17:00:29 <tmcpeak> #startmeeting security
17:00:36 <openstack> Meeting started Thu Aug 13 17:00:29 2015 UTC and is due to finish in 60 minutes. The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:37 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:40 <openstack> The meeting name has been set to 'security'
17:00:40 <Daviey> \o
17:00:42 <tmcpeak> #charit hyakuhei
17:00:45 <tmcpeak> #chair hyakuhei
17:00:46 <openstack> Warning: Nick not in channel: hyakuhei
17:00:47 <michaelxin> hello
17:00:47 <openstack> Current chairs: hyakuhei tmcpeak
17:00:54 <tmcpeak> hey everybody
17:01:01 <bknudson> hi
17:01:02 <elmiko> hiyo/
17:01:10 <sicarie> hello
17:01:13 <tmcpeak> hyakuhei is out doing sales stuff, but he said he'll try to make it, subject to availability of n3tz on the road
17:01:17 <tmcpeak> #topic Roll Call
17:01:25 <sicarie> o/
17:01:27 <bknudson> hi
17:01:28 <tmcpeak> o/
17:01:33 <michaelxin> o/
17:01:53 <tmcpeak> sweet
17:02:24 <tmcpeak> so just a reminder, we have an agenda for each meeting here: https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity which bknudson has shown us how to use with his agenda item
17:02:42 <elmiko> very nice
17:02:43 <sigmavirus24> o/
17:02:48 <tmcpeak> hey sigma
17:02:55 <tmcpeak> so let's get right on into it
17:02:57 <michaelxin> nice
17:02:58 <tmcpeak> #topic Anchor
17:03:03 <tmcpeak> tkelsey, dg_, Daviey
17:03:20 <dg_> anchor is awesome, you should have it in your cloud
17:03:30 <elmiko> lol, nice
17:03:30 <Daviey> You should also have it in your devstack!
17:03:31 <tmcpeak> excellent, next topic :D
17:03:36 <elmiko> haha
17:03:38 <michaelxin> haha
17:03:43 <michaelxin> will try for sure
17:03:56 <Daviey> dg_: Have you any more comments on the devstack branch?
17:04:00 <tmcpeak> anything you guys want to mention this week?
17:04:06 <dg_> hopefully coming soon to Octavia as the default pki, I've been working with some of the cores trying to get it integrated
17:04:23 <dg_> daviey I've not looked at it further, it's on my list to play with further
17:04:32 <tmcpeak> very cool
17:04:40 <Daviey> #link https://wiki.openstack.org/wiki/Octavia
17:04:55 <tmcpeak> ty Daviey (saved me the Googles)
17:04:57 <Daviey> dg_: Ok, reach out to me if/when you do pls.
17:05:02 <redrobot> o/
17:05:04 <dg_> tkelsey and I have spent the last couple of days playing with devstack for something else, so we are getting more familiar with it, probably take a look at it next week
17:05:12 <tmcpeak> hello Mr. redrobot
17:05:19 <Daviey> dg_: Yeah, i saw the barbican interest
17:05:24 <dg_> daviey for sure
17:05:31 <Daviey> EOF
17:05:45 <tmcpeak> cool
17:05:55 <tmcpeak> #topic Bandit
17:06:09 <tmcpeak> we've got a new Bandit (0.13.1) in response to the good point that we weren't handling missing config very well
17:06:16 <tmcpeak> specifically we were spamming exceptions
17:06:34 <tmcpeak> Daviey got it fixed up last week and yesterday we pushed the new version to PyPI
17:06:57 <tmcpeak> browne also wrote a cool new plugin for short keysizes in cryptos
17:07:08 <Daviey> tmcpeak: Does there need to be a release announcement ?
17:07:12 <tmcpeak> that will wait for 0.14.0 as sigmavirus24 points out, we shouldn't be dropping new plugins in point releases
17:07:22 <tmcpeak> Daviey: probs not, it just fixes crap behavior, would rather not call it out :)
17:07:27 <Daviey> heh
17:07:43 <tmcpeak> I dunno, I'm open to suggestions
17:08:12 <Daviey> tmcpeak: Are we seeing any more adoption at gates?
17:08:28 <tkelsey> bah, sorry I'm late!
17:08:38 <tkelsey> what did I miss?
17:08:38 <tmcpeak> a few non-voting jobs thanks to browne and.. somebody else, can't remember ATM
17:08:59 <tmcpeak> tkelsey: we've got a handle on this security thing
17:09:02 <tmcpeak> we can all go home
17:09:07 <sigmavirus24> lol
17:09:13 <tkelsey> tmcpeak: sounds good to me, same time next week then
17:09:17 <tmcpeak> yep yep
17:09:18 <elmiko> not openstack related, but i am giving a tech talk on bandit at red hat next week =)
17:09:25 <tmcpeak> elmiko: sweet!
17:09:25 <bknudson> here's the output in keystone with latest bandit: http://logs.openstack.org/20/208620/10/check/gate-keystone-tox-bandit/d7698f9/console.html#_2015-08-13_13_14_16_081
17:09:34 <sigmavirus24> elmiko: I'm giving one on it tonight at the local UG
17:09:35 <tkelsey> elmiko: awesome
17:09:42 <elmiko> sigmavirus24: ^5
17:09:43 <sigmavirus24> although the talk is about code quality tools in general
17:09:46 <sigmavirus24> ^5
17:09:53 <michaelxin> sigmavirus24: elmiko +1
17:10:05 <tmcpeak> yeah sweet guys!
17:10:09 <tmcpeak> spread the word :)
17:10:24 <elmiko> trying =)
17:10:34 <tkelsey> bknudson: looks good, anything out of place from your perspective?
17:10:38 <Daviey> sigmavirus24: Hopefully this won't be an example of bad code!
17:10:42 <bknudson> nope, looks good.
17:10:49 <tkelsey> bknudson: awesome :)
17:10:54 <sigmavirus24> lol
17:10:56 <sigmavirus24> no it won't
17:10:58 <tmcpeak> bknudson: I always give preferential testing to the Keystone properties before release
17:11:03 <sigmavirus24> Daviey: it'll be used to improve code-q
17:11:07 <tmcpeak> since you guys have voting gates
17:11:07 <bknudson> it says when the run started but doesn't say when the run ended
17:11:20 <tmcpeak> but it's top of my list to get automation for all the gate projects
17:11:22 <bknudson> (not sure why either one is all that interesting to log)
17:11:59 <tmcpeak> bknudson: not particularly unless you're super concerned with performance
17:12:13 <tmcpeak> cool, so that's probs good for Bandit this week, keep on keeping on
17:12:19 <tmcpeak> #topic Sec Guide
17:12:27 <tmcpeak> sicarie, elmiko, Daviey, pdesai
17:12:29 <sicarie> So the migration to RST is complete
17:12:33 <Daviey> \o/
17:12:39 <tmcpeak> mwahahahahaha
17:12:41 <elmiko> whoop whoop
17:12:45 <sicarie> Awesome work from everyone
17:12:47 <tmcpeak> I mean, awesome! :)
17:12:50 <Daviey> #link http://docs.openstack.org/security-guide/
17:12:50 <sicarie> http://docs.openstack.org/security-guide/
17:13:03 <sicarie> the 'Warning' there is getting removed as soon as we get a doc core +2
17:13:10 <elmiko> the commit to delete the xml files was actually delicious
17:13:15 <sicarie> +1
17:13:18 <tmcpeak> it's… it's.. beautiful
17:13:23 <elmiko> hehe
17:13:26 <dg_> +1
17:13:30 <Daviey> sigmavirus24: Anne questioned if we should be advertising liberty coverage in docs yet?
17:13:34 <Daviey> err sicarie ^
17:13:43 <sigmavirus24> hah
17:13:51 <sigmavirus24> tab complete is not your friend
17:13:57 <Daviey> Inflippindeed
17:14:03 <elmiko> oh, and we have yet to address the current LuLu print and future pdf plans, unless sicarie addressed it already
17:14:17 <sicarie> Daviey: if it's not released, I'm not a fan of promoting it
17:14:46 <sicarie> I think we should keep an eye on it and open bugs for coverage, but I also don't know anything liberty specific we'd need to include at this point
17:14:56 <sicarie> elmiko: yes, I've been chatting with Anne and Lana about that
17:15:06 <elmiko> sicarie: awesome =)
17:15:15 <Daviey> We learned that LuLu was not insignificant sales.. which surprised me
17:15:17 <sicarie> I need to validate the tooling - it might take docbook, in which case our leaf version will be the current XML :(
17:15:23 <tmcpeak> how much?
17:15:24 <elmiko> Daviey: +1
17:15:29 <sicarie> (might ONLY take docbook)
17:15:42 <Daviey> tmcpeak: Numbers TBC, i'll dig out the comment
17:16:04 <elmiko> sicarie: ouch..
17:16:12 <tmcpeak> does that just cover printing cost or does it go to the openstack foundation in some way?
17:16:13 <sicarie> elmiko: agreed
17:16:34 <elmiko> just when i thought i had escaped xml, it drags me back in....
17:16:46 <sicarie> tmcpeak: there is a charge to update content, and then I'd imagine that some of the profits go towards cost of printing, but that is all foundation stuff
17:17:08 <sicarie> elmiko: at this point, I'm in favor of updating it, and then adding a disclaimer and opening a ticket against the docs team :)
17:17:12 <tmcpeak> ahh cool
17:17:20 <Daviey> (tmcpeak: In May 2015, 20 were sold.)
17:17:22 <elmiko> sicarie: that sounds fair
17:17:28 <tmcpeak> that's pretty solid
17:17:39 <sicarie> So that's my action for the week
17:17:45 <tmcpeak> cool
17:17:47 <sicarie> As long as I don't forget - I'm still digging out from my inbox
17:17:51 <sicarie> though I'm almost done
17:17:54 <tmcpeak> #topic Security Notes
17:18:08 <tmcpeak> nkinder: you around today?
17:18:14 <elmiko> i think we need an OSSN triage day or something
17:18:14 <tmcpeak> looks like not
17:18:17 <Daviey> I've made no progress with my inflight OSSN this week. I suck.
17:18:26 <tmcpeak> yeah, so elmiko was pointing out we have some murky OSSNs
17:18:53 <elmiko> i looked through several of the open ones to find a new target, and there is no clear winner. i think we need to make sure they are all viable for notes
17:19:19 <tmcpeak> we should definitely triage some of these
17:19:29 <Daviey> elmiko: Wait, the open OSSNs might not all need docs?
17:19:33 <tmcpeak> this one (for example) has been going on forever
17:19:47 <elmiko> Daviey: imo no, for some of them there is no clear path for an OSSN
17:19:57 <elmiko> or at the least they should be marked as incomplete
17:20:10 <Daviey> elmiko: Does that need nkinder to prune them?
17:20:55 <elmiko> Daviey: i think we should probably do an OSSN triage day where we have nkinder and others take a look over them to make sure they are relevant
17:21:03 <tmcpeak> elmiko: +1
17:21:04 <Daviey> elmiko: sprint topic?
17:21:07 <elmiko> if we make it a group effort we can probably bust through the lot of them
17:21:24 <tmcpeak> Daviey: yeah probably a good sprint effor
17:21:25 <elmiko> Daviey: that would be great
17:21:25 <tmcpeak> t
17:22:01 <elmiko> sadly, i'm thinking i won't be able to attend the mid-cycle, but i would certainly pitch in for a sprint to read them and raise questions
17:22:14 <tmcpeak> bah, elmiko not making it?
17:22:35 <tmcpeak> :(
17:22:36 <elmiko> tmcpeak: i want to, i just haven't heard back on my requests to attend =(
17:22:50 <tmcpeak> we should get a subsprint going with those that can't make it
17:22:58 <tmcpeak> to do things like OSSN cleanup, unit tests for Bandit, etc
17:23:03 <elmiko> there's still hope, but i'm not sure
17:23:11 <elmiko> tmcpeak: +1
17:23:33 <tmcpeak> cool, ok
17:23:37 <tmcpeak> #topic Midcycle
17:23:38 <michaelxin> elmiko: good luck
17:23:48 <tmcpeak> not much to say here, I think we're all up to date
17:23:58 <tmcpeak> hopefully those that are planning on attending have been able to book their hotel/flights by now
17:24:13 <tmcpeak> we'll do a self-paid social day at some point, but not sure yet when that will be
17:24:17 <tmcpeak> we can sync up in person
17:24:42 <tmcpeak> we'll also get some directions ready to explain what to do on the first day for those that haven't been to HP Seattle yet
17:25:06 <michaelxin> what's the address of HP seattle?
17:25:17 <tmcpeak> also if you have anything you'd like to propose for an agenda item please add it to the etherpad: https://etherpad.openstack.org/p/security-liberty-midcycle
17:25:33 <tmcpeak> 701 Pike St, Seattle, WA
17:25:38 <dg_> michaelxin hp seattle is in the seattle convention center
17:25:39 <tmcpeak> I think 9th floor?
17:25:45 <tmcpeak> sicarie: ^
17:25:46 <sicarie> (Suite 900 and zip of 98101)
17:25:50 <dg_> tmcpeak yeah
17:25:51 <tmcpeak> perfect
17:25:51 <michaelxin> thanks
17:26:14 <tmcpeak> we have some good items already on the etherpad
17:26:14 <dg_> worry about the details closer to the time, but basically 'convention center'
17:26:23 <tmcpeak> looks like plenty to keep us busy
17:26:37 <michaelxin> will check with boss today.
17:26:37 <tmcpeak> but if you have something else you think would be good for the midcycle, please add it to the topics section
17:26:52 <tmcpeak> along with your name (if you want to lead it), a brief synopsis, and how much effort you think it will take
17:27:27 <tmcpeak> michaelxin: great
17:27:32 <tmcpeak> #topic API Testing
17:27:35 <tmcpeak> michaelxin: any update here?
17:27:54 <bknudson> I'll take the monorail.
17:28:02 <michaelxin> sorry, I just got back from China yesterday and Matt is out of office this week.
17:28:22 <tmcpeak> ok cool no worries, we'll do an update next week
17:28:30 <michaelxin> sure.
17:28:34 <tmcpeak> #topic oslo proposal for privsep daemon library - https://review.openstack.org/#/c/204073
17:28:40 <tmcpeak> bknudson: ^
17:28:53 <bknudson> I just wanted to mention it in case security people wanted to look at it.
17:29:16 <tmcpeak> this looks promising
17:29:17 <bknudson> we talked about this at the last ossg meetup
17:29:30 <tmcpeak> oh
17:29:32 <tmcpeak> we did?
17:29:37 <bknudson> as a better implementation of rootwrap
17:29:48 <tmcpeak> I should go get my head checked I think
17:30:13 <Daviey> This is really interesting! I've never really been happy with rootwrap
17:30:22 <sigmavirus24> bknudson: if we could get that in before glance starts using os-brick... that'd be greaaattt =P
17:30:30 <elmiko> yea, this spec looks pretty intense
17:30:33 <elmiko> very cool
17:30:45 <sigmavirus24> all I needed to hear was "better implementation of rootwrap"
17:30:51 <elmiko> lol
17:31:03 <bknudson> picking up rootwrap would be a mistake IMO
17:31:03 <tmcpeak> +1 intense
17:31:18 <Daviey> At least the current one is better than the Eucalyptus C one that was rushed in.
17:32:06 <tmcpeak> I'll have to read this properly after the meeting
17:32:41 <tmcpeak> cool, ok- so this looks interesting, I encourage everybody to read it :)
17:32:46 <tmcpeak> #topic AOB
17:32:48 <tmcpeak> open floor
17:33:24 <tmcpeak> sicarie: DC + BH overview?
17:33:40 <tmcpeak> anything of note for OpenStack pplz?
17:33:57 <sicarie> Sure, I think my highlight was the "cloud instructor" who was talking about different paradigms and was all excited that "in the cloud, production can change as much as five times a day!"
17:34:24 <tmcpeak> haha
17:34:27 <sicarie> I didn't see anything openstack-related
17:34:42 <sicarie> And I did try to hit all the cloud talks, even after it was apparent they were a hot mess
17:34:46 <tmcpeak> I suppose that's good
17:35:07 <elmiko> sicarie: hot mess in terms of not being that focused, or ...?
17:35:36 <sicarie> elmiko: they were either all theoretical or they were focused on very fringe firmware versions that did not go across many devices
17:35:39 <sicarie> Oh
17:35:57 <sicarie> There was one note - apparently flooding the CAN in OVS breaks all vlans and will allow arbitrary sniffing
17:36:10 <sicarie> I think that was the most useful bit
17:36:20 <elmiko> cool
17:36:34 <michaelxin> sicarie: +1
17:36:37 <elmiko> the real question though, did DefCon continue the badge hacking contest?
17:36:54 <sicarie> elmiko: yes, but in this case you just added your own stuff on top of the record
17:37:02 <tmcpeak> DC badges looked strange this year
17:37:06 <elmiko> ahh
17:37:16 <sicarie> I didn't go to the closing ceremonies - I was off at the last technical talk
17:37:35 <michaelxin> sicarie: Heard car hacking is hot this year.
17:37:44 <sicarie> michaelxin: there were 3 talks, all SRO
17:37:47 <sicarie> and a car-hacking village
17:37:54 <sicarie> I didn't get in there in time to get a badge, though :(
17:38:14 <michaelxin> wish I had been there.
17:38:17 <tmcpeak> if anybody hasn't read the whitepaper Charlie Miller and Chris Valasek did on their car hacking you should
17:38:20 <sicarie> Obviously Valasek's talk was huge, the Tesla one was actually better - they went through what was done right, and all the stuff they had to rip through to get in
17:38:20 <tmcpeak> it's really good
17:38:38 <elmiko> ooh car hacking village, very cool
17:38:50 <sicarie> +1 I sat in with a few people, it was fun
17:38:53 <michaelxin> what's next?
17:39:00 <michaelxin> plane hacking village?
17:39:25 <sicarie> Oh, and the I Will Kill You talk was hysterical
17:39:54 <elmiko> michaelxin: lol
17:40:18 <bknudson> liability requirements for software haven't kept up with how it's used
17:40:21 <tmcpeak> yeah that one was great
17:40:37 <tmcpeak> hysterical and terrifying in one
17:40:50 <sicarie> And PenTesting a City
17:41:01 <sicarie> Though the slides for that one weren't as descriptive as the talk
17:41:19 <Daviey> was the ring -1 stuff overrated, or was it just me?
17:41:29 <sicarie> Daviey: ring -1?
17:43:45 <Daviey> sorry, OTP
17:43:51 <Daviey> nvm
17:44:19 <tmcpeak> cool, anything else before we wrap?
17:44:54 <Daviey> let's go home!
17:45:28 <tmcpeak> cool
17:45:30 <tmcpeak> #endmeeting