17:00:00 <tmcpeak> #startmeeting security
17:00:00 <openstack> Meeting started Thu Jun  9 17:00:00 2016 UTC and is due to finish in 60 minutes.  The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:02 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:04 <openstack> The meeting name has been set to 'security'
17:00:06 <tmcpeak> #chair elmiko
17:00:06 <openstack> Current chairs: elmiko tmcpeak
17:00:08 <tmcpeak> o/
17:00:11 <tmcpeak> #link https://etherpad.openstack.org/p/security-agenda
17:00:16 <tmcpeak> good morning/afternoon everybody
17:00:20 <lhinds> hey!
17:00:22 <tkelsey> o/
17:00:25 <tmcpeak> hyakuhei is out living the dream somewhere so he won't make it today
17:00:28 <mdong> o/
17:00:29 <elmiko> o/
17:00:33 <sicarie> o/
17:00:37 <tmcpeak> we'll give a couple of minutes for folks to show up and then roll on with the agenda in the Etherpad
17:00:40 <sicarie> dg__ sends his regards, he will try to be along shortly
17:00:51 <tmcpeak> sicarie: ack
17:01:34 <tmcpeak> all right, let's get started
17:01:37 <tmcpeak> #topic Anchor
17:01:51 <tmcpeak> anything new here? have we reached steady state or still have roadmap items?
17:02:01 <tmcpeak> tkelsey: this is for you :)
17:02:05 <ccneill> o/
17:02:07 <browne> o/
17:02:14 <michaelxin> o/
17:02:25 <tmcpeak> all right, nice attendance today
17:02:31 <tkelsey> tmcpeak: well I have a backport patch for bandit 1.0.1 in mitaka
17:02:53 <tmcpeak> tkelsey: Bandit or Anchor?
17:02:59 <tkelsey> babdit
17:03:03 <tmcpeak> oh cool
17:03:04 <tkelsey> *bandit
17:03:13 <tmcpeak> let's go on to that then if there isn't anything on Anchor
17:03:24 <tmcpeak> I have seen some Bandit activity
17:03:29 <tmcpeak> #topic Bandit
17:03:34 <tmcpeak> tkelsey: so what's that about tkelsey?
17:04:07 <tkelsey> mitaka stable has pre 1.0 bandit in req's
17:04:22 <tmcpeak> ahh ok cool
17:04:27 <tkelsey> #link https://review.openstack.org/#/c/327135/
17:04:28 <tmcpeak> so just bump it in global-req?
17:04:31 <tkelsey> yup
17:04:47 <tmcpeak> cool
17:04:51 <tkelsey> browne has added a nice man page as well
17:05:02 <browne> ha yep
17:05:03 <tmcpeak> yeah browne has a couple of things it looks like
17:05:42 <tmcpeak> I guess at some point we should circle back on if there is anything left we really want to do for Bandit and decide if we plan to do any of the state tracking stuff or not
17:06:04 <tmcpeak> we still also have a bunch of work to do to get projects using Bandit
17:06:13 <tkelsey> yeah we should work out a new roadmap since I think we basically got where we wanted to be with 1.0
17:06:16 <tmcpeak> would be a nice thing to tackle at the midcycle
17:06:18 <browne> yeah, reviews from other projects have been slow
17:06:31 <tmcpeak> browne: +1
17:06:35 <tkelsey> +1
17:07:17 <tmcpeak> one way forward would be to do that thing where security joins other projects' meetings and introduces what we propose and how it will help
17:07:37 <tmcpeak> we could chop up the projects and try to attend one or two each week, etc
17:07:43 <tkelsey> +1 seems reasonable
17:07:51 <browne> sounds good
17:08:15 <tmcpeak> I think we have an etherpad from the summit where we listed projects and their current Bandit status
17:08:23 <browne> link?
17:08:29 <tmcpeak> trying to find it
17:08:47 <tmcpeak> lost to my browser history :(
17:08:48 <dg___> o/
17:08:52 <tmcpeak> hi dg___
17:08:54 <tkelsey> hey dguryanov2
17:08:59 <tkelsey> nope dg___
17:08:59 <tmcpeak> lol
17:09:06 <tmcpeak> tab fail
17:09:20 <tkelsey> lol yup
17:09:27 <tkelsey> i type good! :p
17:09:28 <ccneill> I'm surprised that doesn't happen more with ~400 people in here
17:09:32 <tmcpeak> #link let's use this: https://etherpad.openstack.org/p/bandit-project-status
17:09:35 <tmcpeak> #link https://etherpad.openstack.org/p/bandit-project-status
17:09:41 <tmcpeak> I don't think I used the link command correctly :P
17:09:51 <elmiko> tmcpeak: https://etherpad.openstack.org/p/bandit-worksession ?
17:10:04 <tmcpeak> elmiko: you are a hero
17:10:11 <elmiko> ^5
17:10:20 <michaelxin> +1
17:10:39 <tmcpeak> realistically I won't have as much time for this as I'd hope for a bit
17:10:52 <tmcpeak> this might have to wait until midcycle or something
17:10:58 <tmcpeak> maybe I'll get inspired on vacation :P
17:10:59 <elmiko> i know the feeling ;)
17:11:16 <tmcpeak> anyways, I think we need to start doing more of that
17:11:23 <tmcpeak> anything else for Bandit?
17:11:23 <elmiko> +1
17:11:30 <tkelsey> nothing from me
17:11:43 <tmcpeak> cool, fair enough
17:11:45 <tmcpeak> #topic Syntribos
17:11:51 <ccneill> kewl
17:12:12 <ccneill> so we're still working through some architectural questions
17:12:26 <ccneill> https://etherpad.openstack.org/p/syntribos-signals
17:12:45 <ccneill> we're collecting questions/feedback on different approaches here, and will regroup on signals tomorrow
17:12:53 <ccneill> we're also regrouping on the vAPI and the results we've gotten from it tomorrow
17:13:18 <tmcpeak> "slug"
17:13:22 <ccneill> unrahul has pointed out that the results aren't very actionable today, so if we don't cover it tomorrow, we'll be discussing reporting very soon
17:13:33 <unrahul> browne: added a man page for us https://review.openstack.org/#/c/327305/1, thanks michaelxin ccneill mdong vinaypotluri  can you guys take a look at this and give your review.
17:13:57 <tmcpeak> browne - the keeper of the docs :)
17:14:00 <mdong> we’re thinking through different ways to write tests, ccneill has a commit on github to prototype what that might look like
17:14:02 <ccneill> right, so the tl;dr is this: we want for Syntribos to look at a series of "signals" that are just pieces of information (e.g. "500 status code" or "connection failed" or "this bad string is present")
17:14:03 <mdong> #link https://github.com/cneill/syntribos/tree/http_signal2
17:14:28 <ccneill> and create issues from those signals, with our confidence determined by the signals we get back
17:14:59 <ccneill> e.g. a 500 + a bad error string + a long response time = high confidence in a command execution attempt for doing ;sleep 10
17:15:10 <tmcpeak> makes sense
17:15:10 <unrahul> we are trying out the ccneill version of writing tests using signals , the idea is to make tests more robust and in a way smart,  thus making it *easier* for the end user to extend and write more tests
17:15:29 <ccneill> browne: thanks for working on that manpage. I hadn't even thought about writing that
17:15:44 <browne> np
17:15:54 <ccneill> browne: as unrahul said in his comment though, things are kind of in flux for us at the moment, so we may need to regroup once we have a better idea of the setup process / final command line options
17:16:14 <ccneill> it's very much based on the CAFE paradigm right now
17:16:30 <browne> ok, no rush
17:16:37 <ccneill> luckily, our main CAFE contact is back from leave, so we'll be meeting with him soon to discuss our plans for ripping it out
17:16:44 <ccneill> probably next week or so
17:16:57 <ccneill> that will probably inform our discussion of config options, installation, etc.
17:17:33 <ccneill> if anyone wants an idea of what "signals" we're thinking about
17:17:35 <ccneill> #link https://gist.github.com/cneill/9526cd2fcfbe88696b039c1509c4d55f
17:17:40 <ccneill> I've started putting together a list here
17:17:48 <ccneill> if you have any suggestions, let us know in the comments, or in IRC
17:17:56 <ccneill> it's not a complete list at this point - still working on that
17:18:03 <ccneill> whew. I think that's it for us :)
17:18:25 <tmcpeak> great, lots of good work on this project
17:18:37 <tmcpeak> I expect there will be a lot of Syntribos hacking at the midcycle
17:18:42 <ccneill> :D I hope so
17:18:45 <tmcpeak> #topic OSSN
17:19:00 <tmcpeak> we had a couple last week we were going to try to get finished
17:19:46 <tmcpeak> I don't remember the link for the open security doc reviews
17:19:49 <tmcpeak> sicarie: you have it?
17:19:51 <lhinds> I cleaned up some nits, and will push nginx config for OSSN-0068 before the week is out
17:20:09 <lhinds> I just need to sanity check the nginx rate limit stuff works
17:20:20 <sicarie> uhhh
17:20:24 <sicarie> docs or ossns?
17:20:34 <tmcpeak> they're both in the same repo
17:20:44 <tmcpeak> so open reviews should be the same
17:20:51 <lhinds> #link https://review.openstack.org/#/c/313896/
17:20:53 <tmcpeak> lhinds: awesome!
17:21:06 <tmcpeak> lhinds: you blocked anywhere?
17:21:27 <lhinds> tmcpeak: it's cool, I just need to add something for nginx as well
17:21:32 <sicarie> and the full one is
17:21:34 <sicarie> #link: https://review.openstack.org/#/q/is:watched+project:openstack/security-doc+is:open
17:21:37 <tmcpeak> lhinds: looks like Jenkins killed you
17:21:42 <tmcpeak> sicarie: thanks, thats the one
17:21:56 <lhinds> tmcpeak: that is the config files going over 72 chars
17:21:59 <tmcpeak> #link https://review.openstack.org/#/q/project:openstack/security-doc+is:open
17:22:08 <tmcpeak> gotta take out the is-watched filter :)
17:22:15 <lhinds> tmcpeak: sort of unavoidable
17:22:25 <tmcpeak> this is good, this means that dave-mccowan's merged, yeah?
17:22:43 <tmcpeak> https://review.openstack.org/#/c/267800/
17:22:49 <tmcpeak> review.o says yes
17:23:29 <tmcpeak> dave-mccowan: around?
17:23:52 <dave-mccowan> o/
17:24:01 <tmcpeak> ok so we need to get the published note on the wiki
17:24:11 <tmcpeak> and we need to send a notification to a ML, don't remember which
17:24:14 <tmcpeak> nkinder has been doing this
17:24:20 <tmcpeak> announce?
17:25:02 <tmcpeak> checking with him in #openstack-security if he can still do these things
17:25:26 <tmcpeak> and lhinds let us know when you're ready and we'll get eyeballs on your note
17:25:35 <tmcpeak> thank you lhinds and dave-mccowan for taking the time to write them
17:26:07 <tmcpeak> I know we were going to work on parseable format too, but unless anybody is teeming with excitement to get that going I realistically don't see it happening prior to midcycle
17:26:27 <lhinds> tmcpeak: thanks for the opportunity
17:26:39 <lhinds> ps. any reviews needed, just add me too.
17:26:47 <tmcpeak> lhinds: thanks!
17:27:01 <tmcpeak> all right, let's move to midcycle
17:27:06 <tmcpeak> #link https://etherpad.openstack.org/p/barbican-security-midcycle-N
17:27:20 <tmcpeak> I think Rob was going to work on budget and scoring a room, but since he isn't here we can't speak to that
17:27:39 <tmcpeak> our attendance numbers are looking lower than they have been in the past
17:28:06 <tmcpeak> good midcycle work is honestly one of the things that has kept OSSP productive
17:28:19 <tmcpeak> I'd like to keep as much participation as possible but I know travel budget and schedules can be tough
17:28:51 <tmcpeak> anybody on the fence and want a motivational speech? :P
17:29:25 <ccneill> tmcpeak: looking forward to making it this time :)
17:29:28 <elmiko> i'm always up for a pep talk ;)
17:29:33 <tmcpeak> ccneill: will be great to have you
17:29:39 <ccneill> especially since it sounds like it's happening in Austin this go-around
17:29:57 <tmcpeak> elmiko: the time is now, to make security history.  Only you have the power to make the internets safe for all the childrens
17:30:00 <tmcpeak> how am I doing?
17:30:09 * elmiko swoons
17:30:13 <tmcpeak> lol
17:30:17 <elmiko> hehe
17:30:27 <tmcpeak> anyway hopefully we can get more registered and participating
17:30:37 <tmcpeak> I'm skipping publicity...
17:30:39 <tmcpeak> #topic Docs
17:30:44 <tmcpeak> sicarie, elmiko
17:30:46 <browne> i could potentially participate remotely like elmiko
17:30:53 <tmcpeak> browne: we'll take it :)
17:30:56 <sicarie> not much going on in docs land
17:31:03 <sicarie> I jumped on the bugs earlier today
17:31:04 <elmiko> things have been extra slow on the docs front
17:31:04 <tmcpeak> everybody is saving their money for Barcelona, huh?
17:31:08 <sicarie> pinged a few people
17:31:16 <sicarie> I’m going to push at least one next week to keep things moving
17:31:25 <sicarie> really very little
17:31:27 <elmiko> sicarie: are we still holding the monday meetings?
17:31:37 <elmiko> it's been quiet the last few weeks
17:31:43 <tmcpeak> pdesai is out of OpenStack now too huh?
17:31:50 <elmiko> tmcpeak: think so
17:31:55 <sicarie> ah, my bad, i got migrated to o365 and it messed with my calendar
17:31:58 <elmiko> or at least, on other stuff
17:32:10 <elmiko> sicarie: no worries, it's been just you and me anyways
17:32:13 <sicarie> elmiko: i’ll ping you offline
17:32:15 <tmcpeak> lol
17:32:26 <elmiko> sicarie: sounds good
17:32:43 <tmcpeak> all right guys, it might be a good time to discuss what we want to prioritize with the lower participation I'm seeing
17:32:51 <tmcpeak> so the security guide is very good and mature
17:32:56 <elmiko> needless to say, i think we could use a few more warm bodies on docs. i know, this is a common openstack issue
17:32:59 <tmcpeak> realistically how much work is required to keep it current?
17:33:11 <sicarie> quite a bit, actually
17:33:14 <elmiko> yeah
17:33:16 <tmcpeak> I was afraid of that
17:33:17 <sicarie> the neutron chapter hasn’t been updated in a while
17:33:23 <sicarie> that really needs some work
17:33:46 <sicarie> I’ve been trying to keep up with some of the others, but a few of them are too project-specific for me to realistically handle
17:34:12 <sicarie> we really need a ‘rootwrap’ section and good best practices around that
17:34:13 <tmcpeak> any plan for how to keep it current with limited time and having a hard time getting access to the right SMEs?
17:34:25 <tmcpeak> who even knows about good use of rootwrap?
17:34:31 <sicarie> exactly
17:34:34 <tmcpeak> lol
17:34:42 <sicarie> bug people in person at midcycles and summits
17:34:52 <tmcpeak> doesn't sound like that can scale
17:34:53 <sicarie> that usually kicks off a contribution or two
17:34:55 <unrahul> :D
17:35:54 <elmiko> sicarie is spot on
17:35:55 <tmcpeak> so you guys have more work than you can handle and a very hard time getting access to the right SMEs huh?
17:36:03 <sicarie> pretty much
17:36:05 <tmcpeak> :\
17:36:30 <tmcpeak> I assume that both of you are also carving off time from otherwise very busy schedules to work on it too huh?
17:36:32 <elmiko> ideally, we need to increase the potential of CPLs from each team to the docs team
17:36:36 <tmcpeak> not like the guide is your full time job
17:36:50 <sicarie> yep
17:36:58 <elmiko> unfortunately, docs is so far down on my list that i barely have time to take on issues
17:37:20 <elmiko> i feel like this is something we need to reach out to the greater community to help solve
17:37:28 <tmcpeak> yeah elmiko i was thinking so too
17:37:39 <tmcpeak> it's one of our great resources, and something I point people to all the time
17:37:44 <elmiko> i mean, if the TC et al. feel that it is important to have quality security docs, then we need to make noise and have it be a priority
17:37:47 <tmcpeak> but having out of date security material can in some ways be worse than not having it
17:38:02 <elmiko> exactly
17:38:09 <tmcpeak> I wonder if we should section certain sections as "possibly out of date" and reaffirm a commitment to keep certain sections up to date
17:38:31 <tmcpeak> the security guide is huge and maintaining all of it must be a ton of work
17:38:57 <tmcpeak> anyway I don't have a good answer for this, just something we should think about
17:39:00 <elmiko> we may also need to come up with some sort of sec-docs tag that can be applied to projects
17:39:11 <elmiko> to help add some stick to projects that want to contribute
17:39:27 <elmiko> we just need help, that's the main message
17:39:28 <tmcpeak> hah projects are bad enough at keeping their own projects up to date
17:39:33 <elmiko> right
17:39:34 <tmcpeak> *own docs I mean
17:40:04 <tmcpeak> all right, well on that note, let's move on
17:40:19 <tmcpeak> I don't think we have anything new on the blog so..
17:40:23 <tmcpeak> #topic Threat Analysis
17:40:29 <tmcpeak> sdake_: around?
17:40:47 <sdake_> hoot
17:40:49 <sdake_> shoot
17:40:57 <tmcpeak> hoot indeed :)
17:41:09 <tmcpeak> sdake_: you have that link to the threat analysis change you're proposing?
17:41:13 <tmcpeak> specifically to create the new repo?
17:41:21 <sdake_> the repo has been created
17:41:28 <tmcpeak> \o/
17:41:34 <dg___> sdake_ thanks for sorting that out
17:41:52 <tmcpeak> +1
17:41:56 <sdake_> although i don't see it on github
17:41:57 <sdake_> which is odd
17:43:03 <sdake_> https://review.openstack.org/#/c/325049/
17:43:17 <sdake_> hmm looks like we went with security-analysis
17:43:19 <tmcpeak> awesome
17:43:21 <sdake_> not threat-analysis
17:43:37 <dg___> ahh ok
17:43:37 <sdake_> because this repo will contain other types of analysis that community members provide
17:43:38 <dg___> thats fine
17:43:43 <dg___> cool
17:43:44 <sdake_> the way the vmt wording is written is
17:43:55 <dg___> Im not massively in love with the term 'threat analysis' anyway
17:43:59 <sdake_> https://review.openstack.org/#/c/300698/
17:44:16 <dg___> security analysis or security review is far better
17:44:22 <tmcpeak> dg___: +1
17:44:46 <sdake_> might want to add that project to your watched list
17:44:49 <sdake_> i am going to be making some improvements
17:44:51 <sdake_> like adding reno
17:44:53 <sdake_> and whatnot
17:45:08 <dg___> thanks sdake
17:45:23 <tmcpeak> ok cool, so next we need to do some actual analysis
17:45:25 <sdake_> sure happy to help
17:45:29 <tmcpeak> what are our current plans for moving that forward?
17:45:44 <sdake_> i need the flow diagram hyakuhei did
17:45:47 <sdake_> so we can reproduce that for kolla's snowflakes
17:45:49 <dg___> rob and I have been super busy with the day jobs, but are aiming to meet up and review progress and a path forward
17:45:51 <sdake_> of which there are 7 or 8
17:45:57 <tmcpeak> ahh ok cool
17:46:03 <tmcpeak> pesky day jobs
17:46:17 <tmcpeak> although they pay better than upstream ;)
17:46:20 <dg___> #action dg__ progress threat analysis
17:46:27 <sdake_> upstream pays pretty well :)
17:46:30 <dg___> I will do *something* on it this next week
17:46:39 <tmcpeak> cool, ok anything else for TA?
17:46:46 <sdake_> dg___ if you can get me the flow diagram hyakuhei did, that would be a good start
17:46:51 <sdake_> so our team can finish the flow diagrams for the other snowflakes
17:46:53 <tmcpeak> sdake_, dg___: thanks for the work on this
17:47:08 <dg___> sdake do you mean the sequence diagram?
17:47:16 <sdake_> yup
17:47:25 <dg___> ok I'll talk to hyakuhei when he is back
17:47:37 <tmcpeak> #topic AOB
17:47:39 <tmcpeak> open floor
17:48:30 <ccneill> if you don't come to the midcycle in Austin, you'll miss out on awesome tacos like this: http://s3-media1.fl.yelpcdn.com/bphoto/LRcdHCl52zmMRJb9DND1qw/o.jpg
17:48:33 <ccneill> :P
17:48:41 <tmcpeak> that does look very good
17:48:48 * elmiko misses Torchy's
17:48:52 <mdong> also, this
17:48:52 <mdong> https://franklinbarbecue.com/wp-content/uploads/2012/02/DSC_8825.jpeg
17:48:57 <sdake_> what days are the midcycle
17:49:12 <tmcpeak> that's actually a great question
17:49:17 <ccneill> nomnomnom
17:49:20 <tmcpeak> have we figured out the division of days for Barbican and Security?
17:49:47 <tmcpeak> realistically I can probably only make the security half so it would be good to know what those are
17:50:33 <tmcpeak> I've added an agenda item for it next week
17:50:49 <tmcpeak> all right folks, anything else?
17:51:23 * ccneill hears crickets
17:51:43 <tmcpeak> all right
17:51:47 <tmcpeak> laters everybody!
17:51:49 <tmcpeak> #endmeeting