17:00:34 <hyakuhei> #startmeeting Security
17:00:38 <openstack> Meeting started Thu Dec 10 17:00:34 2015 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:39 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:42 <openstack> The meeting name has been set to 'security'
17:00:51 <hyakuhei> Hey everybody!
17:00:55 <elmiko> hi
17:00:57 <ccneill> howdy o/
17:01:03 <greg_a> hello!
17:01:05 <michaelxin_> hi
17:01:05 <mdong> o/
17:01:12 <nkinder> o/
17:01:15 <gmurphy> o/
17:01:19 <sicarie> o/
17:01:41 <SheenaG> Oh man, I didn't realize you guys had a meeting right after Fuel - lots of familiar names!  Hi michaelxin_!  Hi ccneill!
17:01:48 <ccneill> hi there SheenaG!
17:01:53 <ccneill> long time no see
17:01:55 <bknudson> hi
17:02:12 <SheenaG> ccneill: no kidding.  Time for me to duck out, you guys have a good meeting!
17:02:16 <michaelxin_> SheenaG: How are you?
17:02:29 <hyakuhei> heh
17:02:45 <SheenaG> michaelxin_ I'm good!  I miss you guys!  Looking forward to seeing everyone up at the Austin summit
17:02:53 <michaelxin_> SheenaG: sure
17:03:02 <tmcpeak> o/
17:03:11 <tmcpeak> time ran away with me ;)
17:03:18 <hyakuhei> pffft!
17:03:23 <elmiko> hehe
17:03:24 <tkelsey> o/ all
17:03:30 <tmcpeak> debugging my crappy gate failure
17:03:33 <hyakuhei> Right so I don’t have a locked-in agenda for today (my bad)
17:03:39 <tristanC> greeting!
17:03:40 <tmcpeak> pffft
17:03:44 <hyakuhei> Did anyone pick up any of the OSSNs this week?
17:03:48 <hyakuhei> Hey tristanC
17:03:52 <elmiko> tmcpeak: lol
17:04:03 <michaelxin_> hyakuhei: not me
17:04:07 <michaelxin_> how many do we have?
17:04:15 <ccneill> I'm just back from vacation
17:04:24 <elmiko> neither did i :/
17:04:27 <tmcpeak> I was supposed to check out the OSSA's but I got stuck on something and forgot :(
17:04:34 <nkinder> hyakuhei: no new ones picked up.  Still finishing the embargoed one
17:04:34 <hyakuhei> 3-4 I think, I’ve got one in review
17:04:45 <hyakuhei> #link https://review.openstack.org/#/c/254427/
17:04:56 <nkinder> hyakuhei: ah, I'll take a look at your draft
17:05:14 <hyakuhei> Cheers
17:05:20 <michaelxin_> hyakuhei: +1
17:05:32 <michaelxin_> will check it later.
17:05:41 <hyakuhei> Thanks
17:06:38 <hyakuhei> It was an easy one because the initial writeup was good
17:07:14 <nkinder> That always helps :)
17:07:35 <hyakuhei> ok, here’s a copy-pasted agenda whoop!
17:07:39 <tmcpeak> hyakuhei: looks legit
17:07:41 <hyakuhei> #link https://etherpad.openstack.org/p/security-20151210-agenda
17:07:48 <hyakuhei> #topic Publicity
17:07:57 <hyakuhei> #link https://etherpad.openstack.org/p/security-raising-profile
17:08:07 <hyakuhei> Anyone managed to pick up any sessions?
17:08:20 <hyakuhei> By that I mean - drop in and say hello...
17:08:27 <tmcpeak> I think we decided to be ready with the Bandit baseline job first?
17:08:31 <tmcpeak> I'm working on that as we speak
17:08:35 <hyakuhei> Ah yeah that’s right
17:08:35 <tmcpeak> or was prior to the meeting
17:08:44 <hyakuhei> In the meantime the boilerplate needs working on
17:08:53 <tmcpeak> +1
17:08:58 <michaelxin_> I picked up two
17:09:04 <elmiko> hyakuhei: had not seen this pad, but i'll look into taking a session
17:09:06 <michaelxin_> and I will go to one of them today.
17:09:21 <tmcpeak> michaelxin: hold off until we have the Bandit stuff ready so we can demo it during the meeting?
17:09:24 <michaelxin_> I missed one early this morning due to some other duty
17:09:38 <michaelxin_> tmcpeak: ok
17:09:46 <elmiko> i'll definitely followup with the api-wg
17:09:57 <tmcpeak> that way they can play with it, see (hopefully) it's good, and then we can get next steps to put it in their tox
17:09:57 <michaelxin_> elmiko: sahara? right
17:10:04 <elmiko> michaelxin_: yes
17:10:09 <tmcpeak> oh yeah, I have an update on that I can wait until bandit slot
17:10:13 <michaelxin_> elmiko: +1
17:10:24 <hyakuhei> Well, you can take any meeting you want, whenever you want :) If you want to wait for Bandit so that there’s a nice way to demo / leverage it then that’s absolutely fine
17:10:27 <tmcpeak> ahh ok, if you're already set up go ahead
17:10:49 <michaelxin_> maybe, we can start to say hi
17:10:55 <michaelxin_> and learn what other people are doing.
17:11:03 <tmcpeak> seems reasonable
17:11:09 <hyakuhei> Whatever works for you as individuals, it’d be nice to drop in on the same group more than once
17:11:13 <michaelxin_> There are some emails about security issues for Fuel
17:11:15 <tmcpeak> with Sahara I'm sure elmiko can push Bandit anyway ;)
17:11:18 <hyakuhei> Maybe even being more of a security rep…
17:11:28 <hyakuhei> but that gets time intensive
17:11:31 <michaelxin_> Maybe, we can leverage opportunities like that
17:11:31 <elmiko> tmcpeak: hehe, yea. we are working towards a voting bandit gate
17:11:36 <tmcpeak> yep
17:11:46 <tmcpeak> elmiko: ok, with the baseline I think it will be easier for you ;)
17:11:52 <elmiko> cool
17:11:56 <michaelxin_> yes
17:12:21 <michaelxin_> we might have to spend time on projects to learn what people are doing
17:12:30 <michaelxin_> the challenges they face
17:12:34 <elmiko> seems like we already have good engagement with some of the projects on this list. should we just note that in the etherpad?
17:12:34 <michaelxin_> and help them
17:12:40 <elmiko> (for example, barbican)
17:12:51 <michaelxin_> elmiko: +1
17:13:16 <michaelxin_> ccneill: is working on lots of barbican security testing.
17:13:23 <elmiko> nice
17:13:36 <ccneill> <_< something like that
17:13:42 <michaelxin_> and designate
17:13:44 <ccneill> I at least know what's going on I think ;)
17:13:55 <tmcpeak> gotta start somewhere
17:14:03 <michaelxin_> mdong: too.
17:14:13 <ccneill> I've been able to poke at the code manually a bit, and mcdong and I have written some functional security tests
17:14:24 <hyakuhei> That's excellent news
17:14:25 <ccneill> still have to figure out what we want to do with the tempest-lib CR I have open..
17:14:45 <tmcpeak> ccneill: you writing them for tempest?
17:14:58 <ccneill> https://review.openstack.org/#/c/216303/ + https://review.openstack.org/#/c/237263/
17:15:00 <tmcpeak> or just unit tests in Barbican?
17:15:33 <ccneill> so I originally started with barbican, then Designate was added to my plate, and I realized that maintaining a one-off file for every product I test would be tedious
17:15:45 <ccneill> and someone from designate recommended putting it in tempest-lib
17:15:46 <tmcpeak> yeah, good to reuse
17:16:01 <ccneill> barbican + designate both use tempest-lib, so I figured it was the lowest barrier to entry
17:16:13 <ccneill> this also happened before syntribos, so there's some confusion of how/if they fit together
17:16:26 <ccneill> I think the stuff I've written makes sense mostly as a data generator; the validators I have are very simplistic
17:16:33 <tmcpeak> yeah, looks like there is some overlap
17:16:41 <tmcpeak> but still, cool stuff
17:17:02 <ccneill> sorry for that tangent, but figured it kind of fits in with our outreach
17:17:11 <tmcpeak> definitely
17:17:15 <hyakuhei> no it’s very useful
17:17:23 <ccneill> since we'll want to figure out what tools we recommend/use ourselves/etc.
17:17:45 <michaelxin_> ccneill: +1
17:17:51 <ccneill> I think maybe in Q1 I can work on integrating Syntribos and my stuff a little more
17:17:59 <ccneill> at least feeding the stuff I've done into Syntribos or something
17:18:01 <tmcpeak> maybe we can spend some time reconciling this at the midcycle
17:18:12 <tmcpeak> + planning out where we want to do our fuzzing and drawing the lines
17:18:19 <ccneill> yeah
17:18:41 <ccneill> this was built purely to serve my needs for the tests I wanted to write for those 2 products; there is definitely room for improvement haha
17:19:27 <tmcpeak> it seems to make sense to have this in tempest
17:19:34 <tmcpeak> since those are already being run in the gate
17:19:48 <tmcpeak> would have less barrier to entry than introducing a separate tool
17:19:51 <ccneill> yeah, and it's super trivial to write your own functional tests and just plug in my data generators
17:19:56 <michaelxin_> agree
17:20:11 <hyakuhei> I saw a Mirantis blog on security highlighting Syntribos
17:20:22 <hyakuhei> but completely missing the Security project as a whole
17:20:23 <tmcpeak> oh sweet, link?
17:20:28 <tmcpeak> :P
17:20:32 <hyakuhei> which made me both sad with mirantis and sad generally
17:20:52 <tmcpeak> well yeah, you'd think we'd at least have one participant from there
17:21:04 <hyakuhei> #link https://www.mirantis.com/blog/openstack-security-issues-self-defense-without-weapons/
17:21:08 <hyakuhei> You’d think right? hehe.
17:21:52 <hyakuhei> Anyway, do you guys have specific bandit things to talk about?
17:22:15 <tmcpeak> yeah
17:22:27 <hyakuhei> #topic Bandit
17:22:55 <tmcpeak> ok cool
17:23:07 <tmcpeak> so we were going to make it easy to do a Bandit gate
17:23:14 <tmcpeak> with the baseline stuff
17:23:29 <tmcpeak> and I was going to do just make a gate job template like I did for the HP stuff
17:23:49 <tmcpeak> but the project-config guys had the idea that we should just make a command line tool, and then projects can add it to their tox.ini and run it as part of flake8 checks
17:23:50 <hyakuhei> good idea
17:24:07 <tmcpeak> then a project doesn't have to do anything with config changes, they can change it themselves with their tox.ini
17:24:12 <tmcpeak> and it's also easy for developers to check locally
17:24:14 <tmcpeak> yeah
17:24:31 <hyakuhei> Ok that makes sense
17:24:33 <ccneill> +1 for easy peasy
17:24:36 <tmcpeak> so I've got this tool I've been working on: https://review.openstack.org/254455
17:24:49 <tmcpeak> the unit tests are broken (I'm debugging them)
17:24:51 <tmcpeak> but the tool works
17:24:55 <tmcpeak> if you guys want to play with it
17:25:20 <tmcpeak> basically it checks out the parent commit, runs Bandit, checks out the current commit, runs Bandit baseline, and compares
17:25:38 <tmcpeak> so even if your project has a bunch of problems, you'll only get results that are introduced as part of your code change
17:25:50 <tmcpeak> you basically run 'bandit-baseline <bandit args>' and away you go
17:25:55 <tmcpeak> it can do HTML report, txt output, etc
17:26:06 <browne> nice
17:26:07 <elmiko> tmcpeak: very cool
17:26:09 <tmcpeak> and most importantly we can just add it to the tox target
17:26:10 <wayward710> That sounds useful
17:26:27 <tmcpeak> so a project that wants to use a bandit gate but has existing issues should still be able to use it
17:26:33 <tmcpeak> it will just make sure new issues aren't introduced
17:27:09 <tmcpeak> so yeah, as soon as this unit test gets fixed we should be able to merge it, push a new Bandit that includes it, and then start socializing it
17:27:27 <ccneill> sounds awesome
17:27:34 <tmcpeak> cool, thanks guys
17:27:46 <ccneill> some of the feedback I got presenting the OSSP deck at the OS Austin meetup was one guy was VERY interested in seeing every product gate on bandit
17:27:51 <michaelxin> tmcpeak: great job
17:27:53 <elmiko> tmcpeak: +1
17:27:55 <hyakuhei> :D
17:28:03 <ccneill> so this is great stuff
17:28:15 <tmcpeak> cool, so next week it should be merged and everybody can go play around with it
17:28:36 <tmcpeak> that's all I had, tkelsey I assume you were busy?
17:28:47 <tkelsey> nope I'm here
17:28:48 <hyakuhei> #topic Anchor
17:29:04 <hyakuhei> So not a lot has happened but viraptor has been working on integrating CMC messaging
17:29:04 <tmcpeak> I mean with the changes you're working on (config stuff)
17:29:10 <tkelsey> tmcpeak: I'll look it over, I have been a bit snowed under :)
17:29:16 <tmcpeak> heh ,yeah, figured
17:29:28 <hyakuhei> because we want to leverage that (possibly) for attestation in Leeson too (certificate things)
17:29:38 <hyakuhei> tkelsey: I don’t think there’s any other Anchor things?
17:29:53 <tmcpeak> what's CMC messaging?
17:30:03 <hyakuhei> s/messaging/requests
17:30:08 <hyakuhei> (brainfart)
17:30:14 <tmcpeak> what's CMC requests?
17:30:19 <hyakuhei> It’s like google
17:30:35 <hyakuhei> CMC is a way of packaging up certificate requests
17:30:43 <hyakuhei> It comes in two variants, simple and … not
17:30:57 <hyakuhei> Barbican has a simple implementation, we want to try and implement it too
17:31:05 <tmcpeak> ahh
17:31:14 <hyakuhei> #link https://tools.ietf.org/html/rfc5272
17:31:38 <tmcpeak> I take it we've rushed right out and started integration with the complicated one? :P
17:31:44 <tkelsey> my IRC client is being lame, BRB while i relaunch it sorry!
17:32:00 <hyakuhei> We also need to put something together to better explain why ephemeral certificates are a good thing (revocation not working etc)
17:32:16 <hyakuhei> because I basically have to do a coffee talk every time someone new hears about it…
17:32:38 <tmcpeak> haha
17:32:42 <elmiko> heh, i'll bet
17:32:55 <hyakuhei> “You don't revoke certificates!” INSECURE!
17:33:07 <hyakuhei> Well, you don’t really revoke them either, you just think you do....
17:33:12 <ccneill> yeah, from presenting at OSSP, it was definitely clear that at least I am unable to articulate all the benefits of Anchor...
17:33:14 <wayward710> I would be interested in helping with that, but there will be a learning curve for me, making for a slower timeline.  Is that OK?
17:33:19 <hyakuhei> …. let's grab a coffee and maybe a white board.
17:33:19 <ccneill> er *at Austin OpenStack
17:33:34 <tmcpeak> hyakuhei: you love doing coffee talks tho? :)
17:33:43 <hyakuhei> I’d be happy to try and get some design summit space to talk about Anchor
17:33:55 <hyakuhei> Of course there’s some content on youtube already
17:33:56 <tkelsey> ok back
17:34:00 <hyakuhei> wb tkelsey
17:34:00 <tkelsey> apologies
17:34:04 <tkelsey> ty hyakuhei
17:34:11 <hyakuhei> I don’t have much to add really
17:35:15 <hyakuhei> Doug doesn’t appear to be here so nothing to add on the Killick things.
17:35:25 <hyakuhei> sicarie: What’s up with security docs?
17:35:32 <hyakuhei> (if he’s here….)
17:35:41 <sicarie> haven't had time to mess with it much the last few weeks
17:35:45 <sicarie> very little going on
17:35:58 <hyakuhei> Is it all shiny RST now ?
17:36:03 <sicarie> yep
17:36:05 <sicarie> all RST
17:36:11 <sicarie> still working on getting sphinx to build the pdf
17:36:11 <elmiko> and very shiny ;)
17:36:13 <sicarie> that's a huge pain
17:36:16 <hyakuhei> Well that makes the bar for contribution significantly lower
17:36:21 <hyakuhei> congratulations
17:36:26 <elmiko> +1
17:36:27 <hyakuhei> massive bit of work to complete
17:36:56 <hyakuhei> #topic Last meeting
17:37:09 <hyakuhei> #Vote should we hold a meeting on Thursday the 17th?
17:37:15 <tmcpeak> last meeting?
17:37:29 <michaelxin> last meeting of this year?
17:37:32 <tmcpeak> #sure
17:37:32 <tkelsey> of the year i'm guessing?
17:37:48 <elmiko> i have no objection to that
17:37:54 <nkinder> +1
17:37:54 <tkelsey> +1 I can be there then
17:37:54 <hyakuhei> #startvote Last meeting of the year on the 17th?
17:37:55 <openstack> Begin voting on: Last meeting of the year on the 17th? Valid vote options are Yes, No.
17:37:56 <openstack> Vote using '#vote OPTION'. Only your last vote counts.
17:38:00 <tkelsey> +1
17:38:08 <tmcpeak> #vote Yes
17:38:08 <hyakuhei> ^ Yay bot votey thing works :P
17:38:09 <sicarie> #vote Yes
17:38:09 <tkelsey> #vote yes
17:38:09 <nkinder> #vote Yes
17:38:10 <elmiko> #yes
17:38:13 <michaelxin> I will be here. +vote Yes
17:38:16 <ccneill> #vote yes
17:38:17 <elmiko> #vote yes
17:38:17 <hyakuhei> #vote yes
17:38:22 <michaelxin> #vote Yes
17:38:24 <wayward710> #vote yes
17:38:28 <gmurphy> #vote No - just to be different
17:38:32 <hyakuhei> Ok well I guess that was easy enough, I’m presuming we’ll skip the meeting on christmas eve
17:38:35 <elmiko> gmurphy: nice ;)
17:38:39 <hyakuhei> gmurphy: you were already way different enough!
17:38:46 <tmcpeak> #vote no Xmas eve meeting
17:38:47 <tkelsey> lol
17:38:53 <hyakuhei> lol +1
17:39:04 <hyakuhei> #showvote
17:39:10 <elmiko> wait, i thought we were doing ossp santa tracker on xmas eve?
17:39:19 <michaelxin> elmiko: +1
17:39:23 <elmiko> hehe
17:39:27 <hyakuhei> #endvote
17:39:29 <openstack> Voted on "Last meeting of the year on the 17th?" Results are
17:39:31 <tmcpeak> ossp santa modding?
17:39:42 <hyakuhei> wow the openstack bot is having a bad day....
17:39:54 <elmiko> naughty/nice list injection exploits, ftw
17:39:55 <tmcpeak> thinking… thinking
17:40:02 <tmcpeak> #santaglitches
17:40:05 <gmurphy> 42
17:40:15 <nkinder> it's going to tell us we have to meet on xmas eve...
17:40:19 <elmiko> haha
17:40:20 <tmcpeak> lol
17:40:20 <michaelxin> haha
17:40:34 <hyakuhei> rofl
17:40:38 <tmcpeak> this voting has worked wonderfully
17:40:42 <hyakuhei> ok that’s more-or-less all I had
17:40:46 <tmcpeak> midcycle?
17:40:47 <hyakuhei> #topic Any other business
17:40:58 <hyakuhei> Yes, so afaik we’re just waiting for people to confirm numbers
17:41:02 <michaelxin> mdong: can you update Syntribos?
17:41:14 <tmcpeak> cool, fair enough
17:41:16 <tmcpeak> we good on topics?
17:41:18 <hyakuhei> #link https://etherpad.openstack.org/p/security-mitaka-midcycle
17:41:20 <michaelxin> mdong has been working on Syntribos recently.
17:41:23 <mdong> I can talk a little bit on it
17:41:37 <bknudson> festivus is dec 23 so I'll be busy
17:41:44 <hyakuhei> We need to build the topics out more, add some structure, leaders for each bit as we’ve done with previous summits
17:41:50 <hyakuhei> s/summits/mid-cycles/
17:41:58 <mdong> so I’ve been working on making Syntribos more usable, namely working on its reporting
17:42:11 <elmiko> bknudson: +1
17:42:31 <tkelsey> mdong: insteresting
17:42:36 <tkelsey> *interesting
17:42:46 <mdong> trying to make it output like bandit instead of what it’s doing right now, which is writing stack traces to logs
17:42:47 <hyakuhei> +1
17:43:10 <tmcpeak> mdong: feel free to steal :)
17:43:22 <tmcpeak> that's what open source is all about
17:44:05 <michaelxin> tmcpeak: +1
17:44:12 <mdong> already on it ;)
17:44:38 <michaelxin> https://review.openstack.org/255357
17:44:56 <mdong> I should have a few more CRs up for it shortly
17:45:19 <tmcpeak> nice
17:45:26 <tmcpeak> looks like it's coming along
17:45:44 <tkelsey> mdong: nice
17:46:14 <hyakuhei> I’m really excited to see where this project goes
17:46:29 <tmcpeak> hyakuhei: +1
17:46:32 <hyakuhei> and aligning outputs of bandit and syntribos is very classy
17:46:43 <dg_> +1
17:47:04 <mdong> really the problem is that Syntribos, being based on OpenCafe, behaves very differently from Bandit
17:47:10 <elmiko> hyakuhei: +1
17:47:16 <hyakuhei> I get that, they’re different tools doing different things
17:47:20 <mdong> as far as the way its tests are written and run
17:47:38 <mdong> but as far as aligning the output it’s not too hard
17:47:45 <michaelxin> cool
17:47:45 <hyakuhei> but if the outputs, although different, can potentially be consumed in similar ways with similar look and feel, that’s going to play very nicely with developers
17:48:38 <tmcpeak> yep yep
17:49:26 <hyakuhei> Excellent. Right what else to discuss people?
17:49:42 <tkelsey> dg_: anything on Killick?
17:50:06 <tmcpeak> https://media1.giphy.com/media/4PvmF62Tl3KLe/200_s.gif
17:50:19 <hyakuhei> lol
17:50:21 <elmiko> lol, ouch
17:50:25 <tkelsey> lol
17:50:25 <tmcpeak> :P
17:50:30 <michaelxin> please sign up for mid-cycle meeting if you have not done it yet.
17:50:35 <michaelxin> :-)
17:50:36 <hyakuhei> +1
17:50:40 <hyakuhei> #endmeeting