16:59:47 <hyakuhei> #startmeeting Security
16:59:48 <openstack> Meeting started Thu Sep 17 16:59:47 2015 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:59:50 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:59:52 <hyakuhei> #chair tmcpeak
16:59:52 <openstack> The meeting name has been set to 'security'
16:59:53 <openstack> Current chairs: hyakuhei tmcpeak
16:59:56 <tmcpeak> o/
16:59:58 <elmiko> o/
16:59:59 <hyakuhei> o/
17:00:03 <jian5397> o/
17:00:14 <michaelxin> o/
17:00:26 <redrobot_mobile> o/
17:00:29 <elmiko> gaming the attendance mechanic eh?  ;)
17:00:41 <tmcpeak> :P
17:00:46 <hyakuhei> hehe michaelxin is sneaky
17:01:03 <michaelxin> :-)
17:01:07 <bknudson> hi
17:01:12 <hyakuhei> welcome bknudson !
17:01:57 <hyakuhei> ok so I guess we’ll get going with an agenda of sorts…
17:02:02 <nkinder> hi all
17:02:03 <hyakuhei> oh hai nkinder !
17:02:04 <singlethink> o/
17:02:07 <tmcpeak> nkinder, wattup!
17:02:08 <bknudson> link to agenda?
17:02:10 <AndChat|215124> o/
17:02:12 <hyakuhei> Got a nice stack of OSSNs for you :)
17:02:20 <nkinder> Yeah, just reviewed one. :)
17:02:23 <hyakuhei> woot!
17:02:35 <nkinder> Trying to catch back up from traveling
17:02:39 <michaelxin> will find time to update mine
17:02:46 <hyakuhei> nkinder: you home now ?
17:02:50 <nkinder> Yep
17:02:50 <hyakuhei> michaelxin: Thanks buddy
17:03:10 <dave-mccowan> o/
17:04:29 <hyakuhei> Agenda: Anchor, Bandit, OSSN, Security-doc, Robs Stupid, Syntibos, Threat Analysis, ...
17:04:39 <tmcpeak> lol
17:04:40 <hyakuhei> Anything else?
17:04:44 <tmcpeak> Recruiting
17:04:58 <hyakuhei> Excellent!
17:05:05 <hyakuhei> That deck is coming on nicely
17:05:10 <michaelxin> +1
17:05:10 <tmcpeak> +1
17:05:24 <elmiko> i've made some progress on the auth deck too
17:05:30 <tmcpeak> awesome!
17:05:41 <hyakuhei> Sweet elmiko, share it with me when you can :)
17:05:46 <michaelxin> elarson: +1
17:05:46 <hyakuhei> I’ve not done much thinking around that
17:05:53 <michaelxin> elmiko: +1
17:05:53 <elmiko> so-called "on demand credential distribution and authorization control"
17:06:10 <hyakuhei> I think we can come up with something shinier :P
17:06:12 <hyakuhei> Anyway
17:06:15 <hyakuhei> #topic Anchor
17:06:34 <hyakuhei> Not a huge amount to report other than Stan has been super busy making it meet RFCs and other silly things: https://review.openstack.org/#/q/anchor+status:open,n,z
17:06:46 <hyakuhei> tkelsey and dg_ are both on PTO
17:06:55 <hyakuhei> Anyway got any Anchor queries?
17:07:11 <hyakuhei> Cool
17:07:15 <hyakuhei> #topic Bandit
17:07:19 <hyakuhei> What’s the story here ?
17:07:21 <tmcpeak> lol, that was quick
17:07:35 <hyakuhei> #link https://review.openstack.org/#/q/bandit+status:open,n,z
17:07:38 <tmcpeak> Bandit has been a little slow this week, I plan to circle back soon at least with reviews
17:07:39 <bknudson> any release planned? must have been quite a few changes since the last release
17:07:41 <tmcpeak> there are a lot in flight
17:07:46 <tmcpeak> bknudson: yeah, we need to
17:07:51 <tmcpeak> would be nice to get multi processing in
17:08:12 <tmcpeak> actually there are quite a few nice to haves in flight
17:08:20 <tmcpeak> maybe we can clear this current queue, test, and then release?
17:08:28 <bknudson> I don't think https://review.openstack.org/#/q/bandit+status:open,n,z is a long list.
17:08:34 <tmcpeak> there are some deal breaker bugs now too
17:08:40 <tmcpeak> at least one
17:08:46 <tmcpeak> severity filtering no longer works
17:08:54 <tmcpeak> so maybe release week or two?
17:08:58 <hyakuhei> ouch
17:09:07 <hyakuhei> How’s the multiprocess stuff looking?
17:09:07 <tmcpeak> yea :|
17:09:18 <tmcpeak> it looks good, much faster
17:09:20 <tmcpeak> we should JFDI
17:09:48 <hyakuhei> Plough on!
17:10:19 <tmcpeak> cool cool
17:10:26 <tmcpeak> probably good for Bandit this week
17:10:30 <tmcpeak> I'll kick up some dust before next week
17:10:31 <hyakuhei> cool
17:10:34 <tmcpeak> we'll have more to say then :)
17:10:37 <hyakuhei> #topic OSSN
17:10:47 <hyakuhei> There’s a few OSSN stacked up here : https://review.openstack.org/#/q/security-doc+status:open,n,z
17:11:03 <hyakuhei> nkinder: once theres a +1 workflow, what’s the process ?
17:11:12 <nkinder> Yep, I'm cycling through the reviews now.
17:11:24 <tmcpeak> spam messages at nkinder until mergies?
17:11:28 <hyakuhei> Excellent, I know there’s plenty there nkinder
17:11:28 <tmcpeak> :P
17:11:34 <nkinder> hyakuhei: Once they merge, I've been updating the wiki and sending them out to the mailing list
17:11:48 <hyakuhei> and you’re still happy to do that ?
17:11:53 <nkinder> There's no easy way to locate merged, but unapproved notes.
17:12:04 <nkinder> I am, though it would make sense for someone else to become familiar with it too.
17:12:15 <hyakuhei> I was wondering if we want to look at publishing gates like we have for some of the docs stuff.
17:12:35 <hyakuhei> I presume the magic that makes this work #link http://docs.openstack.org/developer/anchor
17:12:45 <elmiko> that would be cool
17:12:53 <hyakuhei> could be used for OSSNs in some similar way
17:13:12 <hyakuhei> OSSN format is already pretty close to RST
17:13:19 <nkinder> It looks like OSSN-0052 and OSSN-0055 need to be published
17:13:38 <nkinder> publishing gates would be nice
17:13:51 <hyakuhei> (I think this is a similar but separate issue from the previous “how to format OSSN” discussion.)
17:13:59 <tmcpeak> are there currently any gates?
17:14:02 <tmcpeak> line width etc?
17:14:02 <nkinder> ...but we also want to send e-mail
17:14:24 <hyakuhei> nkinder: sure, so I’m positive we could script that or do some other relatively smart thing
17:14:24 <nkinder> hyakuhei was mentioning that the jobs/tests were broken IIRC
17:14:27 <hyakuhei> gmurphy: you about?
17:15:07 <hyakuhei> Let’s maybe kick off an email thread about it? I’m sure docs / VMT have already solved some of this. The less manual cross-posting copy/pasting that’s required the better
17:15:24 <tmcpeak> +1 for no manual CCP
17:15:25 <hyakuhei> A few OSSNs are waiting for small changes from the authors
17:15:27 <nkinder> agreed
17:15:29 <gmurphy> i am
17:15:34 <gmurphy> what's up
17:15:53 <hyakuhei> gmurphy: thoughts regarding publishing OSSNs, I presume the VMT has a pretty slick process for OSSAs
17:16:29 <gmurphy> so essentially what we do now is push .yaml ossa to gerrit.
17:16:34 <gmurphy> it gets +2'd etc
17:16:52 <gmurphy> then that auto updates security.o.o
17:17:11 <gmurphy> and we've just been sending the generated .rst source out in emails
17:17:54 <gmurphy> which looks like this - http://lists.openstack.org/pipermail/openstack-announce/2015-April/000350.html
17:17:58 <hyakuhei> Sounds like there’s only one manual step there, which would be an improvement on where we are.
17:18:27 <hyakuhei> nkinder: I’d be happy to look at getting some gate magic working
17:18:43 <hyakuhei> However, it’s completely up to you :)
17:19:26 <hyakuhei> So I’ve asked a few authors to make some OSSN changes/updates
17:19:30 <gmurphy> i think these are the jenkins things that make it happen..
17:19:30 <gmurphy> http://git.openstack.org/cgit/openstack-infra/project-config/tree/jenkins/jobs/projects.yaml#n2694
17:19:36 <nkinder> hyakuhei, gmurphy: So the e-mail is still sent out there.
17:19:38 <gmurphy> http://git.openstack.org/cgit/openstack-infra/project-config/tree/jenkins/jobs/static-publish-jobs.yaml
17:19:51 <hyakuhei> If nothing happens by the weekend I’ll get out the “review -d” hammer and do the updates so we can get them out next week.
17:19:51 <nkinder> The OSSNs are in-tree in the format we e-mail out
17:20:02 <nkinder> so it's really the same one step for that part of publishing
17:20:14 <nkinder> The only other manual step is adding the note to the wiki
17:20:16 <tmcpeak> the wiki part is somewhat time consuming though huh?
17:20:25 <tmcpeak> and thoroughly manual
17:20:26 <nkinder> Nah, it's quick (but manual)
17:20:46 <tmcpeak> ahh ok
17:21:18 <hyakuhei> Another point: How should we manage releasing this wave of OSSNs, will it be seen as a bad thing to dump out 3-6 OSSNs in a day or two?
17:21:41 <michaelxin> one per week?
17:21:59 <nkinder> No, I think that will be fine
17:22:06 <nkinder> I'll publish the 2 that are merged today
17:22:06 <hyakuhei> cool
17:22:14 <nkinder> all of the others I looked at need some minor updates
17:22:23 <hyakuhei> I suppose that’s what openstack-announce is for anyway, and -dev is such high traffic no-one should mind.
17:23:00 <nkinder> I can give the authors a few days, then make the tweaks myself early next week if needed
17:23:33 <hyakuhei> Yeah, that’s what I was saying above, give them a few days and then we can just bring them up to scratch and publish.
17:24:03 <nkinder> Yep.  There are a few more that might merge today once I look them over
17:24:24 <michaelxin> nkinder: +1
17:24:33 <hyakuhei> michaelxin: Your trustedVM OSSN. Even if it’s _not_ a vulnerability as such, OSSNs can address common misconceptions about the implied security qualities of a product or feature
17:24:48 <michaelxin> hyakuhei: Got it. Thanks.
17:25:45 <nkinder> hyakuhei: agreed.  I think a note would still be good for that one.
17:26:10 <hyakuhei> Sweet
17:26:15 <hyakuhei> Anything else for OSSN ?
17:26:41 <tmcpeak> ship it :P
17:26:53 <nkinder> nope
17:26:58 <hyakuhei> Cool
17:27:07 <hyakuhei> So next up I had security-doc discussion
17:27:17 <hyakuhei> sicarie_: ?
17:27:33 <sicarie_> There's not much to discuss there
17:27:42 <hyakuhei> How’s the RST transformation ?
17:27:48 <sicarie_> Compete
17:27:52 <sicarie_> Complete
17:28:00 <sicarie_> Sorry, on the bus into the office
17:28:21 <elmiko> added a new sec-doc core, worth mentioning
17:28:23 <sicarie_> We found an rst to pdf converter
17:28:30 <hyakuhei> oooh
17:28:30 <sicarie_> +1
17:28:38 <michaelxin> +1
17:28:44 <sicarie_> A new doc core is helping with the sec guide
17:28:48 <hyakuhei> Excellent
17:29:01 <hyakuhei> The guide is nice
17:29:09 <hyakuhei> Coming on well, lots of new contributions
17:29:15 <sicarie_> So just trying to get everything in before we push a new leaf version
17:29:16 <hyakuhei> I thought the crypto discussion looked good
17:29:25 <sicarie_> Yeah, that was a good addition
17:29:40 <hyakuhei> Did you see that thread regarding Ansible hardening ?
17:29:54 <sicarie_> No, I missed out
17:29:55 <tmcpeak> who's the doc core?
17:29:56 <sicarie_> It
17:30:07 <hyakuhei> I’ll see if I can find it
17:30:16 <sicarie_> tmcpeak we have a few helping, the new one is Kato
17:30:23 <tmcpeak> ahh cool
17:30:27 <sicarie_> hyakuhei thanks
17:30:35 <hyakuhei> #link http://permalink.gmane.org/gmane.comp.cloud.openstack.devel/63644
17:30:54 <tmcpeak> oh yeah, this was interesting
17:31:04 <sicarie_> Nice, ill see what we can add to the guide
17:31:30 <hyakuhei> Sweet. Anything else?
17:31:35 <sicarie_> Not from me
17:31:42 <hyakuhei> #topic PTL
17:31:45 <sicarie_> elmiko?
17:32:01 <elmiko> you covered it, just bug fixes to note as well
17:32:03 <hyakuhei> #link https://review.openstack.org/224798
17:32:09 <hyakuhei> So I screwed up just a little bit ^^
17:32:23 <bknudson> we're lucky a black hat didn't come in and take over.
17:32:37 <elmiko> lol, that would have been epic
17:33:05 <sicarie_> Viva la revolucion!
17:33:09 <hyakuhei> Could still happen, it’s all in the hands of the TC now :) I presume they can be bribed with booze, money or legos and I’m working on a solution
17:33:13 <bknudson> I guess the tc gets to pick
17:33:20 <hyakuhei> Names in a hat ?
17:33:31 <elmiko> hyakuhei: i didn't realize these things went through gerrit. should we add +1s if we agree, or is it just a different process?
17:33:44 <tmcpeak> do we have to do elections?
17:33:44 <michaelxin> +1
17:33:47 <bknudson> I haven't seen the voting process yet
17:33:47 <hyakuhei> Feel free to +1 as a sign of support
17:33:54 <hyakuhei> It will be ignored by the committee
17:34:09 <hyakuhei> I think they just moved to Gerrit this cycle
17:34:20 <elmiko> cool, i'm into meaningless gestures ;)
17:34:23 <hyakuhei> Previously I think it was all done on the ML but I could be wrong.
17:34:44 <bknudson> voting is usually using an on-line form for condorcet voting
17:34:50 <hyakuhei> Yeah
17:34:55 <hyakuhei> So gerrit isn’t for voting
17:35:00 <tmcpeak> yeah, I never saw gerrit before
17:35:02 <hyakuhei> just announcing candidates / verifying
17:35:11 <elmiko> bknudson: oh yea, good point
17:35:15 <hyakuhei> but this process passed me (and four other PTLs) by
17:35:20 <bknudson> although I don't know how the tc goes about picking a ptl
17:35:29 <hyakuhei> That is undocumented...
17:35:35 <tmcpeak> we didn't do that whole determine the voting base thing either :|
17:35:47 <hyakuhei> That’s part of the gerrit stuff
17:35:52 <hyakuhei> I think it will happen by magic
17:35:53 <tmcpeak> how?
17:35:58 <hyakuhei> Same way ATCs are decided
17:36:05 <hyakuhei> I’m guessing
17:36:18 <hyakuhei> I think I’ve demonstrated I don’t have a firm grasp of the process ;)
17:37:01 <michaelxin> who are four other PTLs?
17:37:15 <hyakuhei> Barbican, Magnum and some others I don’t recall
17:37:31 <bknudson> tc is going to be busy
17:37:36 <michaelxin> hyakuhei: Thanks.
17:37:50 <sicarie_> michaelxin is planning a takeover
17:37:55 <hyakuhei> Active projects all, I presume all PTLs busy doing PTL things :P
17:38:19 <michaelxin> sicarie_:lol
17:38:30 <hyakuhei> So, moving on from my failings...
17:38:40 <hyakuhei> #topic Syntribos
17:38:49 <hyakuhei> michaelxin: Anything awesome to share?
17:39:05 <michaelxin> still working on moving the project.
17:39:10 <hyakuhei> So this is pretty exciting: #link https://review.openstack.org/#/c/220351/
17:39:15 <michaelxin> I was told that stack forge is frozen
17:39:36 <michaelxin> that's it.
17:39:39 <hyakuhei> Bringing it in as a top level security project is fine with me
17:39:47 <tmcpeak> +1
17:39:55 <hyakuhei> Though it does mean I have to change the outline on our project diagram
17:40:09 <michaelxin> hyakuhei: tmcpeak Thanks.
17:40:09 <hyakuhei> #link https://wiki.openstack.org/wiki/File:SecurityProjectPillars.png
17:40:17 <hyakuhei> heh.
17:40:38 <tmcpeak> back to Visio for you hyakuhei
17:40:43 <hyakuhei> :’(
17:40:45 <elmiko> just slice up the bandit/anchor region
17:41:01 <hyakuhei> We already have it as a vertical on the right
17:41:08 <elmiko> oh yea, oops
17:41:09 <michaelxin> +1
17:41:18 <tmcpeak> oh yeah
17:41:49 <tmcpeak> you might not have a handle on this candidacy process but you're a fortune teller when it comes to diagrams ;)
17:42:04 <hyakuhei> :D
17:42:12 <elmiko> lol
17:42:46 <hyakuhei> dg_ isn’t around to talk about Threat Analysis/Modelling
17:42:57 <hyakuhei> #topic Recruiting
17:43:06 <tmcpeak> cool, so we're on the books with the first meetup
17:43:07 <sicarie_> He started a folder in grit he was populating
17:43:13 <hyakuhei> tmcpeak: What’s the link to the google doc again? Is it globally shared/viewable?
17:43:24 <tmcpeak> OpenStack in Seattle Dec 15th
17:43:30 <tmcpeak> I'll make it globally viewable
17:43:31 <sicarie_> Grit -> gerrit
17:43:49 <michaelxin> https://etherpad.openstack.org/p/security-project-recruiting
17:43:54 <hyakuhei> Thanks tmcpeak
17:44:23 <michaelxin> https://docs.google.com/presentation/d/13GG47EdoQCBEGqMe7ji_UzfO9okMTLgbnK5_UpoaXYA/edit?usp=sharing_eid
17:44:33 <tmcpeak> https://docs.google.com/presentation/d/13GG47EdoQCBEGqMe7ji_UzfO9okMTLgbnK5_UpoaXYA/edit?usp=sharing
17:44:38 <tmcpeak> ;)
17:44:55 <tmcpeak> also this
17:44:56 <tmcpeak> https://etherpad.openstack.org/p/security-project-recruiting
17:45:05 <tmcpeak> as you register for events please put them here
17:45:11 <tmcpeak> I also took a shot at an abstract
17:45:31 <michaelxin> tmcpeak: +1
17:45:44 <tmcpeak> so all please set up your local events
17:45:57 <tmcpeak> I'll be delayed until I get back to the bay, but would be nice to have a round done by January
17:46:00 <hyakuhei> I’ll try to add some Anchor over the weekend.
17:46:07 <tmcpeak> hyakuhei: awesome
17:46:26 <hyakuhei> Who else do you need contributions from ?
17:46:31 <michaelxin> still need slides for Anchor
17:46:52 <tmcpeak> it would be nice to have notes at the bottom of each slide
17:47:00 <tmcpeak> so people that aren't as familiar with each project know what's important to say
17:47:09 <michaelxin> tmcpeak: +1
17:47:22 <tmcpeak> I'll do one for Bandit
17:47:28 <tmcpeak> sicarie_: can you do notes for sec guide?
17:47:31 <tmcpeak> hyakuhei: anchor?
17:47:35 <tmcpeak> nkinder: want to play?
17:47:44 <hyakuhei> Yeah speaking notes make sense
17:47:45 <sicarie> tmcpeak: sure
17:47:50 <tmcpeak> sweet
17:48:07 <tmcpeak> I'll do OSSA too since I made that section
17:48:14 <nkinder> tmcpeak: yeah, I'll take a look at OSSNs
17:48:16 <tmcpeak> michaelxin: syntribos please?
17:48:20 <tmcpeak> nkinder: thank you
17:48:29 <michaelxin> tmcpeak: got it.
17:48:33 <tmcpeak> awesome
17:48:40 <tmcpeak> so hopefully we should have the deck done by next week
17:48:52 <tmcpeak> would anybody like help setting up events in their area or you all got a good handle on it?
17:49:16 <hyakuhei> tmcpeak: Did you have a UK event targeted?
17:49:21 <tmcpeak> hyakuhei: not yet
17:49:22 <michaelxin> I am good with San Antonio and Austin
17:49:29 <tmcpeak> I can set one up or you want to?
17:49:31 <michaelxin> Already updated the page
17:49:53 <hyakuhei> I’ll look for one, I was just checking :)
17:49:57 <tmcpeak> I've learned from Seattle that the earlier you can start the process the better :)
17:50:12 <tmcpeak> I'll even start trying to set up something in the bay now
17:50:31 <tmcpeak> with the assumption that events like OWASP are booked out pretty far in advance
17:51:07 <tmcpeak> that's probably it for recruiting this week
17:51:11 <hyakuhei> Excellent work, I hope this is fruitful, the bar for entry is pretty high for OpenStack Security, OpenStack itself has so many moving/option pieces.
17:51:21 <hyakuhei> Thanks tmcpeak lets keep recruiting as a regular feature.
17:51:31 <nkinder> tmcpeak: when the deck is finished, it might even make sense to have a trimmed down version for lightning talks
17:51:32 <tmcpeak> hyakuhei: +1 would be nice to get more bodies
17:51:32 <tmcpeak> ;)
17:51:42 <tmcpeak> nkinder: good point
17:51:52 <hyakuhei> #topic Any other business
17:51:52 <tmcpeak> as it is could probably just lightning through it :)
17:51:57 <nkinder> tmcpeak: ...that way we can still give presos at conferences where we don't have an accepted slot
17:52:01 <hyakuhei> elmiko: How’s your auth writeup going?
17:52:07 <tmcpeak> definitely
17:52:24 <elmiko> hyakuhei: about 5-6 pages in to a slide deck, i'd like to finish this up then do a spec-style writeup as well
17:52:40 <singlethink> sicarie_: What are you using for RST -> PDF conversion?
17:52:44 <nkinder> hyakuhei: restore your +2 on this, and I can get it pushed out today - https://review.openstack.org/#/c/219922/
17:52:45 <elmiko> i'm thinking i will be ready to share some stuff next week and we can start hammering out details and reworking
17:53:11 <sicarie> singlethink: rst2pdf I think - I had a few to go through once we got an idea of where we wanted to be
17:53:16 <elmiko> trying to keep it open at the moment and stick to what we talked about during the midcycle, also noting some questions that are coming up
17:53:18 <hyakuhei> elmiko: Great, thank you, I’d like to contribute as much as I can.
17:53:40 <hyakuhei> nkinder: done.
17:53:40 <elmiko> hyakuhei: for sure, i'm not trying to own this, just want to have something complete that we can collab. on
17:53:51 <hyakuhei> Sounds good to me :)
17:53:51 <singlethink> sicarie: just curious... we use pandoc heavily at work for md -> pdf, docx, etc. conversion with good results
17:54:15 <hyakuhei> sicarie: That’s what Atom uses for rst->pdf too
17:54:25 <hyakuhei> it _hates_ tables though (at least when I tried it)
17:54:26 <sicarie> singlethink: thanks, I'll take a look - there's something with that and the docs team I remember it coming up before
17:54:33 <sicarie> That might have been it
17:54:39 <singlethink> Yes... tables are one of its weaknesses
17:55:05 <singlethink> For us, it's nice because we already write markdown in all of our GitHub repos
17:55:20 <hyakuhei> Yeah, I really like GH MD
17:55:21 <singlethink> from there we can go to pdf, docx, or other formats using a configurable template
17:55:22 <hyakuhei> pretty
17:55:47 <singlethink> It does have some warts though (like tables)
17:57:38 <hyakuhei> Anything else people ?
17:58:17 <michaelxin> bye
17:58:20 <michaelxin> thanks.
17:58:20 <hyakuhei> I guess that’s a wrap! Thank you for a very productive meeting!
17:58:23 <hyakuhei> #endmeeting