17:02:20 #startmeeting security
17:02:21 Meeting started Thu Jun 11 17:02:20 2015 UTC and is due to finish in 60 minutes. The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:02:22 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:02:24 The meeting name has been set to 'security'
17:02:28 roll call
17:02:32 o/
17:02:38 hi everyone
17:02:42 hi
17:02:44 o/
17:02:45 hey nkinder__: glad you could make it
17:02:48 hola
17:02:51 hi
17:02:57 shohel - long time
17:03:00 o/
17:03:03 yah
17:03:10 start throwing up topics everybody
17:03:14 midcycle
17:03:23 O/
17:03:41 hi
17:03:42 no update for me. This week is crazy. Sorry.
17:03:53 cool, no worries
17:04:07 -bandit
17:04:22 nkinder__: note update?
17:04:38 not much on notes lately really
17:05:16 ok
17:05:24 maybe a short meeting today then
17:05:26 #topic midcycle
17:05:33 let's do one!
17:05:49 sounds great
17:05:54 Is that the meetup thing I attended? :)
17:06:04 fletcher_ yep, already time to start planning the next one :)
17:06:06 what do we want to cover?
17:06:23 ah snap, that'd be cool. I found the last one useful/fun
17:06:31 #link https://etherpad.openstack.org/p/security-liberty-midcycle
17:06:39 nathaniel and I were discussing working towards v2 of the security guide at the Summit
17:06:57 that would be awesome
17:07:04 +1 a sec guide sprint would be useful
17:07:39 cool so first things first - put your name on the etherpad if you are interested in attending
17:08:01 when are we looking at? towards beginning of august probably?
17:09:03 late august is better?
17:09:44 early august is defcon and blackhat
17:10:11 michaelxin: good point
17:10:20 we don't want to run too close to summit though
17:10:33 anybody know when the other midcycles are?
17:10:49 #link https://wiki.openstack.org/wiki/Sprints#Liberty_sprints
17:11:23 link to etherpad?
17:11:32 https://etherpad.openstack.org/p/security-liberty-midcycle
17:11:34 other midcycles I'm interested in are in mid-july
17:11:48 so august works for me
17:11:56 ok yeah, so maybe mid August early Sept?
17:11:57 thanks!
17:12:03 I would prefer late august too
17:12:36 https://etherpad.openstack.org/p/security-liberty-midcycle shows loading... to me? Does it work for anyone else? Thanks.
17:12:47 michaelxin: works here
17:12:54 works here too
17:12:59 michaelxin: shift-reload it
17:13:03 tmcpeak: nkinder__ Thanks.
17:13:09 ok so let's do this
17:13:16 if you are interested in attending, please add your name to the top
17:13:22 also add your name under any dates that you could attend
17:13:48 we'll likely need some time to figure this out, and I want hyakuhei to drive this, just wanted to get people thinking about it early
17:14:00 Thanks. Firefox worked but Chrome failed. :-)
17:14:16 cooo
17:14:17 cool
17:14:20 @topic Bandit
17:14:25 #topic Bandit
17:14:38 so we've had a lot of good work being done this week
17:15:01 one thing I would like to call attention to is jogo's comments here: https://review.openstack.org/179566
17:15:11 browne has been trying to get other projects to implement a Bandit gate
17:15:14 still making progress on enabling keystone projects (keystoneclient) -- needs reviews
17:15:36 +1
17:15:37 getting reviews in keystone is not as easy as bandit
17:15:43 bknudson: awesome
17:15:45 !
17:15:49 (can't type today)
17:16:35 browne noticed a problem in keystone bandit.yaml where we weren't actually running something...
17:16:42 I like the proposal to make bandit use threading for parallel scanning
17:16:59 chair6: thoughts on this?
I haven't read the thread yet
17:17:08 I wonder if that would meet jogo's performance expectations
17:17:17 it could certainly help
17:17:27 https://review.openstack.org/#/c/187360/ -- Replace blacklist_functions with blacklist_calls
17:17:34 would have been nice if bandit had warned us
17:17:50 that we were using the wrong name
17:18:24 bknudson: ++ we should throw a big nasty warning if we're trying to include a plugin that doesn't exist
17:18:25 nobody has complained about performance on keystone
17:18:51 gate-keystone-tox-bandit SUCCESS in 2m 25s (non-voting)
17:19:02 gate-keystone-pep8 SUCCESS in 5m 01s
17:19:26 I think the nova job is scanning like 3 times the files or something
17:19:34 actually 2m25s is longer than I would have guessed
17:19:43 that must include some setup
17:20:00 oh right
17:20:18 in particular I'm interested in his comment that printing out the whole statement is too much
17:20:22 do you guys agree with that?
17:20:27 2015-06-03_22_15_10_331 -> 2015-06-03_22_15_27_030
17:20:46 so it's 17 seconds and the rest is overhead
17:20:51 ahh
17:20:58 that makes more sense
17:21:42 ok cool, moving right along here
17:21:46 #topic Other Business
17:21:53 anybody have anything else they'd like to mention here?
17:22:24 one of my guys asked how to get involved with code review.
17:22:36 Do we have guidance somewhere? Thanks.
17:22:51 oh cool michaelxin: I assume you mean security code review?
17:22:58 http://docs.openstack.org/infra/manual/developers.html#code-review
17:23:01 tmcpeak: yes
17:23:03 Thanks.
17:23:03 nkinder__ was driving something like this a while back
17:24:06 Is it the same process as other review?
17:24:18 which other review?
17:24:29 michaelxin: does he want to get involved in one project, or kind of any project?
17:24:44 Right now, it is any project.
17:25:00 He just wants to get involved and learn about openstack.
17:25:08 openstack security
17:25:08 michaelxin: he should look for issues tagged with SecurityImpact
17:25:20 michaelxin: this is basically what is on the openstack-security ML
17:25:35 got it. Thanks. nkinder__
17:26:06 what else, anything?
17:26:10 looks like we might wrap early
17:26:18 Yeah, I'm about to propose a rather significant change to the secguide
17:26:28 The current Compute chapter has always bothered me
17:26:32 sicarie: cool, what's that
17:26:32 https://review.openstack.org/#/q/message:SecurityImpact,n,z
17:26:39 #link http://docs.openstack.org/security-guide/content/compute.html
17:26:57 The chapter is entirely a discussion of spice vs vnc consoles
17:27:08 so I've written an intro that gives a brief outline, and that's been merged
17:27:10 yeah looks a little thin
17:27:15 what else is there in compute other than the console?
17:27:28 And in addition to a few other things, I plan on pulling the hypervisor chapter in
17:27:31 #link: http://docs.openstack.org/security-guide/content/hypervisor.html
17:27:33 shouldn't this mention sVirt and such?
17:27:39 like getting metadata and such?
17:27:46 tmcpeak: +1 it's in the Hypervisor chapter
17:28:13 setting passwords
17:28:19 ahh ok cool
17:28:39 you must be able to inject an ssh key rather than have a password assigned
17:28:40 yeah, sicarie - compute chapter could definitely be better :)
17:29:03 And the rest of what I want to create is here
17:29:08 #link: https://etherpad.openstack.org/p/secguide-compute
17:29:23 sicarie: nice!
17:29:25 So input on combining the chapters and currently planned sections would be appreciated
17:29:42 this looks like it will be a great change
17:29:44 Please feel free to edit the etherpad, and if you want co-authored credit make sure you leave your name
17:30:14 lol: 6) Containers
17:30:14 - Please don't (yet)
17:30:31 Yeah, that's going to have quite a bit more in it than that
17:30:37 containers - don't do it
17:30:53 haha
17:31:07 it's going to have a breakdown of containerization types as well as coreos+container recommendations
17:31:14 cool, this is good work sicarie
17:31:25 sicarie: +1
17:31:33 thanks
17:31:49 alright cool, anything else to mention?
17:31:58 otherwise we'll call it for the week
17:32:32 thanks
17:32:38 thanks all
17:32:38 alright good stuff.. everybody remember to hit the etherpad if you want to go to the midcycle
17:32:40 #endmeeting