17:02:03 #startmeeting security 17:02:03 Meeting started Thu Jan 21 17:02:03 2016 UTC and is due to finish in 60 minutes. The chair is elmiko. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:02:04 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 17:02:06 The meeting name has been set to 'security' 17:02:10 hi 17:02:29 hey all 17:02:42 hi 17:02:57 o/ 17:03:23 haven't talked with hyakuhei, not sure what's on the agenda. so let's gather some topics 17:03:29 i'd like to discuss sec-doc 17:03:40 threat analysis :D 17:03:42 bandit 1.0 pls :) 17:03:42 i'm guessing we should get status for bandit and anchor? 17:03:50 ack, threat analysis 17:04:06 ossp outreach 17:04:10 +1 17:04:26 hi 17:04:29 sorry I am late 17:04:46 o/ 17:04:48 no prob, we're still gathering topics 17:04:52 #chair tmcpeak 17:04:52 Current chairs: elmiko tmcpeak 17:05:01 hey elmiko, thanks for starting! :) 17:05:03 syntribos status? 17:05:07 was in another meeting and got distracted 17:05:31 #link https://etherpad.openstack.org/p/ossp-meeting-agenda-2016-01-21 17:05:38 i'm adding agenda items there ^^ 17:06:18 elmiko: sure 17:06:23 please add an item if you'd like to discuss it =) 17:06:30 lgtm 17:06:30 ok then, 17:06:44 #topic sec doc 17:06:45 feedback for mid-cycle 17:07:09 i wanted to highlight this review 17:07:13 #link https://review.openstack.org/#/c/258846/ 17:07:31 sicarie, i think that review is proving troublesome and we could use a few more eyes on it 17:07:40 ack 17:07:53 I don't have many free cycles for hte next 10 days, but I'll make sure I hit that one 17:07:59 thanks 17:08:10 any other specific updates for the guide? 17:08:31 are there docs that say that :file: is deprecated? 17:08:45 they should be linked in the commit message 17:08:48 Hi all. Sorry I'm late. 17:09:03 hey nkinder good to see you 17:09:03 bknudson: yea... agreed about linking it in 17:09:03 can we break that into smaller patches, like Ian suggested? 17:09:15 mvaldes: i hope so, but please add your comments on the review =) 17:09:19 hi nkinder ! 17:09:25 oh yea.. that's how it works :) 17:09:29 hehe 17:09:58 sicarie: any other updates for the guide? 17:10:15 not at the moment 17:10:18 k 17:10:32 #topic midcycle feedback/review 17:10:38 (should have started with this) 17:10:44 thanks all for everybody that attended! 17:10:47 so, midcyclers, how did it go? =) 17:10:50 +1 17:10:56 you should know, you were on a huge screen for most of it! 17:11:01 >.< 17:11:05 all hail the dark lord elmiko 17:11:10 yea, but i missed all the fun stuff 17:11:11 sorry I didn't get to meet more of you in person! stupid allergies/cold/whatever/voice-eating-monster 17:11:11 hahaha 17:11:19 ccneill: =( 17:11:19 we got a ton of stuff done, RAX was an awesome host 17:11:25 sweet 17:11:29 i learned a lot 17:11:33 so I guess for those that attended - what went well and what should we do better next time? 17:11:43 any feedback about things that worked well or could be improved? 17:11:45 jinx 17:11:50 :D 17:11:52 tmcpeak: +1 17:12:02 i have no complaints 17:12:03 rackspace was a really good host, many thanks rackers! 17:12:07 Collaboration with Baribican is good 17:12:15 I'd say our unconference style continues to be productive 17:12:16 tkelsey: Anytime 17:12:25 :) 17:12:32 our pleasure! it was a good time 17:12:39 Tim's deep dive into bandit is great 17:12:41 michaelxin: yea, it seemed like having ossp and barbican together was very useful 17:12:54 redrobot ^^ 17:12:57 yeah it seems like we've got a few new Bandit contributers now, which is always awesome 17:12:57 We've got keystone meetup next week and I'm hoping we'll do the unconference. 17:13:05 o/ 17:13:10 michaelxin: thanks :) 17:13:11 Major's demonstration is cool too. 17:13:14 * redrobot pretends he wasn't late 17:13:17 unconference does seem to work well for us 17:13:17 tmcpeak: yeah looks like :) 17:13:24 redrobot: no worries =) 17:13:34 We might need to come with more deliverables during planning stage. 17:13:54 michaelxin: elaborate please? 17:13:57 michaelxin: would you mind expanding on that a little 17:13:59 haha 17:14:12 tmcpeak: GET OUT OF MY MIND!!! 17:14:15 ;) 17:14:16 :# 17:14:35 Say, we talk about outreach or anchor. 17:14:36 I agree, unconference format was awesome. Totally stole the idea for Barbican too. 17:14:47 it's contagious! 17:15:01 What did we accomplish during mid-cycle for these topics? 17:15:21 For some topics, we talked a lot but there is no action items 17:15:24 no follow up. 17:15:27 michaelxin: is it a case of needing better note taking during those sessions, or just making more firm plans? 17:15:28 michaelxin: you mean like a status report afterwards? 17:15:33 to michaelxin point, i had to think pretty hard to list out what we achieved. it would be good to have some goals going in, and some defined tasks on the way out 17:15:38 michaelxin: good point 17:15:49 this is good feedback 17:15:55 elmiko: +1 17:16:03 where did all of the pictures from the midcycle end up? 17:16:06 mvaldes, michaelxin yeah hyakuhei, tkelsey and I had to do some for HP also. Maybe we could pool efforts next time at the end to come up with a master list 17:16:16 browne: i think michaelxin has them on google somewhere... 17:16:17 tmcpeak: +1 17:16:17 browne: it is in google photos. 17:16:22 tmcpeak: +1 17:16:35 browne: I think hyakuhei had some 17:16:39 what I suggested (as the only person who wasn't actually there) was maybe coming up with sort of "user acceptance criteria" for each topic, and then we can use that as a checklist 17:16:42 https://goo.gl/photos/BaWfnFKSc8NtuYia8 17:16:57 tmcpeak: certainly would make reporting back easier for all participants 17:16:58 so we don't have to duplicate effort (i.e. "we'll do this" and then "we did this") 17:16:59 Rob and I have SuperUser post in the works about it too 17:17:02 oh ok, will those make it into the blog? 17:17:12 ccneill: nice idea 17:17:17 elmiko: yeah definitely 17:17:21 tmcpeak: sweet, +1 17:17:26 +1 17:17:42 ok cool, good points, so next time we'll pool efforts on the post mortem :) 17:17:52 tmcpeak: +1 17:18:07 maybe something for the last day session, a recap/review type of breakdown 17:18:19 yep, sounds legit 17:18:30 browne: Did you see the pictures? 17:18:40 michaelxin: yep thx 17:18:42 #info having a post-mortem of the midcycle would be very useful for participants 17:18:48 cool 17:18:52 so what's the status of the blog? 17:18:59 #topic blog 17:19:04 it's up, Rob's got a couple of posts in the works 17:19:12 oh cool 17:19:16 anybody that wants to contribute please do, should be pretty easy 17:19:22 http://openstack-security.github.io/ 17:19:27 write in MD, name it in a format that github.io understands and gtg 17:19:31 #chair hyakuhei_ 17:19:33 Current chairs: elmiko hyakuhei_ tmcpeak 17:19:35 #link http://openstack-security.github.io 17:19:38 thanks dg_ 17:19:41 Hey, sorry I’m late, #lifeboat things 17:19:42 ooer 17:19:56 all good man 17:19:59 hyakuhei_: np, and hey =) 17:20:14 hyakuhei_: agenda started here, https://etherpad.openstack.org/p/ossp-meeting-agenda-2016-01-21 17:20:18 So those blogs are obviously a work in progress, they’ve not been shared anywhere yet and perhaps we can keep it that way fora a little while :) 17:20:29 Excellent thank you elmiko, tmcpeak 17:20:52 Please continue, I’m enjoying this waltzing in late and having things already being done :) 17:20:58 hehe 17:21:08 is there a good way for us to collaborate on the blog posts? 17:21:09 ok, any other updates on the blog? 17:21:15 (if needed) 17:21:19 mvaldes: maybe etherpad? 17:21:19 well, it’s github, and it’s under an org 17:21:24 mvaldes: i'm guessing patches to the repo would be acceptable 17:21:29 so let me know your nick and I can add you there 17:21:30 im going to blog some stuff soon 17:21:36 +1 17:21:39 Yeah, so direct pull requests are welcome. 17:21:45 jqxin2006 17:21:50 I’d also like to consider using gerrithub perhaps 17:22:02 I tried reviewable but it made me hate life 17:22:07 haha 17:22:27 michaelxin: I’ll add you to the openstack-security org now. 17:22:35 hyakuhei_: Thanks. 17:22:42 hyakuhei_: mattvaldes 17:22:47 :) thanks 17:22:58 The blogs are stored/authored here: https://github.com/openstack-security/openstack-security.github.io 17:23:04 Thanks! 17:23:28 anything else on this topic? 17:23:40 We are creating an internal blog 17:23:52 and a external blog about mid-cycle 17:23:56 nice 17:24:01 it will be published soon. 17:24:09 I hope. :-) 17:24:15 That will be interesting to see, since I wasn't able to go to the meeting 17:24:23 michaelxin: ok you’re added to the org (with RW on the blog) - anyone else? 17:24:27 and we can all get ssh access to rackspaces internal network for the blog? ;) 17:24:36 me please 17:24:51 Also please feel free to open pull requests for obviously good changes to the jekyll configuration etc 17:24:58 hyakuhei_: add mattvaldes please 17:25:01 tkelsey: you’re already in the org 17:25:10 lol 17:25:10 elmiko: I will mail you my RSA token 17:25:15 \o/ 17:25:18 nice! 17:25:22 mvaldes: added. 17:25:24 hyakuhei_: ty 17:25:39 Both blogs should be same. :-) 17:25:54 A likely story 17:26:04 #info bug hyakuhei if you need access to the securit blog organization on github 17:26:15 moving on 17:26:18 #topic bandit 17:26:23 tkelsey, tmcpeak, updates? 17:26:26 tkelsey: roll it 17:26:39 ok, so we talked about 1.0 in the midcycle 17:26:56 we came up with some work items to make that happen, and now are pushing though them 17:27:20 cool 17:27:26 things like breaking out blacklists, fixing up test_set, profiles etc 17:27:35 there are a number of patches in review right now 17:27:43 so please take a look if your interested 17:27:58 I think the work items are on the eitherpad 17:28:05 (if not i'll add them) 17:28:19 The link? 17:28:19 also of interest, Ryan_Lee from Lyft has a cool plugin in flight to try to find hardcoded creds using entropy analysis 17:28:24 do you have a date for when you think 1.0 will be out? I'm wondering for timing purposes. 17:28:26 i noticed that Ryan_Lane has suggested several interesting features in irc too, which is cool 17:28:27 tmcpeak: +1 17:28:37 tmcpeak: +1 17:28:39 +1 17:28:43 so thats Ober and Lyft using it :) 17:28:46 some great conversations around bandit in irc recently 17:28:46 *uber 17:28:59 bknudson: +1 17:29:00 yeah looks like awesome stuff. And we love it when people contribute, especially those that aren't necessarily involved in OpenStack 17:29:09 yea, totally kickass 17:29:17 indeed :) its nice to see bandit having a wider impact 17:29:28 any other updates? 17:29:32 so in light of all we know, how far out from 1.0 do you guys think we are? 17:29:37 I'd say a few months realistically 17:29:39 #link https://etherpad.openstack.org/p/security-mitaka-midcycle 17:29:58 some projects (e.g., glance) are blocking adding bandit since they want to wait for 1.0 17:29:58 we should make sure 1.0 is really tight before we throw it up 17:30:05 it looks like the work items didnt make it on there, i'll add some blueprints for the ones that are not done yet 17:30:07 question: is the new stripped-down config a 1.0 thing? or will that land before 1.0? 17:30:13 bknudson: interesting 17:30:16 (asking because designate wants to add bandit to their gate) 17:30:16 bknudson: yeah, that's probably for the best at this point 17:30:34 ccneill: it's partly a thing, but none of that is on PyPI yet 17:30:42 ccneill: its sort of in master right now, but yeah its for 1.0 really 17:30:47 ccneill: if they get going with a config file we'll fix it for them once 1.0 lands 17:30:51 since thats the next version AFAK 17:31:07 tkelsey: no, we're going to have to do another version with the .bandit file as soon as that lands 17:31:25 o/ 17:31:30 OK, if that lands before the other 1.0 stuff. 17:31:32 nice 17:32:08 tmcpeak, tkelsey : I'll ask them if they want to be on the bleeding edge or if they'd prefer to wait for 1.0 then 17:32:35 ccneill: cool, we are always happy to help out if needs be as well 17:32:45 ccneill: +1 17:33:05 anyway, we got a load done on bandit and have had a lot of new interest as well. I'll put up some blueprints soon for the remaining 1.0 work 17:33:07 cool cool, I'll sync up with them and report back 17:33:14 tkelsey: awesome, +1 17:33:16 in the mean time, please take a look at the patches in reivew :) 17:33:30 very encouraging to see continued evolution in bandit 17:33:35 yep yep 17:33:43 ok, moving along 17:33:46 #link https://review.openstack.org/#/q/project:openstack/bandit+status:open 17:33:53 #topic anchor 17:33:58 dg_: any news here? 17:34:10 Soooo 17:34:17 There’s a few things that are interesting here 17:34:30 First off, I did bloggy things : http://localhost:3000/tooling/2016/01/20/ephemeral-pki.html 17:34:32 lol 17:34:35 hehe 17:34:39 one sec, I’ll get a none local link 17:34:40 haha 17:34:51 #link https://openstack-security.github.io/tooling/2016/01/20/ephemeral-pki.html 17:34:54 … long day. 17:35:02 lol 17:35:02 worked, thanks 17:35:12 So that post’s a bit rambly at the moment, needs a bit of a tidy 17:35:22 hyakuhei_: +1, looks awesome =) /me adds to reading list 17:35:31 We’ve got a bunch of open bugs: https://openstack-security.github.io/tooling/2016/01/20/ephemeral-pki.html 17:35:59 oh actually, everyone should watch that defcon 17 video, 35:20 is my fave altime security bug 17:36:03 hyakuhei I'll have an edit. I de-typo'd your TA post 17:36:12 excellent! 17:36:12 hyakuhei_: this is awesome 17:36:33 Thanks tmcpeak I’m not very happy with it so please feel free to edit or send me comments 17:36:35 love the cert revocation meme, cant believe I've not seen that in one of your presentations 17:36:45 It didn’t exist until yesterday. 17:36:57 That mozilla stuff was very interesting research 17:36:59 visually it's pretty good, I'll have a read through the content later :) 17:37:00 anywhooo 17:37:11 The big code change at the moment is introducing CMC support in requests 17:37:18 tmcpeak: +1 17:37:22 #link https://tools.ietf.org/html/rfc5272 17:37:24 Yeah, the cert revocation cat thing was great 17:37:37 Thanks :) 17:37:47 So Stan has a bunch of patches in flight for that to work 17:38:04 cool :) 17:38:04 and then I want to go through a 1.0 plan just like Bandit did - i.e how to get there. 17:38:11 +1 for 1.0 17:38:16 +1, nice 17:38:16 and for you guys to perhaps take a look at how this might apply to your clouds 17:38:20 hyakuhei_: +1 17:38:22 apart from you elmiko 17:38:27 whaaa? 17:38:29 hyakuhei_: this looks good to me so far, will definitely watch the Moxie talk 17:38:33 because we all know DOGTAG IS SUPERIOR! 17:38:41 * dg_ drinks 17:38:46 haha 17:39:02 i reserve the right to run anchor on my home cloud, tyvm ;) 17:39:14 Awww 17:39:24 I can follow up with Major to see the possibility with RPC 17:39:33 #link https://review.openstack.org/#/q/project:openstack/anchor+status:open 17:39:50 Oh, I guess the only other thing to mention re: Anchor is cathead 17:40:13 I landed this a few days back #link https://review.openstack.org/#/c/267762/ 17:40:13 next nautical themed project name needs to be jibboom imo 17:40:19 elmiko: +1 17:40:34 hehe 17:40:39 i just like saying it 17:40:47 So that’s basically a client side application for swapping out certificates, it’s a bit bare-bones but potentially an interesting thing to develop further 17:40:52 I don’t have anything else on Anchor 17:41:08 cool, thanks hyakuhei_ , dg_ 17:41:15 #topic threat analysis 17:41:21 dg_: how's it coming along? 17:41:22 https://www.youtube.com/watch?v=jN5Z8HDZSpg 17:41:33 bknudson: HAHA 17:41:50 lol 17:41:56 lo; 17:41:58 #link https://review.openstack.org/#/c/220712/ 17:41:58 elmiko thanks for the comments on the WIP stuff that I pushed up (its now marked as WIP to avoid confusion) 17:42:13 cool, i know it's wip but i wanted to help out =) 17:42:40 #link https://openstack-security.github.io/collaboration/2016/01/16/threat-analysis.html <- I blogged about that too, again not wonderful. 17:42:58 oh man, you've been a blogging maniac ;) 17:43:05 hyakuhei_: the worlds leader in mediocre OpenStack security blogposts :P 17:43:09 elmiko Yeah its super helpful, I've made a stack of changes, and have a whole bunch more to make. Right now trying to get the templates vaugely useful 17:43:18 dg_: sweet 17:43:22 For a newbie, these are very helpful 17:43:26 hyakuhei_: great start! 17:43:33 +1 17:43:34 hyakuhei_: i applaud your push for openness with these blogs too, +1 17:43:36 hyakuhei_: this looks legit, your standards are too high 17:44:01 What's our plan here? 17:44:12 seriously TA one looks good to me, I say ship it 17:44:17 dg_, hyakuhei_, so i guess we'll just keep pushing on this review until it's ready for publishing? 17:44:20 the TA Blog? +1 17:44:20 I think people could get real benefit from reading this 17:44:22 I’m expecting that after initial interest we’ll end up with 2-3 regular contributors 17:44:23 elmiko yeah 17:44:29 great, thanks 17:44:45 everyone who is interested, please take a look at the review linked earlier 17:44:56 elmiko hyakuhei was there any process documentation that came out of the mid-cycle? 17:45:04 https://openstack-security.github.io/collaboration/2016/01/16/threat-analysis.html 17:45:16 dg_, not that i am aware of 17:45:28 There was a picture. 17:45:31 Yes but mainly captured in the etherpad/whiteboard 17:45:37 ok cool 17:45:40 and… in my mind :) 17:45:49 and heart 17:45:50 I'll take a first attempt at turning the etherpad/whiteboard/yourmind into a document 17:45:52 hehe 17:46:01 dg_: that could be....dangerous 17:46:03 Basically, instead of trying to write it all down we’re going to TA some things, applying and recording the process as we go 17:46:09 ok cool 17:46:12 Anchor is a nice easy project to start with. 17:46:12 hyakuhei_: +1 17:46:15 fancy a TA for Anchor 17:46:17 lol 17:46:20 then Barbican and Keystone 17:46:40 In that case tkelsey needs to crack on and document anchor like we agreed at techcon.... 17:46:41 Mid-term goal is to get project maturity metrics associated with TA and Bandit-gates 17:46:50 dg_: indeed 17:46:54 i will most likely work towards something for sahara following what has been posted, but it will be in the late M3 timeframe 17:47:15 elmiko: +1 17:47:18 hyakuhei_: if you'd like to do it for the blogpost I got most of the whiteboard for Barbican on draw.io 17:47:18 tkelsey lets work together as neither of us has got around to it 17:47:24 So that to get (6 of 6 - maybe) you need to meet all the security requirements: https://www.openstack.org/software/project-navigator/ 17:47:32 dg_: +1 will chat 17:47:38 kk 17:47:43 tmcpeak: excellent, we still need to decide on a drawing/graphing tool 17:47:51 yep yep 17:47:57 mspaint :D 17:47:59 hyakuhei_: have you started discussion with any of the TC or crossproject group yet? 17:48:05 always time for some good old tool bikeshedding 17:48:12 +1 17:48:25 elmiko: no 17:48:32 I wanted to have the TA process more refined first 17:48:35 Then tell them about the idea 17:48:39 then TA bandit and Keystone 17:48:42 that makes way too much sense 17:48:46 ;) 17:48:49 lol; 17:48:49 use them as exemplars 17:48:54 definitely 17:48:58 how can we help with TA process? 17:48:59 and then push for adding it as a maturity metric 17:49:08 hyakuhei_: s/bandit/Barbican/ 17:49:09 and i think you mean s/bandit/anchor/ ? 17:49:13 ah 17:49:19 or anchor :) 17:49:24 s/bandit/barbican 17:49:29 thanks 17:49:32 anchor wil lcome earlier 17:49:45 and Barbican/Keystone will be more convincing for the TC 17:49:50 definitely 17:50:03 having keystone almost seems like a must in my book 17:50:03 plus good tests of if the documentation/process we have created is consumable / applicable by developers 17:50:09 elmiko: yarp 17:50:23 ok, 10mins left. 2 topics, can we move along? 17:50:35 please do! 17:50:42 #topic syntribos 17:50:47 michaelxin: any updates? 17:50:59 i've seen lots of activity from gerrit =) 17:51:04 mdong: will give some updates. 17:51:09