16:59:54 #startmeeting Security
16:59:55 Meeting started Thu Jun 2 16:59:54 2016 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:59:56 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:59:57 lol
16:59:59 The meeting name has been set to 'security'
17:00:00 tmcpeak: Error: Can't start another meeting, one is in progress. Use #endmeeting first.
17:00:16 #chair tmcpeak
17:00:17 Current chairs: hyakuhei tmcpeak
17:00:20 o/
17:00:24 o/
17:00:31 o/
17:00:32 o/
17:00:59 #link https://etherpad.openstack.org/p/security-agenda
17:01:44 o/
17:01:45 sup guys
17:01:55 whatup dg___!
17:02:03 you add more underscores e'rytime
17:02:10 Hey everyone, I hope elmiko took good care of you all last time around!
17:02:29 he is good and fair
17:02:31 he did
17:02:33 o/
17:02:35 also he can't make it today, but sends his regards
17:03:06 No worries. Seems like a quiet room today. I guess we’re only two minutes in
17:03:13 o/
17:03:21 Hey ccneill
17:03:24 hola
17:03:33 ok I guess we’ll roll onwards!
17:03:42 #topic Anchor
17:03:57 I’m not aware of anything exciting going on.
17:04:13 hey all
17:04:17 I've not touched anchor in the last couple of weeks, not sure about Tim
17:04:17 Tim isn’t here, I haven’t added anything - dg___ ?
17:04:28 narp
17:04:33 lol, ok I guess we can move on to the next issue then :)
17:04:43 Bandit is similarly skips
17:04:46 nothing new
17:04:52 Ok
17:04:57 after long weekend
17:04:57 #topic Bandit
17:04:59 pass
17:05:03 #topic Syntribos
17:05:03 everyone is catching up
17:05:25 We are still testing Syntribos against the broken API
17:05:31 and improving the existing tests.
17:05:43 mdong has a spreadsheet showing some results from our test runs against vAPI
17:06:10 Oh cool, is it somewhere we can share / take a look ?
17:06:11 we're trying to collect data at each step along the way to see how our false positive/negative rates improve over time
17:06:14 sec
17:06:16 https://docs.google.com/spreadsheets/d/14Lkd1xiEPDhKEBGq3bmYf36c30p9qiWvvd0RsHLUQjI/edit#gid=0
17:06:24 #link https://docs.google.com/spreadsheets/d/14Lkd1xiEPDhKEBGq3bmYf36c30p9qiWvvd0RsHLUQjI/edit#gid=0
17:06:25 boom
17:06:29 Oooh, I smell some big-data on the horizon!
17:06:30 beat me to it
17:06:37 haha hyakuhei maybe not quite "big data"
17:06:55 but I'm not gonna lie, I definitely want to turn this data into graphs ;)
17:07:08 this is against the vuln app, yeah?
17:07:12 yep
17:07:17 sweet
17:07:20 Excellent! I think this is a very interesting project. Have you had many contributions outside OpenStack or outside Rack ?
17:07:32 I'm working on some architectural changes that will make test-writing easier
17:07:37 we have a design session / demo on that today
17:07:58 hyakuhei: we did get one small CR from browne, but otherwise it's mostly the OSIC folks at this point
17:08:02 ccneill: one thing we did early on for Bandit that helped was get a couple of posts out
17:08:07 Reddit, Twitter, etc
17:08:11 get some publicity
17:08:17 brought people outside OpenStack
17:08:30 tmcpeak: I think we're juuuust about ready to do a PR push
17:08:35 we're getting there
17:08:36 Good points
17:08:36 sweet
17:09:01 got a few things I think we want to tackle first, like removing opencafe and making installation easier
17:09:11 Sounds good
17:09:18 but we'll probably be there in the next few weeks
17:09:20 I think that's it for us
17:09:31 awesome
17:09:50 Excellent, thank you!
17:09:55 #topic OSSN
17:10:03 So there’s a couple of _good_ OSSN stuck in the queue
17:10:14 hyakuhei: +1
17:10:50 this the right link?
17:10:53 looks security-doc
17:10:57 we have a separate one for ossn, yeah?
17:11:01 Narp
17:11:03 Same repo
17:11:11 Probably some gerrit magic can improve it
17:11:12 I was thinking LP
17:11:21 https://review.openstack.org/#/c/267800/6
17:11:27 https://bugs.launchpad.net/ossn
17:11:39 Not a search link but an example of something we should have had out much sooner
17:12:01 https://review.openstack.org/#/c/313896/2/security-notes/OSSN-0068 Especially
17:12:12 ooh gotcha
17:12:19 Can I get a couple of people to take a look at that and review please?
17:12:26 I will
17:12:30 regarding 0068 (rate-limiting) should I add some keystone core folks to help review?
17:12:31 sure
17:12:34 Sure
17:12:58 will do
17:13:11 Good plan.
17:13:22 So there’s wider chatter about rate limiting that continues
17:13:39 bug 1572966
17:14:12 Ok so that’s private because it talks to lots of things but the point is that we keep getting DoS reports for services
17:14:22 That are just HTTP services. That’s kind of how HTTP works.
17:14:39 "by design. #yolo"
17:14:45 very true
17:14:48 hehe yeah
17:15:04 So the movement is to have a ‘party-line’ or set piece of advice for when these issues come up
17:15:37 I will make a push on the security guide section on rate limiting.
17:15:46 This OSSN will probably be that so it needs lots of reviews
17:15:47 this is kind of what lhinds has written, yeah?
17:15:49 lhinds: good plan
17:15:52 yeah
17:15:54 tmcpeak: exactly
17:15:55 cool
17:16:16 it will be like 0068, but covering all the different services
17:16:30 Awesome
17:16:56 give them guidance, but make caveat known, that its there cloud, with its own characteristics
17:17:08 there/their
17:17:09 It’s HTTP dummies :P
17:17:38 extra points if you use the word dummies in the note and guide section
17:17:54 ok so if people can get lots of eyes on 0068 I’d really appreciate it.
17:17:55 haha
17:18:02 I will try and make the first word of each sentence using d u m m i e s
17:18:22 perfect
17:18:25 and yeah, will review
17:18:32 first letter i mean (long day)
17:18:37 will review too
17:18:53 Thanks y’all
17:19:08 Happy to move on?
17:19:27 yip
17:19:32 #topic Midcycle
17:19:48 Reminder that the signup is over here: https://etherpad.openstack.org/p/barbican-security-midcycle-N
17:19:57 we figure out where yet?
17:20:02 and confirmed we're doing those dates?
17:20:22 not yet.
17:20:34 diazjf ?
17:20:51 hyakuhei, tmcpeak: Elvin and I are working on getting rooms. By any chance did you get any funding?
17:20:56 There was talk of doing it IBM Austin, I saw some internal traffic about it but I haven’t seen much on it recently.
17:21:38 I’m hoping to bring it up in a meeting later today.
17:22:01 So, we will do it in IBM austin.
17:22:13 I also need to update my leaders about this asap.
17:22:19 hyakuhei, let me know. I will try and book some rooms in the meantime.
17:22:21 Just want to get confirmation.
17:22:24 Probably! I just need to find the right stone to squeeze some blood from.
17:22:29 michaelxin: Yup
17:22:49 Sounds like a good plan to me.
17:23:04 I will let my leaders know that they do not need to worry about this.
17:23:06 :-)
17:23:19 Thanks diazjf and hyakuhei
17:23:34 Righto, I’ve fired off a quick email about that but I’ll try to chase.
17:23:39 hyakuhei, If you need I can send you the info of the costs, etc, and who to talk to
17:23:48 michaelxin, No Problem :)
17:24:18 hyakuhei: Am I the only one thinking that you are still working for HP?
17:24:25 Ah sorry.
17:24:30 I work for IBM now
17:24:36 along with diazjf
17:24:36 haha
17:24:42 lol
17:24:43 and about a million other people
17:25:14 ok, any more for midcycle?
17:25:43 ask people to signup
17:25:59 Other than on IRC you mean?
17:26:02 #link https://etherpad.openstack.org/p/barbican-security-midcycle-N
17:26:14 we do it again with Barbican team?
17:26:52 Hopefully yes
17:28:08 #topic Publicity
17:28:19 Anything tmcpeak ?
17:28:26 nopes
17:28:29 should do something else
17:28:31 could use the help
17:28:57 but I doubt anybody that isn't doing serious openstack work for their org would have time
17:29:18 Trudat.
17:29:25 #topic Docs
17:29:27 sicarie: ?
17:29:37 very little going on
17:29:54 I'm otherwise occupied, as is elmiko, so we're slowing at the moment
17:30:01 it should ramp up next month
17:31:02 Righto! There was a nice post-summit surge.
17:31:20 #topic Blog
17:31:28 Yeah, it was good to get the initial push - I need to be better about bugging the people on the Neutron team to push forward on the bugs they have
17:31:55 So I unbroke it a while ago and set up an IFTTT recipe to alert me each time a new post lands
17:32:10 by ‘alert’ it changes the colour of the lights in my house :D
17:32:30 haha
17:32:37 #todo everybody go hack Rob's house
17:32:39 * sicarie goes off to write a submission bot
17:32:48 Party time!
17:32:59 * hyakuhei goes off to read that rate limiting OSSN
17:33:05 lol
17:33:09 :-D
17:33:21 Anything else on blogstuff?
17:34:07 nopes
17:34:17 #topic TA
17:34:20 dg___: ?
17:34:27 what's our plan to go forward with the work we had for kolla?
17:34:48 I moved the vulnerability_managed review into the ta part of the agenda.
17:35:11 hyakuhei and I need to work through what we have, meet with steve from the kolla team to progress it
17:35:28 hyakuhei lets talk on skype, set something up for next week?
17:35:34 Sounds good to me.
17:35:36 I think we have all the artifacts we need, yeah?
17:35:40 maybe
17:36:03 Most of. They were supposed to build them out further I think. We need to re-sync
17:36:13 dg___: and I probably need to meet in the same office for a few hours
17:36:18 we have a lot of information across a lot of etherpads, need to consolidate and then follow up
17:36:27 dg___: +1
17:36:37 hyakuhei sounds like a plan, shame you broke!
17:37:12 surely IBM has an office in hyakuhei's little village
17:37:30 Indeed they do
17:37:47 yup wales can work
17:38:00 Excellent.
17:38:03 Anything else on TA?
17:38:49 did you see the email from Steve on the kolla team?
17:39:03 A little while back but I’m way behind.
17:39:44 np
17:39:47 #topic Any other business
17:40:06 So this thread posted to -dev today, looks like the middle of another conversation
17:40:09 #link http://lists.openstack.org/pipermail/openstack-dev/2016-June/096447.html
17:40:25 Might be something worth taking a look at, but mostly is keystone stuff
17:40:39 Interesting, thanks for flagging it. I spoke with Jamie about this a while back
17:42:41 anything else?
17:43:01 Not from me
17:43:19 \o~
17:43:29 nothing
17:43:50 sick, alright, have a good week everybody
17:43:55 #endmeeting