17:00:17 #startmeeting security
17:00:18 Meeting started Thu Mar 3 17:00:17 2016 UTC and is due to finish in 60 minutes. The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:20 o/
17:00:20 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:21 #chair hyakuhei
17:00:21 \o
17:00:22 The meeting name has been set to 'security'
17:00:24 Current chairs: hyakuhei tmcpeak
17:00:28 Hi Guys
17:00:28 o/
17:00:32 o/
17:00:34 hey all
17:00:35 thanks tmcpeak
17:00:37 hi
17:00:40 sure :)
17:00:50 o/
17:00:57 I’ve got a copy-pasted agenda from last week here #link https://etherpad.openstack.org/p/security-20160303-agenda
17:01:07 Obviously needs updating with things people care about
17:01:56 hello
17:02:00 hey michaelxin !
17:03:16 Ok so our room requests are in, let's wait to see what the openstack gods decide
17:03:31 Track choices should be out soon too I think
17:03:35 * elmiko lights sacrificial incense
17:04:45 hehe
17:04:53 We had to have the final decisions in by Monday
17:06:03 would be cool to know soon :)
17:06:10 Right ok, so I guess we can get started :)
17:06:12 Yeah it would!
17:06:48 alright
17:06:52 The track chairing (for security) went really well this year, good discussions on various aspects. We’ve tried to create a pretty inclusive track
17:07:02 nice
17:07:17 awesome. thanks for the hard work on that
17:07:22 are there many security related talks submitted?
17:07:25 My pleasure
17:07:36 Righto, agenda wise - did any of you guys look at the BYOK stuff?
17:07:49 i did, not sure i have much to add though :/
17:07:50 #link https://review.openstack.org/#/c/271517/
17:07:59 If you have crypto thoughts, please add them
17:08:17 Although this is crypto stuff it’s a Security project
17:08:24 So it’s ours to screw up all on our own.
17:08:25 trying to multitask here.
17:08:34 Though Barbican will help :P
17:08:45 hehe
17:08:52 looks like the bikeshed is alive and well with this one
17:09:03 Indeed
17:09:17 It’s all good content though
17:09:24 Just need a gentle nudge
17:09:32 +1
17:09:39 Ok, so I don’t have anything to add regarding the summit
17:09:47 Anyone else got questions before we do Agenda things?
17:10:05 just curious if there are many sec. related talks
17:10:19 There’s a whole track
17:10:20 how much of a track did we get hyakuhei?
17:10:25 four days?
17:10:29 Oh I see
17:10:36 cool, very encouraging to hear
17:10:37 So we got hmmm… 10 slots I think
17:10:50 that's pretty solid
17:10:51 How they stack up over the week is beyond my understanding
17:11:12 Got a couple of good alternates in there too, we could have had a very compelling 15 talk track
17:11:24 neat
17:11:44 it's 4 days this time, right
17:11:45 ?
17:12:00 great
17:12:24 the conference is mon - thurs
17:12:39 ops and design is mon - fri
17:12:41 yeah I think the big difference this time around is they’ve moved the ops stuff?
17:12:52 so it deconflicts with most of the rest of the design summit?
17:13:13 https://www.openstack.org/themes/openstack/static/images/austin/schedule-chart.svg
17:13:36 mvaldes: +1
17:13:52 cool
17:14:09 i'm really curious to see how that proposal to split the summit proceeds
17:14:12 WOO is such a cool acronym
17:14:16 +1
17:14:43 ok, agenda then
17:14:47 #topic Anchor
17:14:59 Stan did some good work on this, a bunch of stuff merged and 0.3 is in Pypi now
17:15:02 tkelsey: ?
17:15:07 Is that accurate?
17:15:26 not sure about Pypi, sorry
17:15:37 oh ok, maybe that’s not updated then, as you own it.
17:15:38 heh
17:15:42 Stan was asking about it, but i don't know if he got anything in
17:15:46 Unless Stan hacked your creds
17:15:55 wait I own it :-/
17:16:01 which… I mean…. it’s stan, so entirely possible.
17:16:05 https://pypi.python.org/pypi/anchor/0.3
17:16:05 OK i'll find out what's going on there then lol
17:16:06 yeah
17:16:16 https://www.dropbox.com/s/66acgvh3i7ugm9f/Screenshot%202016-03-03%2017.16.13.png?dl=0
17:16:23 ^ ANCHOR BOSS
17:16:53 nice, +1 tkelsey ;)
17:16:57 well I guess that's good :D (yeah i'll find out what the deal is) been distracted with Bandit 1.0 and other stuff
17:17:13 No problem.
17:17:23 there was some interest re: anchor during my OWASP talk on syntribos last Friday
17:17:49 mvaldes: oh, that's interesting :0
17:17:50 :)
17:17:54 I’ve been wondering how/if Anchor should be positioned or extended to behave a little bit more like Amazon’s new certificate service
17:17:58 i mentioned OSSP and a few of the projects. made sure they knew we were looking for help/testing/etc
17:18:06 Though I guess Barbican front ending some other CA makes more sense there, potentially
17:18:11 that's cool mvaldes
17:18:16 oh, I had one other thing
17:18:19 mvaldes: awesome :)
17:18:28 I’ve got an in-depth anchor deck
17:18:54 excellent
17:19:06 I mean, if you want 45 minutes on PKI deployments and passive revocation
17:19:07 https://docs.google.com/presentation/d/1HDyEiSA5zp6HNdDZcRAYMT5GtxqkHrxbrqDRzITuSTc/edit?usp=sharing
17:19:09 Tadaaa
17:19:27 Removed 99.3% of the copyrighted content too
17:19:31 we want it live!
17:19:33 ;)
17:19:57 Possibly needs some speaker notes as it goes into some interesting places
17:20:01 like CRLSets etc
17:20:06 yes pls :)
17:20:21 My favorite bit here: https://www.dropbox.com/s/rkmw5kicwmoc5xn/Screenshot%202016-03-03%2017.20.15.png?dl=0
17:20:35 lol
17:20:39 :#
17:20:57 nice
17:21:04 That is public domain / usable though at least heh.
17:21:12 it may catch on
17:21:18 Right, I don’t have anything else to add on Anchor.
17:21:21 if you're lucky
17:21:51 lol love the "SO MUCH PLUMBING" slide
17:21:58 :)
17:22:07 I’ve used that or some variation of it for years :)
17:22:16 Gets a good chuckle
17:22:30 My fave is probably “How security sees openstack”
17:22:40 FIRE
17:23:05 the deck looks good
17:23:06 yea, that slide is awesome
17:23:09 Anyway, feel free to borrow as much (or as little) as you’d like from that
17:23:14 and so accurate XD
17:23:31 lol
17:23:51 https://i.ytimg.com/vi/C-zCzM5qPec/maxresdefault.jpg
17:23:59 ok, any questions on that before we move on ?
17:24:06 ccneill: amazing!
17:24:23 yeah I bet that's coming in a Rob speech soon
17:24:37 ha! ccneill++
17:24:43 those are great slides
17:24:51 someone made a flag of that picture at the Castle.. I'm so jealous lol
17:25:05 no they didn't... so awesome
17:25:46 lol
17:25:50 ok,
17:25:53 #topic Bandit
17:26:07 I think we have the last major feature added that we needed for 1.0
17:26:15 from now it should just be filing and closing bugs
17:26:18 doc fixes, etc
17:26:34 yup
17:26:39 https://blueprints.launchpad.net/bandit
17:26:41 #link https://blueprints.launchpad.net/bandit
17:26:51 great news!
17:26:56 just need to land the stuff in flight then double down on docs and any bug fixes
17:27:03 +1
17:27:08 could really use people hammering away at Bandit
17:27:14 try using it in ways you don't normally use it
17:27:22 +1
17:27:45 tmcpeak: is there a slide deck / similar describing everything in 1.0?
17:27:46 other than that bit of shameless begging I don't have anything to add :)
17:27:56 there's been a lot of activity in other projects to hook up bandit into the pep8 testenv
17:27:59 nice, grats on the lp
17:28:02 ccneill: no, but that would be great to have
17:28:24 well, I don't know that I'm qualified to do it, but I'm definitely willing to TRY helping with docs
17:28:26 :)
17:28:42 ccneill: like release notes?
17:28:45 ccneill: that would be awesome!
17:28:56 I had a good go at it this week, but could not find anything issues (which is good!)
17:28:57 browne: yeah, release notes of some kind would be great
17:29:03 LHinds: thanks!
17:29:10 s/anything/any
17:29:11 thanks :)
17:29:12 yeah preferably release notes from somebody that isn't a core Bandit dev
17:29:17 so we have a fresh pair of eyes
17:29:45 ccneill: +1
17:30:23 tmcpeak, a review or author?
17:30:31 author would be best
17:30:33 tmcpeak: any of these have a much higher priority than others?
17:30:38 haha
17:30:43 they don't have assigned priorities at the moment
17:30:51 ccneill: which are you looking at?
17:30:55 the bps
17:30:59 the link above
17:31:03 oh, we're done on those
17:31:07 oh, sweet!
17:31:12 1.0 ones are finished and none of the ones that aren't 1.0 are in
17:31:36 gotcha
17:31:49 I guess best thing to do is make sure 1) our wiki is in good shape
17:31:56 2) the docs make sense for how to use it and nothing is missing
17:32:11 with those two we're in good shape from a doc perspective
17:32:27 cool, I'll see what I can do
17:32:34 ccneill: awesome, thank you!
17:32:41 np - thank you!
17:32:45 this is the easy part :)
17:33:01 anything else anybody wants to mention on Bandit?
17:33:12 there's a whole release note feature many of the other projects use. not sure we should for bandit
17:33:25 browne: what's that about?
17:33:39 are you talking about reno?
17:33:44 yep reno
17:33:47 use it
17:33:58 I am hoping to get the OPNFV project to use Bandit, will keep you updated. Most of what they do is upstreamed, but they do have some infra stuff on LF repos.
17:34:00 it's very convenient for generating release notes
17:34:06 LHinds: neat!
17:34:11 elmiko: cool
17:34:20 from the discussion on the mailing list reno is generating content for deployers
17:34:27 and deployers don't care about bandit features
17:34:37 hmm, didn't think about that bknudson
17:34:48 We tried Veracode python support early version
17:35:09 #link https://launchpad.net/bandit/+milestone/1.0
17:35:18 from a developer perspective, reno is really convenient for generating a release note with your changes. but i can see how it might make excess noise in some places.
17:35:57 bknudson: do the reno changes automatically get picked up outside the project, or does something need to be configured to comb the project for notes?
17:36:15 bknudson: oh yeah, I'm not sure ^ that is up to date
17:36:18 elmiko: I assume something has to be configured to get the release notes on the release web page
17:36:23 we haven't been great about assigning stuff to the milestone
17:36:27 bknudson: gotcha, thanks
17:36:48 so maybe bandit release notes wouldn't be included there?
17:36:51 the release notes can be included into the project docs. i've seen projects do that
17:37:12 +1
17:37:20 good idea
17:37:23 and we could tailor to our target audience i believe
17:37:25 release notes have been traditionally included in the git commit
17:37:45 yea, i definitely recommend using reno for making the notes and in-project integration. for bandit, i agree with bknudson, it doesn't make sense to aggregate those changes for operators.
17:38:33 anybody who has good experience with the release notes side - we could really use the help for Bandit
17:38:39 aggregate where? in my view, we can write them for whomever
17:38:40 I know I haven't done anything on that front before
17:38:43 I'm kind of shooting in the dark
17:38:55 * ccneill too :(
17:39:10 browne: i just meant, if they were being collated for release with the service project release notes
17:40:10 guess something worth digging into
17:40:18 tmcpeak: i've used it a bunch, i could take a stab at putting a patch together unless browne wants to dig in
17:40:26 elmiko: that would be awesome
17:40:36 elmiko: go for it
17:40:47 ok, cool
17:41:07 cool
17:41:11 alright moving on
17:41:15 #topic Docs
17:41:28 elmiko: looks like you're up :)
17:41:37 ok, well things have been moving along slowly
17:41:47 we have been closing some bugs and generally improving the sec. guide
17:42:00 we are still blocked on creating the new pdf/book version though
17:42:02 improve is good
17:42:11 i'm not sure where sicarie has gotten to with that
17:42:15 what's the plan for the guide?
17:42:25 I guess it will need maintenance forever huh?
17:42:37 afaik, we need to get a pdf published and then make a new physical copy available
17:42:55 tmcpeak: it’s called a “living document”
17:43:02 yep yep
17:43:06 tmcpeak: pretty much, we continue to update, improve, and hopefully add more service content as we find domain experts/authors
17:43:19 are there any new chapters planned?
17:43:21 elmiko: +1
17:43:50 i *think* we had some interest writing a networking chapter around neutron
17:43:53 Is there much on Barbican / Crypto
17:44:05 not much
17:44:29 we'd like to get something on barbican, as well as others like trove and manila
17:44:35 but,
17:44:45 we need more CPLs to help with writing those
17:44:53 Of course
17:44:59 and there’s a TA chapter in the works
17:45:04 +2
17:45:15 Something like https://openstack-security.github.io/threatanalysis/2016/02/07/anchorTA.html
17:45:18 but not terrible
17:45:22 lol
17:45:23 and finished.
17:45:29 +2
17:45:43 i think that would be great, plus we could follow the nice checklists that we have for the other chapters
17:45:49 yeah a TA chapter would be cool for sure
17:46:15 i think these are great projects for Newton, but we need to do more outreach and hopefully get a few more contributors on board
17:46:30 yeah
17:46:36 we're spread pretty thin
17:46:58 we need new blood for sure.
17:46:59 and getting a new leaf version for publishing is a high prio, i know it's been driving sicarie nuts
17:47:10 Sorry, I'll try to start doing stuff. :)
17:47:27 no prob wayward710, i'm just grousing in general XD
17:47:28 speaking of spread thin --
17:47:35 hyakuhei: this looks interesting! one tiny thing: looks like there are some headings where the "#" and the subsequent title don't have a space, so it's not rendering as a heading
17:47:36 I may be taking some time with less participation for a bit
17:47:48 I'm taking a new gig and will probably be busy getting up to speed for a while
17:47:55 nooooo
17:47:58 oh noez
17:48:03 Thanks. Just got busier than expected -- probably happened to many people here too. :)
17:48:06 tmcpeak: congrats :)
17:48:06 a sad day for the ossp
17:48:10 OSSP is awesome and I want to stay involved but it might take some time to get my head above water again :)
17:48:25 mvaldes: thanks!
17:48:26 tmcpeak++
17:48:35 I have been thinking of NFV aspects we could introduce, but need to find the differentiators. I will certainly try to come up with something, but only if it's of value.
17:48:47 tmcpeak: congrats!
17:48:48 a lot of what you have there applies to Telco
17:49:01 or rather Telco world
17:49:03 LHinds, thanks! we appreciate any contribs =)
17:49:25 I am working on something too
17:49:32 hopefully it will be finalized soon.
17:49:36 ooh, a docs bonanza!
17:49:41 michaelxin: +1
17:49:50 all the docs!
17:49:53 hehe
17:49:55 so, we will have some new blood joining.
17:50:00 great!
17:50:06 :-)
17:50:33 alright
17:50:36 speaking of..
17:50:43 i think that's all i've got
17:50:43 #topic Publicity
17:50:46 we should try to get the deck presented more
17:51:09 that being said I don't think we got any new participation from browne and me presenting at the meetup
17:51:11 +1
17:51:16 so we might want to adjust our strategy
17:51:18 has OpenStack ever considered a bug bounty?
17:51:26 like, paid bug bounty?
17:51:31 tmcpeak: did you guys have any specific de-brief notes?
17:51:32 Yes a couple of times
17:51:39 HP considered sponsoring one via ZDI too
17:51:51 I think one of the problems with getting OSSP people is either 1) they are already deeply dug into OS and know how much of a firehose we have to drink from
17:51:51 It was felt that we don’t have the logistical staff to deal with all the terrible reports
17:51:53 elmiko: nah, nothing in particular
17:52:03 or 2) they don't know what OS is or how to add value
17:52:04 ccneill: +1
17:52:10 ccneill: +1
17:52:12 tmcpeak: ack, maybe just a swing and miss... gotta keep up the pressure ;)
17:52:37 honestly I think a lot of security people are busy making money and stuff :)
17:52:43 hyakuhei: yeah, I've seen some amazingly bad reports..
17:52:53 i also feel that corporate interests don't always value having their people spend time on security work :/
17:52:56 need someone(s) to take it on basically full time
17:53:04 I've always felt OSSP is a great way to make an entry into the industry for college students
17:53:08 elmiko: yup
17:53:12 tmcpeak: agreed
17:53:16 elmiko: +1
17:53:21 tmcpeak: I agree in principle but I’ve struggled to get buyin
17:53:22 maybe we could focus there a bit
17:53:30 OpenStack is actually big and scary …
17:53:31 it's really staggering, the amount of sec. work that /could/ be done
17:53:33 hyakuhei: yeah, I've gotten shut down at the professor level
17:53:40 I think they think I'm pitching something
17:53:41 tmcpeak: I think it's hard to scope it to something they'd understand
17:53:43 we can try
17:53:52 michaelxin: could be an opportunity with OSIC + UTSA
17:54:00 OSSP is too open-ended. "secure every component of a cloud provider" isn't something most college kids would even know where to start on, I think
17:54:03 could always start simple though, write a note, fix some docs, etc
17:54:10 I will check with them for sure.
17:54:25 "too open-ended" meaning, I think we need a kind of "onboarding" process
17:54:41 ccneill: yea, i think we might be able to do more to create highly focused bugs that newer developers could work on. but, again, time....
17:54:42 ccneill: yeah that would be helpful too
17:54:44 I think probably this time an idea can be put up for Outreachy on OSSP
17:54:55 http://osic.org/
17:55:15 If they want to start, they can get some free clusters from this program
17:55:26 Akanksha08: good idea, we could certainly make more effort to get interns in on the OSSP
17:55:36 ccneill: could there be an executability requirement? You must submit your bug as a program that exploits _insert_canonical_environment_here_
17:55:44 yeah OpenStack interns - that would be an awesome thing to have
17:56:14 going through Outreachy and GSOC are great ways to find some interested parties. we need to come up with projects that can be worked on though.
17:56:31 sadly, we just missed the last GSOC round and OpenStack wasn't included
17:56:41 singlethink: I was thinking of starting simpler, like doing a first pass of triage on mailinglist bugs
17:56:42 yes the project can even be fixing few small bugs
17:57:01 yup
17:57:12 so that the intern with get an idea of codebase and then I am sure the intern will continue contributing to OSSP
17:57:14 the hard part, is finding the time to have OSSP members groom and create the bugs
17:57:16 will*
17:57:25 Yeah that’s always been hard
17:57:29 elmiko: +1
17:57:34 hyakuhei: Is it possible to associate syntribos with OSSP at http://git.openstack.org/cgit/openstack/governance/tree/reference/projects.yaml
17:57:36 writing notes is nice and focused
17:57:50 michaelxin: sure
17:57:52 oh yeah, I skipped Syntribos :(
17:57:58 doh!
17:58:07 #topic AOB
17:58:09 2 mins!
17:58:24 hyakuhei: Great! Thanks.
17:58:31 No problem
17:58:49 off topic: I made a Chrome Extension to help myself deal with the giant mess that is my tab bar
17:58:51 https://github.com/cneill/tagatab
17:59:03 if anyone else is a serial tab-hoarder
17:59:06 hyakuhei: Please drop me a note once it is done. Thanks.
17:59:14 oh this looks cool
17:59:33 We are adding features and start testing Solum using it.
17:59:45 hey folks, sorry, it's time to wrap up
17:59:59 michaelxin: you could write the change and ask me to +2 it :P
18:00:05 #endmeeting