17:00:12 <hyakuhei> #startmeeting Security
17:00:13 <openstack> Meeting started Thu Mar 31 17:00:12 2016 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:14 <tmcpeak> o/
17:00:15 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:16 <elmiko> o/
17:00:17 <openstack> The meeting name has been set to 'security'
17:00:24 <hyakuhei> #chair tmcpeak
17:00:24 <openstack> Current chairs: hyakuhei tmcpeak
17:00:50 <hyakuhei> My dog’s just had to go back to the vets for the second time today so it’s possible I’ll need to hand over to you tmcpeak
17:00:57 <gmurphy> o/
17:00:58 <hyakuhei> Anyway, hopefully not.
17:01:02 <hyakuhei> Hey gmurphy
17:01:05 <gmurphy> sup
17:01:09 <hyakuhei> #link https://etherpad.openstack.org/p/security-20160331-agenda
17:01:12 <elmiko> hyakuhei: =(
17:01:18 <sdake> o/ ;)
17:01:18 <elmiko> hope the pup is ok
17:01:33 <tmcpeak> yep
17:01:36 <hyakuhei> me too :)
17:01:58 <tmcpeak> hope all is well for the dog
17:02:12 <michaelxin> hi, all
17:02:22 <michaelxin> hyakuhei: good luck
17:02:27 <hyakuhei> Cheers
17:02:34 <gmurphy> i missed the first part of this convo. but i also hope the dog is ok.
17:02:43 <hyakuhei> Righto. One more minute and we’ll get started
17:02:48 <redrobot> o/
17:02:58 <hyakuhei> hey buddy!
17:03:02 <elmiko> i had a thought about a name if we ever get to run a Pwn2Own type competition, "Attack the Stack"
17:03:44 <tmcpeak> got some minor nits on your note Rob
17:03:46 <tmcpeak> looks good
17:03:58 <michaelxin> elmiko: +1
17:04:20 <hyakuhei> Cool, yeah I just wrote it now, very much WIP but given how nasty that issue is I thought I’d put it up for review early
17:04:20 <redrobot> elmiko hehe, that's awesome
17:04:58 <elmiko> since we're talking about it, can we start with OSSN?
17:05:03 <tmcpeak> yeah
17:05:11 <dave-mccowan> o/
17:05:40 <elmiko> this came up on dave-mccowan's review, the issue of service naming and capitalization...
17:06:05 <tmcpeak> what's this now?
17:06:05 <hyakuhei> #topic OSSN-0064
17:06:19 <hyakuhei> #link https://review.openstack.org/#/c/300091/
17:06:32 <elmiko> what about 0063... ;)
17:06:36 <hyakuhei> I know it’s scrappy, just read the bug today and got very yikes
17:06:49 <tmcpeak> lol yeah
17:06:50 <bknudson> http://docs.openstack.org/contributor-guide/writing-style/general-writing-guidelines.html
17:06:57 <hyakuhei> 63 is taken per the wiki that or I missed it because I’m dumb
17:07:05 <elmiko> bknudson: right, for docs that's true
17:07:21 <sicarie> OSSNs have always been a bit more informal
17:07:28 <elmiko> i just wanted to make sure we stay consistent in the notes, i'm totally fine with following that convention but we already have bifurcation of opinions
17:07:49 <elmiko> sicarie: exactly, and those doc rules about caps are for official "docs"
17:08:17 <dg____> and annoying as hell
17:08:43 <sicarie> IMO it's consistency through the note itself - though having a convention to point to for all notes may be useful
17:08:49 <elmiko> sicarie: +1
17:08:59 <dg____> +1
17:09:16 <hyakuhei> I’m not sure which we’ve done historically
17:09:19 <elmiko> and i happened to notice that hyakuhei was using caps for his note (and stayed internally consistent mind you, hyakuhei++)  ;)
17:09:23 <hyakuhei> but certainly we should stick with one
17:09:37 <hyakuhei> and whichever it is, add it to our OSSN guidance and template file.
17:09:39 <dg____> i think we have historically stuck with the doc standard
17:09:52 <elmiko> hyakuhei: +1
17:09:53 <hyakuhei> I think I Will Have Used Caps Because I Always Do
17:10:00 <elmiko> haha!
17:10:05 <michaelxin> Gee
17:10:08 <hyakuhei> Just generally that’s how I tend to write things
17:10:22 <hyakuhei> Ok, lets skip past caps for now. I’d appreciate reviews on that
17:10:23 <dg____> shouty?
17:10:29 <michaelxin> As long as it's not all Caps
17:10:44 <elmiko> ossn, now in all caps for extra emphasis
17:11:35 <tmcpeak> we're kind of a big deal so caps
17:11:44 <hyakuhei> :)
17:12:27 <tmcpeak> but also thank you for writing a note Rob
17:12:39 <tmcpeak> I don't think we've produced many lately
17:13:30 <tmcpeak> actually for that matter what's our plan for notes?
17:13:48 <tmcpeak> should we just accumulate a few and batch through them all at midcycle?
17:13:49 <hyakuhei> To write more?
17:14:00 <tmcpeak> I picked a few more bugs for note tasks yesterday
17:14:01 <hyakuhei> Midcycle is 3 months away or more
17:14:17 <hyakuhei> There’s only 3-4 at the moment I think but I know there’s at least that many in the pipeline too
17:14:42 <gmurphy> might be interesting to see how many folks in openstack-operators ml actually refer to / use these notes.
17:14:44 <tmcpeak> seems like our pool of people that can and have the time to write notes is dwindling a bit
17:14:45 <hyakuhei> I can probably commit to starting one each week, at least progressing them to the stage something like this Keystone one today.
17:14:50 <tmcpeak> gmurphy: ++
17:14:55 <hyakuhei> +1
17:15:12 <elmiko> tmcpeak: is our backlog on notes growing?
17:15:13 <michaelxin> +1
17:15:30 <tmcpeak> elmiko: a bit
17:15:44 <tmcpeak> https://bugs.launchpad.net/ossn
17:15:47 <tmcpeak> we've got 5 now
17:15:48 <elmiko> ok, i can try to pick one up too
17:16:18 <elmiko> 2 in process, 3 new. not horrible, but needs to be addressed
17:16:23 <tmcpeak> elmiko: awesome
17:16:40 <hyakuhei> Thanks elmiko
17:16:57 <hyakuhei> Like I said, there’s 3-4 that will drop in the next week or so I think (currently embargoed)
17:17:13 <tmcpeak> yep yep
17:17:14 <michaelxin> I will take one later this week.
17:17:26 <tmcpeak> michaelxin: awesome, thank you
17:18:01 <michaelxin> I will ask my guys to take on some too since they are supposed to work full time on upstream projects.
17:18:05 <tmcpeak> I wonder what's the best way to find out if people are using them?
17:18:09 <tmcpeak> and if so how they are using them
17:18:11 <tmcpeak> and if not why not
17:18:22 <michaelxin> tmcpeak: +1
17:18:24 <hyakuhei> Thanks michaelxin
17:18:27 <gmurphy> send out survey?
17:18:41 <hyakuhei> Very hard to get anything definitive
17:18:44 <elmiko> good questions, i like the idea about hitting the operator ml, might also be worth it to have an ossp rep at the operator meetup for summit?
17:18:46 <dg____> and whether they even know the notes exist...
17:18:54 <gmurphy> lol
17:18:55 <hyakuhei> I’d certainly like to know from deployers what we could do to make them more accessible/usable.
17:19:00 <tmcpeak> gmurphy: a survey would be great if we have a forum to do so
17:19:02 <dg____> +1 for ops meetup
17:19:17 <hyakuhei> I suspect a part of that may well be the parser/db thing we talked about before
17:19:49 <tmcpeak> hyakuhei: +1
17:19:58 <elmiko> is there an operators working group or something?
17:20:00 <tmcpeak> if there was a nice portal where you could select your versions and get the relevant notes
17:20:01 <gmurphy> maybe we crash an ops session at the summit
17:20:08 <elmiko> tmcpeak: ooh, nice +1
17:20:19 <hyakuhei> tmcpeak: that’s the dream ;)
17:20:28 <hyakuhei> I think gmurphy and nkinder both did work in this area.
17:20:33 <elmiko> gmurphy: yea, would be cool if we could get a moderator to give us a few minutes on the agenda
17:20:38 * gmurphy hides
17:20:43 <hyakuhei> We could also have a blog about it
17:20:51 <hyakuhei> and I’ll write one about this keystone issue too
17:20:56 <tmcpeak> this is the kind of thing gmurphy smashes out in like 10 minutes with breakfast
17:21:30 <tmcpeak> (did I do a good job being motivational?)
17:21:36 <hyakuhei> heroic
17:21:46 <elmiko> lol
17:21:46 <tmcpeak> take the bait gmurphy? :)
17:22:17 <gmurphy> nah.
17:22:33 <tmcpeak> bah, my game is weak
17:22:46 <tmcpeak> anyway how to make notes better seems like a great topic for the summit
17:22:56 <elmiko> +1
17:23:01 <gmurphy> i did put on the agenda for the summit sessions about separating the ossa repo so we can have more control over the security.openstack.org content
17:23:15 <gmurphy> so could also cover this
17:23:22 <tmcpeak> oh cool
17:23:26 <gmurphy> as well
17:23:26 <tmcpeak> where is that agenda anyway?
17:23:33 <tmcpeak> the etherpad
17:23:43 <hyakuhei> #link https://etherpad.openstack.org/p/security-20160331-agenda
17:23:50 <gmurphy> #link https://etherpad.openstack.org/p/security-newton-summit-brainstorm
17:23:53 <tmcpeak> oh sorry, I meant summit sessions
17:23:54 <gmurphy> is where i put some stuff
17:24:18 <tmcpeak> yeah, that's the one
17:24:45 <tmcpeak> all right anything else for notes?
17:24:55 <hyakuhei> Nope
17:25:10 <elmiko> longest notes discussion evar...
17:25:14 <tmcpeak> lol, yeah
17:25:26 <tmcpeak> anybody talk to nkinder lately btw?
17:25:37 <elmiko> not me, sadly
17:25:41 <hyakuhei> :(
17:25:48 <dg____> :(
17:25:52 <tmcpeak> I know he's pretty busy doing manager'y things
17:25:57 <elmiko> i heard from him on email a few days ago, but that's about it
17:26:19 <tmcpeak> all right
17:26:24 <tmcpeak> #topic Summit Sessions
17:26:28 <tmcpeak> probably not much to say here?
17:26:28 <elmiko> tmcpeak: yea, i think he's just up to his eyeballs with internal stuffs
17:26:34 <tmcpeak> we should have some! o/
17:26:42 <elmiko> \o/
17:26:58 <hyakuhei> Definitely should have some :D
17:27:02 <dg____> I would like to propose a session on Threat Analysis and a session on PKI
17:27:07 <hyakuhei> BYOK would be interesting.
17:27:11 <hyakuhei> Do it dg____
17:27:20 <tmcpeak> dg____: yeah we're supposed to do that one with that one project
17:27:20 <elmiko> we have those both in the etherpad
17:27:26 <elmiko> as fishbowls no less
17:27:28 <tmcpeak> I suck with names
17:27:34 <tmcpeak> what was the project we were going to do TA for?
17:27:39 <elmiko> anchor?
17:27:40 <sdake> kolla
17:27:40 <tmcpeak> I wonder if we're still on track to do that...
17:27:43 <tmcpeak> Kolla
17:27:47 <tmcpeak> yeah that's the one
17:27:47 <elmiko> ah, cool
17:27:53 <tmcpeak> sdake that's you, right?
17:27:54 <dg____> yeh...no...
17:27:55 <sdake> kolla has 14 slots at summit
17:27:59 <dg____> TA is a way behind
17:28:01 <sdake> and a full day contributor meetup
17:28:07 <tmcpeak> ooh very cool
17:28:08 <elmiko> sdake: woof, impressive
17:28:17 <sdake> lets burn up one or two of our slots for TA
17:28:22 <tmcpeak> awesome!
17:28:25 <sdake> assuming we want to do that at summit
17:28:27 <tmcpeak> I'm really looking forward to that
17:28:33 <tmcpeak> for sure we do
17:28:34 <sdake> one or two slots needed?
17:28:40 <tmcpeak> how long is a slot?
17:28:44 <sdake> 40 minutes
17:28:46 <hyakuhei> sdake: that’d be cool
17:28:50 <tmcpeak> I'd say two then
17:28:52 <michaelxin> nice
17:28:55 <elmiko> my guess is it could easily run 2 slots
17:28:55 <sdake> another option is friday for the all day contributor meetup
17:29:04 <sdake> ok lets do this, lets use 1 slot
17:29:06 <dg____> that would be my vote
17:29:07 <hyakuhei> could easily run 5 but 2 should be useful.
17:29:08 <michaelxin> Friday will not be good.
17:29:10 <sdake> and then we can use more on friday
17:29:16 <elmiko> hyakuhei: yea, exactly
17:29:19 <sdake> because we have a super packed agenda already
17:29:24 <tmcpeak> ok cool
17:29:29 <elmiko> sdake: +1
17:29:31 <sdake> so the 1 slot will be an intro to threat analysis
17:29:33 <tmcpeak> sdake: you have any luck with architecture diagrams yet?
17:29:35 <sdake> for our team
17:29:47 <tmcpeak> if so we can get an early start on them, would probably make the slot we have more effective
17:29:55 <sdake> tmcpeak overloaded but i promise before summit they will be done to prep for this session
17:30:05 <tmcpeak> sdake: awesome, thank you
17:30:10 <elmiko> i almost feel it's more valuable to spend our time empowering the kolla team to run their own initial TA
17:30:16 <tmcpeak> please let us know in #openstack-security when they are so we can do our homework
17:30:29 <sdake> elmiko the requirements require 3rd party ta
17:30:31 <tmcpeak> elmiko: it's useful to have security people involved I think
17:30:32 <sdake> not self-ta
17:30:33 <elmiko> as a design pattern for how we can do this type of work with other teams
17:30:34 <hyakuhei> sdake: we can help, the earlier the better we can just ask dumb questions.
17:30:55 <sdake> the tagging VMT requirements require third party
17:30:56 <elmiko> sdake: ah, missed that. is that for the tag?
17:31:00 <sdake> i think we can meld that into third party + the project
17:31:03 <sdake> right for the tag
17:31:11 <tmcpeak> if we have one slot maybe we should shoot for people having read the blog post on TA for background first
17:31:21 <elmiko> my feeling is that initial analysis should be done by the team, then handed off to a 3rd party for review
17:31:24 <sdake> provide a link and i'll put it in the agenda
17:31:46 <elmiko> mainly to help overcome the domain knowledge gap
17:31:47 <sdake> elmiko i can bounce that change off the governance repository
17:32:01 <tmcpeak> lol, I can't find any links
17:32:04 <sdake> elmiko if the security team can come together and agree that is the best way to scale
17:32:05 <tmcpeak> one of you have the blog for that?
17:32:14 <elmiko> sdake: oh, i'm fine with the ultimate governor being a third party review, but does the whole thing need to be 3rd party?
17:32:26 <sdake> elmiko as written yes
17:32:30 <elmiko> ah, gotcha
17:32:33 <sdake> so lets fix that if thats what you want
17:32:37 <sdake> governance repo can be changed
17:32:37 <tmcpeak> sdake: that policy is kind of BS ;)
17:32:40 <elmiko> well, i'm curious to hear other's thoughts on this too
17:32:45 <sdake> tmcpeak lets fix it
17:32:52 <tmcpeak> sdake: makes sense
17:32:59 <sdake> tmcpeak can you hold a vote or something to see if the security team wants that model
17:33:03 <tmcpeak> that being said I do like the nudge to actually do a TA before getting a VMT tag
17:33:18 <sdake> where the projects do their own threat analysis and hand off to a third party for review
17:33:23 <hyakuhei> 100%
17:33:41 <sdake> i need irc logs to convince the tc ;-)
17:33:42 <tmcpeak> I don't think most (any?) of the projects have ever done a third party TA
17:33:44 <elmiko> right. but the question here is, do we as a group agree that the initial TA can be done by the team with a 3rd party review for the final tag, is that sufficient?
17:34:04 <sdake> tmcpeak ya many have vmt tags with grandfathered status which is a bunch of bs imo
17:34:09 <sdake> if you want that fixed, vote for me for tc ;)
17:34:10 <tmcpeak> sufficient for what though?  I'm saying this requirement is pretty much pie in the sky
17:34:25 <dg____> yeh i think so
17:34:25 <tmcpeak> oooh, grandfathered
17:34:30 <elmiko> i like the idea of the project teams starting the work, hopefully pointing to the areas *they* think are weak. then an external team reviewing the work and doing a further analysis.
17:34:48 <hyakuhei> elmiko: I don’t think that the TA process is well documented enough yet to expect teams to be able to do it hands-off
17:34:51 <dg____> im a bit wary of fully handing off to project teams, given we havent managed to successfully document a process for performing a TA
17:34:54 <dg____> snap lol
17:34:57 <elmiko> hyakuhei: agreed
17:35:06 <elmiko> we'll need to help get the fire burning
17:35:32 <sdake> i can possibly get a cross project TA session on tuesday
17:35:37 <sdake> where we can discuss how to do that
17:35:38 <tmcpeak> if we're saying "from now on all projects that are new to VMT will have a TA done" sounds legit to me :)
17:35:41 <hyakuhei> cool
17:35:45 <hyakuhei> That would be good
17:35:49 <elmiko> yea, i agree that currently we can't just "hand this off", which is why i like the idea of these early reviews being an opportunity for the ossp to build educational materials about TA
17:35:49 <sdake> no guarantees
17:36:01 <dg____> elmiko +1
17:36:08 <sdake> you tell me what you want, and i'll make it happen ;)
17:36:10 <tmcpeak> elmiko: +1
17:36:25 <sdake> you're the security experts here
17:36:34 <elmiko> for me, the ultimate goal is empowering future teams to start this work on their own, possibly while they are developing their projects
17:37:01 <tmcpeak> sdake: step 1 - architecture diagram(s)  step 2 - have a few security conscious people from your team try to do a TA and ask us for any help in the process  step 3 - security team will review and give the "third party" stamp
17:37:02 <sdake> ok so sounds like we have short term which is we work together to define a ta process
17:37:07 <elmiko> otherwise, i feel we will run into the issues that we've seen with scaling efforts that require a single team to help bless a process.
17:37:10 <ccneill> o/ sorry I'm late! needed to grab some lunch
17:37:17 <tmcpeak> elmiko: +1 - we don't have bandwidth to do reviews for all projects
17:37:22 <elmiko> right
17:37:36 <hyakuhei> We have a TA-light process to some extent
17:37:39 <sdake> tmcpeak right scaling is a problem
17:37:45 <hyakuhei> It’s mainly documented in the Anchor blog at the moment
17:37:54 <elmiko> i really like the idea of doing a session at summit with kolla to help kick this process off, find out what we need to provide, what we will need from teams, etc...
17:37:58 <hyakuhei> +1
17:37:59 <sdake> ok well i think the next step is to get that on docs.openstack.org
17:38:08 <tmcpeak> good point
17:38:12 <sdake> cross project is all projects
17:38:31 <hyakuhei> Yeah it needs to be improved / iterated on first really, which means partnering with a project to develop it
17:38:36 <sdake> title of session would be "VMT threat analysis generation"
17:38:46 <elmiko> this could definitely grow from an ossp skunkworks type thing into a cp spec
17:38:46 <sdake> kolla can be that project
17:39:03 <sdake> just don't ask me to write a cp spec ;)
17:39:04 <tmcpeak> ok so shall we do this as a security session or a Kolla session?
17:39:15 <elmiko> sdake: no, i think we would need to author it
17:39:17 <sdake> i think you said you only have 3 or 4 sessions
17:39:25 <sdake> so lets use a kolla session
17:39:31 <sdake> and a cross project session
17:39:33 <hyakuhei> Kolla have more spare
17:39:36 <hyakuhei> +1 CP
17:39:37 <tmcpeak> ok cool
17:39:38 <sdake> we dont have spare
17:39:42 <sdake> but we have more capacity
17:39:46 <hyakuhei> s/spare//
17:39:49 <sdake> we actually had 25 planned sessions
17:39:55 <elmiko> whoa!
17:39:55 <dg____> wow
17:39:55 <sdake> ;-)
17:40:01 <tmcpeak> so what steps are needed to make sure we can actually pull this off in an organized way at the summit?
17:40:04 <elmiko> well, containers are hot ;)
17:40:25 <sdake> tmcpeak here is my recommendation
17:40:36 <sdake> we add a cross project session tuesday on scaling the VMT threat analysis process
17:40:44 <sdake> kolla sessions are wed/thur
17:40:48 <hyakuhei> I don’t think it’s fair to call it that
17:41:03 <sdake> hyakuhei come up with a better title and i'll use it ;)
17:41:03 <hyakuhei> As the VMT has zero involvement and at the moment no agreement to recognise/leverage TA
17:41:13 <sdake> they do agree to use ta
17:41:19 <sdake> i got that change in the governance repo ;)
17:41:23 <hyakuhei> Whoop!
17:42:12 <tmcpeak> ok sdake this sounds reasonable
17:42:14 <sdake> so is scaling the vmt threat analysis process a fair title then?
17:42:17 <tmcpeak> how do we schedule those sessions?
17:42:27 <tmcpeak> I like it
17:42:27 <sdake> tmcpeak using the cross project wiki
17:42:36 <sdake> tmcpeak i could use ptl help from the security team
17:42:44 <sdake> forgive my ignorance but i'm not sure which one of you is the ptl :)
17:42:48 <hyakuhei> So long as the VMT don’t mind yeah. I mean VMT is part of Security anyway
17:42:51 <tmcpeak> hyakuhei is
17:42:52 <hyakuhei> o/
17:43:03 * elmiko points at hyakuhei
17:43:03 <tmcpeak> I'm just chatty :P
17:43:09 <gmurphy> why not s/vmt/ossp/ ?
17:43:16 <elmiko> good question
17:43:19 <dg____> +1
17:43:22 <michaelxin> +1
17:43:30 <tmcpeak> gmurphy: +1
17:43:35 <sdake> someone write a title down in irc since mine was shot down :)
17:43:40 <hyakuhei> vmt probably has more traction but is probably a little misleading.
17:43:46 <sdake> and i'll work with hyakuhei to make it happen
17:43:54 <tmcpeak> "Scaling the OSSP Threat Analysis Process"
17:44:01 <elmiko> scaling the ossp threat analysis process?
17:44:02 <elmiko> lol
17:44:05 <elmiko> jinx!
17:44:09 <tmcpeak> ;)
17:44:14 <hyakuhei> All The Caps!
17:44:18 <gmurphy> wfm
17:44:36 <sdake> do we need changes to the governance repo to streamline things
17:44:49 <tmcpeak> ok so we do that Tuesday and then have a session with Kolla Weds or Thurs and then possible extended work Friday?
17:44:55 <sdake> or is that a subject for later
17:44:58 <elmiko> i think we should discuss it out at summit first, before making gov. changes
17:44:59 <hyakuhei> Sounds good. So I can probably throw some real time at this on Monday/Tuesday
17:45:02 <sdake> tmcpeak sounds good
17:45:15 <tmcpeak> ok cool
17:45:15 <sdake> elmiko ok sounds good
17:45:25 <hyakuhei> (Refining the process a little as it stands, finishing the anchor documentation)
17:45:33 <tmcpeak> ok cool
17:45:38 <elmiko> i would like to make as many of these sessions as possible, but i have a feeling i will spread thin, yet again....
17:45:39 <tmcpeak> should we put an action item?
17:45:45 <tmcpeak> for sdake and hyakuhei?
17:45:51 <hyakuhei> yup
17:45:55 <sdake> tuesday is ONLY cross project
17:45:59 <sdake> so we dont have to worry about conflicts then
17:46:02 <elmiko> cool
17:46:06 <tmcpeak> #action sdake and hyakuhei to schedule TA sessions at summit
17:46:17 <elmiko> i just saw that sahara and ossp sessions are crossed again =(
17:46:28 <tmcpeak> :(
17:46:52 <elmiko> too many projects syndrome i suppose
17:47:04 <tmcpeak> all right
17:47:10 <tmcpeak> this is going to be good
17:47:14 <tmcpeak> let's run through the rest of the things
17:47:16 <tmcpeak> #topic Anchor
17:47:21 <tmcpeak> dg____: hyakuhei whatup
17:47:24 <sdake> can we get docs on security.openstack.org documenting the ta process
17:47:32 <hyakuhei> sdake: Sure can
17:47:32 <sdake> oops sorry to disrupt
17:47:35 <tmcpeak> sdake: yes for sure
17:47:50 <sdake> if that can happen prior to summit that would help out the cp thing and kolla ta
17:47:50 <tmcpeak> hyakuhei: you OK to take that as well?
17:47:52 <hyakuhei> We need to refine it a little more combine what I’ve written with the docs dg____ has put up in the repo already
17:47:56 <hyakuhei> tmcpeak: sure
17:47:59 <sdake> and our ultimate goal of making governance changes
17:48:00 <tmcpeak> cool
17:48:09 <tmcpeak> #action hyakuhei to get TA process on docs.openstack
17:48:23 <hyakuhei> I’d like TA to eventually become a project maturity tag
17:48:37 <sdake> hyakuhei i think that is what VMT is :)
17:48:45 <elmiko> hyakuhei: that makes sound sense
17:49:03 <sdake> maybe vmt should depend on a ta tag
17:49:14 <tmcpeak> I don't think that's the purpose of VMT but probably a decent side effect ;)
17:49:16 <sdake> these are probably discussions for the cross project session
17:49:17 <elmiko> something to consider, #link https://review.openstack.org/#/c/220712/
17:49:49 <tmcpeak> oh for the sec guide?
17:49:58 <elmiko> any help there is welcomed
17:50:17 <elmiko> that's what is up now, but maybe it should live somewhere else eventually. i think we just decided that sec-guide was a good place to start
17:50:28 <elmiko> plus, now that it's all rst, we can link from anywhere
17:51:08 <tmcpeak> sec guide is mostly for deployers though yeah?
17:51:16 <elmiko> although, maybe that TA is more user facing and less developer facing, should we have 2 sets of TA stuff? (sounds like a lot)
17:51:27 <elmiko> tmcpeak: yea, exactly
17:51:41 <elmiko> i think there is some overlap
17:51:50 <tmcpeak> yeah TA should definitely be done by both
17:52:00 <elmiko> right, but the process will be similar?
17:52:00 <tmcpeak> but the guidance should be different
17:52:07 <tmcpeak> in some ways
17:52:09 <elmiko> ok, i can get that
17:52:17 <tmcpeak> process is the same but the kind of things you're looking at are different I think
17:52:24 <elmiko> we probably need to hash this out more
17:52:28 <tmcpeak> yeah
17:52:32 <elmiko> maybe something on ml?
17:52:43 <tmcpeak> sure
17:52:49 <elmiko> (since we're chewing through valuable meeting time)
17:53:09 <elmiko> ok, i'll put together an email to get the ball rolling
17:53:10 <tmcpeak> ok
17:53:14 <tmcpeak> thanks elmiko
17:53:17 <tmcpeak> ok, not much time so
17:53:18 <tmcpeak> #topic AOB
17:53:19 <hyakuhei> thanks elmiko
17:53:24 <tmcpeak> Bandit is really creeping on 1.0
17:53:29 <hyakuhei> :)
17:53:32 <tmcpeak> I think tkelsey is thinking about this week
17:53:58 <tmcpeak> exciting times!
17:54:02 <browne> looks like we just need to resolve the sahara issue in the integration
17:54:06 <michaelxin> mdong and ccneil are working hard on Syntribos
17:54:15 <mdong> and rahulunair!
17:54:16 <tmcpeak> you guys want to do a Syntribos update?
17:54:20 <elmiko> yup, just waiting on our testing then i'm gonna workflow it
17:54:22 <tmcpeak> I've seen lots of activity in #openstack-security
17:54:50 <mdong> Sure, yeah as you can see from all our spam in #openstack-security we’ve been busy on Syntribos
17:54:55 <michaelxin> We are also talking about adding a broken API with security defects for testing purposes.
17:55:14 <mdong> we’ve gone through our blueprints page
17:55:15 <michaelxin> We have something started
17:55:30 <mdong> and prioritized everything so the community can have a better idea of what we’re working on
17:56:00 <tmcpeak> michaelxin: oh very cool
17:56:04 <tmcpeak> like a Syntribos test bed?
17:56:15 <michaelxin> yes
17:56:22 <tmcpeak> that's a great idea
17:56:36 <michaelxin> It can also be used to educate developers about security coding.
17:56:42 <mdong> we originally wrote it for a workshop here at Rackspace
17:56:43 <elmiko> nice, great idea
17:56:44 <mdong> https://github.com/mattvaldes/vulnerable-api/
17:56:46 <hyakuhei> Good point
17:57:13 <tmcpeak> cool!
17:57:17 <michaelxin> Matthew Valdes started this project.
17:57:24 <michaelxin> We want to add more to this.
17:57:37 <michaelxin> Just want to get you guys's opinion
17:57:56 <elmiko> that vuln list is awesome
17:58:17 <michaelxin> Thanks.
17:58:20 <michaelxin> Need to run.
17:58:28 <hyakuhei> LGTM!
17:58:55 <michaelxin> Ping me at security channel if you want to talk more about this.
17:59:02 <michaelxin> bye
17:59:08 <tmcpeak> awesome
17:59:10 <elmiko> later michaelxin
17:59:11 <tmcpeak> I think that's a wrap
17:59:15 <dg____> kk
17:59:17 <tmcpeak> #endmeeting