16:59:54 <hyakuhei> #startmeeting Security
16:59:55 <openstack> Meeting started Thu Jun 2 16:59:54 2016 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:59:56 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:59:57 <tmcpeak> lol
16:59:59 <openstack> The meeting name has been set to 'security'
17:00:00 <openstack> tmcpeak: Error: Can't start another meeting, one is in progress. Use #endmeeting first.
17:00:16 <hyakuhei> #chair tmcpeak
17:00:17 <openstack> Current chairs: hyakuhei tmcpeak
17:00:20 <tmcpeak> o/
17:00:24 <singlethink> o/
17:00:31 <diazjf> o/
17:00:32 <hyakuhei> o/
17:00:59 <tmcpeak> #link https://etherpad.openstack.org/p/security-agenda
17:01:44 <sicarie> o/
17:01:45 <dg___> sup guys
17:01:55 <tmcpeak> whatup dg___!
17:02:03 <tmcpeak> you add more underscores e'rytime
17:02:10 <hyakuhei> Hey everyone, I hope elmiko took good care of you all last time around!
17:02:29 <tmcpeak> he is good and fair
17:02:31 <michaelxin> he did
17:02:33 <michaelxin> o/
17:02:35 <tmcpeak> also he can't make it today, but sends his regards
17:03:06 <hyakuhei> No worries. Seems like a quiet room today. I guess we’re only two minutes in
17:03:13 <ccneill> o/
17:03:21 <hyakuhei> Hey ccneill
17:03:24 <ccneill> hola
17:03:33 <hyakuhei> ok I guess we’ll roll onwards!
17:03:42 <hyakuhei> #topic Anchor
17:03:57 <hyakuhei> I’m not aware of anything exciting going on.
17:04:13 <lhinds> hey all
17:04:17 <dg___> I've not touched anchor in the last couple of weeks, not sure about Tim
17:04:17 <hyakuhei> Tim isn’t here, I haven’t added anything - dg___ ?
17:04:28 <dg___> narp
17:04:33 <hyakuhei> lol, ok I guess we can move on to the next issue then :)
17:04:43 <tmcpeak> Bandit is similarly skips
17:04:46 <tmcpeak> nothing new
17:04:52 <hyakuhei> Ok
17:04:57 <michaelxin> after long weekend
17:04:57 <hyakuhei> #topic Bandit
17:04:59 <hyakuhei> pass
17:05:03 <hyakuhei> #topic Syntribos
17:05:03 <michaelxin> everyone is catching up
17:05:25 <michaelxin> We are still testing Syntribos against the broken API
17:05:31 <michaelxin> and improving the existing tests.
17:05:43 <ccneill> mdong has a spreadsheet showing some results from our test runs against vAPI
17:06:10 <hyakuhei> Oh cool, is it somewhere we can share / take a look ?
17:06:11 <ccneill> we're trying to collect data at each step along the way to see how our false positive/negative rates improve over time
17:06:14 <ccneill> sec
17:06:16 <mdong> https://docs.google.com/spreadsheets/d/14Lkd1xiEPDhKEBGq3bmYf36c30p9qiWvvd0RsHLUQjI/edit#gid=0
17:06:24 <mdong> #link https://docs.google.com/spreadsheets/d/14Lkd1xiEPDhKEBGq3bmYf36c30p9qiWvvd0RsHLUQjI/edit#gid=0
17:06:25 <ccneill> boom
17:06:29 <hyakuhei> Oooh, I smell some big-data on the horizon!
17:06:30 <ccneill> beat me to it
17:06:37 <ccneill> haha hyakuhei maybe not quite "big data"
17:06:55 <ccneill> but I'm not gonna lie, I definitely want to turn this data into graphs ;)
17:07:08 <tmcpeak> this is against the vuln app, yeah?
17:07:12 <ccneill> yep
17:07:17 <tmcpeak> sweet
17:07:20 <hyakuhei> Excellent! I think this is a very interesting project. Have you had many contributions outside OpenStack or outside Rack ?
17:07:32 <ccneill> I'm working on some architectural changes that will make test-writing easier
17:07:37 <ccneill> we have a design session / demo on that today
17:07:58 <ccneill> hyakuhei: we did get one small CR from browne, but otherwise it's mostly the OSIC folks at this point
17:08:02 <tmcpeak> ccneill: one thing we did early on for Bandit that helped was get a couple of posts out
17:08:07 <tmcpeak> Reddit, Twitter, etc
17:08:11 <tmcpeak> get some publicity
17:08:17 <tmcpeak> brought people outside OpenStack
17:08:30 <ccneill> tmcpeak: I think we're juuuust about ready to do a PR push
17:08:35 <ccneill> we're getting there
17:08:36 <hyakuhei> Good points
17:08:36 <tmcpeak> sweet
17:09:01 <ccneill> got a few things I think we want to tackle first, like removing opencafe and making installation easier
17:09:11 <hyakuhei> Sounds good
17:09:18 <ccneill> but we'll probably be there in the next few weeks
17:09:20 <ccneill> I think that's it for us
17:09:31 <tmcpeak> awesome
17:09:50 <hyakuhei> Excellent, thank you!
17:09:55 <hyakuhei> #topic OSSN
17:10:03 <hyakuhei> So there’s a couple of _good_ OSSN stuck in the queue
17:10:14 <tmcpeak> hyakuhei: +1
17:10:50 <tmcpeak> this the right link?
17:10:53 <tmcpeak> looks security-doc
17:10:57 <tmcpeak> we have a separate one for ossn, yeah?
17:11:01 <hyakuhei> Narp
17:11:03 <hyakuhei> Same repo
17:11:11 <hyakuhei> Probably some gerrit magic can improve it
17:11:12 <tmcpeak> I was thinking LP
17:11:21 <hyakuhei> https://review.openstack.org/#/c/267800/6
17:11:27 <tmcpeak> https://bugs.launchpad.net/ossn
17:11:39 <hyakuhei> Not a search link but an example of something we should have had out much sooner
17:12:01 <hyakuhei> https://review.openstack.org/#/c/313896/2/security-notes/OSSN-0068 Especially
17:12:12 <tmcpeak> ooh gotcha
17:12:19 <hyakuhei> Can I get a couple of people to take a look at that and review please?
17:12:26 <tmcpeak> I will
17:12:30 <lhinds> regarding 0068 (rate-limiting) should I add some keystone core folks to help review?
17:12:31 <michaelxin> sure
17:12:34 <hyakuhei> Sure
17:12:58 <lhinds> will do
17:13:11 <hyakuhei> Good plan.
17:13:22 <hyakuhei> So there’s wider chatter about rate limiting that continues
17:13:39 <hyakuhei> bug 1572966
17:14:12 <hyakuhei> Ok so that’s private because it talks to lots of things but the point is that we keep getting DoS reports for services
17:14:22 <hyakuhei> That are just HTTP services. That’s kind of how HTTP works.
17:14:39 <tmcpeak> "by design. #yolo"
17:14:45 <lhinds> very true
17:14:48 <hyakuhei> hehe yeah
17:15:04 <hyakuhei> So the movement is to have a ‘party-line’ or set piece of advice for when these issues come up
17:15:37 <lhinds> I will make a push on the security guide section on rate limiting.
17:15:46 <hyakuhei> This OSSN will probably be that so it needs lots of reviews
17:15:47 <tmcpeak> this is kind of what lhinds has written, yeah?
17:15:49 <hyakuhei> lhinds: good plan
17:15:52 <tmcpeak> yeah
17:15:54 <hyakuhei> tmcpeak: exactly
17:15:55 <tmcpeak> cool
17:16:16 <lhinds> it will be like 0068, but covering all the different services
17:16:30 <hyakuhei> Awesome
17:16:56 <lhinds> give them guidance, but make caveat known, that its there cloud, with its own characteristics
17:17:08 <lhinds> there/their
17:17:09 <hyakuhei> It’s HTTP dummies :P
17:17:38 <tmcpeak> extra points if you use the word dummies in the note and guide section
17:17:54 <hyakuhei> ok so if people can get lots of eyes on 0068 I’d really appreciate it.
17:17:55 <michaelxin> haha
17:18:02 <lhinds> I will try and make the first word of each sentence using d u m m i e s
17:18:22 <tmcpeak> perfect
17:18:25 <tmcpeak> and yeah, will review
17:18:32 <lhinds> first letter i mean (long day)
17:18:37 <michaelxin> will review too
17:18:53 <hyakuhei> Thanks ya’ll
17:19:08 <hyakuhei> Happy to move on?
17:19:27 <tmcpeak> yip
17:19:32 <hyakuhei> #topic Midcycle
17:19:48 <hyakuhei> Reminder that the signup is over here: https://etherpad.openstack.org/p/barbican-security-midcycle-N
17:19:57 <tmcpeak> we figure out where yet?
17:20:02 <tmcpeak> and confirmed we're doing those dates?
17:20:22 <michaelxin> not yet.
17:20:34 <hyakuhei> diazjf ?
17:20:51 <diazjf> hyakuhei, tmcpeak: Elvin and I are working on getting rooms. By any chance did you get any funding?
17:20:56 <hyakuhei> There was talk of doing it IBM Austin, I saw some internal traffic about it but I haven’t seen much on it recently.
17:21:38 <hyakuhei> I’m hoping to bring it up in a meeting later today.
17:22:01 <michaelxin> So, we will do it in IBM austin.
17:22:13 <michaelxin> I also need to update my leaders about this asap.
17:22:19 <diazjf> hyakuhei, let me know. I will try and book some rooms in the meantime.
17:22:21 <michaelxin> Just want to get confirmation.
17:22:24 <hyakuhei> Probably! I just need to find the right stone to squeeze some blood from.
17:22:29 <hyakuhei> michaelxin: Yup
17:22:49 <michaelxin> Sound like a good plan to me.
17:23:04 <michaelxin> I will let my leaders know that they do not need to worry about this.
17:23:06 <michaelxin> :-)
17:23:19 <michaelxin> Thanks diazjf and hyakuhei
17:23:34 <hyakuhei> Righto, I’ve fired off a quick email about that but I’ll try to chase.
17:23:39 <diazjf> hyakuhei, If you need I can send you the info of the costs, etc, and who to talk to
17:23:48 <diazjf> michaelxin, No Problem :)
17:24:18 <michaelxin> hyakuhei: Am I the only one thinking that you are still working for HP?
17:24:25 <hyakuhei> Ah sorry.
17:24:30 <hyakuhei> I work for IBM now
17:24:36 <hyakuhei> along with diazjf
17:24:36 <michaelxin> haha
17:24:42 <dg___> lol
17:24:43 <hyakuhei> and about a million other people
17:25:14 <hyakuhei> ok, any more for midcycle?
17:25:43 <michaelxin> ask people to signup
17:25:59 <hyakuhei> Other than on IRC you mean?
17:26:02 <hyakuhei> #link https://etherpad.openstack.org/p/barbican-security-midcycle-N
17:26:14 <michaelxin> we do it again with Barbican team?
17:26:52 <hyakuhei> Hopefully yes
17:28:08 <hyakuhei> #topic Publicity
17:28:19 <hyakuhei> Anything tmcpeak ?
17:28:26 <tmcpeak> nopes
17:28:29 <tmcpeak> should do something else
17:28:31 <tmcpeak> could use the help
17:28:57 <tmcpeak> but I doubt anybody that isn't doing serious openstack work for their org would have time
17:29:18 <hyakuhei> Trudat.
17:29:25 <hyakuhei> #topic Docs
17:29:27 <hyakuhei> sicarie: ?
17:29:37 <sicarie> very little going on
17:29:54 <sicarie> I'm otherwise occupied, as is elmiko, so we're slowing at the moment
17:30:01 <sicarie> it should ramp up next month
17:31:02 <hyakuhei> Righto! There was a nice post-summit surge.
17:31:20 <hyakuhei> #topic Blog
17:31:28 <sicarie> Yeah, it was good to get the initial push - I need to be better about bugging the people on the Neutron team to push forward on the bugs they have
17:31:55 <hyakuhei> So I unbroke it a while ago and setup an IFTTT recipe to alert me each time a new post lands
17:32:10 <hyakuhei> by ‘alert’ it changes the colour of the lights in my house :D
17:32:30 <tmcpeak> haha
17:32:37 <tmcpeak> #todo everybody go hack Rob's house
17:32:39 * sicarie goes off to write a submission bot
17:32:48 <hyakuhei> Party time!
17:32:59 * hyakuhei goes off to read that rate limiting OSSN
17:33:05 <tmcpeak> lol
17:33:09 <dg___> :-D
17:33:21 <hyakuhei> Anything else on blogstuff?
17:34:07 <tmcpeak> nopes
17:34:17 <hyakuhei> #topic TA
17:34:20 <hyakuhei> dg___: ?
17:34:27 <tmcpeak> what's our plan to go forward with the work we had for kolla?
17:34:48 <hyakuhei> I moved the vulnerability_managed review into the ta part of the agenda.
17:35:11 <dg___> hyakuhei and I need to work through what we have, meet with steve from the kolla team to progress it
17:35:28 <dg___> hyakuhei let's talk on skype, set something up for next week?
17:35:34 <hyakuhei> Sounds good to me.
17:35:36 <tmcpeak> I think we have all the artifacts we need, yeah?
17:35:40 <dg___> maybe
17:36:03 <hyakuhei> Most of. They were supposed to build them out further I think. We need to re-sync
17:36:13 <hyakuhei> dg___: and I probably need to meet in the same office for a few hours
17:36:18 <dg___> we have a lot of information across a lot of etherpads, need to consolidate and then follow up
17:36:27 <tmcpeak> dg___: +1
17:36:37 <dg___> hyakuhei sounds like a plan, shame you broke!
17:37:12 <tmcpeak> surely IBM has an office in hyakuhei's little village
17:37:30 <hyakuhei> Indeed they do
17:37:47 <dg___> yup wales can work
17:38:00 <hyakuhei> Excellent.
17:38:03 <hyakuhei> Anything else on TA?
17:38:49 <dg___> did you see the email from Steve on the kolla team?
17:39:03 <hyakuhei> A little while back but I’m way behind.
17:39:44 <dg___> np
17:39:47 <hyakuhei> #topic Any other business
17:40:06 <sicarie> So this thread posted to -dev today, looks like the middle of another conversation
17:40:09 <sicarie> #link http://lists.openstack.org/pipermail/openstack-dev/2016-June/096447.html
17:40:25 <sicarie> Might be something worth taking a look at, but mostly is keystone stuff
17:40:39 <hyakuhei> Interesting, thanks for flagging it. I spoke with Jamie about this a while back
17:42:41 <tmcpeak> anything else?
17:43:01 <hyakuhei> Not from me
17:43:19 <tmcpeak> \o~
17:43:29 <michaelxin> nothing
17:43:50 <tmcpeak> sick, all right, have a good week everybody
17:43:55 <hyakuhei> #endmeeting