17:00:57 <hyakuhei> #startmeeting Security
17:00:58 <openstack> Meeting started Thu Aug  6 17:00:57 2015 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:59 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:02 <openstack> The meeting name has been set to 'security'
17:01:03 <tmcpeak> yo yo
17:01:05 <browne> hi
17:01:05 <hyakuhei> sup peeps!
17:01:09 <elmiko> heyo/
17:01:11 <tkelsey> o/
17:01:12 <Daviey> Hola \o
17:01:21 <gmurphy> hi
17:01:33 <tmcpeak> lol, hola
17:02:02 <hyakuhei> Right, first off thanks for tmcpeak for filling in during these meetings, from what I’ve read he’s done a stand up job!
17:02:16 <tmcpeak> that's way overblown, but my pleasure :P
17:02:19 * hyakuhei has to talk to these pesky customers!
17:02:19 <elmiko> hear hear
17:02:33 <hyakuhei> :)
17:02:43 <hyakuhei> I’m actually on the road again today
17:02:45 <hyakuhei> so
17:02:47 <hyakuhei> #chair tmcpeak
17:02:48 <openstack> Current chairs: hyakuhei tmcpeak
17:02:51 <elmiko> lol
17:02:55 <dg_> hey
17:02:55 <gmurphy> hah
17:02:58 <hyakuhei> Just in case my internet explodes :)
17:03:00 <tmcpeak> :)
17:03:35 <hyakuhei> ok, lets get an agenda going, we’ve got the standard activities: OSSN, Anchor, Bandit + That intel CVE stuff + Some wiki stuff + mid cycle
17:03:37 <hyakuhei> What else?
17:03:50 <tmcpeak> sounds like a reasonable lineup
17:03:57 <elmiko> sec doc
17:04:01 <hyakuhei> good call
17:04:10 <tkelsey> api fuzzing ?
17:04:11 <hyakuhei> I think Nathaniel is PTO atm
17:04:23 <hyakuhei> tkelsey: yes if michaelxin is here
17:04:24 <elmiko> hyakuhei, yea, i've been filling in for him
17:04:30 <hyakuhei> elmiko: superb
17:04:47 <hyakuhei> No nkinder either
17:05:13 <hyakuhei> #topic OSSN
17:05:24 <hyakuhei> We have 14 OSSN open at the moment, that’s pretty high
17:05:27 <hyakuhei> #link https://bugs.launchpad.net/ossn
17:05:29 <tmcpeak> :\
17:05:41 <elmiko> ooph
17:05:52 <elmiko> i'll make an effort to pick another one up
17:05:53 <dg_> gosh
17:06:01 <hyakuhei> If we’re offering this service to the community and to the VMT we need to be able to close these out
17:06:06 <gmurphy> i haven't written one yet.. so I could probably step in and do one..
17:06:14 <hyakuhei> Awesome
17:06:24 <hyakuhei> I doubt you need any mentoring gmurphy but reach out if you need any help
17:06:31 <tmcpeak> yeah, I'll prioritize taking one also
17:06:35 <Daviey> I've got two inflight that need to be closed out.. blocked on me now i think
17:06:43 <hyakuhei> I’ll try to get one written on the plane
17:06:56 <gmurphy> is there a priority to these or is it just pick one at random?
17:06:57 <hyakuhei> If you’re stuck on one, send a mail to -dev
17:07:01 <hyakuhei> link to the review
17:07:18 <hyakuhei> Plenty of developers like to correct OSSNs :) I’m sure they’ll help
17:07:23 <gmurphy> lol
17:07:25 <hyakuhei> No one expects security to be experts on everything.
17:07:38 <hyakuhei> (They do, they shouldnt)
17:07:52 <elmiko> +1
17:07:54 <hyakuhei> Ok, So yeah, lets see if we can close out on a bunch of OSSN before the mid-cycle that would be great
17:08:07 <hyakuhei> tkelsey: much to say on Anchor this week?
17:08:20 <tkelsey> nope, lots of stuff in review though
17:08:28 <tkelsey> i've been kinda busy this week
17:08:38 <hyakuhei> #topic Anchor
17:08:39 <Daviey> Anchor now has working Keystone Auth.. if a little crappy still.
17:08:58 <Daviey> The Devstack integration has been tested with dg.. but other feedback welcome!
17:09:04 <hyakuhei> I think this #link https://review.openstack.org/#/projects/openstack/anchor,dashboards/important-changes:review-inbox-dashboard will work for anyone who wants to look at anchor, it might only work for cores though ?
17:09:06 <tkelsey> https://review.openstack.org/#/q/project:openstack/anchor+status:open,n,z
17:09:25 <hyakuhei> tkelsey: that’s a better #link https://review.openstack.org/#/q/project:openstack/anchor+status:open,n,z
17:09:27 <Daviey> hyakuhei: link works for sll
17:09:36 <Daviey> *all
17:09:40 <hyakuhei> Did you discuss the API changes last week?
17:09:54 <tmcpeak> a little
17:09:55 <dg_> yes
17:09:59 <dg_> we decided jfdi
17:10:00 <hyakuhei> Basically, we’re about to break the API, kthnxbye.
17:10:05 <tmcpeak> oh yeah, JFDI
17:10:07 <Daviey> +1
17:10:08 <elmiko> lol
17:10:12 <hyakuhei> Rolling on...
17:10:14 <hyakuhei> #topic Bandit
17:10:22 <tmcpeak> new version of Bandit (0.13.0)
17:10:24 <tmcpeak> hit yesterday
17:10:39 <tmcpeak> mostly good, but there seems to be some cases where old profiles don't have what they need for new tests
17:10:50 <tmcpeak> so we're working on more sensible notification rather than spamming exceptions
17:10:56 <tmcpeak> then we'll get (sigh) 0.13.1 out
17:11:09 <tmcpeak> also Bandit landed in Cinder
17:11:16 <tmcpeak> well landed as in there is now a tox profile
17:11:21 <tmcpeak> not gate yet, but browne is working on it
17:11:30 <tmcpeak> tkelsey is a mad man with docs...
17:11:44 <tmcpeak> and we've discovered we really need some gates that test integration points with other project
17:11:49 <tkelsey> tmcpeak: heh yeah, i'll be back on those soon :)
17:11:54 <tmcpeak> will probably hack on that in midcycle
17:12:23 <tmcpeak> I think that's it.. anything I'm forgetting?
17:12:39 <Daviey> tmcpeak: is .1 being done for the config issue?
17:13:10 <tmcpeak> Daviey: yeah
17:13:17 <Daviey> ta
17:13:24 <browne> at what point would we ever update g-r with a newer bandit?
17:14:02 <tmcpeak> browne: I don't think we need to
17:14:07 <bknudson> when I change keystone to use any new config or tests I'll update g-r.
17:14:08 <tmcpeak> most projects should pull the latest
17:14:33 <bknudson> or if any other project wants to do it then they can update g-r
17:14:46 <tmcpeak> do we need to? projects can use whatever Bandit they want
17:14:50 <tmcpeak> no reason they can't use older if they want
17:15:07 <tmcpeak> 0.10.0 was broken, but other than that they're all good
17:15:38 <bknudson> g-r has bandit>=0.10.1
17:15:41 <Daviey> g-r contains bandit>=0.10.1
17:16:03 <tmcpeak> yeah, so that should be fine, right?
17:16:26 <Daviey> Yeah, any version above that is good.. but most projects will take latest
17:16:32 <browne> so if g-r is >=0.10.1, can a project only support 0.10.1 checks.  or is it ok to support newer checks found in say 0.13?
17:16:34 <tmcpeak> even better :D
17:16:43 <Daviey> ERR
17:16:52 <Daviey> *STOP PRESS*.. upper-requirements has bandit===0.12.0
17:16:55 <bknudson> browne: no, you can't expect 0.13 to be used unless g-r has 0.13.0
17:16:56 <Daviey> SO that does need updating
17:16:59 <tmcpeak> wut
17:17:14 <tmcpeak> yikes
17:17:19 <Daviey> bknudson: g-r is not the issue here
17:17:27 <tmcpeak> well if that's the case how did Cinder even get 0.13.0?
17:17:27 <bknudson> does upper-requirements get updated automatically?
17:17:47 <tmcpeak> nobody knows ;)
17:17:53 <tmcpeak> I heard elves come in and update it randomly
17:17:53 <Daviey> Shall we take this offline? :)
17:17:56 <bknudson> I thought there was a job that updated it.
17:18:00 <tmcpeak> yeah fair enough
17:18:13 <tmcpeak> cool, so that's good for Bandit I think
17:18:19 <hyakuhei> Sweet
17:18:21 <hyakuhei> #topic CVE Check tool
17:18:26 <hyakuhei> #link http://permalink.gmane.org/gmane.comp.cloud.openstack.devel/60983
17:18:30 <hyakuhei> Thoughts on this ?
17:18:53 <Daviey> It can't belong in/near bandit IMO.. which was an idea.. 500MB of metadata to download? :o
17:18:57 <tmcpeak> it could be useful, but it's got a big download requirement, so we really want to make sure we run it as infrequently as possible
17:19:06 <tmcpeak> yeah, definitely shouldn't be part of Bandit
17:19:11 <bknudson> CVEaaS
17:19:14 <hyakuhei> I responded on list, honestly I’m not sure it makes as much sense in the infra gates as it does as a tool for vendors - perhaps even on the customer side as the libraries you ship with might become vulnerable over time
17:19:15 <gmurphy> Doesn't this tool just work for .deb / .rpm packages?
17:19:23 <gmurphy> I haven't really checked it out.
17:19:25 <hyakuhei> gmurphy: no, it looks at the lib versions I think
17:19:26 <dg_> hyakuhei +1
17:20:06 <hyakuhei> I mean, if say, Nova explicitly requires a very specific, very broken library, I guess that’s a good change to flag ahead of +2 and integration
17:20:08 <tmcpeak> hyakuhei: sure, but I think there's arguably some value to making sure blessed versions don't have CVE's upstream supposing it works reliably
17:20:11 <bknudson> Are they trying to get this picked up by the OSSG?
17:20:14 <hyakuhei> So I can see where it might be used
17:20:20 <bknudson> as in, OSSG owns it now?
17:20:20 <hyakuhei> bknudson: we swallow up everything!
17:20:23 <hyakuhei> bknudson: no
17:20:33 <hyakuhei> but it’s relevant to our conversations
17:20:43 <tmcpeak> yeah, we don't have bandwidth for it, we can't even write notes reliably :P
17:20:48 <bknudson> do they want us to submit CVEs for openstack to it?
17:20:51 <hyakuhei> tmcpeak: back in the corner!
17:20:56 <tmcpeak> :#
17:21:12 <hyakuhei> bknudson: No - it’s mainly a back-stop tool
17:21:26 <bknudson> I'm just wondering what they wanted... just to tell us it exists?
17:21:35 <gmurphy> hang on where is a link to this tool.. is it this? https://github.com/ikeydoherty/cve-check-tool
17:21:39 <Daviey> I think the discussion was going down, should openstack/requirements changes have a gate check on it
17:21:40 <bknudson> if I was an operator I'd be interested just like I'm interested in nessus, etc.
17:21:42 <hyakuhei> To see if there was interest in it and how to leverage it
17:21:44 <tmcpeak> bknudson: good point, maybe they wanted validation that it's useful first?
17:21:49 <hyakuhei> or where might be best to leverage it
17:21:53 <hyakuhei> tmcpeak: +1
17:22:12 <tmcpeak> and yeah, as hyakuhei said, to find the best integration points
17:22:22 <bknudson> it's written in c.
17:22:27 <Daviey> It seems entirely reasonable for the project to do some validation of known bad libraries... but not the project as a whole-job.  That is what vendors are for IMO :)
17:22:29 <bknudson> these people are masochists
17:22:39 <hyakuhei> lol
17:22:54 <tmcpeak> C is an interesting choice for something like this
17:22:58 <tmcpeak> bknudson: lol
17:23:10 <hyakuhei> We work with those tools that are closest to us
17:23:29 <tmcpeak> fair enough
17:23:37 <hyakuhei> ok, so I guess continue discussion on thread, keep an eye on it to see if it turns into something more useful
17:23:46 <tmcpeak> sounds good
17:23:48 <dg_> lol c
17:23:53 <hyakuhei> Write an exploit that uses a BOF in a CVE to wown the C based CVE tool
17:23:56 <bknudson> there's lots of useful security tools out there.
17:24:04 <elmiko> hyakuhei, ouch...
17:24:13 * elmiko is an old school C hacker =(
17:24:20 <hyakuhei> Ok, lets move swiftly along
17:24:25 <hyakuhei> #topic Wiki
17:24:42 <hyakuhei> I’ve spent some time trying to update our wiki
17:24:44 <hyakuhei> #link https://wiki.openstack.org/wiki/Security
17:24:49 <hyakuhei> I think it’s a lot less crap now
17:25:03 <tkelsey> ruh roh, hit another issue with Barbican/Cinder/Nova in devstack. http://paste.openstack.org/show/411216/
17:25:13 <tkelsey> damn, wrong room, sorry!
17:25:16 <hyakuhei> but my writing skills aren’t perfect so please jump in and tidy it as required.
17:25:43 <hyakuhei> Anyway yeah, please feel free to add or correct content on the wiki
17:25:45 <elmiko> ack
17:25:54 <bknudson> hyakuhei: it looks good!
17:25:57 <tmcpeak> hyakuhei: thanks! less crap is good
17:26:14 <tmcpeak> oooooh, you've sprinkled shinies in it
17:26:32 <hyakuhei> I tried to order it a bit more sanely, highlight more of what we do, spread the credit around etc but yes, someone who’s good at technical writing needs to go through it
17:26:44 <gmurphy> looks better. we should probably figure out what needs to be done with security.o.o too..
17:26:49 <tmcpeak> hyakuhei: looks legit
17:26:50 <Daviey> ooo, that is a pretty picture.
17:26:51 <elmiko> gmurphy, +1
17:27:00 <elmiko> and yea, the intro pic is nice on the wiki =)
17:27:18 <hyakuhei> Old version for reference : https://wiki.openstack.org/w/index.php?title=Security&oldid=75645
17:27:25 <hyakuhei> (and in case I missed anything)
17:27:30 <tmcpeak> eww
17:27:32 <Daviey> hyakuhei: Blog coming soon?  Is this news?
17:27:35 <elmiko> night and day
17:27:39 <hyakuhei> Yeah
17:27:49 <hyakuhei> So I’m attempting to get us some proper blog space
17:27:55 <elmiko> cool!
17:28:04 <hyakuhei> Over on #link http://www.openstack.org/blog/
17:28:18 <Daviey> Somewhere to announce OSSN's! :)
17:28:20 <hyakuhei> There’s some discussion as to whether our content would be too technical, the blog is for higher level stuff
17:28:25 <hyakuhei> Daviey: exactly
17:28:49 <tmcpeak> hyakuhei: a subdomain of that maybe?
17:28:52 <bknudson> we already do have ways to advertise our stuff.
17:28:52 <hyakuhei> So we’ll see what happens, we will have a multi-user blog somewhere soon. openstack.org is my preference but if not we’ll put it elsewhere
17:29:09 <bknudson> e.g. our stuff winds up on openstack-announce.
17:29:11 <tmcpeak> I'd like to read a security blog but maybe not some of the rest of that stuff :P
17:29:16 <hyakuhei> tmcpeak: So my preference is to have Security as one of the listed categories on the blog
17:29:22 <hyakuhei> Failing that we have lots of options
17:29:35 <hyakuhei> Potentially hanging something off of security.openstack.org for example
17:29:43 <tmcpeak> http://i1.wp.com/openstackreactions.enovance.com/wp-content/uploads/2015/07/h3imQSu.gif?resize=320%2C240
17:29:44 <hyakuhei> Though that’s fraught with potential issues
17:30:14 <elmiko> thanks tmcpeak, i'm scarred now...
17:30:18 <tmcpeak> :D
17:30:20 <hyakuhei> So anyway yes, exciting super sexy blog on its way
17:30:28 <elmiko> hyakuhei++
17:30:28 <hyakuhei> To which you’ll all be invited to attend
17:30:36 <tmcpeak> sounds good
17:30:40 <hyakuhei> s/attend/write
17:30:47 <elmiko> haha
17:30:49 <hyakuhei> Ok, next up lets have elmiko talk about docs
17:30:53 <hyakuhei> #topic Security Docs
17:30:56 <elmiko> alrighty
17:31:05 <elmiko> we are closing in on the last few fixes for the rst conversion
17:31:17 <bknudson> might be interesting to get a blog about how OSSG is helping companies deploying / developing openstack
17:31:27 <bknudson> e.g., if you're running bandit, etc.
17:31:27 <elmiko> i think we just have 2 outstanding issues, and then some smaller fixes that can be done once the rst is in place
17:31:36 <tmcpeak> bknudson: +1
17:31:36 <elmiko> bknudson, awesome idea +1
17:31:48 <Daviey> The last blocker on the theme is about to be merged, which was something else we were blocking on.
17:31:55 <hyakuhei> That’s excellent
17:32:00 <hyakuhei> well done elmiko
17:32:04 <elmiko> we will most likely wait until sicarie is back from black hat/defcon before we make the jump to hyperspace (switch to rst)
17:32:06 <hyakuhei> So glad to see this progressing
17:32:13 <hyakuhei> bdpayne would be so proud :’(
17:32:22 <tmcpeak> :'(
17:32:33 <elmiko> yea, good point Daviey
17:32:43 * elmiko sniffles
17:32:45 <hyakuhei> So is there anything we can do to help elmiko ?
17:33:07 <elmiko> i don't think so, we are steadily moving towards the big unfreeze and switchover
17:33:29 <elmiko> maybe more reviews, when things go up. but it's pretty small at this point
17:33:44 <Daviey> elmiko: Wasn't it agreed that it was now unfrozen, just don't expect to see changes until the switchover?
17:33:50 <elmiko> oh, and we'll need eyes to check the consistency of the final rst stuff, but we have been trying to do that as well
17:33:55 <hyakuhei> Great, I’m looking forward to getting some reviews in. When’s the expected date for the switchover?
17:34:20 <elmiko> Daviey, good question, i think we can unfreeze but all new changes should go to RST only
17:34:38 <elmiko> although we probably shouldn't do that until we switch
17:34:45 <elmiko> hyakuhei, i'm guessing another week, perhaps
17:34:53 <elmiko> gotta find out when sicarie is back
17:35:04 <hyakuhei> coolio
17:35:10 <hyakuhei> Anything else elmiko ?
17:35:13 <dg_> elmiko i think he is back next week
17:35:24 <elmiko> i don't think so, unless Daviey has something more
17:35:29 <elmiko> dg_, ack, thanks
17:35:40 <Daviey> Just that the current draft switchover can be reviewed already, http://docs.openstack.org/draft/security-guide-rst/
17:35:57 <Daviey> catch stuff early etc.
17:35:58 <elmiko> excellent, thanks Daviey
17:36:26 <elmiko> we're using this etherpad for collecting bugs if people find any
17:36:29 <elmiko> #link https://etherpad.openstack.org/p/sec-guide-rst
17:36:37 <hyakuhei> looks good
17:37:00 <elmiko> agreed, i really like the rst format for the guide
17:37:09 <bknudson> rst >> xml
17:37:20 <Daviey> * > xml
17:37:24 <elmiko> so true....
17:37:36 <hyakuhei> RST is going to make this so much easier
17:37:43 <hyakuhei> ok, so - mid-cycle?
17:37:46 <hyakuhei> #topic Mid-Cycle
17:37:53 <hyakuhei> #link https://etherpad.openstack.org/p/security-liberty-midcycle
17:37:59 <hyakuhei> #link https://wiki.openstack.org/wiki/Sprints/SecurityLibertySprint
17:38:23 <tmcpeak> thanks for getting the agenda started hyakuhei
17:38:24 <hyakuhei> I’ve put some agenda stuff up, I think the way we ran things last time went well
17:38:32 <tmcpeak> +1
17:38:57 <tmcpeak> so day one we can do an initial description and see what people are interested in?
17:39:03 <hyakuhei> Put some vague feel for how much effort is required for each activity and we can break them up so that people get involved with as many things as they want
17:39:06 <elmiko> looks nice
17:39:22 <tmcpeak> how about social gathering? we doing one?
17:39:26 <hyakuhei> People proposing topics should fill out the ether pad, we’ll use them as the basis for an unconference
17:39:44 <hyakuhei> tmcpeak: I’m not asking HP to sponsor as they’re covering the room and breakfast/lunch
17:40:16 <hyakuhei> Social gatherings are normally a good idea though, we could pay for ourselves? *gasp*
17:40:16 <tmcpeak> yeah fair enough, I don't think HP needs to sponsor.  Maybe we can just all go out somewhere/
17:40:19 <tmcpeak> ?
17:40:32 <tmcpeak> yeah, +1 pay for ourselves
17:40:43 <dg_> so I will go to a bar at some point in that week, you are welcome to join tmcpeak ;)
17:40:45 <hyakuhei> Works for me, I’ll get someone seattle based to look into it. Plenty of nice places for food
17:40:55 <hyakuhei> We could go to whatever von-trapps is called now and play some bocce
17:40:59 <tmcpeak> dg_ Tuesday early morning per normal? :P
17:41:00 <hyakuhei> I think we did that last time though?
17:41:04 <dg_> standard
17:41:15 <tmcpeak> von-trapps is always fun
17:41:16 <hyakuhei> Anyway, any questions about the mid-cycle ?
17:41:19 <dg_> kells?
17:41:32 <tkelsey> dg_ +1
17:41:33 <tmcpeak> elmiko: you coming?
17:41:47 <hyakuhei> Lets work out which bar to drink dry in the #openstack-security room
17:41:48 <elmiko> still wish i knew...
17:41:58 <bknudson> http://www.capitolhillseattle.com/2014/08/von-trapps-changes-name-to-rhein-haus-following-name-dispute/
17:41:59 <elmiko> i keep pestering, but i keep getting the brush off
17:42:07 <hyakuhei> Though I don’t have much else to cover over today :P
17:42:14 <hyakuhei> #topic Any Other Business
17:42:26 <Daviey> No API fuzzing demo?
17:42:43 <hyakuhei> So the votes are in for the Security track, I’ve not been able to do much analysis other than to recognise that voting just doesn’t work very well.
17:42:56 <elmiko> boo =(
17:43:05 <elmiko> hyakuhei, is any of this public yet?
17:43:06 <tmcpeak> hyakuhei: you know when we'll find out?
17:43:12 <hyakuhei> Thankfully we’ve got some good track chairs and some great content so I’m confident of a good show at the conference, it's just a lot of work for the chairs
17:43:23 <bknudson> so the vote doesn't matter?
17:43:24 <hyakuhei> elmiko: no
17:43:29 <hyakuhei> bknudson: It’s a guide
17:43:36 <hyakuhei> but when there’s 1500 things to vote on
17:43:40 <hyakuhei> It’s a pretty terrible guide
17:43:54 <bknudson> 1500 things all with 1 vote by the submitter
17:43:57 <hyakuhei> We do our best to represent interest, deconflict talks and make a compelling track
17:44:17 <tmcpeak> who's on security track (where do I send bribes)?
17:44:19 <hyakuhei> The votes don’t get made public but the track selections do
17:44:24 <bknudson> I'm glad it's not just the votes.
17:44:34 <hyakuhei> bknudson: +1
17:44:41 <hyakuhei> one second I’ll see if I can find the release date
17:44:46 <elmiko> bknudson, yea, that would be rough
17:45:21 <bknudson> otherwise we'd wind up with donald trump
17:45:26 <elmiko> haha
17:45:30 <tmcpeak> :)
17:45:37 <browne> ha!
17:45:40 <hyakuhei> My understanding is that the official notifications go out the week of august 26th though that’s subject to slippage etc
17:45:57 <tmcpeak> not leaving a ton of time for booking, is it
17:46:37 <browne> tmcpeak: is your attendance dependent on an approved session?
17:46:49 <tmcpeak> browne: yeah
17:46:55 <elmiko> ooph =(
17:46:55 <browne> ouch
17:47:10 <tmcpeak> Japan flights don't come cheap ;)
17:47:12 <hyakuhei> Off US soil…
17:47:24 <hyakuhei> My vote is for hawaii next
17:47:28 <elmiko> +1
17:47:30 <browne> +2
17:47:31 <gmurphy> +1
17:47:35 <tmcpeak> yeah, that'll work
17:47:47 <hyakuhei> fwiw Chairs are from Intel, HP, Redhat and one other I don't remember
17:48:08 <hyakuhei> We’re going to have a summit track too
17:48:08 <tmcpeak> it'll probably end up being like Philadelphia or something ;)
17:48:25 <hyakuhei> We’ll discuss more about that after the mid-cycle unless forced to do it sooner by the scheduling gods
17:48:29 <hyakuhei> tmcpeak: hush
17:48:46 <elmiko> next is austin i thought?
17:48:53 <bknudson> austin and then barcelona
17:48:54 <Daviey> Nah, Mars One.
17:48:59 <elmiko> haha
17:49:04 <hyakuhei> What’s the Tokyo +1 location ?
17:49:09 <hyakuhei> Cool
17:49:15 <hyakuhei> Not been to either of those places yet
17:49:21 <elmiko> likewise
17:49:37 <browne> Tokyo, Austin, then Barcelona
17:49:42 <hyakuhei> Tidy
17:49:54 <hyakuhei> Then USA then Asia I guess?
17:50:05 <bknudson> north america
17:50:14 <bknudson> or south america?
17:50:15 <hyakuhei> HK was really under-subsribed iirc
17:50:27 <hyakuhei> *subscribed
17:50:38 <elmiko> i feel that won't be the case for tokyo
17:50:42 <hyakuhei> tmcpeak: As we’re on AOB do you want to talk about your PyPI stuff?
17:50:46 <hyakuhei> elmiko: I hope so
17:50:50 <tmcpeak> hyakuhei: sure
17:51:08 <browne> surprised Chicago hasn't been selected yet.  right in the middle of the US
17:51:20 <bknudson> hopefully we can have a more productive design summit to make the flight worth it
17:51:29 <tmcpeak> so I worked with dstufft and got a change merged into PyPI that blocks IP and user after 10 failed logins
17:51:31 <elmiko> browne,  yea curious
17:51:41 <bknudson> but it's always hard to get a lot done in a short amount of time
17:51:47 <elmiko> tmcpeak, nice!
17:52:01 <tmcpeak> primary concern is that somebody will target a crap password in one of the upstream requirements and merge some malicious code, etc
17:52:10 <tmcpeak> so this is one step closer to preventing that attack
17:52:27 <tmcpeak> next up I'm going to set up email notifications for repo owners when a new package is uploaded or their password is changed
17:52:35 <bknudson> tmcpeak: sounds like you're talking about a cve checking tool
17:53:03 <tmcpeak> bknudson: no, basic security controls for PyPI is what I'm currently thinking about :)
17:53:23 <tkelsey> tmcpeak: good stuff
17:53:38 <Daviey> tmcpeak: How many Users does that help vs just developers?
17:53:59 <Daviey> I mean, it sounds like a good control to have.
17:54:00 <bknudson> I think there are groups planning to continuously deploy from master and using pypi for packages
17:54:01 <elmiko> tmcpeak, that's awesome
17:54:18 <hyakuhei> Yeah it’s pretty useful
17:54:28 <tmcpeak> yeah, it's kind of scary how central PyPI is in everything
17:54:32 <hyakuhei> +1
17:54:34 <tmcpeak> dstufft is doing great work, but he's so understaffed
17:54:56 <tmcpeak> PyPI has kind of grown to massive importance over time, was never designed for the key role in open source software it currently has
17:55:33 <tmcpeak> so yeah, until PyPI 2.0 (warehouse) hits, might as well get the one everybody is using to implement some basic controls
17:55:39 <elmiko> is it a one person operation?
17:55:44 <tmcpeak> elmiko: yeah, basically
17:55:49 <elmiko> oh wow...
17:55:51 <Daviey> crikey
17:56:06 <tmcpeak> if you ever meet dstufft buy him beers :)
17:56:07 <elmiko> they have a bug log, or accept patches or anything?
17:56:12 <hyakuhei> All the beer
17:56:16 <elmiko> hyakuhei++
17:56:24 <tmcpeak> elmiko: yeah, you can talk to dstufft, he was very helpful in getting my change merged
17:56:26 <hyakuhei> ok, I think that’s a wrap!
17:56:29 <tmcpeak> he hangs out in #openstack-security too
17:56:37 <tmcpeak> cool, thanks hyakuhei
17:56:40 <elmiko> tmcpeak, awesome, thanks. i might hit you up later for some info
17:56:49 <tmcpeak> elmiko: sounds good
17:57:02 <Daviey> lets go home?
17:57:05 <hyakuhei> #endmeeting