17:00:16 <hyakuhei> #startmeeting security
17:00:18 <openstack> Meeting started Thu Apr 14 17:00:16 2016 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:19 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:21 <tkelsey> o/
17:00:22 <openstack> The meeting name has been set to 'security'
17:00:24 <tmcpeak> o/
17:00:26 <hyakuhei> o/
17:00:32 <hyakuhei> #chair tmcpeak
17:00:33 <openstack> Current chairs: hyakuhei tmcpeak
17:00:42 <tmcpeak> hyakuhei: last time we decided we'll use a permanent agenda file
17:00:45 <tmcpeak> makes it easy to keep track
17:00:46 <hyakuhei> #link agenda https://etherpad.openstack.org/p/security-agenda
17:00:51 <hyakuhei> Yup - I mailed the ML about it.
17:00:52 <tmcpeak> yeah that one :)
17:00:56 <tmcpeak> ahh cool
17:01:07 <tmcpeak> I may or may not have declared ML bankruptcy
17:01:11 <hyakuhei> lol
17:01:18 <hyakuhei> Lotus notes man....
17:01:23 <tmcpeak> yeah :'(
17:01:33 <tkelsey> lol fun times
17:01:39 <hyakuhei> bknudson: How do you manage to keep up with the mailing list?
17:01:51 <bknudson> I don't use notes for the mailing list
17:01:56 <tmcpeak> probably spends like 3 hours doing it :P
17:02:06 <browne> o/
17:02:16 <tmcpeak> ahh maybe I should forward to my personal gmail instead
17:02:29 <bknudson> I use gmail and it works
17:02:46 <hyakuhei> there you go tmcpeak
17:02:48 <tmcpeak> bknudson: you wanna go halvesies on a personal exchange server :P
17:02:52 <hyakuhei> lol
17:03:06 <bknudson> I don't want to go anywhere near anything microsoft
17:03:35 <tmcpeak> true, the devil you know I guess
17:03:38 <browne> bknudson: ha do you use windowz
17:03:49 <bknudson> I don't use windows
17:03:57 <tmcpeak> having no outside knowledge I can practically guarantee bknudson does not use Windowz
17:04:21 <ccneill> o/
17:04:26 <hyakuhei> Ouch: http://seclists.org/oss-sec/2016/q2/69
17:04:33 <hyakuhei> That’s actually very nasty.
17:05:15 <bknudson> it's got a boring name
17:05:20 <dg__> o/
17:05:27 <tmcpeak> yikes
17:05:36 <gmurphy> rh - https://bugzilla.redhat.com/page.cgi?id=fields.html#priorityhttps://bugzilla.redhat.com/page.cgi?id=fields.html#priorityhttps://bugzilla.redhat.com/page.cgi?id=fields.html#priority
17:05:36 <gmurphy> low https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity low
17:05:40 <gmurphy> doh
17:05:50 <gmurphy> that was meant to say - priority low, severity low
17:05:55 <tmcpeak> why low? non-standard config?
17:05:57 <gmurphy> according to the bz
17:06:17 <gmurphy> well
17:06:31 <gmurphy> windows
17:06:47 <gmurphy> maybe
17:06:49 <gmurphy> i dunno
17:06:51 <hyakuhei> Host leak.
17:07:02 <tmcpeak> host leaks are bad, mkay?
17:07:24 <hyakuhei> lol yeah. The TPR was built to make win32 VMs play nice but I imagine anything can abuse it
17:08:05 <tmcpeak> btw I'm not going to be around next two weeks, PTO then summit things
17:08:14 <tmcpeak> I assume we aren't having a meeting summit week anyway huh?
17:08:38 <hyakuhei> I was going to suggest that
17:08:50 <hyakuhei> Might as well start with the periodicals.
17:08:57 <hyakuhei> #topic Summit
17:09:47 <tmcpeak> sdake: scored you that VMT session, or something, yeah?
17:09:49 <hyakuhei> Ok, so first up, I have no idea if I’ll have budget for a team meal or not - sorry
17:10:02 <hyakuhei> tmcpeak: Yeah he’s got some TA stuff lined up
17:10:05 <sdake> tmcpeak we worked together on scoring it
17:10:07 <tmcpeak> awesome
17:10:09 <hyakuhei> I want to polish the TA stuff
17:10:31 <gmurphy> https://www.openstack.org/summit/austin-2016/summit-schedule/events/9476?goback=1
17:10:35 <hyakuhei> At the moment there’s the stuff dg__ has in review and there’s the stuff I blogged about / we captured at the mid-cycle but it’s all disjoint.
17:10:38 <sdake> hyakuhei you have a cross project session at summit on tuesday you're leading
17:10:44 <sdake> hyakuhei in case you weren't aware ;)
17:10:54 <hyakuhei> I was but thanks for the link :D
17:11:03 <hyakuhei> #action everyone - attend that !
17:11:25 <michaelxin1> Will be there for sure
17:11:38 <bknudson> added it to my calendar
17:11:43 <hyakuhei> Excellent!
17:11:46 <dg__> hyakuhei I proposed a fishbowl session on the TA, to try and define a process. Or we can do it on the plane
17:11:58 <hyakuhei> both
17:12:24 <dg__> kk
17:12:38 <hyakuhei> Ok, is everyone happy to cancel the Security IRC meeting next week?
17:12:43 <gmurphy> any other sessions being run?
17:12:47 <ccneill> sure, I'll be out on PTO too
17:12:48 <tmcpeak> +1
17:12:50 <ccneill> +1
17:13:02 <michaelxin1> +1
17:13:09 <browne> +1
17:13:10 <hyakuhei> Excellent, I’ll mail something out a little later
17:13:16 <NotDrunk> +1
17:13:20 <hyakuhei> for those who actually read the ml…. tmcpeak ....
17:13:40 <tmcpeak> I'll need to have bknudson explain his dark art
17:13:51 <hyakuhei> Ok nothing else on the topical agenda so we’ll move onto the standing items
17:13:56 <hyakuhei> #topic Anchor
17:14:33 <hyakuhei> Nothing new here that I’ve seen. I was hoping we might work with the Magnum guys on some of their problems but they’re focussed on either Barbican/Keystone so meh. No big code changes that I’m aware of.
17:15:43 <hyakuhei> tkelsey: anything to add?
17:16:02 <tkelsey> nothing from me
17:16:16 <hyakuhei> #topic Bandit
17:16:42 <tkelsey> so there is this: #link https://review.openstack.org/#/c/301847/
17:17:21 <tkelsey> and also designate is the first project to use the new no-config bandit
17:17:27 <tmcpeak> I think we should JFDI
17:17:27 <browne> yeah, once we're on 1.0.1 minimum, we can do easier things in other projects
17:17:27 <tkelsey> https://review.openstack.org/#/c/302234/ just merged
17:17:38 <hyakuhei> weeee
17:17:44 <hyakuhei> Good work
17:18:19 <tkelsey> thats all I have on bandit :)
17:18:35 <michaelxin> good job
17:18:51 <ccneill> haha I like that they posted this on the CR
17:18:53 <ccneill> https://media.giphy.com/media/oit9mu0v5LqzC/giphy.gif
17:18:53 <tmcpeak> what we doing for the summit on Bandit?
17:19:18 <browne> at the summit, let's discuss the symbol table at least
17:19:51 <tmcpeak> browne: cool, we can do that
17:20:01 <tmcpeak> are we going to do anything for outreach?
17:20:19 <hyakuhei> There’s nothing explicit though one of the work sessions was tagged for Bandit IIRC
17:20:19 <hyakuhei> https://www.dropbox.com/s/omovd97n681a43t/Screenshot%202016-04-14%2018.19.42.png?dl=0
17:20:27 <hyakuhei> I’ll have some bandit in my talk too
17:20:54 <tmcpeak> sweet
17:20:58 <tmcpeak> say nice things :P
17:21:09 <tmcpeak> NETSPLIT!
17:21:40 <hyakuhei> boom!
17:22:01 <tkelsey> humm fun
17:22:24 <tmcpeak> Syntribos?
17:22:26 <hyakuhei> Well, next on the agenda would be docs
17:22:37 <hyakuhei> but sicarie just netsplit and elmiko is away today
17:22:43 <hyakuhei> #topic Syntribos
17:22:46 <tmcpeak> maybe makes sense to do projects, then doc-y things in agendas going forward
17:22:59 <michaelxin> sounds good
17:23:02 <hyakuhei> +1
17:23:17 <michaelxin> ccneill: mdong: your turn
17:23:25 <ccneill> kewl
17:23:47 <ccneill> so I started playing around with the sphinx docs I've been working on
17:23:54 <ccneill> and managed to get it flattened and on Github pages
17:24:05 <ccneill> http://cneill.github.io/syntribos-docs/
17:24:24 <ccneill> what I'd *really* like though is to have a permanent home for it
17:24:57 <ccneill> does anyone know the process for getting this on openstack.org / have recommendations for how to lay out these docs? elmiko already got us started (thank you again!), but I'm definitely not a docs expert
17:25:08 <ccneill> http://cneill.github.io/syntribos-docs/code-docs.html
17:25:09 <tkelsey> well there is a way to hook up a docs job to make openstack docs
17:25:13 <ccneill> this is the main part I'm working on right now
17:25:28 <tkelsey> take a look at bandits tox for an example
17:25:32 <tmcpeak> +1 what tkelsey said
17:25:33 <ccneill> cool, will do
17:25:41 <hyakuhei> So you want something like http://docs.openstack.org/developer/anchor/
17:25:41 <tmcpeak> you just add a docs publish template or something
17:25:43 <hyakuhei> ?
17:25:57 <ccneill> hyakuhei: yep, that would be awesome
17:26:21 <ccneill> I'll take a look at bandit and if I can't figure it out I might bug y'all about it later
17:26:28 <tkelsey> heh, hyakuhei beat me to it #link http://docs.openstack.org/developer/bandit/
17:26:37 <hyakuhei> Yeah, it’s just a few infra changes iirc.
17:26:41 <michaelxin> nice
17:26:44 <ccneill> other things... we're working on getting results formatted in a way that can be consumed by automation rather than manual reading
17:27:05 <hyakuhei> excellent
17:27:10 <ccneill> I believe this is the closest representation of what it's shaping up to look like
17:27:13 <ccneill> https://gist.github.com/MCDong/1cc3775d2e43381bc55072df1a43b375
17:27:37 <mdong> or, less messily
17:27:37 <mdong> https://gist.github.com/MCDong/9969351647c06f7ab67ab7d954e6cd66
17:27:39 <ccneill> we've stopped working on XUnit output for the moment since no one's really asked for it, and it's gonna require a little more creative thinking in terms of fitting our testing methodology into their TestSuite/TestCase/failure/etc. buckets
17:27:44 <tmcpeak> looks good
17:27:46 <ccneill> ah yes, thanks mdong
17:27:54 <ccneill> much clearer :)
17:27:59 <michaelxin> For resources, we did get another developer from Intel committed.
17:28:07 <ccneill> shweet
17:28:12 <tmcpeak> wow, so what's your total count?
17:28:12 <michaelxin> He will start working on the project in two weeks
17:28:17 <ccneill> 4 now
17:28:21 <tmcpeak> noice!
17:28:25 <michaelxin> 2 now
17:28:29 <michaelxin> 4 in two weeks
17:28:47 <michaelxin> They are in a three-week training session
17:28:57 <ccneill> yeah, mdong and I are kinda the skeleton crew right now haha
17:29:09 <tmcpeak> 3 week training? rax don't mess around :P
17:29:15 <ccneill> nah it's Intel
17:29:18 <browne> i would be interested.  i might be able to help out
17:29:22 <tmcpeak> ahh
17:29:23 <ccneill> they're learning about deploying a full OpenStack instance I believe
17:29:26 <michaelxin> browne: +1
17:29:28 <michaelxin> Thanks
17:29:46 <ccneill> so he'll be our go-to guy on all the projects that we ultimately want to test :D
17:30:02 <michaelxin> That should wrap up for syntribos
17:30:03 <tmcpeak> that's cool, useful to have around
17:30:25 <ccneill> let us know if you guys have any thoughts on the output of results - we've debated it a lot, but nothing's 100% set in stone yet
17:30:44 <ccneill> trying to walk the line of being OpenStack-specific but still generally useful
17:30:59 <hyakuhei> ccneill: LGTM
17:31:13 <ccneill> shweet
17:31:19 <ccneill> I think that's it for us
17:31:43 <hyakuhei> Great!
17:31:50 <hyakuhei> #topic OSSN
17:32:03 <hyakuhei> So I’ve got two in the works. One public, one private
17:32:17 <tmcpeak> what a beast
17:32:29 <hyakuhei> Be nice to clear out the queue though
17:32:37 <hyakuhei> #link https://review.openstack.org/#/c/300091/
17:32:47 <michaelxin> gee
17:32:50 <michaelxin> +1
17:33:41 <hyakuhei> #link https://bugs.launchpad.net/ossn
17:34:06 <michaelxin> I am working on https://bugs.launchpad.net/trove/+bug/1507841
17:34:07 <openstack> Launchpad bug 1507841 in OpenStack Security Notes "mongodb guest instance allows any user to connect" [Undecided,New] - Assigned to Michael Xin (michael-xin)
17:34:24 <hyakuhei> Thanks michaelxin !
17:34:54 <hyakuhei> So I think that means there’s only one not in progress
17:34:56 <michaelxin> The only remaining issue is that the developer never responded about whether other versions will be impacted or not.
17:35:02 <hyakuhei> https://bugs.launchpad.net/ossn/+bug/1553324
17:35:02 <openstack> Launchpad bug 1553324 in OpenStack Security Advisory "potential DOS with revoke by id or audit_id" [Undecided,Incomplete]
17:35:38 <tmcpeak> this is an interesting one to write
17:35:40 <hyakuhei> michaelxin: When it’s almost ready, if the developer doesn’t respond just send a link to the ML saying the OSSN is ready but needs signoff from [team] - that normally gets a bunch of super helpful -1’s
17:35:43 <tmcpeak> we've danced around rate limiting for a while
17:35:50 <hyakuhei> Yeah it's a mess
17:35:53 <michaelxin> hyakuhei: Got it.
17:35:56 <hyakuhei> Everyone punts on it
17:36:01 <tmcpeak> I'm not sure what the answer should be
17:36:43 <ccneill> looks like he's in the channel right now michaelxin :)
17:37:19 <tmcpeak> I'll think on this a while and if I come up with good guidance I'll take a shot
17:37:42 <hyakuhei> Rate limiting might be something to discuss @summit
17:37:44 <tmcpeak> honestly a central rate limiting service in oslo makes the most sense to me
17:37:48 <tmcpeak> hyakuhei: +1 I think so
17:38:10 <tmcpeak> it's the kind of thing that if it isn't centralized every service ends up doing their own
17:38:15 <tmcpeak> is also the kind of thing security should spearhead
17:38:41 <hyakuhei> tmcpeak: I’m not sure about oslo
17:38:47 <tmcpeak> how come?
17:38:50 <tmcpeak> not the right place?
17:38:51 <hyakuhei> I mean, most services shouldn’t be fronting themselves
17:38:55 <gmurphy> umm.. no. you don't do rate limiting in python code.
17:38:58 <michaelxin> a central place with policy that might override if needed
17:39:02 <hyakuhei> Most should be using apache/nginx/whatever
17:39:16 <michaelxin> or Repose
17:39:31 <ccneill> http://www.openrepose.org/
17:39:32 <hyakuhei> So for simple rest rate limiting I think what’s needed is some guidance / boilerplate
17:39:47 <tmcpeak> gmurphy: why no rate limiting in Python?
17:39:50 <michaelxin> http://www.openrepose.org/
17:39:53 <tmcpeak> needs to be lower level?
17:39:55 <bknudson> I assume haproxy can do rate limiting
17:39:58 <bknudson> nginx
17:40:03 <gmurphy> yeah haproxy etc should be doing dis
17:40:05 <gmurphy> too slow
17:40:08 <ccneill> Repose might not be the optimal solution, but it might be one thing we could document for a few use cases
17:40:09 <tmcpeak> ahh
17:40:25 <hyakuhei> For other rate limiting (like limiting the impact of X number of things that cause internal load multiplication) then perhaps there’s scope for something more “in” openstack
17:40:28 <michaelxin> Repose is Rackspace's solution for rate limiting and other features and we open sourced it
17:40:33 <tmcpeak> well it does seem like the kind of thing we should discuss at the summit then
17:40:52 <tmcpeak> get some worldwide experts like gmurphy in there to sort us out :P
17:41:19 <gmurphy> nah
17:41:23 <tmcpeak> :P
17:41:24 <gmurphy> i'll be at the bar
17:41:36 <hyakuhei> gmurphy: where all the real work gets done
17:41:43 <gmurphy> ;-)
17:41:57 <tmcpeak> we can do it in the morning between when you leave the bar the night before and when you go to the bar early in the afternoon :)
17:42:25 <hyakuhei> ok let's roll on
17:42:28 <gmurphy> indeed
17:42:36 <hyakuhei> #topic Publicity
17:42:44 <hyakuhei> #link https://etherpad.openstack.org/p/security-raising-profile
17:42:53 <tmcpeak> I haven't done anything, been dropping the ball
17:42:58 <hyakuhei> So my summit talk has changed for reasons I’ll go into shortly.
17:43:28 <hyakuhei> So I’ll be doing an OSSP talk
17:43:38 <tmcpeak> ahh interesting
17:43:42 <hyakuhei> Which will borrow from the publicity stuff
17:43:48 <tmcpeak> how can we help?
17:43:50 <hyakuhei> but also hopefully have some short, pretty demos
17:43:56 <hyakuhei> #link https://www.openstack.org/summit/austin-2016/summit-schedule/events/7957?goback=1
17:43:59 <tmcpeak> you going to use the deck?
17:44:06 <hyakuhei> Yes, the clickbait does make me feel bad
17:44:19 <hyakuhei> tmcpeak: I’ll either use it or contribute back what I write for the summit to the deck
17:44:26 <tmcpeak> cool
17:44:29 <hyakuhei> Which is how we got the nice big Anchor deck
17:45:33 <tmcpeak> I assume the reason you've changed topics is bc OpenStack is so secure you can't haz root :)
17:46:04 <hyakuhei> tmcpeak: yup
17:46:13 <hyakuhei> Turns out it’s hardened to fsck.
17:46:13 <tmcpeak> sweet, mission accomplished
17:46:18 <tmcpeak> looool
17:46:18 <hyakuhei> :D
17:46:25 <tmcpeak> somebody needs to put that on the website somewhere
17:46:29 <hyakuhei> Last item of business. Disband OSSP. Job done.
17:46:49 <ccneill> lolol
17:46:49 <hyakuhei> So yeah, I’m guessing not much else on publicity
17:46:53 <ccneill> party's over
17:46:58 <hyakuhei> lol
17:47:03 <hyakuhei> #topic Blog
17:47:19 <hyakuhei> I want to get more down about TA so that Doug and I can compare our various scribbles before the summit
17:48:06 <tkelsey_> erg did i net split?
17:48:12 <tmcpeak1> something happened to me too
17:48:38 <hyakuhei> hmmm.
17:48:42 <hyakuhei> welcome back :D
17:49:06 <hyakuhei> #topic Threat analysis
17:49:27 <tmcpeak1> why you switch your preso?
17:49:39 <hyakuhei> So I’m not sure there’s much more to say other than I want to document a bit more on the blog, after which Doug and I need to smash the stuff together and push it around
17:49:46 <hyakuhei> #topic AOB
17:49:58 <hyakuhei> So to answer your question tmcpeak
17:50:07 <hyakuhei> I’m moving to IBM, as of Monday.
17:50:39 <hyakuhei> My talk, in its current format, wouldn’t be suitable to give
17:50:41 <bknudson> finally joining the dark side
17:50:41 <tmcpeak1> small world :)
17:50:47 <hyakuhei> neither HPE nor IBM would approve
17:50:53 <tmcpeak1> ahh interesting
17:50:53 <browne> what??? wow
17:51:15 <hyakuhei> So I spoke to the track chairs and the organisers and as I had a talk (OSSP) listed as an alternate we just swapped them
17:51:15 <ccneill> :o
17:51:16 <bknudson> I really should get a bonus for convincing you guys to come to ibm.
17:51:34 <browne> ibm must be paying the big bucks now
17:51:41 <hyakuhei> bknudson: you really should just get a bonus.
17:51:44 <hyakuhei> for being bknudson
17:52:00 <hyakuhei> they certainly pay some bucks.
17:52:12 <hyakuhei> At least, I hope they do. Didn’t really come up in conversation.
17:52:25 <hyakuhei> Wow netsplit city.
17:52:32 <hyakuhei> Anyway yes, that’s my big exciting news
17:52:33 <tkelsey> heh yeah :-/
17:52:51 <bknudson> still working on security?
17:52:53 <tmcpeak1> welcome aboard :)
17:52:59 <tkelsey> :-/ to the net split :) to the big news lol
17:53:02 <tmcpeak1> nah, hyakuhei got a marketing gig
17:53:12 <bknudson> that's where hyakuhei belongs.
17:53:18 <tmcpeak1> +1
17:53:21 <hyakuhei> bknudson: Still cloud, still openstack, still security :)
17:54:48 <tmcpeak1> look forward to seeing a bunch of you at summit then
17:54:57 <tmcpeak1> hyakuhei: let us know if we can help with your deck or the TA stuff
17:55:26 <hyakuhei> Cheers
17:55:46 <hyakuhei> So briefly
17:55:50 <hyakuhei> #link https://www.mail-archive.com/openstack-dev@lists.openstack.org/msg80864.html may be interesting
17:55:54 <hyakuhei> if you didn’t already see it
17:56:31 <tmcpeak1> interesting
17:56:34 <bknudson> we've always had the credentials backend that I don't know what anyone was using it for.
17:56:39 <bknudson> other than ec2 tokens
17:56:43 <tmcpeak1> bknudson: is it any good?
17:56:48 <hyakuhei> It’s a bit messy iirc
17:56:51 <bknudson> it's essentially a key-value store
17:57:08 <ccneill> <_> just another day in "but what if we did it ANOTHER way" land..
17:57:24 <tmcpeak1> ccneill: +1
17:57:37 <hyakuhei> lol
17:57:43 <hyakuhei> coming up on time...
17:58:03 <tmcpeak1> good meeting all
17:58:20 <hyakuhei> See y’all at the summit!
17:58:21 <tmcpeak1> see a bunch of you in BBQ land
17:58:29 <ccneill> see y'all in a few weeks! enjoy the summit, sorry I won't be there :(
17:58:36 <hyakuhei> #endmeeting