17:00:08 <hyakuhei> #startmeeting Security 17:00:09 <openstack> Meeting started Thu Sep 22 17:00:08 2016 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:00:11 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 17:00:13 <openstack> The meeting name has been set to 'security' 17:00:16 <lhinds> o/ 17:00:18 <sigmavirus> o/ 17:00:22 <michaelxin> o/ 17:00:24 <hyakuhei> o/ 17:00:28 <hyakuhei> #chair tmcpeak 17:00:29 <elmiko> o/ 17:00:29 <unrahul> o/ 17:00:29 <openstack> Current chairs: hyakuhei tmcpeak 17:00:32 <tmcpeak> o/ 17:00:37 <Daviey> \o 17:00:44 <knangia> o/ 17:00:50 <mdong> o/ 17:01:28 <ccneill> o/ 17:01:30 <hyakuhei> Righto guys, as normal the agenda is over here #link https://etherpad.openstack.org/p/security-agenda 17:01:36 <vinaypotluri> o/ 17:01:38 <browne> o/ 17:02:11 <tkelsey> o/ all 17:02:17 <tmcpeak> packed meeting today :D 17:02:20 <hyakuhei> Good turnout today... 17:02:31 <hyakuhei> So I suppose we should level-set 17:02:32 <tkelsey> lol 17:02:42 <lhinds> nice blog post hyakuhei (from my speed read) 17:02:44 <hyakuhei> Most of the meeting today will be talking about the future of the Security Project 17:02:50 <michaelxin> even elmiko is here 17:03:09 <greenhorn> Adam here, just listening this round 17:03:10 <hyakuhei> Which, as lhinds alluded to, I blogged about here #link https://openstack-security.github.io/organization/2016/09/22/maturing-the-security-project.html 17:03:18 <dg____> o/ 17:03:20 <tmcpeak> welcome greenhorn 17:03:35 <hyakuhei> Thanks for joining us greenhorn 17:03:40 <greenhorn> you bet 17:03:46 <Daviey> hyakuhei: great blog post, well outlined and reflective 17:03:51 * elmiko waves at michaelxin 17:04:13 <hyakuhei> Thanks Daviey the truth is there are things we need to do better, this has been a welcome wakeup call in that regard 17:04:23 <Daviey> +1 17:04:28 <hyakuhei> I think dhellmann might be joining us today? 17:04:53 <hyakuhei> ttx also may want to be involved 17:05:01 <dhellmann> o/ 17:05:13 <elmiko> wow 17:05:19 <hyakuhei> elmiko ? 17:05:52 <hyakuhei> #topic Future of the Security Project 17:05:57 <elmiko> oh, just emoting about the big-wigs getting involved ;) 17:06:07 <hyakuhei> It's nice to matter ;) 17:06:11 <elmiko> definitely 17:06:27 <elmiko> i didn't think my pulling back would have such a big effect.... /s 17:06:33 <hyakuhei> So yes, I missed the PTL election, for the second time. I had what most people would call a good reason but it was still a major screwup on my part and I hold my hand up to that 17:06:34 <michaelxin> haha 17:06:43 <tmcpeak> so for starters, is there anybody in here that wants to go to working group, and if so, why? 17:06:45 <michaelxin> good blog 17:06:47 <hyakuhei> It did however raise a bunch of issues beyond "why is there no PTL" 17:07:18 <ccneill> like "what is a PTL, really?" 17:07:20 <tmcpeak> including others that aren't OSSP members and want us to be a working group 17:07:22 <ccneill> especially for our project 17:07:23 <hyakuhei> Which lead me to look at a number of things I hadn't really been aware of (likely because I was grandfathered into PTL) like the project team guide 17:07:50 <dg____> tmcpeak - it would be good to get some clarity from dhellman over 'what a working group is' and 'how is it different to a project team' 17:07:57 <hyakuhei> dhellmann I'm not really sure where to take this conversation. Do you have time to take a look at my blog post ? 17:07:57 <greenhorn> and possibly the risk of having one become a PTL by just volunteering from outside the project. if I thought about it, others might 17:08:14 <hyakuhei> greenhorn You're absolutely right but I don't want to focus on the election 17:08:17 <hyakuhei> That's not going to happen again 17:08:20 <greenhorn> sure sure 17:08:30 <sigmavirus> greenhorn: also you have to qualify to be PTL first 17:08:31 <dhellmann> hyakuhei : I'm looking now, but let me also try to answer some of the questions 17:08:43 <hyakuhei> of course. 17:08:46 <dhellmann> first, it's very unlikely that someone who has not contributed at all to the team would be "appointed" to lead the team 17:08:53 <sigmavirus> So it would be unlikely to be totally outside the project 17:09:13 <dhellmann> yeah, I mean if you all decided to leave openstack entirely that would be a different story, but no one thinks that's what happened 17:09:42 <dhellmann> and just to be completely clear, I have no preconceived notion of the best outcome here other than that we should help the team find what it thinks is the best outcome 17:10:00 <dhellmann> so exploring the idea of a WG instead of a big tent team is just that, a discussion exploring it 17:10:31 <hyakuhei> My position is that there are clearly things that we need to do to be better community members, I think I can guide us to that place and that's what I want to do. I think we should stay in the big tent, at least until we've done a good job of showing that we should work that way. 17:10:32 <dhellmann> as to the difference, there are a couple of areas to talk about 17:11:13 <dhellmann> hyakuhei : great, I am happy to support you in that if that's what the team agrees to 17:11:28 <michaelxin> Do we want to vote? 17:11:42 <dhellmann> a working group is a less formal structure than a project team. membership in a working group does not automatically confer atc status, which means members don't automatically get to vote for tc just by participating in the wg 17:11:44 <tmcpeak> michaelxin: +1 17:11:45 <lhinds> I also really believe we need no change, we know where we went wrong, but aside to that productivity and synergy in the group is great 17:12:16 <Daviey> dhellmann: and less summit timetable? 17:12:19 <dhellmann> if they have atc status from elsewhere (patches in another project, or extra-atc status from another project) that would give them voting rights in those project elections and the tc election 17:12:30 <tkelsey> lhinds: +1 17:12:36 <sigmavirus> Daviey: yes, but that's already something that's changing with the split of the summit 17:12:38 <dhellmann> yes, a working group is likely to have fewer summit resources, although we don't know for sure what the ptg allocation is going to look like 17:12:50 <ccneill> for precedent purposes, looking at projects vs. working groups, it's not entirely clear that there is a "right" and "wrong" way. QA is a project, performance is a working group 17:13:14 <tmcpeak> let's vote on big-tent, working group 17:13:17 <sigmavirus> ccneill: so that's the thing, is that we occupy both spaces in a way 17:13:23 <tmcpeak> #startvote 17:13:24 <sigmavirus> tmcpeak: can we wait until people have all the information? 17:13:24 <openstack> Unable to parse vote topic and options. 17:13:25 <dhellmann> it's quite likely, but I'm not the authority on this, that the security team would be considered cross-project enough to meet on the first day or two of the ptg, leaving vertical team meetings for later in the week 17:13:32 <tmcpeak> sigmavirus: ? 17:13:37 <tmcpeak> I didn't do it correctly anyway 17:13:47 <sigmavirus> tmcpeak: dhellmann is still answering questions 17:13:49 <hyakuhei> dhellmann we've often worn two hats in that regard 17:14:01 <tmcpeak> ok 17:14:09 <hyakuhei> That'll be even more the case with our TA work complimenting the VMT 17:14:30 <hyakuhei> I'm looking forward to exploring how things will work with the ptg too 17:14:33 <dhellmann> yes, there's a bit of grey area there but the case can be made either way 17:14:53 <tmcpeak> something that I brought up yesterday, and was echoed by others is that we're likely to receive a measurable drop in participation and funding for a working group 17:14:56 <sigmavirus> ccneill: to explain, since AIUI you're new to openstack, performance WG issues guidelines/suggestions/etc. and doesn't produce much of a deliverable besides documented best practices (like the API WG) 17:15:08 <dg____> with my corporate hat on, I think I will struggle to get funds for contribution to working group, particuarly things like meals at meetups, etc. I realise this will change with ptg, but historically we have funded mid-cycles etc. 17:15:12 <Daviey> dhellmann: Well truth be told, there were issues in previous summit where required people couldn't be there due to clashes. Would WG make cross-project this more possible? who knows 17:15:12 <dhellmann> ccneill is right to point out the performance working group. another example is the new architecture group 17:15:16 <sigmavirus> ccneill: while QA works on tempest, hacking, etc. 17:15:28 <ccneill> sigmavirus: right. so in those two buckets, I see us doing both of those things (tools + docs) 17:15:41 <dhellmann> Daviey: couldn't attend at all, or couldn't attend specific session(s)? 17:15:46 <ccneill> so I think logically it makes sense that we should come to a decision about which we think WE are 17:15:50 <sigmavirus> ccneill: although from what I gathered yesterday from private conversations, we've been more tooling heavy 17:15:57 <ccneill> since we are best able to assess our goals vs. the larger OS goals 17:16:04 <Daviey> dhellmann: specific 17:16:18 <dhellmann> Daviey : ok 17:16:30 <hyakuhei> My personal opinion (which I tend to be stating a lot at the moment) is that I'd like for us to stay in the big tent and up our game in terms of operating appropriately in that space we can re-assess at that point. 17:16:33 <dg____> sigmavirus - dong forget the security guide, OSSNs and security review (TA) work 17:16:35 <hyakuhei> Nothing is set in stone 17:16:43 <dhellmann> those sorts of conflicts are one of the things we're trying to address with the new ptg schedule 17:16:59 <hyakuhei> I'm cautiously optimistic about the ptg. 17:17:03 <dg____> +1 17:17:07 <greenhorn> WG or BigTent, do either prevent the work from getting done or is it funding related mostly? 17:17:14 <sigmavirus> dg____: right, I said we do both, but have leaning more towards tooling lately (based on the impression of people more aware than I am of the docs portion) 17:17:22 <dhellmann> yeah, we're going to need to hold a ptg once to really figure out what we need to change 17:17:39 <michaelxin> what's ptg? 17:17:44 <hyakuhei> greenhorn there's more of a disconnect with regards to use being a gating function for the VMT re the changes to the vulnerability managed tag 17:17:56 <Daviey> In the future, it might be piratical for OSSP to become a WG which focusses on projects in their own right (which the OSSP is currently guardian of) 17:17:56 <hyakuhei> michaelxin the breakout of the design sessions from the conferences 17:18:04 <Daviey> practical* 17:18:05 <dhellmann> michaelxin : sorry, "project team gathering" is the name of the new contributor-only event to be held in february next year 17:18:19 <michaelxin> Thanks hyakuhei dhellmann 17:18:35 <sigmavirus> greenhorn: so some people have asserted that we will lose people working on OSSP if it becomes a WG 17:18:52 <hyakuhei> Me among them. 17:18:57 <tmcpeak> me too 17:19:05 <michaelxin> OSIC will suffer too. 17:19:15 <dhellmann> hyakuhei, tmcpeak: you would be lost to the team, or you think that will be an outcome? 17:19:33 <michaelxin> If OSSP is not a project, it is very likely Rackspace and Intel will stop contributing. 17:19:34 <elmiko> wow... that's huge imo 17:19:43 <tmcpeak> I personally will get considerable less (if any) time commitment 17:19:44 <dhellmann> that's unfortunate 17:19:48 <michaelxin> For OSIC project. 17:20:02 <ccneill> I can't say for sure, but myself, mdong, unrahul, vinaypotluri, and knangia all work on OSSP projects full-time; I can't speak for OSIC, but it's definitely a risk that they don't continue to fund us 17:20:18 <hyakuhei> It shouldn't (and isn't) just about funding 17:20:24 <hyakuhei> but that's a major concern for me 17:20:28 <lhinds> I think we are thinking of changes cars as we had a flat tyre. We just need to monitor for announcements better, but everything else from my end was working really well. 17:20:30 <dhellmann> sure, I share that concern 17:20:39 <lhinds> s/changes/changing 17:20:40 <michaelxin> ccneill: I talked with Homer. They are very concerned. 17:20:44 <dg____> HPE will probably cut us back. Mostly due to the 'security leaves openstack' headlines 17:21:03 <dg____> of course, HPE might cut us anyway :) 17:21:07 <sigmavirus> hyakuhei: okay, so you're the first person to have a concern other than funding 17:21:07 <hyakuhei> ouch. 17:21:09 <elmiko> i like hyakuhei's statement about upping our game, that seems like an excellent course if we can follow it 17:21:21 <tmcpeak> should we ignore the funding component? 17:21:31 <tmcpeak> seems like a big deal to gloss over 17:21:32 <hyakuhei> sigmavirus I don't think that's true but I have probably been the most vocal 17:21:52 <ccneill> hyakuhei: I agree - I don't want it to be about funding, but it is a reality. I think though that we can look at it as a positive opportunity to really grow into the Project title rather than "giving up" so to speak and reverting to WG 17:22:01 <hyakuhei> +1 17:22:04 <tmcpeak> ccneill: +1 17:22:06 <dg____> +1 17:22:06 <hyakuhei> That's exactly what I want 17:22:09 <lhinds> +1 17:22:14 <hyakuhei> Hence the long rambling blog post 17:22:26 <hyakuhei> Oh, I also want Gmail to support special characters in filters. 17:22:30 <sigmavirus> tmcpeak: I'm not saying it's unimportant, I'm saying that before hyakuhei's blog post no one had anything to argue in favor of a PTL besides "They organize our events for us and being in the big tent gives us funding" 17:22:31 <elmiko> turn into the headwind, eh? 17:22:47 <Daviey> Being 'downgraded' to a WG to me, is making a statement that security isn't a first priority of OpenStack 17:22:48 <tmcpeak> PTL has nothing to do with it. The question is are we a big-tent project 17:22:54 <dg____> +1 17:23:04 <dhellmann> aside from the fact that the vmt is folded into this team, would anyone object to it being called "security tools" rather than "security"? Does that adequately capture the nature of the work being done? 17:23:11 <greenhorn> @hyakuhei +1 17:23:11 <dg____> no 17:23:15 <tmcpeak> dhellmann: not at all 17:23:16 <tkelsey> if the OSSP leaves the big tent how will that impact bandit/anchor/etc 17:23:18 <hyakuhei> dhellmann maybe 50% of what we do 17:23:22 <sigmavirus> Daviey: so then you think the API design, architecture, and performance working groups aren't important to OpenStack because they're working groups? 17:23:30 <tkelsey> will they need to re-enter as their own thing each? 17:23:31 <lhinds> dhellmann: we do more then tooling though, I don't agree with that myself 17:23:31 <ccneill> whoa tkelsey in the house :) 17:23:34 <tmcpeak> we own the security guide, security notes, sec-core (advice for security on embargoed issues) 17:23:39 <tkelsey> ccneill: hi :) 17:23:40 <dg____> dhellman for example: http://docs.openstack.org/security-guide/ 17:23:45 <hyakuhei> dhellmann we have a decent infographic here https://wiki.openstack.org/wiki/Security 17:23:46 <tmcpeak> secure development guidelines 17:23:54 <dhellmann> ok, it sounds like a name change is too narrowly focused, thanks for clarifying that 17:23:56 <hyakuhei> Basically tooling as a thing we do isn't the big priority 17:24:04 <dg____> dhellman theres also this: http://security.openstack.org 17:24:05 <michaelxin> By moving to WG for security project might conflict with the goal of getting Openstack Enterprise ready (security is a big part). 17:24:11 <elmiko> sigmavirus: if attendence is any metric, api-wg is not seen as important... =( 17:24:11 <Daviey> sigmavirus: No.. that isnn't quite what i mean... but those are not primary deliverable 17:24:12 <hyakuhei> and we need to update that with Syntribos, now that Secure API testing has a proper name 17:24:27 <unrahul> +1 17:24:57 <hyakuhei> #action hyakuhei to update the Security wiki image to give Syntribos their due place 17:25:01 <greenhorn> furthermore an argument*could* be made that if security leaves ghe bigtestnt, it portrays a message we might not want to send ('security was kicked out' = not so great msg) 17:25:07 <sigmavirus> michaelxin: unsurprisingly (to me) OSIC needs serious education about how OpenStack works, but that's for another channel and another discussion 17:25:16 <dhellmann> I really don't understand the distinction being made between a project team and a working group then. If the point of the team is not to deliver a product, but to deliver advice, etc., then a chartered working group seems just as good a fit. 17:25:26 <hyakuhei> We do both 17:25:28 <michaelxin> sigmavirus: +1 17:25:39 <dhellmann> greenhorn : you wouldn't be "leaving" though, just having a status change 17:25:43 <hyakuhei> In pretty much equal parts 17:25:45 <tmcpeak> we deliver lots of products 17:25:49 <dhellmann> is there anyone on the team who is only an atc because of contributions to this team? 17:25:50 <lhinds> we have three development projects putting in around 20-30 patches a day 17:25:57 <tmcpeak> o/ 17:26:02 <sicarie> o/ 17:26:04 <sigmavirus> dhellmann: certainly there are 17:26:08 <unrahul> o/ 17:26:09 <mdong> o/ 17:26:16 <vinaypotluri> o/ 17:26:16 <tmcpeak> actually no, that's not true. I contribute to security to other projects (such as Bandit gates) 17:26:20 <dhellmann> ok, that's good information to have, too 17:26:24 <tkelsey> o/ 17:26:26 <lhinds> o/ 17:26:32 <michaelxin> o/ 17:26:33 <mdong> I know all of us OSIC members certainly are 17:26:33 <knangia> o/ 17:26:34 <ccneill> dhellmann: think of our advice as "this is good" and our tools as "hopefully this will make it even better." we can't have the tools without people with the expertise to give the advice, but we can't have the level of contributions if some people can't work on it in a full-time way (i.e. on an on-going product development or other effort) 17:26:36 <hyakuhei> o/ (96% sure that's correct for the last cycle) 17:26:38 <tkelsey> actually no, i have others as well 17:26:40 <dg____> i think there definitely are some of us who are only ATC because of this project 17:26:45 <ccneill> o/ 17:26:46 <hyakuhei> ccneill I like that 17:26:50 <hyakuhei> Well put sir 17:26:57 <Daviey> but those people who are ATC just because of OSSP, could get ATC if the projects were themselevs projects 17:27:04 <Daviey> Such as OSSN becoming a project itself 17:27:05 <elmiko> at some point, wasn't the security guide an actual product that this group produced? 17:27:09 <hyakuhei> Most aren't big enough to stand on their own 17:27:10 <dg____> daviey yup 17:27:24 <tmcpeak> Daviey: but then we need tons of PTLs instead 17:27:24 <tkelsey> so we would swap one project for many small ones, and multiply the admin overhead 17:27:26 <hyakuhei> We're good at self managing these things at the moment (election and ML aside) 17:27:26 <michaelxin> hyakuhei: +1 17:27:29 <tkelsey> not great IMHO 17:27:32 <dhellmann> yeah, I'm not sure that the best outcome is to turn each repo into its own team 17:27:35 <sigmavirus> aren't some of the doc-related things co-owned by the documentation team? 17:27:35 <dg____> Daviey - if we cant manage to elect a PTL for OSSP, could we get one for Anchor, Bandit, OSSN, Security Doc..... 17:27:38 <Daviey> tmcpeak: well.. one PTL could cover them all 17:27:54 <Daviey> (I don't agree with it, but i am suggesting it) 17:27:55 <dg____> like a security PTL? 17:27:59 * greenhorn wishes IRC was threaded 17:27:59 <Daviey> hah 17:28:06 <dhellmann> that sounds quite a bit like what you have now :-) 17:28:20 <Daviey> dhellmann: and it kinda works :) 17:28:23 <ccneill> with more overhead, it sounds like 17:28:29 <dhellmann> Daviey : mostly :-) 17:28:33 <dg____> so it seems like switching to a WG is going to have a bunch of negative effects, without adding much benefit 17:28:35 <Daviey> somewhat 17:28:45 <hyakuhei> dg____ that's my feeling at the moment. 17:28:47 <michaelxin> I do not think that we have enough people to do it. 17:28:48 <elmiko> sigmavirus: i think you may be right about that 17:29:01 <tmcpeak> I think we're just pushing around beans here. We have a bunch of projects that we think benefit from having a PTL. Whether those are under one project or a bunch of different projects doesn't matter 17:29:02 <dhellmann> so it sounds like folks want to stay a big tent team, and that there's some recognition that there are expectations from outside the team to maintain that status 17:29:13 <michaelxin> We have been struggling with growing team for a while. 17:29:26 <tmcpeak> dhellmann: yes 17:29:32 <dg____> by switching to a WG we get a bunch of extra admin for our existing projects, probably reduce funding and resource, generate negative publicity 17:29:37 <dhellmann> tmcpeak : sort of. we want to find a stable state where the team is actually working together and not just lumped under a title because of pattern matching 17:29:49 <dg____> we work together quite well 17:29:50 <sigmavirus> dg____: all publicity is good publicity, or so I'm told 17:29:57 <greenhorn> eh 17:30:12 <greenhorn> tell that to snowden. ; ) 17:30:13 <hyakuhei> dhellmann I think that's fair. We're certainly willing to revisit it and I'm going to be accountable for us delivering on the things we should be doing from a project point of view 17:30:15 <michaelxin> sigmavirus: +1 17:30:15 <dg____> sigmavirus 'openstack abandons security' 17:30:23 <ccneill> dhellmann: from your perspective, do the goals outlined in hyakuhei's post get us closer to being like other projects? 17:30:33 <Daviey> dhellmann: To change tack slightly... what would the benefits be of switching to a WG? 17:30:48 <dhellmann> ccneill : I've been talking here, not reading, but I will look it over 17:30:54 <sigmavirus> dg____: and if people can't see past BuzzFeed's headlines, I feel sorry for them 17:31:24 <elmiko> sigmavirus: that's a lot of feels to go around ;P 17:31:26 <dhellmann> Daviey : from one perspective it means a bit less management overhead for the team itself, although that's not really a prime reason 17:31:28 <sigmavirus> ccneill: I feel more comfortable with having a PTL if those goals are actually project goals 17:31:29 <dg____> sigmavirus i was actually thinking of the register 17:31:29 <hyakuhei> The short version is deliver on the things in the project team guide with a big focus on the mailing list / open communications principle 17:32:07 <sigmavirus> hyakuhei: frankly, there was enough negative feedback about the mailing list *on the mailing list* that I don't think you're providing yourself an attainable goal with that one 17:32:28 <tmcpeak> I'll be the first to say, I hate the mailing list 17:32:29 <dhellmann> Daviey : as I said to start, my motivation is to help the team decide what structure works for it, and then have that reflected correctly in the governance setup to avoid existential questions in the future 17:32:42 <tmcpeak> my security filter flags a bunch of stuff that isn't related to my project 17:32:46 <hyakuhei> Ye of little faith. Most of what we have done re: midcycle, electing cores etc has been conducted on the ML 17:32:51 <tmcpeak> we might be able to fix that by changing our tag to something specific to us "OSSP" 17:32:54 <sigmavirus> The overall attitude yesterday on that thread and in #openstack-security was "The mailing list contains no useful information for us and it's not my job to occasionally scan it for something that might be of import" 17:32:55 <Daviey> dhellmann: Right, i get that.. but i wanted to understand any potential benefits of switching 17:33:01 <hyakuhei> sigmavirus the bigger issue was really us not reading it as well as we should. 17:33:02 <tmcpeak> so I don't have to read about neutron security groups, etc 17:33:19 <dg____> sigmavirus disagree, it has useful information but it is lost in the noise 17:33:25 <tmcpeak> TONS of noise 17:33:25 <sigmavirus> hyakuhei: there's overwhelming sentiment that the mailing list provide no value to this group yesterday 17:33:44 <dhellmann> Daviey : I don't think there are significant benefits beyond not dealing with elections (which is also not that significant, imho) 17:33:51 <elmiko> sigmavirus: ouch, that's sad =( 17:33:57 <ccneill> sigmavirus: as one of the people relaying that sentiment, I will commit to reading the mailing list if that's really the thing that's holding our group back 17:33:59 <Daviey> sigmavirus: The mailing list is read... the thread that kicked this off was noticed and discussed within minutes of it being sent 17:34:00 <sigmavirus> tmcpeak: so the attitude that [security] gets more traffic than you think it should is worrisome to me 17:34:03 <dhellmann> tmcpeak : a tag change might make a lot of sense 17:34:06 <dg____> sigmavirus disagree, the sentiment is that stuff gets lost in noise. 17:34:07 <ccneill> ¯\_(ツ)_/¯ 17:34:07 <hyakuhei> sigmavirus as a read operation, currently that's true. but as dhellmann pointed out many people don't really know what we've been doing. I think that as we improve things in that area, relevant ML traffic will increase 17:34:13 <tmcpeak> sigmavirus: no, [security] is fine 17:34:19 <michaelxin> we should change our attitude for mail list. 17:34:21 <dhellmann> hyakuhei : ++ 17:34:21 <tmcpeak> "security" isn't, and that's how my gmail filter works 17:34:34 <sigmavirus> tmcpeak: ah, I see 17:34:37 <dhellmann> yeah, I think gmail filters drop punctuation 17:34:39 <dg____> hyakuhei clearly not enough people know what we do, as evidenced by dhellman not knowing what we do... 17:34:52 <dg____> thats something we have to fix 17:35:01 <elmiko> dg____++ 17:35:02 <hyakuhei> dg____ for sure. 17:35:03 <dhellmann> fwiw, we had similar complaints about using the "release" tag for both release announcements and release team discussions, so we changed to "new" for announcements 17:35:05 <tkelsey> dg____: ++ 17:35:07 <lhinds> I intend to ramp up participation on the list, and have filters set up. So its fine for me 17:35:13 <lhinds> -dev that is 17:35:20 <tmcpeak> should we change our tag to [OSSP]? 17:35:22 <tmcpeak> that might help 17:35:24 <dhellmann> dg____ : I apologize for not doing my homework before the meeting. :-) 17:35:28 <hyakuhei> That will (ironically) change soon as we start integrating TA with the VMT so basically all new teams will know about us and any going for vulnerability managed would too 17:35:29 <tmcpeak> not likely to see OSSP false positives 17:35:46 <Daviey> tmcpeak: doesn't roll off the tongue so much 17:35:49 <sigmavirus> tmcpeak: that would help for intra-project discussion (if we consider the security team a project, which I think we all do) 17:36:02 <dg____> dhellman as much a reflection on our community integration as yours 17:36:03 <lhinds> 'security' is certainly to wide a net as a filter 17:36:03 <ccneill> sigmavirus: +1 17:36:09 <tmcpeak> if email wasn't painful I'd definitely like to start using it more 17:36:18 <tmcpeak> helpful for synching with others in different TZ, etc 17:36:20 <ccneill> everyone can commit to reading internal mailing list, but not the whole OS list 17:36:26 <sigmavirus> tmcpeak: email is one of the worst possibly designed communication systems but it's what we have 17:36:37 <hyakuhei> I think the problem is that people tend to use [Security] as a tag that they want some sort of ethereal security body to add stuff to a thread 17:36:44 <tmcpeak> well we've decided to prefer IRC as a project 17:36:48 <dhellmann> for those of you not on gmail, you might find https://doughellmann.com/blog/2015/03/17/handling-high-email-volume-with-sup/ useful 17:36:48 <hyakuhei> more of a meta-tag than looking for us as a specific body. 17:37:01 <sigmavirus> ccneill: right, I do think we're missing discussions though where we could be gaining visibility and new contributors by not looking for those opportunities on the list though 17:37:03 <michaelxin> dhellmann: Thanks. 17:37:09 <Daviey> So, you could subscribe twice to the mailing list.. with one of them using email+security@gmail.com and subscribe to just the [SECURITY] tag. Then you can special case it easily enough as you have a unique TO address? 17:37:11 <dg____> dhellmann thanks 17:37:26 <lhinds> [openstack-sec] 17:38:08 <mvaldes> so have we decided that we want to do what is necessary to remain a big-tent project? 17:38:12 <hyakuhei> So I think the tag issue is relevant but probably something we don't have to decide right now 17:38:17 <tmcpeak> mvaldes: I think so 17:38:21 <mvaldes> and moved on to "how we improve as a big-tent project" 17:38:31 <tmcpeak> is anybody NOT in favor of security remaining a project? 17:38:31 <lhinds> mvaldes +1 17:38:35 <hyakuhei> I'd like to come back to "Are we staying in the big-tent for now" and "Who will be PTL" 17:38:52 <tmcpeak> hyakuhei: +1 17:38:56 <hyakuhei> mvaldes I think you're right but I'd like us to be explicit about it 17:39:04 <mvaldes> do we need a discussion of "how do we appeal to the community that we remain a big—tent project" 17:39:04 <sigmavirus> hyakuhei: I'd advocate for a formal vote for the first question 17:39:23 <hyakuhei> if we're ready to, lets vote 17:39:23 <michaelxin> If none ha additional question, we can vote. 17:39:38 <dg____> before we vote, did i miss the bit where we covered advantages to going to WG? 17:39:42 <sigmavirus> "#startvote Do the project members want to continue to be part of the Big Tent?" I think might work 17:39:46 <sigmavirus> dg____: no one's discussed it really 17:39:49 <Daviey> hmm.. I think it is largely been agreed by most people inside and outside ossp that it remains big tent. Not sure we need more than just a quick vote here? 17:39:57 <sigmavirus> dg____: one advantage is no one having to watch for PTL nominations 17:40:04 <hyakuhei> Daviey +1 17:40:11 <dg____> sigmavirus :) 17:40:17 <tmcpeak> quick vote should work 17:40:18 <mvaldes> -_- 17:40:25 <sigmavirus> dg____: I'm glad you appreciate my humor ;) 17:40:27 <ccneill> so no real advantages 17:40:43 <tmcpeak> #startvote Do the project members want to continue to be part of the Big Tent? 17:40:44 <openstack> Begin voting on: Do the project members want to continue to be part of the Big Tent? Valid vote options are Yes, No. 17:40:44 <michaelxin> ccneill: +1 17:40:45 <openstack> Vote using '#vote OPTION'. Only your last vote counts. 17:40:51 <tmcpeak> #vote Yes 17:40:53 <sigmavirus> #vote Yes 17:40:57 <lhinds> #vote Yes 17:40:58 <ccneill> #vote Yes 17:40:59 <mdong> #vote yes 17:40:59 <hyakuhei> #vote Yes 17:41:00 <elmiko> #vote Yes 17:41:01 <unrahul> #vote Yes 17:41:02 <sicarie> #vote yes 17:41:02 <dg____> #vote Yes 17:41:02 <Daviey> #vote Yes 17:41:04 <mvaldes> #vote Yes 17:41:05 <michaelxin> #vote Yes 17:41:10 <knangia> #vote yes 17:41:12 <greenhorn> #vote yes 17:41:13 <vinaypotluri> #vote yes 17:41:15 <browne> #vote yes 17:41:51 <tmcpeak> allright 17:41:54 <tkelsey> #vote yes 17:41:59 <tmcpeak> looks pretty conclusive :D 17:42:02 <sigmavirus> are we missing anyone? 17:42:03 <ccneill> 18 yays 17:42:10 <tmcpeak> ending vote in 1 min 17:42:22 <dg____> dhellman ? 17:42:25 * Daviey waits for 19 no's 17:42:36 <tmcpeak> #endvote 17:42:37 <openstack> Voted on "Do the project members want to continue to be part of the Big Tent?" Results are 17:42:40 <dhellmann> dg____ : oh, I wasn't going to vote, I'm not a part of the team. I'm just here to advise. 17:42:42 <sigmavirus> Daviey: i can probably whip up some IRC bots for you :P 17:42:58 <ccneill> aw come on openstack you're leaving me hanging! WHO WINS?! 17:43:00 <michaelxin> haha 17:43:02 <tmcpeak> ok now PTL 17:43:04 <sigmavirus> ccneill: NO ONE 17:43:06 <sigmavirus> ;P 17:43:07 <tmcpeak> who is interested? 17:43:08 <ccneill> :(((((((( 17:43:13 <ccneill> Donald J Trump 17:43:18 <sigmavirus> ccneill: too soon 17:43:18 <ccneill> sorry, strike that from the record 17:43:20 <lhinds> vote is rigged! 17:43:21 <elmiko> i really don't trust a 100% consensus, really needed a no in there to keep us honest 17:43:21 <sigmavirus> (also it's drumpf) 17:43:22 <lhinds> all bots 17:43:29 <hyakuhei> heh 17:43:31 <Daviey> I think most people assumed hyakuhei would stand again... did he want to do it? 17:43:38 <tkelsey> my bot is laggy :P 17:43:41 <sigmavirus> elmiko: hyakuhei's blog post convinced me of Yes this morning before the meeting 17:43:47 <michaelxin> Daviey: +1 17:43:50 <sigmavirus> Daviey: judging by said post, he does 17:43:52 <tmcpeak> yeah, hyakuhei do you want to continue doing it? 17:43:59 <hyakuhei> I'd quite like to 17:44:00 <elmiko> sigmavirus: nice, well that's an "almost no" 17:44:03 <sigmavirus> (I think it's in one of the last paragraphs) 17:44:05 <hyakuhei> lol 17:44:05 <lhinds> hyakuhei +1 17:44:11 <tmcpeak> cool, anybody else? 17:44:13 <dg____> I would nominate hyakuhei for this period, while we try and fix ourselves 17:44:19 <Daviey> sigmavirus: (just trying to be explicit) 17:44:22 <tkelsey> dg____: +1 17:44:24 <ccneill> dg____: seconded 17:44:24 <dg____> then seriously look at succession planning next time? 17:44:30 <hyakuhei> dg____ +1 17:44:38 <elmiko> agreed, hyakuhei ++ 17:44:54 <dg____> ideally with someone who remembers we need a ptl :P 17:44:57 <Daviey> It would probably be an idea of having a *goal* of having at least PTL nominations next cycle 17:45:03 <elmiko> dg____: lol, BURN! 17:45:04 <Daviey> (3 PTL nominations) 17:45:06 <sigmavirus> dg____: that's might be too much to ask 17:45:07 <ccneill> can we add a notification to openstack-bot? :) 17:45:11 <greenhorn> Deez +1 ; ) 17:45:24 <sicarie> Does Lotus Notes have a calendar function? 17:45:27 <ccneill> I think we established that our IRC attendance is better than our ML participation 17:45:29 <dg____> daviey that is a good point. we should have 3 suitable candidates 17:45:37 <hyakuhei> Daviey +1 17:45:43 <tkelsey> dg____: Daviey +1 17:45:48 <sigmavirus> dg____: Daviey curious about 3 being the magic number 17:45:57 <Daviey> sigmavirus: I just plucked it 17:46:05 <hyakuhei> dhellmann what are the next steps for us from a TC/organizational point of view? 17:46:09 <Daviey> I think captn0day had aspirations 17:46:09 <dhellmann> Daviey : it would be good to have some other folks thinking about rotating the responsibilities, but it's not a requirement that there be an election. if only one team member is able to commit to being PTL, that's OK. 17:46:22 <greenhorn> you're thinking cluster quorum maybe 17:46:32 <tmcpeak> Daviey: +++++ 17:46:41 <dg____> given the diversity of the areas we look at, 3 doesnt seem unreasonable 17:46:43 <sicarie> looool 17:46:50 <michaelxin> So, we control our fate or not? 17:46:56 <sigmavirus> tmcpeak: should run to make bandit great again ;) 17:47:03 <tmcpeak> lol 17:47:06 <dhellmann> hyakuhei : I think you've already been talking with ttx? I would make sure that he and the rest of the TC is aware that you're ready to serve, the team is going to work on the communication stuff to avoid the situation in the future, and then get it on the TC agenda for next week. 17:47:13 <sigmavirus> michaelxin: I think hyakuhei and a couple of us should attend the TC meeting on Tuesday 17:47:17 <dhellmann> #link https://wiki.openstack.org/wiki/Meetings/TechnicalCommittee 17:47:24 <dg____> ty 17:47:25 <tmcpeak> my support is behind hyakuhei :) 17:47:36 <Daviey> dhellmann: Does this mean that the recommendation to the TC will be that hyakuhei is appointed PTL for this cycle? 17:47:39 <dhellmann> there's already an item there about "Decide future of Security and OpenStackSalt project teams" 17:47:42 <tmcpeak> I'll help with the administrative crap though 17:48:00 <sigmavirus> tmcpeak: right, I'm also willing to help if hyakuhei needs it 17:48:04 <michaelxin> So, the decision will be next Tuesday? 17:48:10 <hyakuhei> Thanks sigmavirus tmcpeak 17:48:13 <sigmavirus> I just have no way of getting a commitment from my organization to be PTL 17:48:14 <dhellmann> Daviey : I don't want to speak for anyone else. I support that position. I think there's a strong likelihood that others will too. 17:48:19 <sigmavirus> (And I don't want to be PTL either) 17:48:29 <Daviey> dhellmann: super, thanks 17:48:50 <tmcpeak> I think fungi mentioned being interested? 17:48:51 <michaelxin> dhellmann: Thanks. 17:48:56 <hyakuhei> Just another week of waiting to hear my fate ;) 17:49:01 <Daviey> hyakuhei: 12 mins left.. might be a good idea to smash through the agenda? 17:49:10 <Daviey> err tmcpeak 17:49:28 <michaelxin> Do we need support from other TC members? 17:49:30 <tmcpeak> ok, anything else we need on this? 17:49:34 <dg____> dhellmann are you likely to be able to help in future (assuming we dont get thrown out) while we figure out how to be better engaged with the community? 17:49:37 <michaelxin> OSIC offered to help if needed. 17:49:37 <greenhorn> ugh meeting - gtg. fun meeting eveyrone 17:49:46 <hyakuhei> thanks greenhorn 17:49:47 <tmcpeak> thanks greenhorn 17:49:51 <tmcpeak> #topic dg for sec core 17:49:58 <dhellmann> dg____ : I can offer some advice, but we might also be able to find another TC member who can be more active with you. 17:49:58 <tmcpeak> we actually DID use the ML for this, didn't we 17:50:08 <dg____> dhellmann excellent, thanks 17:50:10 <dhellmann> thanks for including me folks. I appreciate the constructive discussion on what I know is a frustrating situation. 17:50:15 <fungi> tmcpeak: no, i was merely bemoaning the fact that i'm not able to find time to get involved enough in other things the security team works on to feel comfortable being ptl (not to mention, i'm already ptl of one of the most active teams in the community, so lack much free time) 17:50:17 <hyakuhei> This was sent out on the ML (hah!) and we had a response from fungi with a +1 17:50:18 <tmcpeak> thanks dhellmann, appreciate your help sorting it out 17:50:28 <tmcpeak> fungi: gotcha 17:50:33 <hyakuhei> thanks dhellmann you've been a good help here 17:50:37 <hyakuhei> s/good/big 17:50:40 <hyakuhei> ... long day. 17:50:42 <lhinds> thx dhellmann 17:50:43 <ccneill> dhellmann: thanks for coming. this discussion was definitely needed 17:50:44 <Daviey> thanks dhellmann 17:50:47 <michaelxin> dhellmann: Thanks. 17:51:30 <tmcpeak> allright, so dg 17:51:34 <tmcpeak> where did we get 17:51:40 <tmcpeak> I think we're all happy, any push back from the ML post? 17:51:46 <tmcpeak> I saw fungi agreed 17:51:58 <hyakuhei> Yeah, we're good to go. There's a space there. 17:52:05 <tmcpeak> also hyakuhei did you speak with nkinder? 17:52:44 <tmcpeak> I'd love his continued input but know he's swamped 17:53:23 <hyakuhei> Yes soryr 17:53:28 <hyakuhei> heh 17:53:34 <hyakuhei> Nkinder is stepping down from coresec 17:53:43 <hyakuhei> Doug gets his shoes. 17:53:48 <hyakuhei> If everyone agrees 17:53:57 <tmcpeak> ok, so with dg we have 4 active members able to assess security impact for embargoed issues? 17:54:18 <michaelxin> who are the 4 ? 17:54:27 <tmcpeak> hyakuhei, dg, lhinds, and me 17:54:38 <michaelxin> nice 17:54:38 <fungi> them's some big shoes. nkinder is awesome 17:54:40 <michaelxin> Thanks. 17:54:44 <tmcpeak> fungi: +1 17:55:00 <tmcpeak> great, seems like we're good there 17:55:03 <tmcpeak> #topic Syntribos 17:55:07 <hyakuhei> fungi +1 17:55:08 <tmcpeak> ccneill, unrahul: you're up 17:55:14 <elmiko> fungi: agreed, nkinder++ 17:55:14 <ccneill> so we're testing Nova right now 17:55:23 <ccneill> wrapped up testing Glance earlier this week 17:55:39 <ccneill> found one potential issue in Glance that's still embargoed 17:55:48 <dg____> awesome, thanks guys. sad nkinder had to step down thou :( 17:55:49 <ccneill> next week we test Cinder/Swift 17:55:53 <tmcpeak> ccneill: sick! 17:55:58 <ccneill> so that's the news on the testing front 17:56:05 <tmcpeak> ccneill: you guys should write an ML post about this 17:56:12 <Daviey> ccneill: How many compute hours does a scan take? 17:56:21 <ccneill> tmcpeak: agreed, we'll come up with a summary 17:56:29 <tmcpeak> great 17:56:30 <ccneill> Daviey: depends on the project under test, and the number of endpoints 17:56:41 <Daviey> ccneill: with the ones you have done so far? 17:56:44 <ccneill> Daviey: in the ballpark of an hour to 3 at this point :X 17:56:55 <fungi> yeah, we've (vmt) seen a few good reports come in from the syntribos team already, so glad it's picking up steam. thanks! 17:56:56 <Daviey> wow, that is much quicker than i anticipated 17:56:58 <ccneill> so, in terms of "lessons learned" from this round of testing 17:57:15 <ccneill> fungi: :) thanks, we'll keep trying to find fun stuff 17:57:25 <ccneill> - we need to work on performance where we can get it 17:57:56 <ccneill> we currently use unittest, and I'm convinced that we can streamline things with a queue and workers to significantly improve performance there 17:57:56 <tmcpeak> awesome, anything else for syntribos? 17:58:01 <tmcpeak> 2 mins 17:58:12 <tmcpeak> we're not going to get through the agenda today 17:58:15 <ccneill> last thing: we will hopefully have a new version up on pip soon :) 17:58:26 <fungi> ccneill: any parallelism (like we get with testr in other openstack projects)? 17:58:27 <unrahul> :) +1 ccneill 17:58:45 <ccneill> fungi: we're planning to explore it once we finish this first round of testing 17:58:54 <ccneill> but no parallelism built in at the moment 17:59:03 <fungi> cool, that's definitely one place i'd consider looking for performance improvements 17:59:41 <dg____> before we wrap up, please can I beg reviews of this: https://review.openstack.org/#/c/357978/5 17:59:41 <tmcpeak> allright guys, we've got to wrap 17:59:43 <fungi> though you need your tests quantized into non-interdependent units for parallelism to really be viable 18:00:00 <hyakuhei> dg____ already has my +2 18:00:02 <dg____> tmcpeak lhinds redrobot ^^ 18:00:03 <ccneill> fungi: yep, none of our tests are interdependent thankfully 18:00:14 <lhinds> dg____: +2 18:00:16 <tmcpeak> dg____: sire 18:00:20 <tmcpeak> #endmeeting