16:59:47 #startmeeting Security
16:59:48 Meeting started Thu Sep 17 16:59:47 2015 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:59:50 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:59:52 #chair tmcpeak
16:59:52 The meeting name has been set to 'security'
16:59:53 Current chairs: hyakuhei tmcpeak
16:59:56 o/
16:59:58 o/
16:59:59 o/
17:00:03 o/
17:00:14 o/
17:00:26 o/
17:00:29 gaming the attendance mechanic eh? ;)
17:00:41 :P
17:00:46 hehe michaelxin is sneaky
17:01:03 :-)
17:01:07 hi
17:01:12 welcome bknudson !
17:01:57 ok so I guess we’ll get going with an agenda of sorts…
17:02:02 hi all
17:02:03 oh hai nkinder !
17:02:04 o/
17:02:07 nkinder, wattup!
17:02:08 link to agenda?
17:02:10 o/
17:02:12 Got a nice stack of OSSNs for you :)
17:02:20 Yeah, just reviewed one. :)
17:02:23 woot!
17:02:35 Trying to catch back up from traveling
17:02:39 will find time to update mine
17:02:46 nkinder: you home now ?
17:02:50 Yep
17:02:50 michaelxin: Thanks buddy
17:03:10 o/
17:04:29 Agenda: Anchor, Bandit, OSSN, Security-doc, Robs Stupid, Syntribos, Threat Analysis, ...
17:04:39 lol
17:04:40 Anything else?
17:04:44 Recruiting
17:04:58 Excellent!
17:05:05 That deck is coming on nicely
17:05:10 +1
17:05:10 +1
17:05:24 i've made some progress on the auth deck too
17:05:30 awesome!
17:05:41 Sweet elmiko, share it with me when you can :)
17:05:46 elarson: +1
17:05:46 I’ve not done much thinking around that
17:05:53 elmiko: +1
17:05:53 so-called "on demand credential distribution and authorization control"
17:06:10 I think we can come up with something shinier :P
17:06:12 Anyway
17:06:15 #topic Anchor
17:06:34 Not a huge amount to report other than Stan has been super busy making it meet RFCs and other silly things: https://review.openstack.org/#/q/anchor+status:open,n,z
17:06:46 tkelsey and dg_ are both on PTO
17:06:55 Anyway got any Anchor queries?
17:07:11 Cool
17:07:15 #topic Bandit
17:07:19 What’s the story here ?
17:07:21 lol, that was quick
17:07:35 #link https://review.openstack.org/#/q/bandit+status:open,n,z
17:07:38 Bandit has been a little slow this week, I plan to circle back soon at least with reviews
17:07:39 any release planned? must have been quite a few changes since the last release
17:07:41 there are a lot in flight
17:07:46 bknudson: yeah, we need to
17:07:51 would be nice to get multi processing in
17:08:12 actually there are quite a few nice to haves in flight
17:08:20 maybe we can clear this current queue, test, and then release?
17:08:28 I don't think https://review.openstack.org/#/q/bandit+status:open,n,z is a long list.
17:08:34 there are some deal breaker bugs now too
17:08:40 at least one
17:08:46 severity filtering no longer works
17:08:54 so maybe release week or two?
17:08:58 ouch
17:09:07 How’s the multiprocess stuff looking?
17:09:07 yea :|
17:09:18 it looks good, much faster
17:09:20 we should JFDI
17:09:48 Plough on!
17:10:19 cool cool
17:10:26 probably good for Bandit this week
17:10:30 I'll kick up some dust before next week
17:10:31 cool
17:10:34 we'll have more to say then :)
17:10:37 #topic OSSN
17:10:47 There’s a few OSSN stacked up here : https://review.openstack.org/#/q/security-doc+status:open,n,z
17:11:03 nkinder: once there's a +1 workflow, what’s the process ?
17:11:12 Yep, I'm cycling through the reviews now.
17:11:24 spam messages at nkinder until mergies?
17:11:28 Excellent, I know there’s plenty there nkinder
17:11:28 :P
17:11:34 hyakuhei: Once they merge, I've been updating the wiki and sending them out to the mailing list
17:11:48 and you’re still happy to do that ?
17:11:53 There's no easy way to locate merged, but unapproved notes.
17:12:04 I am, though it would make sense for someone else to become familiar with it too.
17:12:15 I was wondering if we want to look at publishing gates like we have for some of the docs stuff.
17:12:35 I presume the magic that makes this work #link http://docs.openstack.org/developer/anchor
17:12:45 that would be cool
17:12:53 could be used for OSSNs in some similar way
17:13:12 OSSN format is already pretty close to RST
17:13:19 It looks like OSSN-0052 and OSSN-0055 need to be published
17:13:38 publishing gates would be nice
17:13:51 (I think this is a similar but separate issue from the previous “how to format OSSN” discussion.)
17:13:59 are there currently any gates?
17:14:02 line width etc?
17:14:02 ...but we also want to send e-mail
17:14:24 nkinder: sure, so I’m positive we could script that or do some other relatively smart thing
17:14:24 hyakuhei was mentioning that the jobs/tests were broken IIRC
17:14:27 gmurphy: you about?
17:15:07 Let's maybe kick off an email thread about it? I’m sure docs / VMT have already solved some of this. The less manual cross-posting copy/pasting that’s required the better
17:15:24 +1 for no manual CCP
17:15:25 A few OSSNs are waiting for small changes from the authors
17:15:27 agreed
17:15:29 i am
17:15:34 what's up
17:15:53 gmurphy: thoughts regarding publishing OSSNs, I presume the VMT has a pretty slick process for OSSAs
17:16:29 so essentially what we do now is push .yaml ossa to gerrit.
17:16:34 it gets +2'd etc
17:16:52 then that auto updates security.o.o
17:17:11 and we've just been sending the generated .rst source out in emails
17:17:54 which looks like this - http://lists.openstack.org/pipermail/openstack-announce/2015-April/000350.html
17:17:58 Sounds like there’s only one manual step there, which would be an improvement on where we are.
17:18:27 nkinder: I’d be happy to look at getting some gate magic working
17:18:43 However, it’s completely up to you :)
17:19:26 So I’ve asked a few authors to make some OSSN changes/updates
17:19:30 i think these are the jenkins things that make it happen..
17:19:30 http://git.openstack.org/cgit/openstack-infra/project-config/tree/jenkins/jobs/projects.yaml#n2694
17:19:36 hyakuhei, gmurphy: So the e-mail is still sent out there.
17:19:38 http://git.openstack.org/cgit/openstack-infra/project-config/tree/jenkins/jobs/static-publish-jobs.yaml
17:19:51 If nothing happens by the weekend I’ll get out the “review -d” hammer and do the updates so we can get them out next week.
17:19:51 The OSSNs are in-tree in the format we e-mail out
17:20:02 so it's really the same one step for that part of publishing
17:20:14 The only other manual step is adding the note to the wiki
17:20:16 the wiki part is somewhat time consuming though huh?
17:20:25 and thoroughly manual
17:20:26 Nah, it's quick (but manual)
17:20:46 ahh ok
17:21:18 Another point: How should we manage releasing this wave of OSSNs, will it be seen as a bad thing to dump out 3-6 OSSNs in a day or two?
17:21:41 one per week?
17:21:59 No, I think that will be fine
17:22:06 I'll publish the 2 that are merged today
17:22:06 cool
17:22:14 all of the others I looked at need some minor updates
17:22:23 I suppose that’s what openstack-announce is for anyway, and -dev is such high traffic no-one should mind.
17:23:00 I can give the authors a few days, then make the tweaks myself early next week if needed
17:23:33 Yeah, that’s what I was saying above, give them a few days and then we can just bring them up to scratch and publish.
17:24:03 Yep. There are a few more that might merge today once I look them over
17:24:24 nkinder: +1
17:24:33 michaelxin: Your trustedVM OSSN. Even if it’s _not_ a vulnerability as such, OSSNs can address common misconceptions about the implied security qualities of a product or feature
17:24:48 hyakuhei: Got it. Thanks.
17:25:45 hyakuhei: agreed. I think a note would still be good for that one.
17:26:10 Sweet
17:26:15 Anything else for OSSN ?
17:26:41 ship it :P
17:26:53 nope
17:26:58 Cool
17:27:07 So next up I had security-doc discussion
17:27:17 sicarie_: ?
17:27:33 There's not much to discuss there
17:27:42 How’s the RST transformation ?
17:27:48 Compete
17:27:52 Complete
17:28:00 Sorry, on the bus into the office
17:28:21 added a new sec-doc core, worth mentioning
17:28:23 We found an rst to pdf converter
17:28:30 oooh
17:28:30 +1
17:28:38 +1
17:28:44 A new doc core is helping with the sec guide
17:28:48 Excellent
17:29:01 The guide is nice
17:29:09 Coming on well, lots of new contributions
17:29:15 So just trying to get everything in before we push a new leaf version
17:29:16 I thought the crypto discussion looked good
17:29:25 Yeah, that was a good addition
17:29:40 Did you see that thread regarding Ansible hardening ?
17:29:54 No, I missed out
17:29:55 who's the doc core?
17:29:56 It
17:30:07 I’ll see if I can find it
17:30:16 tmcpeak we have a few helping, the new one is Kato
17:30:23 ahh cool
17:30:27 hyakuhei thanks
17:30:35 #link http://permalink.gmane.org/gmane.comp.cloud.openstack.devel/63644
17:30:54 oh yeah, this was interesting
17:31:04 Nice, I'll see what we can add to the guide
17:31:30 Sweet. Anything else?
17:31:35 Not from me
17:31:42 #topic PTL
17:31:45 elmiko?
17:32:01 you covered it, just bug fixes to note as well
17:32:03 #link https://review.openstack.org/224798
17:32:09 So I screwed up just a little bit ^^
17:32:23 we're lucky a black hat didn't come in and take over.
17:32:37 lol, that would have been epic
17:33:05 Viva la revolucion!
17:33:09 Could still happen, it’s all in the hands of the TC now :) I presume they can be bribed with booze, money or legos and I’m working on a solution
17:33:13 I guess the tc gets to pick
17:33:20 Names in a hat ?
17:33:31 hyakuhei: i didn't realize these things went through gerrit. should we add +1s if we agree, or is it just a different process?
17:33:44 do we have to do elections?
17:33:44 +1
17:33:47 I haven't seen the voting process yet
17:33:47 Feel free to +1 as a sign of support
17:33:54 It will be ignored by the committee
17:34:09 I think they just moved to Gerrit this cycle
17:34:20 cool, i'm into meaningless gestures ;)
17:34:23 Previously I think it was all done on the ML but I could be wrong.
17:34:44 voting is usually using an on-line form for condorcet voting
17:34:50 Yeah
17:34:55 So gerrit isn’t for voting
17:35:00 yeah, I never saw gerrit before
17:35:02 just announcing candidates / verifying
17:35:11 bknudson: oh yea, good point
17:35:15 but this process passed me (and four other PTLs) by
17:35:20 although I don't know how the tc goes about picking a ptl
17:35:29 That is undocumented...
17:35:35 we didn't do that whole determine the voting base thing either :|
17:35:47 That’s part of the gerrit stuff
17:35:52 I think it will happen by magic
17:35:53 how?
17:35:58 Same way ATCs are decided
17:36:05 I’m guessing
17:36:18 I think I’ve demonstrated I don’t have a firm grasp of the process ;)
17:37:01 who are the four other PTLs?
17:37:15 Barbican, Magnum and some others I don’t recall
17:37:31 tc is going to be busy
17:37:36 hyakuhei: Thanks.
17:37:50 michaelxin is planning a takeover
17:37:55 Active projects all, I presume all PTLs busy doing PTL things :P
17:38:19 sicarie_: lol
17:38:30 So, moving on from my failings...
17:38:40 #topic Syntribos
17:38:49 michaelxin: Anything awesome to share?
17:39:05 still working on moving the project.
17:39:10 So this is pretty exciting: #link https://review.openstack.org/#/c/220351/
17:39:15 I was told that stack forge is frozen
17:39:36 that's it.
17:39:39 Bringing it in as a top level security project is fine with me
17:39:47 +1
17:39:55 Though it does mean I have to change the outline on our project diagram
17:40:09 hyakuhei: tmcpeak Thanks.
17:40:09 #link https://wiki.openstack.org/wiki/File:SecurityProjectPillars.png
17:40:17 heh.
17:40:38 back to Visio for you hyakuhei
17:40:43 :’(
17:40:45 just slice up the bandit/anchor region
17:41:01 We already have it as a vertical on the right
17:41:08 oh yea, oops
17:41:09 +1
17:41:18 oh yeah
17:41:49 you might not have a handle on this candidacy process but you're a fortune teller when it comes to diagrams ;)
17:42:04 :D
17:42:12 lol
17:42:46 dg_ isn’t around to talk about Threat Analysis/Modelling
17:42:57 #topic Recruiting
17:43:06 cool, so we're on the books with the first meetup
17:43:07 He started a folder in grit he was populating
17:43:13 tmcpeak: What’s the link to the google doc again? Is it globally shared/viewable?
17:43:24 OpenStack in Seattle Dec 15th
17:43:30 I'll make it globally viewable
17:43:31 Grit -> gerrit
17:43:49 https://etherpad.openstack.org/p/security-project-recruiting
17:43:54 Thanks tmcpeak
17:44:23 https://docs.google.com/presentation/d/13GG47EdoQCBEGqMe7ji_UzfO9okMTLgbnK5_UpoaXYA/edit?usp=sharing_eid
17:44:33 https://docs.google.com/presentation/d/13GG47EdoQCBEGqMe7ji_UzfO9okMTLgbnK5_UpoaXYA/edit?usp=sharing
17:44:38 ;)
17:44:55 also this
17:44:56 https://etherpad.openstack.org/p/security-project-recruiting
17:45:05 as you register for events please put them here
17:45:11 I also took a shot at an abstract
17:45:31 tmcpeak: +1
17:45:44 so all please set up your local events
17:45:57 I'll be delayed until I get back to the bay, but would be nice to have a round done by January
17:46:00 I’ll try to add some Anchor over the weekend.
17:46:07 hyakuhei: awesome
17:46:26 Who else do you need contributions from ?
17:46:31 still need slides for Anchor
17:46:52 it would be nice to have notes at the bottom of each slide
17:47:00 so people that aren't as familiar with each project know what's important to say
17:47:09 tmcpeak: +1
17:47:22 I'll do one for Bandit
17:47:28 sicarie_: can you do notes for sec guide?
17:47:31 hyakuhei: anchor?
17:47:35 nkinder: want to play?
17:47:44 Yeah speaking notes make sense
17:47:45 tmcpeak: sure
17:47:50 sweet
17:48:07 I'll do OSSA too since I made that section
17:48:14 tmcpeak: yeah, I'll take a look at OSSNs
17:48:16 michaelxin: syntribos please?
17:48:20 nkinder: thank you
17:48:29 tmcpeak: got it.
17:48:33 awesome
17:48:40 so hopefully we should have the deck done by next week
17:48:52 would anybody like help setting up events in their area or you all got a good handle on it?
17:49:16 tmcpeak: Did you have a UK event targeted?
17:49:21 hyakuhei: not yet
17:49:22 I am good with San Antonio and Austin
17:49:29 I can set one up or you want to?
17:49:31 Already updated the page
17:49:53 I’ll look for one, I was just checking :)
17:49:57 I've learned from Seattle that the earlier you can start the process the better :)
17:50:12 I'll even start trying to set up something in the bay now
17:50:31 with the assumption that events like OWASP are booked out pretty far in advance
17:51:07 that's probably it for recruiting this week
17:51:11 Excellent work, I hope this is fruitful, the bar for entry is pretty high for OpenStack Security, OpenStack itself has so many moving/option pieces.
17:51:21 Thanks tmcpeak let's keep recruiting as a regular feature.
17:51:31 tmcpeak: when the deck is finished, it might even make sense to have a trimmed down version for lightning talks
17:51:32 hyakuhei: +1 would be nice to get more bodies
17:51:32 ;)
17:51:42 nkinder: good point
17:51:52 #topic Any other business
17:51:52 as it is could probably just lightning through it :)
17:51:57 tmcpeak: ...that way we can still give presos at conferences where we don't have an accepted slot
17:52:01 elmiko: How’s your auth writeup going?
17:52:07 definitely
17:52:24 hyakuhei: about 5-6 pages in to a slide deck, i'd like to finish this up then do a spec-style writeup as well
17:52:40 sicarie_: What are you using for RST -> PDF conversion?
17:52:44 hyakuhei: restore your +2 on this, and I can get it pushed out today - https://review.openstack.org/#/c/219922/
17:52:45 i'm thinking i will be ready to share some stuff next week and we can start hammering out details and reworking
17:53:11 singlethink: rst2pdf I think - I had a few to go through once we got an idea of where we wanted to be
17:53:16 trying to keep it open at the moment and stick to what we talked about during the midcycle, also noting some questions that are coming up
17:53:18 elmiko: Great, thank you, I’d like to contribute as much as I can.
17:53:40 nkinder: done.
17:53:40 hyakuhei: for sure, i'm not trying to own this, just want to have something complete that we can collab. on
17:53:51 Sounds good to me :)
17:53:51 sicarie: just curious... we use pandoc heavily at work for md -> pdf, docx, etc. conversion with good results
17:54:15 sicarie: That’s what Atom uses for rst->pdf too
17:54:25 it _hates_ tables though (at least when I tried it)
17:54:26 singlethink: thanks, I'll take a look - there's something with that and the docs team I remember it coming up before
17:54:33 That might have been it
17:54:39 Yes... tables are one of its weaknesses
17:55:05 For us, it's nice because we already write markdown in all of our GitHub repos
17:55:20 Yeah, I really like GH MD
17:55:21 from there we can go to pdf, docx, or other formats using a configurable template
17:55:22 pretty
17:55:47 It does have some warts though (like tables)
17:57:38 Anything else people ?
17:58:17 bye
17:58:20 thanks.
17:58:20 I guess that’s a wrap! Thank you for a very productive meeting!
17:58:23 #endmeeting