17:00:53 <tmcpeak> #startmeeting security 17:00:54 <openstack> Meeting started Thu Dec 3 17:00:53 2015 UTC and is due to finish in 60 minutes. The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:00:56 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 17:00:56 <tmcpeak> #chair hyakuhei 17:00:58 <openstack> The meeting name has been set to 'security' 17:00:59 <openstack> Current chairs: hyakuhei tmcpeak 17:01:00 <openstack> hyakuhei: Error: Can't start another meeting, one is in progress. Use #endmeeting first. 17:01:01 <hyakuhei> heh 17:01:07 <hyakuhei> Thanks tmcpeak 17:01:08 <tmcpeak> :P 17:01:10 <nkinder> Hi all 17:01:11 <tmcpeak> take it away sir 17:01:14 <ysm> o/ 17:01:21 <tmcpeak> hey nkinder 17:01:24 <nkinder> fyi - I'm only half here (in another meeting) 17:01:27 <hyakuhei> hey nkinder ! 17:01:29 <tmcpeak> fair enough 17:01:32 <browne> hi 17:01:33 <nkinder> Push OSSN stuff to the end please 17:01:42 <tmcpeak> cool 17:01:43 <hyakuhei> righto! 17:02:10 <hyakuhei> Okiedokie I guess we can get started 17:02:17 <hyakuhei> #link https://etherpad.openstack.org/p/security-20151203-agenda 17:02:20 <hyakuhei> Agenda ^ 17:02:39 <tmcpeak> nice 17:02:50 <tmcpeak> I like this etherpad approach 17:03:02 <hyakuhei> Normally I like to share them earlier 17:03:07 <hyakuhei> bumped OSSN to the bottom of the list 17:03:19 <hyakuhei> As per nkinder :) 17:03:28 <hyakuhei> Hmmm, no redrobot here. 17:03:42 <hyakuhei> ok, so I also knocked this together 17:03:46 <tmcpeak> no michaelxin either 17:03:48 <hyakuhei> #topic Publicity 17:03:55 <hyakuhei> #link https://etherpad.openstack.org/p/security-raising-profile 17:04:12 <hyakuhei> Etherpad for ideas on how to raise awareness as well as tracking which teams we’ve spammed :) 17:04:12 <michaelxin> here 17:04:18 <tmcpeak> oh nice 17:04:21 <michaelxin> sorry that I am late 17:04:30 <michaelxin> half here too. 17:04:45 <hyakuhei> General idea is that you look through, pick a few in your timezone and drop in on their meetings, add something to the teams agenda if you can 17:05:19 <hyakuhei> The boilerplate part is there for us to work on some messaging, make it easier to be consistent in meetings 17:05:34 <tmcpeak> cool, shall we prioritize in some way? 17:05:38 <michaelxin> that's a huge list 17:05:47 <tmcpeak> +1 - huge list 17:05:49 <hyakuhei> That’s almost every team 17:05:53 <hyakuhei> I’m happy to cut 17:05:55 <michaelxin> we need some security champs 17:06:07 <michaelxin> +1 for prioritizing 17:06:17 <hyakuhei> michaelxin: While I agree, for the most part we need champs to come to us 17:06:32 <hyakuhei> That is to say, people like bknudson who work on another project but also want to dip into security 17:06:56 <tmcpeak> +1 - too many groups for us to be involved with each 17:07:08 <tmcpeak> seems easier and more effective to get people interested in security within a project 17:07:10 <sicarie> hyakuhei: I was noticing this week that the neutron api folk put out a request to -dev for liaisons 17:07:11 <hyakuhei> I think the best we can do is increase our visbility and accessibility - if we build it, they <might> come 17:07:34 <bknudson> the bandit work should help 17:07:35 <hyakuhei> sicarie: We’ve tried that (years ago) - lets see if they get traction with that. 17:07:45 <tmcpeak> bknudson: agreed 17:07:48 <bknudson> maybe we need to make it clearer that bandit is an ossg project? 17:08:21 <hyakuhei> bknudson: I’d like to bask in the Bandit glory :D 17:08:29 <tmcpeak> hehe 17:08:42 <tmcpeak> I assume we'll be needing a big push again once we get the baseline gate working 17:09:00 <tmcpeak> at that point I'd imagine most projects should be ready to do at least a non-voting gate to start 17:09:28 <tmcpeak> so how should we go forward on this? 17:09:43 <michaelxin> we can brainstorm for some ideas 17:09:52 <tmcpeak> maybe get a few of us interested 17:09:56 <michaelxin> it might be a good topic for mid-cycle 17:09:58 <tmcpeak> then each sign up for 2 meetings to start? 17:10:12 <hyakuhei> Well, start with some more boilerplate on that etherpad. It’d be good if everyone just picked a couple of meetings. 17:10:29 <tmcpeak> 1) drop something on the meeting agenda, 2) introduce ourselves and our mission, 3) ask if anybody is interested in security? 17:10:35 <hyakuhei> Prioritising is great but to start with just picking those meetings that fit most easily with your schedule is fine 17:10:40 <hyakuhei> tmcpeak: Pretty much 17:10:42 <tmcpeak> ok, I'll pick a couple now 17:10:56 <hyakuhei> It would be ncie to have the Boilerplate really become more of an FAQ. 17:11:36 <michaelxin> I will sign up two 17:12:02 <tmcpeak> ok I'll take OSLO and Heat to begin 17:12:15 <hyakuhei> Great, put your name by them 17:12:37 <tmcpeak> good work hyakuhei 17:12:43 <michaelxin> +1 17:12:47 <hyakuhei> and then just strike them out (line through) when done? 17:13:10 <tmcpeak> will do 17:13:12 <hyakuhei> I’ll prune the list a little later, groking the meeting info has resulted in entries for _everything_ 17:13:15 <bknudson> we should make sure that people are clear that ossg isn't keystone 17:13:30 <tmcpeak> hehe 17:13:32 <tmcpeak> wut? 17:13:34 <bknudson> since I would think most people think that keystone handles security for their project 17:13:43 <tmcpeak> oh.. like that 17:13:44 <bknudson> most developers 17:13:50 <tmcpeak> well then we've got some work to do 17:14:08 <michaelxin> bknudson: Thanks for letting us know 17:14:38 <hyakuhei> Absolutely, that’s why I figured having some boilerplate text might be useful 17:15:08 <hyakuhei> I’ll also push to have a security-project presentation at each of the summits moving forward. 17:15:13 <tmcpeak> yeah true 17:15:17 <tmcpeak> how should we approach that? 17:15:24 <tmcpeak> we can point to the deck too 17:15:48 <hyakuhei> tbh, I’m not sure it’s that important, not many devs go to the conference talks. 17:16:32 <hyakuhei> But yeah, we need to think of other things to raise profile too 17:16:40 <michaelxin> We tried one for Tokyo 17:16:44 <tmcpeak> I just mean we can pull the boiler plate from the deck 17:16:45 <michaelxin> only two showed up 17:17:00 <bknudson> I think the best way to raise the profile in other projects is to get involved 17:17:10 <michaelxin> bknudson: +1 17:17:15 <bknudson> for example, push changes to enable bandit 17:17:17 <tmcpeak> definitely - I'm just not sure we have the resources 17:17:20 <tmcpeak> we need more bknudson's 17:17:54 <bknudson> we have to prioritize... maybe it's more important to get bandit in the projects rather than adding new features 17:17:59 <hyakuhei> I’ll be able to put some more effort from my team into pushing bandit out to other projects. 17:18:10 <hyakuhei> bknudson, possiblilty for parallel tracks 17:18:22 <bknudson> It doesn't hurt to go to the meetings and ask for volunteers 17:18:27 <hyakuhei> It’s also possible that integrating with other projects might be more approachable than creating new features 17:18:33 <bknudson> sometimes devs are looking for interesting work 17:18:43 <tmcpeak> yeah - if we just double down on getting a bandit gate in most of these, then they'll have had a (hopefully good) introduction to the security team 17:18:56 <tmcpeak> and ideally be more comfortable reaching out for design decisions and the other stuff we do 17:19:29 <bknudson> getting reminders from bandit that they don't know security should help. 17:19:29 <hyakuhei> Demonstrating value is always a good way to get buy-in 17:19:40 <tmcpeak> bknudson: :D 17:20:35 <hyakuhei> lol yes that too 17:21:15 <bknudson> how about an action plan to get a project using bandit with the new baseline feature, write up how it's done, and post a message to the mailing list 17:21:18 <hyakuhei> Anything to discuss re: Bandit specifically ? 17:21:31 <bknudson> then when you attend the meeting ask for help with this. 17:21:34 <tmcpeak> bknudson: that sounds like a great approach 17:21:38 <hyakuhei> Agree 17:21:48 <tmcpeak> ok cool, tkelsey or I can take that action 17:22:16 <tmcpeak> I'm guiding one of our internal teams through setting up the baseline gates currently :) 17:22:30 <tmcpeak> that should be it for Bandit 17:23:14 <hyakuhei> I’d be interested in helping out 17:23:17 <tmcpeak> awesome 17:23:28 <tmcpeak> let's shoot for that as the next step then 17:23:38 <hyakuhei> Throw it in the etherpad. 17:23:45 <tmcpeak> shouldn't be too bad, I've already got the requisite jenkins job manager magic 17:23:51 <tmcpeak> ok 17:23:59 <hyakuhei> Thanks tmcpeak ! 17:24:34 <tmcpeak> cool, np 17:25:26 <hyakuhei> Ok, lets roll on. We don’t have dg_ or tkelsey as they’re at HPE Discover 17:25:28 <bknudson> we don't need baseline for keystone since we've got it deployed 17:25:30 <hyakuhei> #topic Bandit 17:25:40 <hyakuhei> Anything else going on here that you’d like to discuss? 17:25:53 <tmcpeak> so we have a proposal to fix config 17:26:12 <tmcpeak> https://review.openstack.org/249128 17:26:37 <tmcpeak> basically config has been one of the major pain points 17:26:48 <tmcpeak> the file is huge, if you update Bandit a lot of times your old config doesn't work as expected, etc 17:27:16 <tmcpeak> so basically the idea is to break it up. Some stuff can be flat out removed, other stuff will be moved to dedicated profile files, and the config generator will be adapted to build profiles easily 17:27:27 <tmcpeak> I encourage you all to read it if you haven't yet 17:27:32 <bknudson> the proposal looks like it'll be a nice improvement 17:27:48 <browne> nice, i missed that spec 17:27:50 <bknudson> the bandit upgrade changes have been difficult to review 17:27:50 <tmcpeak> bknudson: awesome, was hoping you'd think so 17:27:55 <tmcpeak> (our most loyal customer) 17:28:13 <tmcpeak> bknudson: upgrade changes? 17:28:27 <bknudson> yes, when we're supporting new versions of bandit 17:28:31 <bknudson> and the config file changes 17:28:32 <tmcpeak> oh yeah.. 17:28:38 <tmcpeak> so this should obviate the need to do that 17:28:41 <bknudson> it's difficult for reviewers to know if it's correct or not 17:29:02 <tmcpeak> basically what you'll do from a keystone perspective is run "bandit —include 101-150" or something 17:29:07 <tmcpeak> and then it will just run the right tests 17:29:12 <browne> yea 17:29:23 <tmcpeak> similar to how PEP8 works 17:29:27 <bknudson> no config file? 17:29:29 <tmcpeak> nope 17:29:34 <tmcpeak> you can have a profile file 17:29:38 <tmcpeak> that specifies which tests and settings 17:29:45 <tmcpeak> and if you have that profile it'll work from one version to the next 17:30:08 <tmcpeak> bc each plugin has defaults values for what it needs built in 17:30:08 <bknudson> that works as long as it doesn't put too many lines in the tox.ini 17:30:19 <tmcpeak> bknudson: it'll be really small tox.ini 17:31:32 <tmcpeak> we'd like to get these done before midcycle but who knows 17:31:40 <tmcpeak> that special not working time of the year is rolling on up 17:31:47 <browne> tmcpeak: when is midcycle? 17:31:52 <hyakuhei> speaking of the midcycle, we don’t have a whole-lot of signups 17:31:53 <tmcpeak> Jan 11-15 I think 17:31:59 <hyakuhei> #link https://etherpad.openstack.org/p/security-mitaka-midcycle 17:32:12 <hyakuhei> Has Rackspace confirmed the space now? 17:32:18 <michaelxin> hyakuhei: yes 17:32:26 <michaelxin> We booked the conferences for both 17:32:28 <michaelxin> teams 17:32:48 <tmcpeak> yeah we don't… time to scare up more participants! 17:32:54 <hyakuhei> Wonderful, I thought was the case but thank you for the confirmation. 17:32:59 <michaelxin> We also booked some small conference rooms if we want to break into small groups 17:33:01 <tmcpeak> #topic Midcycle 17:33:04 <hyakuhei> Perfect 17:33:05 <tmcpeak> :) 17:33:07 <bknudson> I might be able to get another couple to go. I have to advertise it. 17:33:25 <bknudson> I wasn't sure if the dates were confirmed. 17:34:06 <bknudson> #link https://wiki.openstack.org/wiki/Sprints 17:34:11 <michaelxin> The dates should be 01/12-01/15 17:34:16 <michaelxin> Tuesday to Friday 17:34:21 <tmcpeak> so.. who wants to go to midcycle and hasn't signed up? 17:34:26 <hyakuhei> I’ll add ours now 17:34:39 <bknudson> thanks! 17:34:40 <browne> i want to, but need to confirm with mgmt 17:35:06 <michaelxin> Barbian team's mid-cycle is from Monday to Wednesday 17:35:08 <tmcpeak> sigmavirus24: it's in your backyard, you should come 17:35:14 <michaelxin> So we have two day overlapped. 17:35:26 <sigmavirus24> oh? 17:35:26 <sigmavirus24> where? 17:35:54 <michaelxin> It should give us some time to work together. 17:35:55 <sigmavirus24> hm 17:35:59 <michaelxin> sigmavirus24: in the castle 17:36:26 <sigmavirus24> I will talk to my manager 17:36:29 <tmcpeak> sweet 17:38:32 <sigmavirus24> and approved 17:38:37 <tmcpeak> haha damn 17:38:38 <tmcpeak> nice 17:39:25 <michaelxin> sigmavirus24: +1 17:39:29 <tmcpeak> allright so, in conclusion - sign up if you haven't and you'd like to come to midcycle 17:40:02 <hyakuhei> +1 17:40:08 <tmcpeak> recruiting? 17:40:12 <tmcpeak> or nkinder.. 17:40:19 <hyakuhei> #topic Recruiting 17:40:25 <tmcpeak> sweet 17:40:32 <hyakuhei> Which kind of overlaps with the publicity stuff 17:40:33 <tmcpeak> I've got a slot at the OpenStack meetup in the bay 17:40:37 <hyakuhei> Excellent! 17:40:39 <tmcpeak> Jan 21st I think 17:40:43 <tmcpeak> browne said he'll come too 17:40:46 <michaelxin> ccneil delivered a talk for Austin Openstack meetup 17:40:51 <tmcpeak> nkinder would but he's actually pretty far in the boonies now 17:41:01 <tmcpeak> michaelxin: legit! 17:41:05 <tmcpeak> anything come from it? 17:41:08 <nkinder> Yeah, I'm not sure if I'll be down there at that time 17:41:08 <michaelxin> A couple of people showed interest in Bandit 17:41:13 <tmcpeak> and how was it received? I think he's the first 17:41:25 <michaelxin> none is interested in OSSP. :-( 17:41:46 <tmcpeak> how many people turned up? 17:41:53 <michaelxin> 30+ 17:42:08 <michaelxin> Visa gave a talk before our talk. 17:42:15 <tmcpeak> any feel for demographics? 17:42:28 <michaelxin> I do not know. 17:42:30 <michaelxin> I was not there. 17:42:46 <michaelxin> We will host a OWASP San Antonio in two weeks. 17:43:01 <michaelxin> We will handle out flyers. 17:43:03 <tmcpeak> nice! 17:43:10 <hyakuhei> Superb! 17:43:15 <elmiko> o/ 17:43:21 <michaelxin> And talk with people about OSSP 17:43:46 <tmcpeak> elmiko: you made it afterall :) 17:44:07 <elmiko> tmcpeak: my talk ended a little early =) 17:44:24 <tmcpeak> awesome 17:44:38 <hyakuhei> welcome elmiko 17:44:47 <hyakuhei> nkinder: you around to talk OSSNs now ? 17:44:53 <nkinder> Sure 17:44:58 <hyakuhei> #topic OSSN 17:45:17 <nkinder> So there's an embargoed one that I'm working on that's quite close to being opened up 17:45:34 <tmcpeak> yep, that ones looking good 17:45:40 <nkinder> The way the issue is being handled has changed since I drafted the note, so there are some minor changes needed. 17:46:05 <nkinder> There was another issue that was embargoed that tmcpeak and hyakuhei worked on 17:46:11 <bknudson> maybe we can get some other folks to look at the proposals, maybe they have a different opinion 17:46:29 <hyakuhei> nkinder: Does that need another look? 17:46:30 <nkinder> I believe the issue is public now, but the note was never proposed as a review 17:46:49 <tmcpeak> wait, which one is this? 17:47:04 <nkinder> hyakuhei: OSSN-0060, which is in the embargoed repo we use 17:47:20 <tmcpeak> is that the one we distributed through the OSSA channel? 17:47:29 <hyakuhei> I think so yeah 17:47:35 <hyakuhei> it never got the final release? 17:48:27 <tmcpeak> I thought it did.. 17:48:33 <nkinder> so are we dropping the OSSN? If so, we should close the OSSN bug for it and free up the OSSN number 17:48:57 <tmcpeak> no it should just be released as a public OSSN now 17:49:27 <nkinder> tmcpeak: ok, do you want to propose the review since you worked on writing it? 17:49:30 <hyakuhei> Yeah, I think it just goes out as normal 17:49:33 <nkinder> then I can review it 17:49:35 <hyakuhei> I can help with that. 17:49:47 <nkinder> ok, great. 17:49:54 <tmcpeak> nkinder: sorry I missed your comments about 0060 17:49:58 <tmcpeak> I don't read gud 17:50:04 <nkinder> The queue of OSSNs is looking pretty good 17:50:13 <nkinder> There are 3 to be picked up 17:50:25 <nkinder> one new one came in last week that should be easy - https://bugs.launchpad.net/ossn/+bug/1516031 17:50:25 <openstack> Launchpad bug 1516031 in Glance "Use of MD5 in OpenStack Glance image signature (CVE-2015-8234)" [Undecided,Triaged] 17:50:54 <hyakuhei> lol - I can knock that out tomorrow morning unless someone else wants it 17:51:01 <hyakuhei> been a while since I authored an OSSN 17:51:35 <tmcpeak> hmm 17:51:41 <nkinder> hyakuhei: cool. I'll try to get to one of the other ones once the embargoed one I'm working is wrapped up. 17:51:48 <hyakuhei> Cool 17:52:14 <tmcpeak> looks like a fun one 17:52:20 <tmcpeak> that's actually a cool bug 17:52:22 <tmcpeak> signature = rsa(sha256(md5(disk-image-content))) 17:52:22 <tmcpeak> This degrades the security of the system to that of the weakest hash, which is obviously MD5 here. 17:52:23 <hyakuhei> #action hyakuhei to pick up bug 1516031 17:52:23 <openstack> bug 1516031 in Glance "Use of MD5 in OpenStack Glance image signature (CVE-2015-8234)" [Undecided,Triaged] https://launchpad.net/bugs/1516031 17:52:32 <tmcpeak> not super obvious from the code but it's true 17:52:37 <nkinder> That's about it on the OSSN side of things. Anyone interested can pick one of then up. :) 17:52:54 <hyakuhei> Thanks nkinder 17:53:47 <elmiko> tmcpeak: a collision on the md5 would ripple up through the sha and rsa? 17:54:10 <tmcpeak> you can just brute the md5 and then calculate sha256 of it 17:54:20 <elmiko> right 17:54:21 <nkinder> yeah, hash the same input and you get the same output 17:54:24 <tmcpeak> I'm not sure how the rsa fits in 17:54:27 <hyakuhei> *sigh* 17:54:30 <elmiko> lol 17:54:33 <hyakuhei> Righto, Any other business. 17:54:41 <hyakuhei> #topic Any Other Business 17:55:13 <tristanC> oh hi folks, if I may share another list of things to do... This is the list of public OSSA issues (confirmed and incomplete): https://bugs.launchpad.net/ossa/+bugs?field.information_type%3Alist=PUBLICSECURITY&orderby=-status&start=0 17:56:06 <hyakuhei> Are these where you need opinions from us? 17:56:26 <tristanC> well the two first one needs patch 17:57:27 <tristanC> the swift one needs opinion, investigation... 17:58:04 <tristanC> and the last one also requires some more investigation 17:58:10 <hyakuhei> Excellent, anyone want to take actions on these? 17:58:34 <tmcpeak> if they haven't been done by next week I should have some time to spend 17:58:50 <hyakuhei> I’ll try to do some on Monday. 17:59:02 <tristanC> to be honest, we figured those public ossa issue would be better discussed with OSSP 17:59:21 <tmcpeak> ok cool, Ill put it on my queue for Monday too 17:59:52 <tristanC> but times is now running out, so yes if they could get reviewed next time, that would be very helpful 18:00:07 <tmcpeak> ok cool, will do 18:00:23 <tmcpeak> time is up! 18:00:28 <hyakuhei> #endmeeting