17:00:29 <tmcpeak> #startmeeting security
17:00:36 <openstack> Meeting started Thu Aug 13 17:00:29 2015 UTC and is due to finish in 60 minutes.  The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:37 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:40 <openstack> The meeting name has been set to 'security'
17:00:40 <Daviey> \o
17:00:42 <tmcpeak> #charit hyakuhei
17:00:45 <tmcpeak> #chair hyakuhei
17:00:46 <openstack> Warning: Nick not in channel: hyakuhei
17:00:47 <michaelxin> hello
17:00:47 <openstack> Current chairs: hyakuhei tmcpeak
17:00:54 <tmcpeak> hey everybody
17:01:01 <bknudson> hi
17:01:02 <elmiko> hiyo/
17:01:10 <sicarie> hello
17:01:13 <tmcpeak> hyakuhei is out doing sales stuff, but he said he'll try to make it, subject to availability of n3tz on the road
17:01:17 <tmcpeak> #topic Roll Call
17:01:25 <sicarie> o/
17:01:27 <bknudson> hi
17:01:28 <tmcpeak> o/
17:01:33 <michaelxin> o/
17:01:53 <tmcpeak> sweet
17:02:24 <tmcpeak> so just a reminder, we have an agenda for each meeting here: https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity  which bknudson has showed us how to use with his agenda item
17:02:42 <elmiko> very nice
17:02:43 <sigmavirus24> o/
17:02:48 <tmcpeak> hey sigma
17:02:55 <tmcpeak> so let's get right on into it
17:02:57 <michaelxin> nice
17:02:58 <tmcpeak> #topic Anchor
17:03:03 <tmcpeak> tkelsey, dg_, Daviey
17:03:20 <dg_> anchor is awesome, you shold have it in your cloud
17:03:30 <elmiko> lol, nice
17:03:30 <Daviey> You should also have it in your devstack!
17:03:31 <tmcpeak> excellent, next topic :D
17:03:36 <elmiko> haha
17:03:38 <michaelxin> haha
17:03:43 <michaelxin> will try for sure
17:03:56 <Daviey> dg_: Have you any more comments on the devstack branch?
17:04:00 <tmcpeak> anything you guys want to mention this week?
17:04:06 <dg_> hopefully coming soon to Octavia as the default pki, Ive been working with some of the cores trying to get it integrated
17:04:23 <dg_> daviey Ive not looked at it further, its on my list to play with further
17:04:32 <tmcpeak> very cool
17:04:40 <Daviey> #link https://wiki.openstack.org/wiki/Octavia
17:04:55 <tmcpeak> ty Daviey (saved me the Googles)
17:04:57 <Daviey> dg_: Ok, reach out to me if/when you do pls.
17:05:02 <redrobot> o/
17:05:04 <dg_> tkelsey and I have spent the last couple of days playing with devstack for something else, so we are getting more familiar with it, probably take a look at it next week
17:05:12 <tmcpeak> hello Mr. redrobot
17:05:19 <Daviey> dg_: Yeah, i saw the barbican interest
17:05:24 <dg_> daviey for sure
17:05:31 <Daviey> EOF
17:05:45 <tmcpeak> cool
17:05:55 <tmcpeak> #topic Bandit
17:06:09 <tmcpeak> we've got a new Bandit (0.13.1) in response to the good point that we weren't handling missing config very well
17:06:16 <tmcpeak> specifically we were spamming exceptions
17:06:34 <tmcpeak> Daviey got it fixed up last week and yesterday we pushed the new version to PyPI
17:06:57 <tmcpeak> browne also wrote a cool new plugin for short keysizes in cryptos
17:07:08 <Daviey> tmcpeak: Does there need to be a release announcement ?
17:07:12 <tmcpeak> that will wait for 0.14.0 as sigmavirus24 points out, we shouldn't be dropping new plugins in point releases
17:07:22 <tmcpeak> Daviey: probs not, it just fixes crap behavior, would rather not call it out :)
17:07:27 <Daviey> heh
17:07:43 <tmcpeak> I dunno, I'm open to suggestions
17:08:12 <Daviey> tmcpeak: Are we seeing any more adoption at gates?
17:08:28 <tkelsey> bah, sorry im late!
17:08:38 <tkelsey> what i miss?
17:08:38 <tmcpeak> a few non-voting jobs thanks to browne and.. somebody else, can't remember ATM
17:08:59 <tmcpeak> tkelsey: we've got a handle on this security thing
17:09:02 <tmcpeak> we can all go home
17:09:07 <sigmavirus24> lol
17:09:13 <tkelsey> tmcpeak: sounds good to me, same time next week then
17:09:17 <tmcpeak> yep yep
17:09:18 <elmiko> not openstack related, but i am giving a tech talk on bandit at red hat next week =)
17:09:25 <tmcpeak> elmiko: sweet!
17:09:25 <bknudson> here's the output in keystone with latest bandit: http://logs.openstack.org/20/208620/10/check/gate-keystone-tox-bandit/d7698f9/console.html#_2015-08-13_13_14_16_081
17:09:34 <sigmavirus24> elmiko: I'm giving one on it tonight at the local UG
17:09:35 <tkelsey> elmiko: awesome
17:09:42 <elmiko> sigmavirus24: ^5
17:09:43 <sigmavirus24> although the talk is about code quality tools in general
17:09:46 <sigmavirus24> ^5
17:09:53 <michaelxin> sigmavirus24: elmiko +1
17:10:05 <tmcpeak> yeah sweet guys!
17:10:09 <tmcpeak> spread the word :)
17:10:24 <elmiko> trying =)
17:10:34 <tkelsey> bknudson: looks good, anything out of place from your perspective?
17:10:38 <Daviey> sigmavirus24: Hopefully this won't be an example of bad code!
17:10:42 <bknudson> nope, looks good.
17:10:49 <tkelsey> bknudson: awesome :)
17:10:54 <sigmavirus24> lol
17:10:56 <sigmavirus24> no it won't
17:10:58 <tmcpeak> bknudson: I always give preferential testing to the Keystone properties before release
17:11:03 <sigmavirus24> Daviey: it'll be used to improve code-q
17:11:07 <tmcpeak> since you guys have voting gates
17:11:07 <bknudson> it says when the run started but doesn't say when the run ended
17:11:20 <tmcpeak> but it's top of my list to get automation for all the gate projects
17:11:22 <bknudson> (not sure why either one is all that interesting to log)
17:11:59 <tmcpeak> bknudson: not particularly unless you're super concerned with performance
17:12:13 <tmcpeak> cool, so that's probs good for Bandit this week, keep on keeping on
17:12:19 <tmcpeak> #topic Sec Guide
17:12:27 <tmcpeak> sicarie, elmiko, Daviey, pdesai
17:12:29 <sicarie> So the migration to RST is complete
17:12:33 <Daviey> \o/
17:12:39 <tmcpeak> mwahahahahaha
17:12:41 <elmiko> whoop whoop
17:12:45 <sicarie> Awesome work from everyone
17:12:47 <tmcpeak> I mean, awesome! :)
17:12:50 <Daviey> #link http://docs.openstack.org/security-guide/
17:12:50 <sicarie> http://docs.openstack.org/security-guide/
17:13:03 <sicarie> the 'Warning' there is getting removed as soon as we get a doc core +2
17:13:10 <elmiko> the commit to delete the xml files was actually delicious
17:13:15 <sicarie> +1
17:13:18 <tmcpeak> it's… it's.. beautiful
17:13:23 <elmiko> hehe
17:13:26 <dg_> +1
17:13:30 <Daviey> sigmavirus24: Anne questioned if we should be advertising liberty coverage in docs yet?
17:13:34 <Daviey> err sicarie ^
17:13:43 <sigmavirus24> hah
17:13:51 <sigmavirus24> tab complete is not your friend
17:13:57 <Daviey> Inflippindeed
17:14:03 <elmiko> oh, and we have yet to address the current LuLu print and future pdf plans, unless sicarie addressed it already
17:14:17 <sicarie> Daviey: if it's not released, I'm not a fan of promoting it
17:14:46 <sicarie> I think we should keep an eye on it and open bugs for coverage, but I also don't know anything liberty specific we'd need to include at this point
17:14:56 <sicarie> elmiko: yes, I've been chatting with Anne and Lana about that
17:15:06 <elmiko> sicarie: awesome =)
17:15:15 <Daviey> We learned that LuLu was not insignificant sales.. which surprised me
17:15:17 <sicarie> I need to validate the tooling - it might take docbook, in which case our leaf version will be the current XML :(
17:15:23 <tmcpeak> how much?
17:15:24 <elmiko> Daviey: +1
17:15:29 <sicarie> (might ONLY take docbook)
17:15:42 <Daviey> tmcpeak: Numbers TBC, i'll dig out the comment
17:16:04 <elmiko> sicarie: ouch..
17:16:12 <tmcpeak> does that just cover printing cost or it go to the openstack foundation in some way?
17:16:13 <sicarie> elmiko: agreed
17:16:34 <elmiko> just when i thought i had escaped xml, it drags me back in....
17:16:46 <sicarie> tmcpeak: there is a charge to update content, and then I'd imagine that some of the profits go towards cost of printing, but that is all foundation stuff
17:17:08 <sicarie> elmiko: at this point, I'm in favor of updating it, and then adding a disclaimer and opening a ticket against the docs team :)
17:17:12 <tmcpeak> ahh cool
17:17:20 <Daviey> (tmcpeak: In May 2015, 20 were sold.)
17:17:22 <elmiko> sicarie: that sounds fair
17:17:28 <tmcpeak> that's pretty solid
17:17:39 <sicarie> So that's my action for the week
17:17:45 <tmcpeak> cool
17:17:47 <sicarie> As long as I don't forget - I'm still digging out from my inbox
17:17:51 <sicarie> though I'm almost done
17:17:54 <tmcpeak> #topic Security Notes
17:18:08 <tmcpeak> nkinder: you around today?
17:18:14 <elmiko> i think we need a OSSN triage day or something
17:18:14 <tmcpeak> looks like not
17:18:17 <Daviey> I've made no progress with my inflight OSSN this week.  I suck.
17:18:26 <tmcpeak> yeah, so elmiko was pointing out we have some murky OSSN's
17:18:53 <elmiko> i looked through several of the open ones to find a new target, and there is no clear winner. i think we need to make sure they are all viable for notes
17:19:19 <tmcpeak> we should definitely triage some of these
17:19:29 <Daviey> elmiko: Wait, the open OSSN's might not all need docs?
17:19:33 <tmcpeak> this one (for example) has been going on forever
17:19:47 <elmiko> Daviey: imo no, some of them there is no clear path for an OSSN
17:19:57 <elmiko> or at the least they should be marked as incomplete
17:20:10 <Daviey> elmiko: Does that need nkinder to prune them?
17:20:55 <elmiko> Daviey: i think we should probably do an OSSN triage day where we have nkinder and others take a look over them to make sure they are relevent
17:21:03 <tmcpeak> elmiko: +1
17:21:04 <Daviey> elmiko: sprint topic?
17:21:07 <elmiko> if we make it a group effort we can probably bust through the lot of them
17:21:24 <tmcpeak> Daviey: yeah probably a good sprint effor
17:21:25 <elmiko> Daviey: that would be great
17:21:25 <tmcpeak> t
17:22:01 <elmiko> sadly, i'm thinking i won't be able to attent the mid-cycle, but i would certainly pitch in for a sprint to read them and raise questions
17:22:14 <tmcpeak> bah, elmiko not making it?
17:22:35 <tmcpeak> :(
17:22:36 <elmiko> tmcpeak: i want to, i just haven't heard back on my requests to attend =(
17:22:50 <tmcpeak> we should get a subsprint going with those that can't make it
17:22:58 <tmcpeak> to do things like OSSN cleanup, unit tests for Bandit, etc
17:23:03 <elmiko> there's still hope, but i'm not sure
17:23:11 <elmiko> tmcpeak: +1
17:23:33 <tmcpeak> cool, ok
17:23:37 <tmcpeak> #topic Midcycle
17:23:38 <michaelxin> elmiko: good luck
17:23:48 <tmcpeak> not much to say here, I think we're all up to date
17:23:58 <tmcpeak> hopefully those that are planning on attending have been able to book their hotel/flights by now
17:24:13 <tmcpeak> we'll do a self-paid social day at some point, but not sure yet when that will be
17:24:17 <tmcpeak> we can synch up in person
17:24:42 <tmcpeak> we'll also get some directions ready to explain what to do on the first day for those that haven't been to HP Seattle yet
17:25:06 <michaelxin> what's the address of HP seattle?
17:25:17 <tmcpeak> also if you have anything you'd like to propose for an agenda item please add it to the etherpad: https://etherpad.openstack.org/p/security-liberty-midcycle
17:25:33 <tmcpeak> 701 Pike St, Seattle, WA
17:25:38 <dg_> michaelxin hp seattle is in the seattle convention center
17:25:39 <tmcpeak> I think 9th floor?
17:25:45 <tmcpeak> sicarie: ^
17:25:46 <sicarie> (Suite 900 and zip of 98101)
17:25:50 <dg_> tmcpeak yeah
17:25:51 <tmcpeak> perfect
17:25:51 <michaelxin> thanks
17:26:14 <tmcpeak> we have some good items already on the etherpad
17:26:14 <dg_> worry about the details closer to the time, but basically 'convention center'
17:26:23 <tmcpeak> looks like plenty to keep us busy
17:26:37 <michaelxin> will check with boss today.
17:26:37 <tmcpeak> but if you have something else you think would be good for the midcycle, please add it to the topics section
17:26:52 <tmcpeak> along with your name (if you want to lead it) a brief synopsis, and how much effort you think it will take
17:27:27 <tmcpeak> michaelxin: great
17:27:32 <tmcpeak> #topic API Testing
17:27:35 <tmcpeak> michaelxin: any update here?
17:27:54 <bknudson> I'll take the monorail.
17:28:02 <michaelxin> sorry, I just got back from China yesterday and Matt is out of office this week.
17:28:22 <tmcpeak> ok cool no worries, we'll do an update next week
17:28:30 <michaelxin> sure.
17:28:34 <tmcpeak> #topic oslo proposal for privsep daemon library - https://review.openstack.org/#/c/204073
17:28:40 <tmcpeak> bknudson: ^
17:28:53 <bknudson> I just wanted to mention it in case security people wanted to look at it.
17:29:16 <tmcpeak> this looks promising
17:29:17 <bknudson> we talked about this at the last ossg meetup
17:29:30 <tmcpeak> oh
17:29:32 <tmcpeak> we did?
17:29:37 <bknudson> as a better implementation of rootwrap
17:29:48 <tmcpeak> I should go get my head checked I think
17:30:13 <Daviey> This is really interesting!  I've never really been happy with rootwrap
17:30:22 <sigmavirus24> bknudson: if we could get that in before glance starts using os-brick... that'd be greaaattt =P
17:30:30 <elmiko> yea, this spec looks pretty intense
17:30:33 <elmiko> very cool
17:30:45 <sigmavirus24> all I need to hear was "better implementation of rootwrap"
17:30:51 <elmiko> lol
17:31:03 <bknudson> picking up rootwrap would be a mistake IMO
17:31:03 <tmcpeak> +1 intense
17:31:18 <Daviey> At least the current one is better than the Eucalyptus C one that was rushed in.
17:32:06 <tmcpeak> I'll have to read this properly after the meeting
17:32:41 <tmcpeak> cool, ok- so this looks interesting I encourage everybody to read it :)
17:32:46 <tmcpeak> #topic AOB
17:32:48 <tmcpeak> open floor
17:33:24 <tmcpeak> sicarie: DC + BH overview?
17:33:40 <tmcpeak> anything of note for OpenStack pplz?
17:33:57 <sicarie> Sure, I think my highlight was the "cloud instructor" who was talking about different paradigms and was all excited that "in the cloud, production can change as much as five times a day!"
17:34:24 <tmcpeak> haha
17:34:27 <sicarie> I didn't see anything openstack-related
17:34:42 <sicarie> And I did try to hit all the cloud talks, even after it was apparent they were a hot mess
17:34:46 <tmcpeak> I suppose that's good
17:35:07 <elmiko> sicarie: hot mess in terms of not being that focused, or ...?
17:35:36 <sicarie> elmiko: they were either all theoretical or they were focused on very fringe firmware versions that did not go across many devices
17:35:39 <sicarie> Oh
17:35:57 <sicarie> There was one note - apparently flooding the CAN in OVS breaks all vlans and will allow arbitrary sniffing
17:36:10 <sicarie> I think that was the most useful bit
17:36:20 <elmiko> cool
17:36:34 <michaelxin> sicarie: +1
17:36:37 <elmiko> the real question though, did DefCon continue the badge hacking contest?
17:36:54 <sicarie> elmiko: yes, but in this case you just added your own stuff on top of the record
17:37:02 <tmcpeak> DC badges looked strange this year
17:37:06 <elmiko> ahh
17:37:16 <sicarie> I didn't go to the closing ceremonies - I was off at the last technical talk
17:37:35 <michaelxin> sicarie: Heard car hacking is hot this year.
17:37:44 <sicarie> michaelxin: there were 3 talks, all SRO
17:37:47 <sicarie> and a car-hacking village
17:37:54 <sicarie> I didn't get in there in time to get a badge, though :(
17:38:14 <michaelxin> wished I were there.
17:38:17 <tmcpeak> if anybody hasn't read the whitepaper Charlie Miller and Chris Valasek did on their car hacking you should
17:38:20 <sicarie> Obviously Valacek's talk was huge, the Tesla one was actually better - they went through what was done right, and all the stuff they had to rip through to get in
17:38:20 <tmcpeak> it's really good
17:38:38 <elmiko> ooh car hacking village, very cool
17:38:50 <sicarie> +1 I sat in with a few people, it was fun
17:38:53 <michaelxin> what's next?
17:39:00 <michaelxin> plane hacking village?
17:39:25 <sicarie> Oh, and the I Will Kill You talk was hysterical
17:39:54 <elmiko> michaelxin: lol
17:40:18 <bknudson> liability requirements for software haven't kept up with how it's used
17:40:21 <tmcpeak> yeah that one was great
17:40:37 <tmcpeak> hysterical and terrifying in one
17:40:50 <sicarie> And PenTesting a City
17:41:01 <sicarie> Though the slides for that one weren't as descriptive as the talk
17:41:19 <Daviey> was the ring -1 stuff overrated, or was it just me?
17:41:29 <sicarie> Daviey: ring -1?
17:43:45 <Daviey> sorry, OTP
17:43:51 <Daviey> nvm
17:44:19 <tmcpeak> cool, anything else before we wrap?
17:44:54 <Daviey> lets go home!
17:45:28 <tmcpeak> cool
17:45:30 <tmcpeak> #endmeeting