17:00:36 <hyakuhei> #startmeeting security
17:00:38 <openstack> Meeting started Thu Dec 17 17:00:36 2015 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:39 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:42 <openstack> The meeting name has been set to 'security'
17:00:48 <elmiko> hi
17:00:58 <browne> hi
17:01:04 <hyakuhei> #chair elmiko
17:01:04 <openstack> Current chairs: elmiko hyakuhei
17:01:15 <bknudson> hola
17:01:16 <hyakuhei> ^ My internet is terrible today so adding elmiko as chair
17:01:24 <elmiko> ack
17:01:38 <elmiko> bknudson: lol, don't you start... ;)
17:01:46 <sigmavirus24> o/
17:02:28 <hyakuhei> tmcpeak sends his apologies
17:02:33 <elmiko> hyakuhei: did you have an agenda set up?
17:02:34 <hyakuhei> tkelsey: you around?
17:02:41 <tkelsey> hey yeah
17:02:42 <sigmavirus24> ¿Cómo está todo el mundo?
17:02:54 <hyakuhei> #link http://eavesdrop.openstack.org/meetings/security/2015/security.2015-12-10-17.00.html agenda
17:02:57 <hyakuhei> elmiko: ^
17:03:01 <elmiko> sigmavirus24: shades of #openstack-security
17:03:04 <elmiko> hyakuhei: thanks!
17:03:09 <sigmavirus24> elmiko: only for you
17:03:32 <hyakuhei> cool so it's time for people to start booking travel etc for the mid-cycle!
17:03:37 <hyakuhei> #topic midcycpe
17:03:41 <hyakuhei> sigh...
17:03:52 <browne> i'm booked
17:03:55 <bknudson> I haven't gotten formal approval yet, but managers haven't said no either.
17:03:59 <sigmavirus24> I'm booked for the midcycpe too
17:04:08 <hyakuhei> So yes, book your travel for the midcycpe... you'll see that I've added more detail to the etherpad
17:04:13 <elmiko> i'm in a similar state as bknudson
17:04:20 <hyakuhei> I'm intending on being there for the Barbican stuff too.
17:04:29 <bknudson> also I'm trying to advertise it so that maybe we can get more from IBM to attend
17:04:36 <elmiko> neat
17:04:57 <bknudson> I'm hoping to get 1 or 2 more to attend at least
17:05:01 <hyakuhei> #link https://etherpad.openstack.org/p/security-mitaka-midcycle
17:05:05 <hyakuhei> bknudson: excellent
17:05:14 <browne> bknudson: get some of those IBM austiners
17:05:15 <bknudson> actually, more like 2-3... forgot someone
17:06:00 <hyakuhei> So if everyone who's intending to attend take a look at the topics on the etherpad and add your name by things you care about / want to lead.
17:06:19 <hyakuhei> You can suggest things even if you don't want to lead them
17:06:53 <michaelxin> I invited Major for the meeting
17:07:19 <hyakuhei> excellent, I was happy to see his name by a few things :D
17:07:23 <michaelxin> all rooms have been booked.
17:07:31 <michaelxin> We should be good to go.
17:07:33 <hyakuhei> The Barbican guys have a good list of local hotels etc
17:07:34 <elmiko> cool
17:07:39 <hyakuhei> #link https://wiki.openstack.org/wiki/Sprints/BarbicanMitakaSprint
17:07:59 <michaelxin> I will add my contact info to the page
17:08:17 <michaelxin> and direction to the castle and check in procedure.
17:08:28 <browne> i went with a-loft. hopefully shuttle is good enough so i don't need to rent a car
17:08:29 <michaelxin> We should be ready!
17:09:26 <browne> the midcycle agenda has left out Anchor. was that on purpose?
17:09:34 <hyakuhei> michaelxin: How do refreshments / caffeination facilities work at this location, should we arrange to buy something in?
17:09:55 <michaelxin> hyakuhei: no worry.
17:10:00 <hyakuhei> browne: Not particularly, I'll add somethign
17:10:03 <michaelxin> We will provide them
17:10:08 * hyakuhei can't seem to type today.
17:10:28 <michaelxin> There are free soda, water, coffee in the castle
17:10:40 <hyakuhei> woot!
17:10:46 <bknudson> food trucks
17:10:49 <browne> score
17:10:52 <michaelxin> We will provide some refreshments, or better coffee.
17:10:53 <elmiko> wow
17:11:06 <hyakuhei> michaelxin: You guys should do this more often :P
17:11:07 <michaelxin> We will provide breakfast and lunch
17:11:11 <browne> and since its a castle, i assume there will be swords
17:11:16 <elmiko> lol
17:11:43 <hyakuhei> ok any more midcycle-things?
17:12:02 <michaelxin> We will have budget for one happy hour dinner.
17:12:10 <elmiko> oooh
17:12:24 <hyakuhei> Excellent, I'll talk to HPE about getting some budget to either throw in with you or take everyone out another night
17:12:34 <michaelxin> hyakuhei: +1
17:12:39 <michaelxin> cool
17:12:46 <hyakuhei> Let me know which would be more appropriate
17:12:46 <michaelxin> I need to run
17:12:58 <michaelxin> another night will be great
17:13:02 <michaelxin> :-)
17:13:11 <michaelxin> what do you all think?
17:13:23 <elmiko> yea, definitely another night ;)
17:13:30 <browne> +1
17:13:57 <michaelxin> sorry, need to take off.
17:13:59 <michaelxin> bye
17:14:01 <hyakuhei> thanks michaelxin
17:14:04 <elmiko> take care michaelxin
17:14:47 <hyakuhei> ok, next topic
17:15:00 <hyakuhei> #topic Embargo Privacy
17:15:19 <hyakuhei> From time to time some of you might be asked to help out with a private OSSA or OSSN
17:15:58 <hyakuhei> It's important that on these occasions you keep any information in those discussions private
17:16:11 <hyakuhei> including the title of the issue, the service that might be affected etc.
17:16:17 <bknudson> it would be handy to have a doc to point people to.
17:16:25 <elmiko> bknudson: +1
17:16:39 <hyakuhei> TBH most of the time it's core-sec so that's 3-4 people
17:16:39 <bknudson> (if there isn't one already)
17:17:15 <hyakuhei> One issue we had was that when a bug was assigned to the OSSN queue, everyone in OSSP could see it, even if the bug was a private one. That's changed now so that only the core-sec people will have visibility of such things
17:17:25 <hyakuhei> bknudson: elmiko I'm happy to consider writing up a doc
17:17:39 <hyakuhei> but other than saying "keep private things private" - I'm not sure what I'd put it in
17:17:42 <hyakuhei> *in it
17:17:54 <elmiko> hyakuhei: i think it would be useful, but given what you said about the audience maybe it doesn't need to be huge
17:17:55 <hyakuhei> This is just a general reminder really, it doesn't apply to most of you
17:18:26 <hyakuhei> elmiko: Righto, I'll put something on the wiki, we should probably document a little more about core-sec anyway
17:18:37 <sigmavirus24> There was some documentation about it in the past
17:18:38 <elmiko> hyakuhei: i don't think it hurt
17:18:43 <elmiko> *it will hurt
17:18:45 * sigmavirus24 shrugs
17:19:09 <bknudson> the common mistake is posting a review to gerrit
17:19:26 <hyakuhei> bknudson: Yup, developers accidentally disclose this stuff all the time
17:19:34 <hyakuhei> but we want to be better than them ;)
17:19:39 <bknudson> so maybe include some things to remind people not to do it.
17:20:59 <hyakuhei> Sure
17:21:18 <hyakuhei> though private OSSNs generally get written and reviewed in a private GitLab account
17:21:28 <hyakuhei> ok, that's all I had on this - I don't really want to labor the point
17:21:32 <bknudson> that would be a good suggestion
17:21:47 <bknudson> I haven't seen that done for code patches.
17:22:13 <hyakuhei> bknudson: So the context is really just writing OSSN/OSSA - A document for how to handle private bugs in general would be the responsibility of the VMT - whom I believe have already done great work in this area
17:23:32 <hyakuhei> ok, so looking at the standing agenda I can't see anything that's had a lot of movement this week
17:23:48 <hyakuhei> #topic PR
17:23:51 <hyakuhei> sicarie: you around?
17:23:55 <sicarie> yep
17:24:09 <hyakuhei> I heard you gave a good talk involving the security project yesterday or the day before
17:24:14 <hyakuhei> can you brief us on it ?
17:24:16 <sicarie> Sure
17:24:34 <sicarie> I presented the OSSP deck at the Seattle OpenStack meetup on Tuesday
17:24:42 <sicarie> Overall it was well received
17:24:46 <sicarie> a few good questions
17:24:57 <sicarie> two follow-ups on people who may be interested
17:25:04 <sicarie> (that I know of)
17:25:11 <tkelsey> nice one sicarie :) anything we should add into the deck ?
17:25:14 <elmiko> how big was the attendance?
17:25:34 <sicarie> tkelsey: I definitely changed up that deck
17:26:00 <sicarie> The deck is here
17:26:03 <sicarie> #link https://docs.google.com/presentation/d/13GG47EdoQCBEGqMe7ji_UzfO9okMTLgbnK5_UpoaXYA/edit?usp=sharing
17:26:05 <tkelsey> could you share out your revised version some place? we should iterate on stuff as we present it
17:26:09 <tkelsey> ah :D awesome
17:26:54 <sicarie> elmiko: 20-30?
17:27:08 <sicarie> I’m bad at estimating crowd size
17:27:09 <elmiko> nice
17:27:18 <hyakuhei> I'm all for iterating on the live deck :)
17:27:24 <sicarie> they had chairs in the front, but people were walking around back by the food
17:27:33 <sicarie> probably more the food than listening to me jabber
17:27:56 <elmiko> hehe
17:28:03 <sicarie> hyakuhei: I gave the caveat it would be a living doc, so those in attendance are prepared for it to change
17:28:50 <hyakuhei> Excellent
17:29:09 <hyakuhei> I'm sure if you wanted something to distribute you could use the export-as-PDF and then put it in the cloud somewhere :P
17:29:30 <hyakuhei> Azure or maybe AWS ... just to be safe
17:29:36 <tkelsey> lol
17:29:42 <elmiko> real nice...
17:29:48 <sicarie> I was going to take the flyers Rackspace posted, but didn’t end up taking a bag with me
17:29:58 <hyakuhei> They were good
17:30:00 <sicarie> In hindsight those would have been good to leave by the food
17:30:12 <elmiko> +1
17:30:16 <bknudson> OSSG napkins
17:30:20 <elmiko> hahaha
17:30:34 <hyakuhei> I guess it's too late for us to try and get some clothing made up
17:30:45 <hyakuhei> but I'll try to get something lined up for the next summit
17:30:48 <sicarie> well, i’m interested to see how the other ones go
17:32:13 <hyakuhei> We don't have an nkinder here today.
17:32:15 <hyakuhei> #topic OSSN
17:32:21 <hyakuhei> We had a couple of OSSNs issued
17:32:29 <elmiko> \o/
17:32:50 <hyakuhei> #link https://wiki.openstack.org/wiki/Security_Notes
17:33:36 <hyakuhei> 62 and 61 are the new ones
17:33:41 <hyakuhei> That's all I have on OSSN
17:33:56 <hyakuhei> The queue only has a couple
17:34:05 <hyakuhei> #link https://bugs.launchpad.net/ossn
17:34:36 <hyakuhei> It'd be good to have that cleared by the midcycle
17:34:49 <hyakuhei> and a nice place to be in comparison to the last midcycle ;)
17:35:03 <elmiko> totally
17:35:08 <hyakuhei> Is there anything interesting going on with Bandit? tkelsey ?
17:35:13 <elmiko> i thought there was some issue with that blacklist one?
17:35:37 <tkelsey> there are a few patches in review, we are pushing on with the plan to remove the config file
17:35:50 <tkelsey> please take a look if people are interested/have cycles
17:36:14 <tkelsey> I have put some words down in the etherpad around topics for the midcycle bandit session
17:36:22 <tkelsey> please leave feedback there as well :)
17:36:25 <elmiko> tkelsey: will the migration to config-less be an issue for projects currently using bandit?
17:36:26 <hyakuhei> excellent
17:36:43 <tkelsey> elmiko: no it shouldnt be, the old config will still work
17:36:51 <elmiko> got it, thanks
17:36:56 <tkelsey> its being deprecated and made optional
17:37:16 <elmiko> cool, that should make it easy =)
17:37:23 <tkelsey> yeah :) thats the plan
17:37:41 <tkelsey> thats all I have for now
17:38:12 <tkelsey> for specifics around the config file stuff, please see the spec
17:38:30 <hyakuhei> Great
17:38:46 <hyakuhei> So I'm going to move along to AOB :)
17:38:47 <tkelsey> #link https://blueprints.launchpad.net/bandit/+spec/config-change
17:39:12 <hyakuhei> #topic Any Other Business
17:39:39 <tkelsey> no AOB from me, other than to say im looking forward to the midcycle :)
17:40:27 <bknudson> meeting next week?
17:40:41 <hyakuhei> I think we can give everyone christmas-eve off
17:40:50 <hyakuhei> So long as they write one OSSN each :)
17:40:56 <elmiko> lol, nice
17:41:26 <tkelsey> haha
17:41:31 <hyakuhei> ok, lets call it there then!
17:41:33 <hyakuhei> #endmeeting