17:00:16 #startmeeting security
17:00:18 Meeting started Thu Apr 14 17:00:16 2016 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:19 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:21 o/
17:00:22 The meeting name has been set to 'security'
17:00:24 o/
17:00:26 o/
17:00:32 #chair tmcpeak
17:00:33 Current chairs: hyakuhei tmcpeak
17:00:42 hyakuhei: last time we decided we'll use a permanent agenda file
17:00:45 makes it easy to keep track
17:00:46 #link agenda https://etherpad.openstack.org/p/security-agenda
17:00:51 Yup - I mailed the ML about it.
17:00:52 yeah that one :)
17:00:56 ahh cool
17:01:07 I may or may not have declared ML bankruptcy
17:01:11 lol
17:01:18 Lotus notes man....
17:01:23 yeah :'(
17:01:33 lol fun times
17:01:39 bknudson: How do you manage to keep up with the mailing list?
17:01:51 I don't use notes for the mailing list
17:01:56 probably spends like 3 hours doing it :P
17:02:06 o/
17:02:16 ahh maybe I should forward to my personal gmail instead
17:02:29 I use gmail and it works
17:02:46 there you go tmcpeak
17:02:48 bknudson: you wanna go halvesies on a personal exchange server :P
17:02:52 lol
17:03:06 I don't want to go anywhere near anything microsoft
17:03:35 true, the devil you know I guess
17:03:38 bknudson: ha do you use windowz
17:03:49 I don't use windows
17:03:57 having no outside knowledge I can practically guarantee bknudson does not use Windowz
17:04:21 o/
17:04:26 Ouch: http://seclists.org/oss-sec/2016/q2/69
17:04:33 That’s actually very nasty.
17:05:15 it's got a boring name
17:05:20 o/
17:05:27 yikes
17:05:36 rh - https://bugzilla.redhat.com/page.cgi?id=fields.html#priorityhttps://bugzilla.redhat.com/page.cgi?id=fields.html#priorityhttps://bugzilla.redhat.com/page.cgi?id=fields.html#priority
17:05:36 low https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity low
17:05:40 doh
17:05:50 that was meant to say - priority low, severity low
17:05:55 why low? non-standard config?
17:05:57 according to the bz
17:06:17 well
17:06:31 windows
17:06:47 maybe
17:06:49 i dunno
17:06:51 Host leak.
17:07:02 host leaks are bad, mkay?
17:07:24 lol yeah. The TPR was built to make win32 VMs play nice but I imagine anything can abuse it
17:08:05 btw I'm not going to be around next two weeks, PTO then summit things
17:08:14 I assume we aren't having a meeting summit week anyway huh?
17:08:38 I was going to suggest that
17:08:50 Might as well start with the periodicals.
17:08:57 #topic Summit
17:09:47 sdake: scored you that VMT session, or something, yeah?
17:09:49 Ok, so first up, I have no idea if I’ll have budget for a team meal or not - sorry
17:10:02 tmcpeak: Yeah he’s got some TA stuff lined up
17:10:05 tmcpeak we worked together on scoring it)
17:10:07 awesome
17:10:09 I want to polish the TA stuff
17:10:31 https://www.openstack.org/summit/austin-2016/summit-schedule/events/9476?goback=1
17:10:35 At the moment there’s the stuff dg__ has in review and there’s the stuff I blogged about / we captured at the mid-cycle but it’s all disjoint.
17:10:38 hyakuhei you have a cross project session at summit on tuesday you're leading
17:10:44 hyakuhei in case you weren't aware ;)
17:10:54 I was but thanks for the link :D
17:11:03 #action everyone - attend that !
17:11:25 Will be there for sure
17:11:38 added it to my calendar
17:11:43 Excellent!
17:11:46 hyakuhei I proposed a fishbowl session on the TA, to try and define a process. Or we can do it on the plane
17:11:58 both
17:12:24 kk
17:12:38 Ok, is everyone happy to cancel the Security IRC meeting next week?
17:12:43 any other sessions being run?
17:12:47 sure, I'll be out on PTO too
17:12:48 +1
17:12:50 +1
17:13:02 +1
17:13:09 +1
17:13:10 Excellent, I’ll mail something out a little later
17:13:16 +1
17:13:20 for those who actually read the ml…. tmcpeak ....
17:13:40 I'll need to have bknudson explain his dark art
17:13:51 Ok nothing else on the topical agenda so we’ll move onto the standing items
17:13:56 #topic Anchor
17:14:33 Nothing new here that I’ve seen. I was hoping we might work with the Magnum guys on some of their problems but they’re focussed on either Barbican/Keystone so meh. No big code changes that I’m aware of.
17:15:43 tkelsey: anything to add?
17:16:02 nothing from me
17:16:16 #topic Bandit
17:16:42 so there is this: #link https://review.openstack.org/#/c/301847/
17:17:21 and also designate is the first project to use the new no-config bandit
17:17:27 I think we should JFDI
17:17:27 yeah, once we're on 1.0.1 minimum, we can do easier things in other projects
17:17:27 https://review.openstack.org/#/c/302234/ just merged
17:17:38 weeee
17:17:44 Good work
17:18:19 that's all I have on bandit :)
17:18:35 good job
17:18:51 haha I like that they posted this on the CR
17:18:53 https://media.giphy.com/media/oit9mu0v5LqzC/giphy.gif
17:18:53 what we doing for the summit on Bandit?
17:19:18 at the summit, let's discuss the symbol table at least
17:19:51 browne: cool, we can do that
17:20:01 are we going to do anything for outreach?
17:20:19 There’s nothing explicit though one of the work sessions was tagged for Bandit IIRC
17:20:19 https://www.dropbox.com/s/omovd97n681a43t/Screenshot%202016-04-14%2018.19.42.png?dl=0
17:20:27 I’ll have some bandit in my talk too
17:20:54 sweet
17:20:58 say nice things :P
17:21:09 NETSPLIT!
17:21:40 boom!
17:22:01 humm fun
17:22:24 Syntribos?
17:22:26 Well, next on the agenda would be docs
17:22:37 but sicarie just netsplit and elmiko is away today
17:22:43 #topic Syntribos
17:22:46 maybe makes sense to do projects, then doc-y things in agendas going forward
17:22:59 sounds good
17:23:02 +1
17:23:17 ccneill: mdong: your turn
17:23:25 kewl
17:23:47 so I started playing around with the sphinx docs I've been working on
17:23:54 and managed to get it flattened and on Github pages
17:24:05 http://cneill.github.io/syntribos-docs/
17:24:24 what I'd *really* like though is to have a permanent home for it
17:24:57 does anyone know the process for getting this on openstack.org / have recommendations for how to lay out these docs? elmiko already got us started (thank you again!), but I'm definitely not a docs expert
17:25:08 http://cneill.github.io/syntribos-docs/code-docs.html
17:25:09 well there is a way to hook up a docs job to make openstack docs
17:25:13 this is the main part I'm working on right now
17:25:28 take a look at bandit's tox for an example
17:25:32 +1 what tkelsey said
17:25:33 cool, will do
17:25:41 So you want something like http://docs.openstack.org/developer/anchor/
17:25:41 you just add a docs publish template or something
17:25:43 ?
17:25:57 hyakuhei: yep, that would be awesome
17:26:21 I'll take a look at bandit and if I can't figure it out I might bug y'all about it later
17:26:28 heh, hyakuhei beat me to it #link http://docs.openstack.org/developer/bandit/
17:26:37 Yeah, it’s just a few infra changes iirc.
17:26:41 nice
17:26:44 other things... we're working on getting results formatted in a way that can be consumed by automation rather than manual reading
17:27:05 excellent
17:27:10 I believe this is the closest representation of what it's shaping up to look like
17:27:13 https://gist.github.com/MCDong/1cc3775d2e43381bc55072df1a43b375
17:27:37 or, less messily
17:27:37 https://gist.github.com/MCDong/9969351647c06f7ab67ab7d954e6cd66
17:27:39 we've stopped working on XUnit output for the moment since no one's really asked for it, and it's gonna require a little more creative thinking in terms of fitting our testing methodology into their TestSuite/TestCase/failure/etc. buckets
17:27:44 looks good
17:27:46 ah yes, thanks mdong
17:27:54 much clearer :)
17:27:59 For resources, we did get another developer from Intel committed.
17:28:07 shweet
17:28:12 wow, so what's your total count?
17:28:12 He will start working on the project in two weeks
17:28:17 4 now
17:28:21 noice!
17:28:25 2 now
17:28:29 4 in two weeks
17:28:47 They are in a three week training session
17:28:57 yeah, mdong and I are kinda the skeleton crew right now haha
17:29:09 3 week training? rax don't mess around :P
17:29:15 nah it's Intel
17:29:18 i would be interested. i might be able to help out
17:29:22 ahh
17:29:23 they're learning about deploying a full OpenStack instance I believe
17:29:26 browne: +1
17:29:28 Thanks
17:29:46 so he'll be our go-to guy on all the projects that we ultimately want to test :D
17:30:02 That should wrap up for syntribos
17:30:03 that's cool, useful to have around
17:30:25 let us know if you guys have any thoughts on the output of results - we've debated it a lot, but nothing's 100% set in stone yet
17:30:44 trying to walk the line of being OpenStack-specific but still generally useful
17:30:59 ccneill: LGTM
17:31:13 shweet
17:31:19 I think that's it for us
17:31:43 Great!
17:31:50 #topic OSSN
17:32:03 So I’ve got two in the works. One public, one private
17:32:17 what a beast
17:32:29 Be nice to clear out the queue though
17:32:37 #link https://review.openstack.org/#/c/300091/
17:32:47 gee
17:32:50 +1
17:33:41 #link https://bugs.launchpad.net/ossn
17:34:06 I am working on https://bugs.launchpad.net/trove/+bug/1507841
17:34:07 Launchpad bug 1507841 in OpenStack Security Notes "mongodb guest instance allows any user to connect" [Undecided,New] - Assigned to Michael Xin (michael-xin)
17:34:24 Thanks michaelxin !
17:34:54 So I think that means there’s only one not in progress
17:34:56 The only remaining issue is that the developer never responded about whether other versions will be impacted or not.
17:35:02 https://bugs.launchpad.net/ossn/+bug/1553324
17:35:02 Launchpad bug 1553324 in OpenStack Security Advisory "potential DOS with revoke by id or audit_id" [Undecided,Incomplete]
17:35:38 this is an interesting one to write
17:35:40 michaelxin: When it’s almost ready, if the developer doesn’t respond just send a link to the ML saying the OSSN is ready but needs signoff from [team] - that normally gets a bunch of super helpful -1’s
17:35:43 we've danced around rate limiting for a while
17:35:50 Yeah it's a mess
17:35:53 hyakuhei: Got it.
17:35:56 Everyone punts on it
17:36:01 I'm not sure what the answer should be
17:36:43 looks like he's in the channel right now michaelxin :)
17:37:19 I'll think on this a while and if I come up with good guidance I'll take a shot
17:37:42 Rate limiting might be something to discuss @summit
17:37:44 honestly a central rate limiting service in oslo makes the most sense to me
17:37:48 hyakuhei: +1 I think so
17:38:10 it's the kind of thing that if it isn't centralized every service ends up doing their own
17:38:15 is also the kind of thing security should spearhead
17:38:41 tmcpeak: I’m not sure about oslo
17:38:47 how come?
17:38:50 not the right place?
17:38:51 I mean, most services shouldn’t be fronting themselves
17:38:55 umm.. no. you don't do rate limiting in python code.
17:38:58 a central place with policy that might override if needed
17:39:02 Most should be using apache/nginx/whatever
17:39:16 or Repose
17:39:31 http://www.openrepose.org/
17:39:32 So for simple rest rate limiting I think what’s needed is some guidance / boilerplate
17:39:47 gmurphy: why no rate limiting in Python?
17:39:50 http://www.openrepose.org/
17:39:53 needs to be lower level?
17:39:55 I assume haproxy can do rate limiting
17:39:58 nginx
17:40:03 yeah haproxy etc should be doing dis
17:40:05 too slow
17:40:08 Repose might not be the optimal solution, but it might be one thing we could document for a few use cases
17:40:09 ahh
17:40:25 For other rate limiting (like limiting the impact of X number of things that cause internal load multiplication) then perhaps there’s scope for something more “in” openstack
17:40:28 Repose is Rackspace's solution for rate limiting and other features and we open sourced it
17:40:33 well it does seem like the kind of thing we should discuss at the summit then
17:40:52 get some worldwide experts like gmurphy in there to sort us out :P
17:41:19 nah
17:41:23 :P
17:41:24 i'll be at the bar
17:41:36 gmurphy: where all the real work gets done
17:41:43 ;-)
17:41:57 we can do it in the morning between when you leave the bar the night before and when you go to the bar early in the afternoon :)
17:42:25 ok lets roll on
17:42:28 indeed
17:42:36 #topic Publicity
17:42:44 #link https://etherpad.openstack.org/p/security-raising-profile
17:42:53 I haven't done anything, been dropping the ball
17:42:58 So my summit talk has changed for reasons I’ll go into shortly.
17:43:28 So I’ll be doing an OSSP talk
17:43:38 ahh interesting
17:43:42 Which will borrow from the publicity stuff
17:43:48 how can we help?
17:43:50 but also hopefully have some short, pretty demos
17:43:56 #link https://www.openstack.org/summit/austin-2016/summit-schedule/events/7957?goback=1
17:43:59 you going to use the deck?
17:44:06 Yes, the clickbait does make me feel bad
17:44:19 tmcpeak: I’ll either use it or contribute back what I write for the summit to the deck
17:44:26 cool
17:44:29 Which is how we got the nice big Anchor deck
17:45:33 I assume the reason you've changed topics is bc OpenStack is so secure you can't haz root :)
17:46:04 tmcpeak: yup
17:46:13 Turns out it’s hardened to fsck.
17:46:13 sweet, mission accomplished
17:46:18 looool
17:46:18 :D
17:46:25 somebody needs to put that on the website somewhere
17:46:29 Last item of business. Disband OSSP. Job done.
17:46:49 lolol
17:46:49 So yeah, I’m guessing not much else on publicity
17:46:53 party's over
17:46:58 lol
17:47:03 #topic Blog
17:47:19 I want to get more down about TA so that Doug and I can compare our various scribbles before the summit
17:48:06 erg did I net split?
17:48:12 something happened to me too
17:48:38 hmmm.
17:48:42 welcome back :D
17:49:06 #topic Threat analysis
17:49:27 why you switch your preso?
17:49:39 So I’m not sure there’s much more to say other than I want to document a bit more on the blog, after which Doug and I need to smash the stuff together and push it around
17:49:46 #topic AOB
17:49:58 So to answer your question tmcpeak
17:50:07 I’m moving to IBM, as of Monday.
17:50:39 My talk, in its current format, wouldn’t be suitable to give
17:50:41 finally joining the dark side
17:50:41 small world :)
17:50:47 neither HPE nor IBM would approve
17:50:53 ahh interesting
17:50:53 what??? wow
17:51:15 So I spoke to the track chairs and the organisers and as I had a talk (OSSP) listed as an alternate we just swapped them
17:51:15 :o
17:51:16 I really should get a bonus for convincing you guys to come to ibm.
17:51:34 ibm must be paying the big bucks now
17:51:41 bknudson: you really should just get a bonus.
17:51:44 for being bknudson
17:52:00 they certainly pay some bucks.
17:52:12 At least, I hope they do. Didn’t really come up in conversation.
17:52:25 Wow netsplit city.
17:52:32 Anyway yes, that’s my big exciting news
17:52:33 heh yeah :-/
17:52:51 still working on security?
17:52:53 welcome aboard :)
17:52:59 :-/ to the net split :) to the big news lol
17:53:02 nah, hyakuhei got a marketing gig
17:53:12 that's where hyakuhei belongs.
17:53:18 +1
17:53:21 bknudson: Still cloud, still openstack, still security :)
17:54:48 look forward to seeing a bunch of you at summit then
17:54:57 hyakuhei: let us know if we can help with your deck or the TA stuff
17:55:26 Cheers
17:55:46 So briefly
17:55:50 #link https://www.mail-archive.com/openstack-dev@lists.openstack.org/msg80864.html may be interesting
17:55:54 if you didn’t already see it
17:56:31 interesting
17:56:34 we've always had the credentials backend that I don't know what anyone was using it for.
17:56:39 other than ec2 tokens
17:56:43 bknudson: is it any good?
17:56:48 It’s a bit messy iirc
17:56:51 it's essentially a key-value store
17:57:08 <_> just another day in "but what if we did it ANOTHER way" land..
17:57:24 ccneill: +1
17:57:37 lol
17:57:43 coming up on time...
17:58:03 good meeting all
17:58:20 See y’all at the summit!
17:58:21 see a bunch of you in BBQ land
17:58:29 see y'all in a few weeks! enjoy the summit, sorry I won't be there :(
17:58:36 #endmeeting