://docs.openstack.org/infra/manual/developers.html#code-review
17:23:01 <michaelxin> tmcpeak: yes
17:23:03 <michaelxin> Thanks.
17:23:03 <tmcpeak> nkinder__ was driving something like this a while back
17:24:06 <michaelxin> Is it the same process as other reviews?
17:24:18 <tmcpeak> which other review?
17:24:29 <tmcpeak> michaelxin: does he want to get involved in one project, or kind of any project?
17:24:44 <michaelxin> Right now, it is any project.
17:25:00 <michaelxin> He just wants to get involved and learn about openstack.
17:25:08 <michaelxin> openstack security
17:25:08 <nkinder__> michaelxin: he should look for issues tagged with SecurityImpact
17:25:20 <nkinder__> michaelxin: this is basically what is on the openstack-security ML
17:25:35 <michaelxin> got it. Thanks. nkinder__
17:26:06 <tmcpeak> what else, anything?
17:26:10 <tmcpeak> looks like we might wrap early
17:26:18 <sicarie> Yeah, I'm about to propose a rather significant change to the secguide
17:26:28 <sicarie> The current Compute chapter has always bothered me
17:26:32 <tmcpeak> sicarie: cool, what's that
17:26:32 <bknudson> https://review.openstack.org/#/q/message:SecurityImpact,n,z
17:26:39 <sicarie> #link http://docs.openstack.org/security-guide/content/compute.html
17:26:57 <sicarie> The chapter is entirely a discussion of spice vs vnc consoles
17:27:08 <sicarie> so I've written an intro that gives a brief outline, and that's been merged
17:27:10 <tmcpeak> yeah looks a little thin
17:27:15 <bknudson> what else is there in compute other than the console?
17:27:28 <sicarie> And in addition to a few other things, I plan on pulling the hypervisor chapter in
17:27:31 <sicarie> #link: http://docs.openstack.org/security-guide/content/hypervisor.html
17:27:33 <tmcpeak> shouldn't this mention sVirt and such?
17:27:39 <bknudson> like getting metadata and such?
17:27:46 <sicarie> tmcpeak: +1 it's in the Hypervisor chapter
17:28:13 <bknudson> setting passwords
17:28:19 <tmcpeak> ahh ok cool
17:28:39 <bknudson> you must be able to inject a ssh key rather than have a password assigned
17:28:40 <tmcpeak> yeah, sicarie - compute chapter could definitely be better :)
17:29:03 <sicarie> And the rest of what I want to create is here
17:29:08 <sicarie> #link: https://etherpad.openstack.org/p/secguide-compute
17:29:23 <tmcpeak> sicarie: nice!
17:29:25 <sicarie> So input on combining the chapters and currently planned sections would be appreciated
17:29:42 <tmcpeak> this looks like it will be a great change
17:29:44 <sicarie> Please feel free to edit the etherpad, and if you want co-authored credit make sure you leave your name
17:30:14 <tmcpeak> lol: 6) Containers
17:30:14 <tmcpeak> - Please don't (yet)
17:30:31 <sicarie> Yeah, that's going to have quite a bit more in it than that
17:30:37 <tmcpeak> containers - don't do it
17:30:53 <michaelxin> haha
17:31:07 <sicarie> it's going to have a breakdown of containerization types as well as coreos+container recommendations
17:31:14 <tmcpeak> cool, this is good work sicarie
17:31:25 <michaelxin> sicarie: +1
17:31:33 <sicarie> thanks
17:31:49 <tmcpeak> alright cool, anything else to mention?
17:31:58 <tmcpeak> otherwise we'll call it for the week
17:32:32 <bknudson> thanks
17:32:38 <nkinder__> thanks all
17:32:38 <tmcpeak> alright good stuff.. everybody remember to hit the etherpad if you want to go to the midcycle
17:32:40 <tmcpeak> #endmeeting