17:00:28 <hyakuhei> #startmeeting Security
17:00:29 <openstack> Meeting started Thu Oct 15 17:00:28 2015 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:31 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:33 <openstack> The meeting name has been set to 'security'
17:00:36 <tkelsey> o/
17:00:37 <hyakuhei> o/
17:00:39 <elmiko> o/
17:00:50 <hyakuhei> Who would like to co-chair (in case I get called out)
17:00:50 <dave-mccowan> o/
17:00:59 <elmiko> i can hyakuhei
17:01:06 <hyakuhei> #chair elmiko
17:01:06 <openstack> Current chairs: elmiko hyakuhei
17:01:12 <nkinder> o/
17:01:28 <michaelxin> o/
17:01:34 <hyakuhei> Hey :)
17:01:44 <hyakuhei> I’ve got the standing agenda over here: https://etherpad.openstack.org/p/security-20151015-agenda
17:01:52 <hyakuhei> Please feel free to modify/add as required
17:02:37 <redrobot> o/
17:02:40 <elmiko> man, our agenda is getting serious ;)
17:02:48 <hyakuhei> It’s scary right.
17:03:28 <hyakuhei> We didn’t get to cover some things last week because Killick and Ansible soaked up a lot of time
17:03:30 <ccneill> o/
17:03:34 <hyakuhei> hey ccneill
17:03:39 <ccneill> afternoon, all
17:03:52 <elmiko> true
17:04:26 <hyakuhei> #topic Summit
17:04:43 <tristanC> Hello!
17:04:44 <browne> hi
17:04:49 <hyakuhei> #startvote Should we cancel next weeks meeting due to the summit? Yes, No, Maybe
17:04:50 <openstack> Begin voting on: Should we cancel next weeks meeting due to the summit? Valid vote options are Yes, No, Maybe.
17:04:51 <openstack> Vote using '#vote OPTION'. Only your last vote counts.
17:04:56 <hyakuhei> #vote Yes
17:05:05 <tkelsey> #vote Yes
17:05:06 <browne> #vote Yes
17:05:15 <michaelxin> #vote Yes
17:05:15 <nkinder> #vote Yes
17:05:17 <mvaldes> #vote Yes
17:05:23 <hyakuhei> lol
17:05:27 <elmiko> #vote yes
17:05:29 <hyakuhei> That was fun!
17:05:30 <tkelsey> popular :P
17:05:33 <redrobot> #vote no
17:05:39 <nkinder> I'll already be in Tokyo next Thursday
17:05:42 <elmiko> nice redrobot ;P
17:05:45 <hyakuhei> Trust you redrobot !
17:05:51 <redrobot> ccccccombo breaker!
17:05:53 <hyakuhei> nkinder: nice! I land on Monday :-s
17:05:55 <elmiko> lol
17:05:57 <hyakuhei> #endvote
17:05:58 <openstack> Voted on "Should we cancel next weeks meeting due to the summit?" Results are
17:06:00 <openstack> Yes (7): michaelxin, mvaldes, browne, tkelsey, hyakuhei, nkinder, elmiko
17:06:01 <openstack> No (1): redrobot
17:06:05 <hyakuhei> ^ grrr
17:06:17 <hyakuhei> ok perfect, that really was fun!
17:06:22 <d-9> lol
17:06:28 <hyakuhei> Next up #link https://mitakadesignsummit.sched.org/overview/type/Security#.Vh_bWxNVhBc
17:06:32 <redrobot> I'll still be in TX and this is my lunchtime entertainment :)
17:06:35 <tkelsey> hyakuhei is easily amused :P
17:06:41 <hyakuhei> yarp
17:06:57 <hyakuhei> So We’ve got fishbowls assigned, one community one and one authZ
17:07:10 <hyakuhei> As per #link https://etherpad.openstack.org/p/security-mikata-scheduling
17:07:19 <hyakuhei> Any big issues or concerns?
17:07:37 <hyakuhei> (We can't change the title of the work sessions but if you look we’ve got one for syntribos and one for bandit)
17:08:16 <michaelxin> so, we have four sessions in total?
17:08:17 <bknudson> there's overlap with keystone sessions so I don't think I'll be able to make them all
17:08:49 <elmiko> i like that the fishbowl session no one signed up to attend is making the cut =)
17:09:00 <bknudson> record it for me
17:09:45 <hyakuhei> Well we had two suggested fishbowls
17:09:46 <hyakuhei> so....
17:09:53 <elmiko> hehe
17:09:55 <Daviey> .
17:10:03 <hyakuhei> there. fixed.
17:10:17 <hyakuhei> Daviey: Good to see you buddy!
17:10:23 <elmiko> don't get me wrong, i'm totally cool with it, but that's mainly my selfish desire to continue talking about it
17:10:37 <elmiko> hyakuhei: lol +1, love the change
17:10:44 <hyakuhei> elmiko: +1 I think its a cool idea though I have my reservations about it
17:10:52 <elmiko> agreed
17:10:59 <hyakuhei> #topic Flyer
17:11:15 <hyakuhei> I think maybe it was michaelxin who suggested having a flyer for the Security project?
17:11:26 <michaelxin> hyakuhei: Yes
17:11:29 <hyakuhei> I think that’s actually an awesome idea but I’ve not had time to come up with anything
17:11:31 <elmiko> +1, nice idea
17:11:39 <michaelxin> I will find a graphic designer
17:11:47 <tkelsey> michaelxin: +1
17:11:48 <hyakuhei> Thanks, I have no talent in that area
17:11:58 <michaelxin> And come up something early next week
17:12:15 <hyakuhei> Alternatively we could just get a stack of security project business cards, Just with the links for the group and our main functions.
17:12:19 <hyakuhei> I like the flyer idea more
17:12:25 <dg_> stickers
17:12:25 <hyakuhei> but it needs someone else to take it on
17:12:30 <tkelsey> dg_: +1
17:12:31 <michaelxin> Do you guys want this flyer to be specific to this summit?
17:12:46 <hyakuhei> Doesn’t have to be
17:12:51 <nkinder> I think we might as well make it generic so we can reuse it at meetups
17:12:54 <elmiko> i think generic would be nice
17:12:55 <michaelxin> +1
17:12:58 <ccneill> +1 stickers
17:13:00 <hyakuhei> I like the idea of getting them out at the security sessions
17:13:07 <hyakuhei> We need stickers anyway
17:13:14 <hyakuhei> :D
17:13:19 <ccneill> is there an OSSG logo?
17:13:25 <hyakuhei> No, wanna do one?
17:13:30 <elmiko> hyakuhei: +9000
17:13:32 <ccneill> I do dabble in Photoshop
17:13:34 <Daviey> (hyakuhei: Sorry, not ignoring you.. Distracted by a real life meeting)
17:13:38 <michaelxin> haha
17:13:39 <ccneill> I can try to come up with something
17:13:45 <dg_> ccneill I don't think it's called OSSG anymore...
17:13:45 * hyakuhei hrmmph's
17:13:46 <ccneill> no promises though, it's not my day job ;)
17:13:53 <michaelxin> I will ask the designer to come up with a logo too
17:13:56 <hyakuhei> OpenStack Security Project
17:14:02 <dg_> OSSP?
17:14:03 <hyakuhei> Please do both, you guys are awesome
17:14:10 <hyakuhei> dg_: sssh.
17:14:13 <michaelxin> So, we are not Openstack Security Group?
17:14:20 <hyakuhei> Not since we went big-tent
17:14:30 <hyakuhei> We’re the official OpenStack security project
17:14:33 <michaelxin> OK, OSSP then.
17:14:37 <ccneill> Openstack Security Project / OSSP, got it
17:14:44 <hyakuhei> because each $big-tent-thing is a “project"
17:15:06 <hyakuhei> Not team or ninja horde - both were rejected by the TC when I tried.
17:15:10 <michaelxin> Not sure whether we have time for stickers by next week
17:15:11 <ccneill> OpenStack Security Cabal
17:15:26 <hyakuhei> michaelxin: probably not but we’re making a start which is cool
17:15:26 <tkelsey> ccneill: lol
17:15:27 <elmiko> haha
17:15:50 <hyakuhei> Top of list for next summit for me is publicity, getting a number of cross projects in etc
17:16:31 <hyakuhei> but for this one it’s getting the crypto ducks in a row and trying to get more involved with the container people
17:16:55 <michaelxin> Just in time for our promotion in Austin.
17:17:18 <michaelxin> ccneill: will talk about OSSP in Austin openstack meetup
17:17:25 <hyakuhei> Yeah I think that’ll be a good venue to really start pushing our influence, we’re continuing to gain momentum and pick up new members
17:17:30 <hyakuhei> and convincing project
17:17:33 <hyakuhei> (projects)
17:17:42 <hyakuhei> Like Syntribos, Bandit etc
17:18:19 <hyakuhei> I haven’t arranged a specific meetup for Security at the summit because the agenda is rammed already and we largely consist of dual homed developers like bknudson
17:18:42 <hyakuhei> However, if anyone can see a good time to meet please feel free to suggest it
17:19:07 <elmiko> karaoke after midnight?
17:19:19 <hyakuhei> Why not!
17:19:21 <elmiko> hehe
17:19:27 <michaelxin> elmiko: +1
17:19:31 <hyakuhei> Anything else summit related ?
17:20:09 <hyakuhei> #topic OSSN
17:20:22 <hyakuhei> nkinder: Are you subscribed to the embargoed OSSN?
17:20:43 <nkinder> hyakuhei: I believe so (if it's the issue I'm thinking of)
17:21:01 <hyakuhei> Yeah there’s only one. It’s ready to be openly discussed / published now
17:21:07 <hyakuhei> [the notification window closed]
17:21:13 <nkinder> hyakuhei: this is the one tmcpeak worked on, right?
17:21:29 <hyakuhei> he and I wrote it up, yes
17:21:49 <nkinder> hyakuhei: so if it's ready to expose, then we should put it in an official review and we can fast-track it through
17:21:59 <hyakuhei> I’m fine with that
17:22:01 <hyakuhei> Sorry @all
17:22:25 <nkinder> hyakuhei: do you or tmcpeak want to create the review?
17:22:49 <hyakuhei> Sure I’ve just asked for the bug 1493448 to be opened up
17:22:57 <hyakuhei> Then I’ll do the review, add the fixes-bug etc
17:22:58 <nkinder> Ok, great.
17:23:21 <hyakuhei> So @all, there was a vulnerability in glance that we decided needed an OSSN rather than an OSSA
17:23:46 <hyakuhei> For the first time though we felt the issue was so severe that downstream stakeholders deserved to get advanced notice of the OSSN before it was more widely published
17:23:58 <hyakuhei> it’s nice for the VMT to show that much faith in the OSSN process
17:24:07 <hyakuhei> nkinder: what’s the general state of the other OSSN?
17:24:11 <nkinder> So for non-embargoed stuff, there's one glance one that I just pushed through.  It should merge later today, then I'll publish it.
17:24:21 <hyakuhei> sweet!
17:24:27 <nkinder> There's a trusted compute one that just needs some minor updates that elmiko pointed out
17:24:34 <elmiko> very nice
17:24:37 <nkinder> I think michaelxin was working on that one
17:24:50 <michaelxin> I will update it today.
17:25:01 <nkinder> michaelxin: thanks!
17:25:05 <hyakuhei> I’ll look to review it tomorrow am. Thanks michaelxin
17:25:28 <nkinder> I think we should retire this one - https://review.openstack.org/#/c/136203/
17:25:32 <elmiko> yea, i'll keep an eye out today
17:25:36 <hyakuhei> +1
17:25:41 <michaelxin> https://review.openstack.org/#/c/220263/8/security-notes/OSSN-0059
17:26:02 <nkinder> Ok, I'll abandon it
17:26:12 <hyakuhei> heh, depreciating vs deprecating. good catch.
17:26:31 <hyakuhei> The way I spell there’s a 50/50 chance it’d auto-correct into either of those
17:26:38 <hyakuhei> Anything else OSSN?
17:27:01 <nkinder> So that's the review queue for OSSNs.  I believe we have a few other new ones to be picked up
17:27:05 <nkinder> #link https://bugs.launchpad.net/ossn/
17:27:20 <nkinder> The backlog doesn't look too bad though
17:27:22 <hyakuhei> Yeah we cleared a lot of that out post mid-cycle
17:27:30 * ccneill bumps https://bugs.launchpad.net/ossn/+bug/1497031
17:27:30 <openstack> Launchpad bug 1497031 in OpenStack Security Notes "Authenticated Denial of Service in Blacklists" [Undecided,New]
17:27:34 <hyakuhei> probably a few there we could jump onto
17:27:35 <ccneill> <_<
17:27:49 <ccneill> I'd be happy to write it up, just haven't done it before. I can work with michaelxin on it
17:28:09 <hyakuhei> Hehe, that’s a nice issue
17:28:25 <ccneill> yeah.. gotta <3 regexes
17:28:27 <elmiko> ccneill: feel free to ping in openstack-security too, we have plenty of experienced folks now  =)
17:28:27 <hyakuhei> #link https://wiki.openstack.org/wiki/Security/Security_Note_Process
17:28:36 <ccneill> will do :)
17:28:37 <hyakuhei> yeah, quite a few of us can help
17:28:42 <michaelxin> ccneill: +1
17:28:45 <hyakuhei> Best bet if you’re not sure is to get it up for review early
17:28:57 <elmiko> +1
17:29:14 <hyakuhei> Rather than slaving on something that might go in the wrong direction we can work on it more collaboratively but as you’re the reporter I’m sure this’ll go smoothly
17:29:48 <ccneill> I'll do my best haha
17:29:59 <hyakuhei> #topic Ansible Hardening
17:30:04 <ccneill> I feel like there's a doc somewhere describing the OSSN write-up process, but I can't find it in my bookmarks at the moment
17:30:16 <hyakuhei> ^ I linked it above
17:30:19 <ccneill> shweet
17:30:29 <hyakuhei> mhayden has been super busy #link https://review.openstack.org/#/q/status:open+project:openstack/openstack-ansible-security,n,z
17:31:05 <hyakuhei> It’d be nice to show some support and review a few of those, maybe even add some. It seems like a valuable project
17:31:13 <michaelxin> we are glad to help.
17:31:21 <michaelxin> Greg already talked with Major.
17:31:36 <elmiko> i need to skill-up more on ansible...
17:31:40 <michaelxin> He will help with code reviewing.
17:32:35 <hyakuhei> elmiko: review-wise it’s not too hard to read and understand what’s going on
17:32:45 <hyakuhei> excellent
17:32:59 <hyakuhei> #topic PR
17:33:11 <hyakuhei> tmcpeak couldn’t be here so I’ll raise this :)
17:33:13 <hyakuhei> #link https://docs.google.com/presentation/d/13GG47EdoQCBEGqMe7ji_UzfO9okMTLgbnK5_UpoaXYA/edit?usp=sharing
17:33:39 <elmiko> hyakuhei: i did take a look, just didn't want to add noise. i'll circle back around though.
17:34:20 <elmiko> that deck is looking nice
17:34:46 <hyakuhei> The deck is coming together well, it needs some dry runs and perhaps some tweaks but it’s pretty good as is. Thank you to everyone who contributed
17:35:29 <Daviey> hyakuhei: are there any gaps left?
17:36:15 <hyakuhei> Daviey: none of my bits :P
17:36:27 <hyakuhei> tmcpeak can do a runthrough with us during lunch at the summit
17:36:32 <hyakuhei> Basically it needs _lots_ more speaking notes
17:37:04 <hyakuhei> at the moment there’s good slides but not much guidance for people who might not be very familiar with each of our main activities
17:37:14 <hyakuhei> Nathaniel isn’t around to talk about docs
17:37:18 <hyakuhei> tkelsey: bandit?
17:37:24 <tkelsey> can do
17:37:25 <hyakuhei> #topic Bandit
17:37:38 <tkelsey> so we pushed 0.14.0 and then 0.14.1
17:37:52 <hyakuhei> whoop!
17:37:58 <elmiko> nice
17:38:00 <tkelsey> should be no fallout for people using it in the gate, if anyone spots something, let me know
17:38:11 <michaelxin> nice
17:38:12 <browne> so we could still use some more documentation for the plugins
17:38:17 <tkelsey> lots of nice new features, checkout the info on PyPI
17:38:27 <tkelsey> browne: yeah for sure
17:38:41 <tkelsey> but we have something now at least
17:38:42 <Daviey> tkelsey: Sorry for being absent, but how is the gate checking looking?
17:39:03 <tkelsey> Daviey: looking good, you can run the coverage script to see for yourself :)
17:39:13 <tkelsey> tools/coverage.py i think
17:39:22 <Daviey> yeah, i saw that,.... nice!
17:40:04 <tkelsey> I would also like feedback on this #link https://review.openstack.org/#/c/235491/
17:40:14 <hyakuhei> I just saw the weak curve plugin, very nice.
17:40:22 <tkelsey> its the first baby steps to making a symbol table for deeper inspection in bandit
17:40:38 <browne> hyakuhei: thx, but i also forgot to doc it
17:40:47 <tkelsey> hyakuhei: yes its nice to see new crypto tests going in
17:41:04 <tkelsey> browne: yup, docs please :)
17:41:40 <tkelsey> I dont think there is too much else bandit related, anyone got anything else?
17:41:40 <browne> we should also consider bumping g-r bandit version at some point
17:41:41 <elmiko> tkelsey: symbol stuff looks interesting
17:41:54 <tkelsey> elmiko: thanks, its very experimental
17:41:54 <hyakuhei> I don’t think we have anything Anchor related
17:41:56 <ccneill> tkelsey: this looks very cool
17:41:57 <hyakuhei> elmiko tkelsey yes
17:42:04 <hyakuhei> I can see by the commit how stressy it was :P
17:42:18 <tkelsey> haha :)
17:42:27 <hyakuhei> adfkjnasdf Experimental ajsdnfkafba symbols asjbkdfa....
17:42:42 <elmiko> lol
17:42:42 <tkelsey> :P that's how i normally type
17:42:52 <hyakuhei> Anywho, it has the potential to allow you to do some very clever things with Bandit, good work tkelsey
17:43:05 <michaelxin> tkelsey: good job
17:43:20 <hyakuhei> So nothing much to say on Anchor this week. Maybe dg_ and redrobot could argue about Killick for a while ?
17:43:34 <redrobot> :)
17:44:03 <dg_> lol
17:44:10 <hyakuhei> I think that’s everything we had on the agenda this week :D
17:44:17 <hyakuhei> Also, we had an agenda this week!
17:44:22 <tkelsey> nice :)
17:44:32 <hyakuhei> #topic Any other business
17:44:33 <dg_> good work
17:44:47 <hyakuhei> Anything to add before we close?
17:44:53 <hyakuhei> Remember, no meeting next week!
17:44:56 <redrobot> dg_ will you be attending the summit?  I think it would be good to catch up
17:44:58 <michaelxin> what's our plan for container project?
17:45:09 <michaelxin> container security project
17:45:13 <hyakuhei> michaelxin: can you elaborate ?
17:45:17 <dg_> redrobot unfortunately not, but rob can cover any PKI stuff
17:45:21 <hyakuhei> +!
17:45:31 <michaelxin> That's one of the topics listed in mid-cycle.
17:45:42 <michaelxin> But we did not have time then.
17:45:48 <hyakuhei> Oh right ok
17:46:00 <hyakuhei> So there’s so much container magic moving around at the moment
17:46:07 <shelleea007> im interested in the container project as well
17:46:25 <hyakuhei> Magnum is trying to decide if it’s a COE facilitator or more of an updated Nova-Docker
17:46:35 <hyakuhei> Kolla is a thing I don’t really understand
17:46:40 <hyakuhei> plus a bunch of others
17:46:42 <michaelxin> Synopsis: Containers make security more challenging both with introspection, internal networking, and at-scale tooling. OpenStack currently has no security documentation around containers, and no resources looking at the specs on Magnum, Kuryr, or Kolla. This will be a discussion around how the container release cycle (Docker has been as much as 3 months, and as little as 3 weeks) fits into larger efforts like Kubernetes
17:46:43 <michaelxin> with OpenStack.
17:47:00 <hyakuhei> I don’t think there’s enough stability there to really throw effort in.
17:47:41 <elmiko> helping with container orchestration security seems more bang for the buck, imo
17:47:57 <elmiko> the containers themselves are still the wild-wild-west
17:48:00 <hyakuhei> In the openstack context, containers are normally layered on top of compute which somewhat isolates them
17:48:04 <hyakuhei> from say, baremetal containers
17:48:13 <hyakuhei> which would need a whole heap of extra controls
17:48:25 <elmiko> ok
17:48:55 <hyakuhei> I’m interested in a roadmap item on this and it seems like a good crossproject/fishbowl for austin but I’m open to ideas around how we could move on this more quickly
17:49:06 <elmiko> +1
17:49:14 <michaelxin> +1
17:49:46 <michaelxin> One of my team members showed strong interest and wants to lead the efforts.
17:50:04 <michaelxin> I will check with him
17:50:13 <elmiko> cool
17:50:36 <hyakuhei> excellent
17:50:45 <hyakuhei> Anything else for today ?
17:50:48 <ccneill> so.. I started working on some fuzzing utilities for functional tests (used in barbican & designate) before we started on Syntribos, and I'm trying to get them a home in tempest-lib. if anyone has some time to take a look, I'd appreciate it greatly. not a lot of interest so far it seems. this CR is basically a skeleton at this point, but I have a lot of fuzz strings to add in a follow-on CR.
17:50:49 <ccneill> you can also see them in the earlier patches. #link https://review.openstack.org/#/c/216303/
17:50:59 <ccneill> wow, that was even longer than I thought haha
17:51:20 <hyakuhei> I’ll take a look :)
17:51:30 <elmiko> ccneill: someone pointed this out to me last week, or so, i'll take another look. thanks!
17:51:31 <ccneill> ty :)
17:51:44 <tkelsey> ccneill: will look
17:51:51 <hyakuhei> nice work ccneill
17:51:59 <ccneill> thanks, all
17:52:08 <hyakuhei> Ok, I think we’re done here! Thanks everyone!
17:52:12 <hyakuhei> #endmeeting