17:01:04 #startmeeting security
17:01:05 Meeting started Thu Feb 25 17:01:04 2016 UTC and is due to finish in 60 minutes. The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:07 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:08 Hi
17:01:09 The meeting name has been set to 'security'
17:01:11 heyo/
17:01:11 hi
17:01:14 #chair hyakuhei
17:01:15 Warning: Nick not in channel: hyakuhei
17:01:16 Current chairs: hyakuhei tmcpeak
17:01:20 hi
17:01:27 hi, all
17:02:03 o/
17:02:03 yo, what's up everybody
17:02:03 we'll give a couple of minutes to get people in
17:02:11 * hyakuhei is here but still in previous meeting - you see the agenda?
17:02:23 no, where's that?
17:02:33 tmcpeak, hyakuhei, approve my pull request! =D
17:02:47 #link https://etherpad.openstack.org/p/security-20160225-agenda
17:03:03 ok I'll run this until hyakuhei finishes other meeting
17:03:18 so I think we had BYOK follow up
17:03:20 we'll defer
17:03:26 all the way to… Anchor
17:03:40 although we have none of the Anchor's around either
17:03:48 added blog XD
17:03:52 #topic Bandit
17:04:01 ok we've got a lot of good changes coming
17:04:04 still working toward 1.0
17:04:33 browne, cjschaef, myself, tkelsey and others have been pushing some good work
17:04:40 +1
17:04:43 we're still on track there
17:04:45 +1
17:04:53 one thing we could use is some testing
17:05:06 so if anybody has some time to play with Bandit and find (and report) bugs, that would be awesome
17:05:33 I can do that
17:05:42 LHinds: awesome, thank you!
17:05:57 ok cool
17:05:58 I will play with it some too, now that my test coverage work is winding down
17:05:59 I ran it against some of my own code, and it found a lot, so owe it back ;-]
17:06:00 +1
17:06:07 cjschaef: great, thank you!
17:06:19 ok cool, probably not much else to say on Bandit this week
17:06:25 #topic Sec Guide
17:06:31 elmiko: sicarie
17:06:33 take it away
17:06:51 i don't think there is much to report here
17:06:54 +1
17:06:59 -1
17:07:01 Not much progress this week
17:07:02 :-)
17:07:04 we are still working towards the pdf re-release, and closing some bugs
17:07:06 alright, might have a quicker meeting then ;)
17:07:13 #topic Syntribos
17:07:35 michaelxin and co
17:07:37 We added some blueprints about what we want to do
17:07:37 how's this coming?
17:07:50 Michael Dong has been working on some features.
17:08:08 We are also updating the docs
17:08:12 sweet, summary?
17:08:30 We will use it to test Solum next week
17:08:43 nice
17:08:47 summary: We are working on it.
17:08:59 fair enough
17:09:14 ok then..
17:09:27 hmm, trying to think what we should talk about without Rob
17:09:34 summit?
17:09:45 blog?
17:09:57 he'll probably want to discuss that too ;)
17:09:57 sure blog
17:09:57 #topic Blog
17:10:07 When will they announce talks accepted for the summit?
17:10:13 ok anybody have any cool stuff they want to write about?
17:10:15 i put a post up for the blog, please accept it =D
17:10:23 elmiko: +1
17:10:29 (i refrained from just pushing it myself)
17:10:37 oh yeah?
17:10:37 you don't have mergy juice elmiko?
17:10:54 oh, i do. just wanted to be more democratic about it
17:11:09 link?
17:11:13 #link https://github.com/openstack-security/openstack-security.github.io/pull/13
17:11:14 ylinux01
17:11:44 elmiko: just push when you think it's ready
17:11:44 tmcpeak: i wanted to make sure that you and hyakuhei were good with it first
17:11:55 * tmcpeak reads
17:12:14 ok, i'll give folks some time to check it out and merge later if there are no comments
17:12:23 good job
17:12:28 \o/
17:13:02 elmiko: this is awesome!
17:13:16 =D
17:13:23 mergies!
17:13:23 +1
17:13:35 looks good
17:13:43 ok, i'll just merge now then
17:13:53 this is awesome elmiko
17:14:01 thanks tmcpeak
17:14:32 ok cool, up next…
17:14:40 oh let's do CORS
17:14:41 #topic CORS
17:14:57 did anybody get a chance to look at this?
17:14:58 I did
17:15:00 I did
17:15:08 (spec, docs, not code)
17:15:11 ok cool, what are your thoughts singlethink
17:15:16 I only looked at the spec
17:15:23 First blush: it sounds like a reasonable solution
17:15:34 link?
17:15:37 basically... centralizing access to APIs from the web browser
17:15:38 i looked as well
17:15:45 #link http://specs.openstack.org/openstack/openstack-specs/specs/cors-support.html
17:15:47 I understand the use however it really seems like the kind of thing that needs to be well thought out
17:15:50 Thanks.
17:15:52 instead of each project maintaining their own api proxy
17:16:01 this would probably be a good use of an OSSP threat model
17:16:01 also #link http://docs.openstack.org/developer/oslo.middleware/cors.html
17:16:22 Yes... I agree it's security critical
17:16:38 yeah and they keep mentioning that it has to be done carefully and projects need to be aware of security implications
17:16:44 i think a common location for cors middleware would be great, it would also save krotscheck the time of updating all the paste deploy scripts ;)
17:16:46 that's the kind of thing we can help with
17:16:48 I also think that it deserves some coverage in the security guide (and maybe Bandit)
17:17:07 yeah we should definitely produce some guidance about this
17:17:12 Eh?
17:17:19 discussing CORS middleware
17:17:24 krotscheck: we're talking about http://specs.openstack.org/openstack/openstack-specs/specs/cors-support.html
17:17:27 I'm wondering if this should be a design session at the summit
17:17:32 Sup, sorry - ran a little long
17:17:36 Please continue :)
17:17:50 Righto
17:17:53 hey hyakuhei, saved the parts I thought you'd want to be on for you
17:18:01 a threat model is a cool idea
17:18:02 Cheers
17:18:09 hyakuhei: did you read the CORS thing?
17:18:33 you'll want to check this out: http://specs.openstack.org/openstack/openstack-specs/specs/cors-support.html
17:18:39 curious for your take
17:18:53 Just reading up on it now
17:18:54 gmurphy also agrees this should be done with care
17:19:17 (pasted link in my team channel last week)
17:19:27 well, that’s scary.
17:19:42 heh yeah
17:19:45 that was my gut thought too
17:19:46 I don’t fully understand how it applies to middleware as opposed to the more typical browser example.
17:19:57 * krotscheck would like to note that he doesn't have the context-relevant vocabulary, so as he says things that sound weird, please ask for him to define what his brain thinks those words mean.
17:20:06 hyakuhei: I'd like to do a threat model for this in a design session
17:20:20 Seems fair
17:20:33 two birds with one stone, etc
17:20:39 sure
17:20:53 ok cool
17:20:59 #topic Summit room request
17:21:03 hyakuhei:
17:21:14 it would be a good example to illustrate how the flow of traffic works, imo (re:CORS)
17:21:33 I'd be happy to act as SME for that and explain it.
17:21:35 elmiko: yeah, one of the things I'd like to put together in TA
17:21:47 good diagrams, data flows, etc
17:21:47 Sounds good to me, fishbowl or working room?
17:21:47 +1, krotscheck, tmcpeak ;)
17:21:57 krotscheck: ahh cool
17:22:00 i'd vote working room
17:22:00 are you involved with this?
17:22:07 tmcpeak: he wrote that spec
17:22:10 oooh
17:22:11 perfect
17:22:14 hehe
17:22:16 exciting times.
17:22:20 tmcpeak: I wrote the spec. And all the patches. That are currently already in Mitaka
17:22:31 ok perfect
17:22:35 yeah we'll need you then
17:22:38 tmcpeak: That are under discussion AGAIN.
17:22:43 he's also been updating all the api-paste.ini files for projects that use them to include the necessary options for CORS support
17:22:47 * krotscheck didn't realize the horse was still alive.
17:23:07 elmiko: And it looks like I get to revert all those.
17:23:23 /sadpanda
17:23:43 elmiko: No biggie. The application default options really should be pregenerated in the config file.
17:24:04 that makes sense
17:24:23 Anyway: Yes, assuming I'm going to the summit (95% likely, unless daycare falls through) I'll be more than happy to describe CORS to you.
17:24:47 ok cool
17:24:55 but the real issue here is not horizon talking to the services, but new browser based apps that will need to make requests directly against api servers, right?
17:25:08 or, indirectly, i suppose
17:25:29 A lot of what horizon does actually falls away with CORS in favor of browser-side operation
17:25:33 which is kinda interesting
17:25:40 yea
17:26:17 Yep
17:26:30 it seems to me we are enabling more growth of applications that can talk to the api servers with improved CORS support
17:26:40 just a good thing to do
17:27:04 anyways, sorry for the derail
17:27:21 it's a good discussion, but we should also have it face to face to be effective I think
17:27:32 +1
17:27:54 +1
17:27:56 ok cool
17:28:03 so summit rooms for real
17:28:07 hyakuhei: what'd you have in mind?
17:28:22 Ok, so we get to request rooms
17:28:31 Last summit we had 2 fishbowl, 2 working
17:28:34 and used all of them
17:28:56 what do we have in mind?
17:29:01 Bandit again?
17:29:06 TA
17:29:21 imo, TA should be a fishbowl
17:29:25 +1
17:29:29 maybe bandit too, we had a full house last time
17:29:35 i dunno
17:29:39 Though we could also have a working room for TA:Cors
17:29:45 I’d be happy to do both
17:29:46 +1
17:29:58 ok so those two, what else?
17:30:00 a working room for CORS.* seems appropriate
17:30:06 So yeah, if you want a fishbowl or a working room for your pet project put it on the etherpad
17:30:28 hyakuhei: did Doug do any talks, and/or do you think he'll be at summit?
17:30:33 * elmiko adding distributed scale attacks to list....
17:30:35 if we're doing Killick things could be worth one
17:30:36 j/k
17:30:45 tmcpeak: Doug did, no idea if it’ll be included
17:30:59 (I actually have an idea as a track chair, but my lips are sealed, muwhahaha)
17:30:59 ok, maybe we'll need to circle back on this a couple of times
17:31:06 hyakuhei: when do you need to know by?
17:31:11 hyakuhei: oooh, nice
17:31:34 I’ve put in a provisional request for 3x3
17:31:45 i wonder if we could expand the Anchor, Killick stuff to a broader topic on PKI in general?
17:31:47 cool
17:31:56 elmiko: yeah, that's probably a good way to slice it
17:32:04 Yeah that would be interesting
17:32:24 which etherpad?
17:32:41 i know Anchor is an OSSP baby, but i would be lax in my duties if i didn't at least advocate for a discussion of all options *cough*dogtag/ipa*cough*
17:32:49 :D
17:32:53 ;)
17:32:54 holy war, holy war
17:32:58 haha
17:33:08 Good point
17:33:17 maybe we can just have bare knuckle boxing and sort this out for once
17:33:26 +1
17:33:27 Though I have thoughts on pushing Anchor up as a general service ala AWS ACM
17:33:40 +1, imo Anchor is cool
17:33:52 which would be very different (and require more adherence to OpenStack idiomatic API etc)
17:33:59 i just think we should avoid becoming a one-solution-fits-all organ
17:34:21 hyakuhei: yea... about that ;)
17:34:29 elmiko: I agree
17:35:03 ok cool
17:35:09 onward?
17:35:24 please
17:35:42 was there a different link for the summit etherpad?
17:35:57 a link?
17:36:07 #topic PTL Elections
17:36:16 hyakuhei: what'd you want to do here?
17:36:25 I'm happy with "Rob 4 prez" as we've done in the past
17:36:31 Make sure people know there’s an election cycle coming up in about a month
17:36:37 michaelxin: re: "[12:30] < hyakuhei> So yeah, if you want a fishbowl or a working room for your pet project put it on the etherpad"
17:36:40 Work out who I need to kneecap/pay off etc.
17:36:44 but they probably want us to do the whole process
17:36:46 haha
17:36:52 elmiko: michaelxin: Just the agenda one for now
17:36:56 * tmcpeak <— pay
17:36:59 hyakuhei: ack, thanks
17:37:00 Thanks.
17:37:12 * elmiko <- no kneecap, please
17:37:14 It’s not a big discussion, helps me with numbers, I’ll petition Thierry and we’ll see what we get
17:37:27 Remove both kneecaps, roger that!
17:37:48 Anyway yeah, last time around the PTL elections slipped us by. I wanted to make sure everyone knows this time
17:38:08 ok, anything we have to do?
17:38:14 or just hyakuhei actions?
17:38:33 Do we need to vote?
17:38:34 i think just hyakuhei, and any rivals, need to make posts to the ML right?
17:38:53 We need to add ourselves to a yml file these days I think
17:39:00 also, added room requests to the agenda
17:39:03 Process doesn’t open for a while.
17:39:06 elmiko: TY
17:39:44 does anybody want to run?
17:40:22 i'm happy to continue with our BDFL
17:40:24 not really, but are there multiple PTLs for the OSSP projects?
17:40:30 like bandit vs achor?
17:40:33 browne: good point
17:40:33 anchor
17:40:39 Not really just code leads / cores
17:40:57 I think subprojects don't get cores generally in OS
17:40:58 is that right?
17:40:59 We can spin projects out into full blown “openstack things” if required
17:41:03 sorry PTL's
17:41:08 tmcpeak: correct
17:41:20 oh, but i think of bandit as a project (at least that way in Gerrit).
17:41:38 yeah Bandit potentially should be separate
17:41:59 yea, bandit is really growing to the point it should have full project status, imo
17:42:02 PTL is mainly here to do things like arrange the summit, make sure meetings happen, push agenda upstream etc. Maybe a discussion we should have at the summit is spinning out Bandit
17:42:27 lots of work :)
17:42:33 i was more curious about the organization. not suggesting anything. it's been working as is
17:42:35 hmm, to that extent, then the other projects may not make sense to spin off
17:42:38 “Status” is a relative term now that we have a big tent model, it’s not the rubber stamp that it used to be but it’s certainly something I’d be open to
17:42:46 but if someone wanted to be a PTL of Bandit or whatever
17:42:56 In the words of my former boss
17:43:07 “You can call yourself whatever the hell you want so long as you don’t want any more money”
17:43:14 hyakuhei: yea, and bandit as an openstack project i don't means as much. but in the wider F/OSS community i think bandit definitely has legs.
17:43:17 haha
17:43:38 s/don't means/don't think means/
17:43:50 elmiko: +1
17:43:57 Sounds like a good discussion to have f2f
17:44:01 +1
17:44:04 possibly including beer
17:44:08 +2
17:44:15 does bandit have its own channel? (sorry if off-topic)
17:44:20 no
17:44:31 ++
17:44:36 maybe its time is coming though ;)
17:44:44 LHinds: #openstack-security works I think
17:44:47 not too crowded in there
17:44:59 k, thanks tmcpeak
17:45:06 aside from the random bot ;)
17:45:20 the bot adds character
17:45:29 true
17:45:32 ok, let's see
17:45:37 anything else we want to cover?
17:45:45 maybe AOB now?
17:45:47 #topic AOB
17:46:23 when will they announce the talk schedule?
17:46:34 hyakuhei: you know?
17:46:47 Oh not for a few weeks at least
17:46:58 Don’t have to close out our chair discussions until next week
17:47:07 There’s normally a 2 week tail on that before they’re announced
17:47:12 but I don’t know the details
17:47:21 thanks.
17:47:24 #action hyakuhei to check when the sched is announced
17:48:28 alright, anything else?
17:48:31 might wrap early today
17:49:09 cool. Thanks.
17:49:16 https://review.openstack.org/#/c/271517/
17:49:24 oh yeah
17:49:29 Rob had a follow up from last time
17:49:37 ^ that's all
17:50:15 cool
17:50:35 alright, time to wrap?
17:50:46 #endmeeting