17:02:20 <tmcpeak> #startmeeting security
17:02:21 <openstack> Meeting started Thu Jul 30 17:02:20 2015 UTC and is due to finish in 60 minutes.  The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:02:22 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:02:24 <openstack> The meeting name has been set to 'security'
17:02:33 <tmcpeak> I'll hand it over when he comes
17:02:36 <Daviey> \o
17:02:38 <elmiko> cool
17:02:40 <timkennedy> o/
17:02:41 <tmcpeak> #topic Roll-Call
17:02:53 <sicarie> o/
17:03:00 <bknudson> hi
17:03:03 <elmiko> ~O~
17:03:15 <tmcpeak> ^ this is fun :D
17:03:21 <tmcpeak> ok cool
17:03:29 <tmcpeak> #topic Anchor
17:03:38 <tmcpeak> tkelsey, dg_, Daviey, viraptor
17:04:31 <tkelsey> hey, so there was a spec for the API changes
17:04:35 <tkelsey> i'll dig it up
17:05:19 <tkelsey> #link https://review.openstack.org/190473
17:05:37 <tmcpeak> ok cool, where we at on this?
17:05:44 <dg_> hey guys, sorry I'm late, I got distracted watching a video from our HR director talking about the dress code
17:05:51 <tmcpeak> :D
17:05:54 <elmiko> lol
17:05:54 <tkelsey> oh wait thats not the spec
17:06:00 <Daviey> dg_: I hope you are wearing a shirt & tie for this meeting
17:06:09 <dg_> changing right now!
17:06:34 <tmcpeak> if dg_ is wearing pants he's probably above industry average
17:06:43 <dg_> lol
17:06:53 <tkelsey> #link https://review.openstack.org/#/c/205328/
17:06:56 <tkelsey> that one
17:07:25 <tmcpeak> cool, how's it progressing?
17:07:35 <tkelsey> slowly, we are discussing things
17:07:45 <tkelsey> its a big change
17:07:58 <tmcpeak> yeah fair enough
17:08:05 <dg_> I'm still uncomfortable with the ASN1 change
17:08:29 <dg_> is rob here?
17:08:32 <tmcpeak> are you guys exercising your constitutionally guaranteed right to argue on the internet about it?
17:08:38 <tmcpeak> dg_ not yet
17:08:43 <Daviey> I share similar concerns to dg
17:08:50 <tmcpeak> he's *here* but not "here"
17:09:19 <tmcpeak> alright Anchors, anything you want to summarize for the rest of us to get input or bikeshed city?
17:09:28 <dg_> ok, so lets shelve discussion on the ASN1 change for the moment. tkelsey did you cover the api change?
17:09:36 <Daviey> TL;DR cryptography.io doesn't quite have all the humanised functions that we need, so we are stepping deeper into the libraries it abstracts
17:09:45 <tkelsey> nope, take it away dg_
17:09:50 <tmcpeak> Daviey: ahh
17:10:02 <bknudson> +1 to improving cryptography
17:10:17 <dg_> Daviey agreed - and personally I'd rather submit patches to cryptography unless there's a very good reason we should switch to something else
17:10:28 <dg_> bknudson +1
17:10:51 <tmcpeak> cryptography really seems to suit our needs well, so seems to make sense to double down on that with our effort
17:11:26 <Daviey> I think the argument that Stan had was that anything in crypto.io would be mostly transparent anyway
17:11:32 <dg_> so Rob/viraptor will need to come defend this one, so lets shelve it until one of them is here
17:11:44 <Daviey> Agreed
17:11:45 <tkelsey> dg_ +1
17:11:46 <tmcpeak> ok, fair enough
17:11:52 <dg_> right, Anchor API change
17:11:59 <dg_> +2 from me tbh
17:12:25 <tkelsey> same from me, its a good change and gives us API versioning to protect future changes
17:12:31 <dg_> I'm at the point where I think we should just do it, providing the docs are updated in the patch
17:12:36 <Daviey> +1
17:13:05 <Daviey> The worry Rob had was that he wanted to check with users that it wouldn't be a problem... but i kinda think they need to just accept this change :)
17:13:36 <dg_> Daviey agreed, that's my big worry. currently I know of two users, I've had a long chat with both of them, so they know that it's happening
17:14:14 <dg_> however the longer we leave it, the more awkward it gets
17:15:17 <tmcpeak> cool, well seems like most in agreement there
17:15:21 <Daviey> So.. JFDI?  Anything else blocking?
17:15:42 <bknudson> jfdi is always the answer
17:15:49 <tmcpeak> +1
17:15:51 <dg_> +1
17:16:01 <Daviey> Just as this meeting started, dg_ whacked me with a -1 Workflow on https://review.openstack.org/#/c/206141/ .
17:16:02 * sigmavirus24 is here but forgot to say hello
17:16:18 <tmcpeak> great well...
17:16:19 <Daviey> I'm not sure I agree with blocking it.. but not had a chance to discuss it with dg_ yet
17:16:20 <dg_> Daviey its because i think your change is so freaking awesome
17:16:24 <tmcpeak> #action dg_ To JFDI
17:16:42 <dg_> thanks tmcpeak
17:16:43 <Daviey> dg_: *la* *la* *la* no sarcasms heard *la*
17:16:45 <tmcpeak> :)
17:16:53 <tmcpeak> cool, so anything further for Anchor?
17:17:04 <tkelsey> not from me
17:17:06 <Daviey> Just that one ^^
17:17:16 <Daviey> but dg_, do you want to discuss it offline
17:17:17 <Daviey> ?
17:17:19 <bknudson> we've got auth_token middleware for authenticating tokens
17:17:24 <Daviey> Indeed
17:17:25 <dg_> seriously, it's great, but it's taken me a bunch of days to get my keystone system working to the point where I can test it
17:17:26 <bknudson> you don't have to write this yourself
17:17:38 <Daviey> dg_: Didn't the devstack branch work?
17:18:00 <Daviey> bknudson: I know.. I just wanted to FIX what was currently broken with least intrusion
17:18:13 <Daviey> THEN, switch to something supportable
17:18:23 <bknudson> ok, sounds good
17:18:24 <tmcpeak> alright, let's take this offline bc there might be a fair amount of Bandit and other things to discuss as well
17:18:31 <tmcpeak> fair?
17:18:31 <Daviey> Just one more thing?
17:18:32 <dg_> yeah, the issue was my lack of knowledge of keystone, and my plan was to -1 this, add documentation stepping through how to actually use keystone auth with anchor, and add some more helpful errors into the keystone anchor module
17:18:39 <Daviey> Did anyone else try the devstack branch?
17:19:00 <Daviey> Guess not.. Please do!
17:19:10 <dg_> however I take your point about merging this so it works, then fixing the docs and debugging
17:19:25 <dg_> I will talk to tkelsey, but i think your approach is probably right
17:19:40 <Daviey> cool
17:19:46 <Daviey> move on?
17:19:48 <tmcpeak> alright
17:19:50 <tkelsey> I'm ok with iterating on things
17:19:50 <tmcpeak> #topic Bandit
17:19:55 <dg_> and bknudson - please point me at some examples, I had a hunt earlier for examples of using the middleware
17:20:01 <tmcpeak> so two things (at least) to mention here
17:20:09 <tmcpeak> 1) tkelsey is killing it on the doc effort
17:20:13 <Daviey> +1
17:20:15 <tmcpeak> if you haven't seen his work yet go check it out
17:20:16 <bknudson> dg_: everything uses middleware... could check glance paste.ini
17:20:34 <tkelsey> heh thanks tmcpeak
17:20:35 <dg_> bknudson thanks
17:20:46 <tmcpeak> tkelsey you want to mention anything on that?
17:20:47 <tkelsey> yeah please go take a look and play spot the typo :)
17:20:51 <bknudson> dg_: http://git.openstack.org/cgit/openstack/glance/tree/etc/glance-api-paste.ini#n76
17:20:53 <tmcpeak> are you blocked on anything there?
17:21:11 <tkelsey> no, nothing stopping me pushing full speed on it
17:21:16 <tmcpeak> awesome
17:21:21 <sigmavirus24> :D
17:21:33 <tmcpeak> second thing that is probably worth a mention is the IRC discussion we had the other day
17:21:47 <tkelsey> I plan to update each test as a change set so, I can work on them while I wait for reviews on other stuff
17:21:50 <bknudson> any plan for a release of bandit?
17:21:53 <tmcpeak> there was some ambiguity about where functions that are definable with config only belong
17:22:07 <tmcpeak> bknudson: we'll push one after the doc stuff lands
17:22:22 <tmcpeak> we're looking at moving some settings into sub-configs to prevent config bloat
17:22:27 <tmcpeak> might wait for that as well
17:22:48 <browne> tmcpeak: I'd rather see a model such that a project doesn't have to even have its own bandit.yaml
17:22:58 <bknudson> if you keep pushing back the release for every new feature there will never be a release
17:23:08 <tmcpeak> bknudson: true
17:23:22 <tmcpeak> I'm happy to draw the line at the doc then
17:23:30 <tkelsey> bknudson: agreed, though there is a lot happening right now.
17:23:31 <dg_> tmcpeak JFDI...
17:23:33 <Daviey> I'd really like to see doc's and /etc/ branch land before release
17:23:36 <tmcpeak> LD
17:23:46 <tkelsey> Daviey: +1
17:23:46 <Daviey> In Debian 7 bugs got raised against the package.. Some of which are upstream issues and mostly all in flight.
17:23:50 <tmcpeak> :D rather
17:24:06 <tmcpeak> Daviey: orly
17:24:10 <tmcpeak> link?
17:24:12 <browne> I also think this bug needs to merge before next release https://bugs.launchpad.net/bandit/+bug/1479625
17:24:13 <openstack> Launchpad bug 1479625 in Bandit "hardcoded_sql_expressions dumping traceback errors" [High,In progress] - Assigned to Tim Kelsey (tim-kelsey)
17:24:16 <uvirtbot> Launchpad bug 1479625 in bandit "hardcoded_sql_expressions dumping traceback errors" [High,In progress] https://launchpad.net/bugs/1479625
17:24:24 <Daviey> tmcpeak: https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=bandit
17:24:27 <tmcpeak> browne: yeah, 100% that needs to get fixed first
17:24:46 <tkelsey> I have a fix for that SQL one #link https://review.openstack.org/#/c/207513/
17:25:11 <tmcpeak> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794084 interesting
17:25:12 <openstack> Debian bug 794084 in bandit "bandit: dubious "subprocess call without a subshell"" [Normal,Open]
17:25:27 <tmcpeak> I mean it's just a wording issue
17:25:56 <Daviey> tmcpeak: Do you want to own that issue?
17:26:01 <Daviey> (pls)
17:26:10 <tmcpeak> Daviey: sure
17:26:30 <tmcpeak> it's just a wording tweak, we're just flagging subprocess calls
17:27:17 <tmcpeak> so Bandit team, let's put priority on the Debian bugs
17:27:30 <tmcpeak> I'll try to take a couple myself
17:27:46 <tkelsey> OK, I'll find time amongst the docs to look at stuff
17:27:55 <tmcpeak> ok cool
17:28:05 <tmcpeak> I'll circle back on IRC later and randomly bug people ;)
17:28:12 <Daviey> cool
17:28:14 <tkelsey> but please check out the sql fix here https://review.openstack.org/#/c/207513/ simple fix
17:28:33 <tmcpeak> yeah, just need an approval on that, I'm already +2
17:28:35 <tmcpeak> looks simple enough
17:28:43 <tmcpeak> ok cool
17:28:43 <sigmavirus24> warning, we should not be approving changes because zuul is backed up to hell
17:28:54 <tmcpeak> sigmavirus24: ok good to know
17:28:55 <sigmavirus24> infra asked everyone to avoid approving changes until the backlog clears up
17:28:58 <tkelsey> sigmavirus24: yeah
17:29:07 <tmcpeak> but.. but.. we're special
17:29:13 <tmcpeak> #topic Sec Guide
17:29:13 <tkelsey> OK, lets sit on things till tomorrow lol
17:29:26 <tmcpeak> sicarie, elmiko, Daviey
17:29:35 <elmiko> hey
17:29:43 <tmcpeak> why does Daviey always come up in every project :P the man is everywhere
17:29:56 * Daviey blushes
17:29:58 <elmiko> I think sicarie has read through the converted docs
17:30:02 <elmiko> and so have a few others as well
17:30:07 <bknudson> Daviey is jfdi'ing
17:30:12 <Daviey> hah
17:30:15 <elmiko> we have some bugs noted on our etherpad
17:30:18 <tmcpeak> bknudson: lol
17:30:22 <Daviey> dg_ has been all over this as well
17:30:28 <elmiko> some minor cleanups that need to happen in the rst
17:30:30 <tmcpeak> oh yeah, dg_
17:30:33 <tmcpeak> forgot
17:30:42 <sicarie> and pdesai
17:30:50 <Daviey> I think we decided that we were blocking migrating it over until there was a Contents on the sidebar.
17:30:53 <sicarie> Yep, there are 7 issues of content not being there after the RST migration
17:31:03 <sicarie> The sidebar does not exist, I'm not sure we should block for that
17:31:11 <Daviey> Err, the nav bar
17:31:18 <sicarie> Daviey has put a possible solution, but I have not had time to review
17:31:26 <Daviey> sicarie: It has landed..
17:31:28 <dg_> sicarie did you hear from the docteam?
17:31:36 <dg_> Daviey lol
17:31:38 <Daviey> dg_: I JFDI
17:31:52 <sicarie> dg_ the docteam said "doesn't exist, ping the list" and from that Daviey put up his code
17:31:59 <Daviey> It isn't perfect by style guidelines, but it does what we need
17:32:07 <dg_> linky?
17:32:10 <elmiko> ^^
17:32:13 <Daviey> But, we need to wait for a release to be cut
17:32:28 <sicarie> So I'd like to fix the 7 missing content changes, post the guide, and then fix the sidebar as soon as it is possible
17:32:31 <Daviey> dg_: daviey.com/tmp/bug.1422454/
17:32:39 <Daviey> err http://+
17:33:18 <tmcpeak> he's also the evil genius behind daviey.com
17:33:41 <Daviey> tmcpeak: I can sell you a subdomain, with self service ephemeral PKI.
17:33:46 <dg_> Daviey lgtm
17:33:58 <Daviey> sicarie: issues all on http://etherpad.openstack.org/p/sec-guide-rst ?
17:34:00 <tmcpeak> Daviey: great, I'll take 150 of them
17:34:21 <sicarie> Daviey: yep, and in the email I sent out asking for opinions on my rankings
17:34:37 <Daviey> I think i missed that
17:34:37 <sicarie> There were quite a bit more issues than the 7, but the rest were (in my opinion) stylistic and could be changed later
17:34:51 <sicarie> the 7 were missing content, and therefore (again IMO) critical to have in place before we cut over
17:34:57 <Daviey> sicarie: which list?
17:35:09 <sicarie> It's at the bottom of the etherpad
17:35:23 <Daviey> derp
17:35:24 <sicarie> but I'll re-ping the email where I called out the 7 specifically
17:35:39 <tmcpeak> this looks really good guys
17:35:40 <sicarie> for some reason the etherpad isn't connecting for me right now, otherwise I'd put them in a separate section
17:36:23 <bknudson> is http://daviey.com/tmp/bug.1422454/dashboard_demo.html the security guide?
17:37:01 <Daviey> bknudson: No, that is the sample from the theme project
17:37:23 <Daviey> bknudson: just exercising the different RST, CSS and JSS features etc
17:37:52 <tmcpeak> now I'm busy trying to assess the security of daviey.com :P
17:38:17 <Daviey> uho.
17:38:47 <bknudson> Daviey: maybe you'll be the topic of a black hat talk
17:39:07 <Daviey> Fame.
17:39:10 <bknudson> "security weaknesses in daviey.com"
17:39:11 <tmcpeak> lol
17:39:17 <elmiko> lol
17:39:31 <tmcpeak> alright anything else for doc pplz?
17:40:06 <sicarie> Daviey: just re-ping'd that email
17:40:09 <sicarie> tmcpeak: nope
17:40:10 <Daviey> thanks sicarie
17:40:16 <tmcpeak> cool
17:40:27 <tmcpeak> #topic Midcycle
17:40:46 <tmcpeak> how's the flight booking/travel etc coming?
17:40:49 <tmcpeak> we had a few maybes
17:40:52 <tmcpeak> elmiko looking at you
17:40:58 <tmcpeak> browne
17:41:05 <elmiko> I brought it up again today, i should here back soon(TM)
17:41:12 <elmiko> *hear
17:41:40 <tmcpeak> cool
17:41:41 <dg_> I will book travel soon
17:41:54 <dg_> just as soon as our admin gets back from vacation :)
17:42:00 <tmcpeak> cool, I'm booked
17:42:04 <tmcpeak> doing Crown Plaza
17:42:09 <dg_> not the yacht?
17:42:20 <tmcpeak> I'm getting in stupid early Monday btw in case anybody wants to go grab lunch or something
17:43:04 <tmcpeak> dg_: no, yacht only made sense if there were 4 of us and hyakuhei likes the comforts of hotel rooms
17:44:06 <tmcpeak> the yacht: https://www.airbnb.com/rooms/5534463?guests=4&s=CuzQ
17:44:38 <dg_> hyakuhei  lame
17:44:41 <elmiko> lol
17:44:41 <bknudson> that's awesome
17:44:56 <bknudson> Bathrooms: 4
17:45:16 <timkennedy> that's a big assed yacht.
17:45:22 <tmcpeak> "Moored for the duration of your stay, but available for a cruise of local waters ,or a trip thru the locks to Lake Washington, for a added fee."  we'll see about that with 4 security guys on board
17:45:38 <elmiko> haha
17:45:46 <dg_> we need to invite that dude who hacks the cars
17:46:02 <elmiko> charlie miller?
17:46:04 <tkelsey> :D
17:46:07 <tkelsey> yeah
17:46:13 <bknudson> looks comfy enough: https://www.airbnb.com/rooms/5534463?guests=4&s=CuzQ
17:46:27 <tmcpeak> haha yeah, although with his skills he'd probably already be there waiting for us with the thing jailbroken already
17:46:32 <Daviey> bknudson: did you see the airbnb on the site?
17:47:11 <Daviey> https://www.airbnb.co.uk/rooms/7038709
17:47:12 <dg_> elmiko the other one turns out he's mates with our boss
17:47:29 <elmiko> dg_: neat!
17:47:36 <tmcpeak> ^ that might still be an option for elmiko :P
17:47:59 <bknudson> charge to sleep in a tent
17:48:08 <elmiko> haha, maybe!
17:48:14 <bknudson> "Entire home/flat"
17:48:19 <Daviey> I won't be there, unless anyone wants to pay my airfare :)
17:48:20 <tmcpeak> alright cool, well let's set up a social event sometime in Seattle
17:48:22 <bknudson> at least you get the whole place
17:48:26 <tmcpeak> but we can do that later
17:48:35 <dg_> I was about to say 'try sleeping in a tent in downtown seattle otherwise', but then I remembered what downtown seattle is like!
17:48:53 <bknudson> there's a fence to keep the dogs out
17:48:56 <tmcpeak> I like pic 2/7 on this
17:48:57 <sicarie> Yeah, it's a little bit sketchy
17:49:05 <tmcpeak> https://www.airbnb.co.uk/rooms/7038709  the dog is like "what are you waiting for?"
17:49:18 <dg_> tmcpeak LOL
17:49:40 <tmcpeak> alright
17:49:44 <tmcpeak> #topic Other Business
17:49:50 <tmcpeak> open floor, what's up?
17:50:03 <sicarie> API update?
17:50:04 <elmiko> so, the tent is basically in someone's backyard?
17:50:15 <tmcpeak> elmiko: yeah, seems to be
17:50:21 <elmiko> rofl
17:50:21 <sicarie> elmiko: that neighborhood? probably a side yard with open street access
17:51:01 <Daviey> Hmm
17:51:10 <Daviey> Were we not expecting a demo today?
17:51:27 <Daviey> The RAX API fuzzing thing?
17:51:33 <sicarie> ^^
17:51:34 <tmcpeak> yeah, supposed to be
17:51:49 <tmcpeak> that's mvaldes?
17:51:53 <tmcpeak> I don't think he showed up today
17:52:04 <elmiko> =(
17:52:37 <Daviey> Shall we go home then?
17:52:41 <tmcpeak> yep
17:52:42 <elmiko> +1
17:52:43 <tmcpeak> may as well
17:52:45 <tmcpeak> #endmeeting