17:00:08 <hyakuhei> #startmeeting Security
17:00:09 <openstack> Meeting started Thu Sep 22 17:00:08 2016 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:11 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:13 <openstack> The meeting name has been set to 'security'
17:00:16 <lhinds> o/
17:00:18 <sigmavirus> o/
17:00:22 <michaelxin> o/
17:00:24 <hyakuhei> o/
17:00:28 <hyakuhei> #chair tmcpeak
17:00:29 <elmiko> o/
17:00:29 <unrahul> o/
17:00:29 <openstack> Current chairs: hyakuhei tmcpeak
17:00:32 <tmcpeak> o/
17:00:37 <Daviey> \o
17:00:44 <knangia> o/
17:00:50 <mdong> o/
17:01:28 <ccneill> o/
17:01:30 <hyakuhei> Righto guys, as normal the agenda is over here #link https://etherpad.openstack.org/p/security-agenda
17:01:36 <vinaypotluri> o/
17:01:38 <browne> o/
17:02:11 <tkelsey> o/ all
17:02:17 <tmcpeak> packed meeting today :D
17:02:20 <hyakuhei> Good turnout today...
17:02:31 <hyakuhei> So I suppose we should level-set
17:02:32 <tkelsey> lol
17:02:42 <lhinds> nice blog post hyakuhei (from my speed read)
17:02:44 <hyakuhei> Most of the meeting today will be talking about the future of the Security Project
17:02:50 <michaelxin> even elmiko is here
17:03:09 <greenhorn> Adam here, just listening this round
17:03:10 <hyakuhei> Which, as lhinds alluded to, I blogged about here #link https://openstack-security.github.io/organization/2016/09/22/maturing-the-security-project.html
17:03:18 <dg____> o/
17:03:20 <tmcpeak> welcome greenhorn
17:03:35 <hyakuhei> Thanks for joining us greenhorn
17:03:40 <greenhorn> you bet
17:03:46 <Daviey> hyakuhei: great blog post, well outlined and reflective
17:03:51 * elmiko waves at michaelxin
17:04:13 <hyakuhei> Thanks Daviey the truth is there are things we need to do better, this has been a welcome wakeup call in that regard
17:04:23 <Daviey> +1
17:04:28 <hyakuhei> I think dhellmann might be joining us today?
17:04:53 <hyakuhei> ttx also may want to be involved
17:05:01 <dhellmann> o/
17:05:13 <elmiko> wow
17:05:19 <hyakuhei> elmiko ?
17:05:52 <hyakuhei> #topic Future of the Security Project
17:05:57 <elmiko> oh, just emoting about the big-wigs getting involved ;)
17:06:07 <hyakuhei> It's nice to matter ;)
17:06:11 <elmiko> definitely
17:06:27 <elmiko> i didn't think my pulling back would have such a big effect.... /s
17:06:33 <hyakuhei> So yes, I missed the PTL election, for the second time. I had what most people would call a good reason but it was still a major screwup on my part and I hold my hand up to that
17:06:34 <michaelxin> haha
17:06:43 <tmcpeak> so for starters, is there anybody in here that wants to go to working group, and  if so, why?
17:06:45 <michaelxin> good blog
17:06:47 <hyakuhei> It did however raise a bunch of issues beyond "why is there no PTL"
17:07:18 <ccneill> like "what is a PTL, really?"
17:07:20 <tmcpeak> including others that aren't OSSP members and want us to be a working group
17:07:22 <ccneill> especially for our project
17:07:23 <hyakuhei> Which led me to look at a number of things I hadn't really been aware of (likely because I was grandfathered into PTL) like the project team guide
17:07:50 <dg____> tmcpeak - it would be good to get some clarity from dhellman over 'what a working group is' and 'how is it different to a project team'
17:07:57 <hyakuhei> dhellmann I'm not really sure where to take this conversation. Do you have time to take a look at my blog post ?
17:07:57 <greenhorn> and possibly the risk of having one become a PTL by just volunteering from outside the project. if I thought about it, others might
17:08:14 <hyakuhei> greenhorn You're absolutely right but I don't want to focus on the election
17:08:17 <hyakuhei> That's not going to happen again
17:08:20 <greenhorn> sure sure
17:08:30 <sigmavirus> greenhorn: also you have to qualify to be PTL first
17:08:31 <dhellmann> hyakuhei : I'm looking now, but let me also try to answer some of the questions
17:08:43 <hyakuhei> of course.
17:08:46 <dhellmann> first, it's very unlikely that someone who has not contributed at all to the team would be "appointed" to lead the team
17:08:53 <sigmavirus> So it would be unlikely to be totally outside the project
17:09:13 <dhellmann> yeah, I mean if you all decided to leave openstack entirely that would be a different story, but no one thinks that's what happened
17:09:42 <dhellmann> and just to be completely clear, I have no preconceived notion of the best outcome here other than that we should help the team find what it thinks is the best outcome
17:10:00 <dhellmann> so exploring the idea of a WG instead of a big tent team is just that, a discussion exploring it
17:10:31 <hyakuhei> My position is that there are clearly things that we need to do to be better community members, I think I can guide us to that place and that's what I want to do. I think we should stay in the big tent, at least until we've done a good job of showing that we should work that way.
17:10:32 <dhellmann> as to the difference, there are a couple of areas to talk about
17:11:13 <dhellmann> hyakuhei : great, I am happy to support you in that if that's what the team agrees to
17:11:28 <michaelxin> Do we want to vote?
17:11:42 <dhellmann> a working group is a less formal structure than a project team. membership in a working group does not automatically confer atc status, which means members don't automatically get to vote for tc just by participating in the wg
17:11:44 <tmcpeak> michaelxin: +1
17:11:45 <lhinds> I also really believe we need no change, we know where we went wrong, but aside to that productivity and synergy in the group is great
17:12:16 <Daviey> dhellmann: and less summit timetable?
17:12:19 <dhellmann> if they have atc status from elsewhere (patches in another project, or extra-atc status from another project) that would give them voting rights in those project elections and the tc election
17:12:30 <tkelsey> lhinds: +1
17:12:36 <sigmavirus> Daviey: yes, but that's already something that's changing with the split of the summit
17:12:38 <dhellmann> yes, a working group is likely to have fewer summit resources, although we don't know for sure what the ptg allocation is going to look like
17:12:50 <ccneill> for precedent purposes, looking at projects vs. working groups, it's not entirely clear that there is a "right" and "wrong" way. QA is a project, performance is a working group
17:13:14 <tmcpeak> let's vote on big-tent, working group
17:13:17 <sigmavirus> ccneill: so that's the thing, is that we occupy both spaces in a way
17:13:23 <tmcpeak> #startvote
17:13:24 <sigmavirus> tmcpeak: can we wait until people have all the information?
17:13:24 <openstack> Unable to parse vote topic and options.
17:13:25 <dhellmann> it's quite likely, but I'm not the authority on this, that the security team would be considered cross-project enough to meet on the first day or two of the ptg, leaving vertical team meetings for later in the week
17:13:32 <tmcpeak> sigmavirus: ?
17:13:37 <tmcpeak> I didn't do it correctly anyway
17:13:47 <sigmavirus> tmcpeak: dhellmann is still answering questions
17:13:49 <hyakuhei> dhellmann we've often worn two hats in that regard
17:14:01 <tmcpeak> ok
17:14:09 <hyakuhei> That'll be even more the case with our TA work complementing the VMT
17:14:30 <hyakuhei> I'm looking forward to exploring how things will work with the ptg too
17:14:33 <dhellmann> yes, there's a bit of grey area there but the case can be made either way
17:14:53 <tmcpeak> something that I brought up yesterday, and was echoed by others is that we're likely to receive a measurable drop in participation and funding for a working group
17:14:56 <sigmavirus> ccneill: to explain, since AIUI you're new to openstack, performance WG issues guidelines/suggestions/etc. and doesn't produce much of a deliverable besides documented best practices (like the API WG)
17:15:08 <dg____> with my corporate hat on, I think I will struggle to get funds for contribution to working group, particularly things like meals at meetups, etc. I realise this will change with ptg, but historically we have funded mid-cycles etc.
17:15:12 <Daviey> dhellmann: Well truth be told, there were issues in previous summit where required people couldn't be there due to clashes.  Would WG make cross-project this more possible? who knows
17:15:12 <dhellmann> ccneill is right to point out the performance working group. another example is the new architecture group
17:15:16 <sigmavirus> ccneill: while QA works on tempest, hacking, etc.
17:15:28 <ccneill> sigmavirus: right. so in those two buckets, I see us doing both of those things (tools + docs)
17:15:41 <dhellmann> Daviey: couldn't attend at all, or couldn't attend specific session(s)?
17:15:46 <ccneill> so I think logically it makes sense that we should come to a decision about which we think WE are
17:15:50 <sigmavirus> ccneill: although from what I gathered yesterday from private conversations, we've been more tooling heavy
17:15:57 <ccneill> since we are best able to assess our goals vs. the larger OS goals
17:16:04 <Daviey> dhellmann: specific
17:16:18 <dhellmann> Daviey : ok
17:16:30 <hyakuhei> My personal opinion (which I tend to be stating a lot at the moment) is that I'd like for us to stay in the big tent and up our game in terms of operating appropriately in that space; we can re-assess at that point.
17:16:33 <dg____> sigmavirus - don't forget the security guide, OSSNs and security review (TA) work
17:16:35 <hyakuhei> Nothing is set in stone
17:16:43 <dhellmann> those sorts of conflicts are one of the things we're trying to address with the new ptg schedule
17:16:59 <hyakuhei> I'm cautiously optimistic about the ptg.
17:17:03 <dg____> +1
17:17:07 <greenhorn> WG or BigTent, do either prevent the work from getting done or is it funding related mostly?
17:17:14 <sigmavirus> dg____: right, I said we do both, but have leaning more towards tooling lately (based on the impression of people more aware than I am of the docs portion)
17:17:22 <dhellmann> yeah, we're going to need to hold a ptg once to really figure out what we need to change
17:17:39 <michaelxin> what's ptg?
17:17:44 <hyakuhei> greenhorn there's more of a disconnect with regards to us being a gating function for the VMT re the changes to the vulnerability managed tag
17:17:56 <Daviey> In the future, it might be piratical for OSSP to become a WG which focusses on projects in their own right (which the OSSP is currently guardian of)
17:17:56 <hyakuhei> michaelxin the breakout of the design sessions from the conferences
17:18:04 <Daviey> practical*
17:18:05 <dhellmann> michaelxin : sorry, "project team gathering" is the name of the new contributor-only event to be held in february next year
17:18:19 <michaelxin> Thanks hyakuhei dhellmann
17:18:35 <sigmavirus> greenhorn: so some people have asserted that we will lose people working on OSSP if it becomes a WG
17:18:52 <hyakuhei> Me among them.
17:18:57 <tmcpeak> me too
17:19:05 <michaelxin> OSIC will suffer too.
17:19:15 <dhellmann> hyakuhei, tmcpeak: you would be lost to the team, or you think that will be an outcome?
17:19:33 <michaelxin> If OSSP is not a project, it is very likely Rackspace and Intel will stop contributing.
17:19:34 <elmiko> wow... that's huge imo
17:19:43 <tmcpeak> I personally will get considerable less (if any) time commitment
17:19:44 <dhellmann> that's unfortunate
17:19:48 <michaelxin> For OSIC project.
17:20:02 <ccneill> I can't say for sure, but myself, mdong, unrahul, vinaypotluri, and knangia all work on OSSP projects full-time; I can't speak for OSIC, but it's definitely a risk that they don't continue to fund us
17:20:18 <hyakuhei> It shouldn't (and isn't) just about funding
17:20:24 <hyakuhei> but that's a major concern for me
17:20:28 <lhinds> I think we are thinking of changes cars as we had a flat tyre. We just need to monitor for announcements better, but everything else from my end was working really well.
17:20:30 <dhellmann> sure, I share that concern
17:20:39 <lhinds> s/changes/changing
17:20:40 <michaelxin> ccneill: I talked with Homer. They are very concerned.
17:20:44 <dg____> HPE will probably cut us back. Mostly due to the 'security leaves openstack' headlines
17:21:03 <dg____> of course, HPE might cut us anyway :)
17:21:07 <sigmavirus> hyakuhei: okay, so you're the first person to have a concern other than funding
17:21:07 <hyakuhei> ouch.
17:21:09 <elmiko> i like hyakuhei's statement about upping our game, that seems like an excellent course if we can follow it
17:21:21 <tmcpeak> should we ignore the funding component?
17:21:31 <tmcpeak> seems like a big deal to gloss over
17:21:32 <hyakuhei> sigmavirus I don't think that's true but I have probably been the most vocal
17:21:52 <ccneill> hyakuhei: I agree - I don't want it to be about funding, but it is a reality. I think though that we can look at it as a positive opportunity to really grow into the Project title rather than "giving up" so to speak and reverting to WG
17:22:01 <hyakuhei> +1
17:22:04 <tmcpeak> ccneill: +1
17:22:06 <dg____> +1
17:22:06 <hyakuhei> That's exactly what I want
17:22:09 <lhinds> +1
17:22:14 <hyakuhei> Hence the long rambling blog post
17:22:26 <hyakuhei> Oh, I also want Gmail to support special characters in filters.
17:22:30 <sigmavirus> tmcpeak: I'm not saying it's unimportant, I'm saying that before hyakuhei's blog post no one had anything to argue in favor of a PTL besides "They organize our events for us and being in the big tent gives us funding"
17:22:31 <elmiko> turn into the headwind, eh?
17:22:47 <Daviey> Being 'downgraded' to a WG to me, is making a statement that security isn't a first priority of OpenStack
17:22:48 <tmcpeak> PTL has nothing to do with it.  The question is are we a big-tent project
17:22:54 <dg____> +1
17:23:04 <dhellmann> aside from the fact that the vmt is folded into this team, would anyone object to it being called "security tools" rather than "security"? Does that adequately capture the nature of the work being done?
17:23:11 <greenhorn> @hyakuhei +1
17:23:11 <dg____> no
17:23:15 <tmcpeak> dhellmann: not at all
17:23:16 <tkelsey> if the OSSP leaves the big tent how will that impact bandit/anchor/etc
17:23:18 <hyakuhei> dhellmann maybe 50% of what we do
17:23:22 <sigmavirus> Daviey: so then you think the API design, architecture, and performance working groups aren't important to OpenStack because they're working groups?
17:23:30 <tkelsey> will they need to re-enter as their own thing each?
17:23:31 <lhinds> dhellmann: we do more than tooling though, I don't agree with that myself
17:23:31 <ccneill> whoa tkelsey in the house :)
17:23:34 <tmcpeak> we own the security guide, security notes, sec-core (advice for security on embargoed issues)
17:23:39 <tkelsey> ccneill: hi :)
17:23:40 <dg____> dhellman for example: http://docs.openstack.org/security-guide/
17:23:45 <hyakuhei> dhellmann we have a decent infographic here https://wiki.openstack.org/wiki/Security
17:23:46 <tmcpeak> secure development guidelines
17:23:54 <dhellmann> ok, it sounds like a name change is too narrowly focused, thanks for clarifying that
17:23:56 <hyakuhei> Basically tooling as a thing we do isn't the big priority
17:24:04 <dg____> dhellman theres also this: http://security.openstack.org
17:24:05 <michaelxin> By moving to WG for security project might conflict with the goal of getting Openstack Enterprise ready (security is a big part).
17:24:11 <elmiko> sigmavirus: if attendance is any metric, api-wg is not seen as important... =(
17:24:11 <Daviey> sigmavirus: No.. that isn't quite what i mean... but those are not primary deliverable
17:24:12 <hyakuhei> and we need to update that with Syntribos, now that Secure API testing has a proper name
17:24:27 <unrahul> +1
17:24:57 <hyakuhei> #action hyakuhei to update the Security wiki image to give Syntribos their due place
17:25:01 <greenhorn> furthermore an argument *could* be made that if security leaves the big tent, it portrays a message we might not want to send ('security was kicked out' = not so great msg)
17:25:07 <sigmavirus> michaelxin: unsurprisingly (to me) OSIC needs serious education about how OpenStack works, but that's for another channel and another discussion
17:25:16 <dhellmann> I really don't understand the distinction being made between a project team and a working group then. If the point of the team is not to deliver a product, but to deliver advice, etc., then a chartered working group seems just as good a fit.
17:25:26 <hyakuhei> We do both
17:25:28 <michaelxin> sigmavirus: +1
17:25:39 <dhellmann> greenhorn : you wouldn't be "leaving" though, just having a status change
17:25:43 <hyakuhei> In pretty much equal parts
17:25:45 <tmcpeak> we deliver lots of products
17:25:49 <dhellmann> is there anyone on the team who is only an atc because of contributions to this team?
17:25:50 <lhinds> we have three development projects putting in around 20-30 patches a day
17:25:57 <tmcpeak> o/
17:26:02 <sicarie> o/
17:26:04 <sigmavirus> dhellmann: certainly there are
17:26:08 <unrahul> o/
17:26:09 <mdong> o/
17:26:16 <vinaypotluri> o/
17:26:16 <tmcpeak> actually no, that's not true.  I contribute to security to other projects (such as Bandit gates)
17:26:20 <dhellmann> ok, that's good information to have, too
17:26:24 <tkelsey> o/
17:26:26 <lhinds> o/
17:26:32 <michaelxin> o/
17:26:33 <mdong> I know all of us OSIC members certainly are
17:26:33 <knangia> o/
17:26:34 <ccneill> dhellmann: think of our advice as "this is good" and our tools as "hopefully this will make it even better." we can't have the tools without people with the expertise to give the advice, but we can't have the level of contributions if some people can't work on it in a full-time way (i.e. on an on-going product development or other effort)
17:26:36 <hyakuhei> o/ (96% sure that's correct for the last cycle)
17:26:38 <tkelsey> actually no, i have others as well
17:26:40 <dg____> i think there definitely are some of us who are only ATC because of this project
17:26:45 <ccneill> o/
17:26:46 <hyakuhei> ccneill I like that
17:26:50 <hyakuhei> Well put sir
17:26:57 <Daviey> but those people who are ATC just because of OSSP, could get ATC if the projects were themselves projects
17:27:04 <Daviey> Such as OSSN becoming a project itself
17:27:05 <elmiko> at some point, wasn't the security guide an actual product that this group produced?
17:27:09 <hyakuhei> Most aren't big enough to stand on their own
17:27:10 <dg____> daviey yup
17:27:24 <tmcpeak> Daviey: but then we need tons of PTLs instead
17:27:24 <tkelsey> so we would swap one project for many small ones, and multiply the admin overhead
17:27:26 <hyakuhei> We're good at self managing these things at the moment (election and ML aside)
17:27:26 <michaelxin> hyakuhei: +1
17:27:29 <tkelsey> not great IMHO
17:27:32 <dhellmann> yeah, I'm not sure that the best outcome is to turn each repo into its own team
17:27:35 <sigmavirus> aren't some of the doc-related things co-owned by the documentation team?
17:27:35 <dg____> Daviey - if we can't manage to elect a PTL for OSSP, could we get one for Anchor, Bandit, OSSN, Security Doc.....
17:27:38 <Daviey> tmcpeak: well.. one PTL could cover them all
17:27:54 <Daviey> (I don't agree with it, but i am suggesting it)
17:27:55 <dg____> like a security PTL?
17:27:59 * greenhorn wishes IRC was threaded
17:27:59 <Daviey> hah
17:28:06 <dhellmann> that sounds quite a bit like what you have now :-)
17:28:20 <Daviey> dhellmann: and it kinda works :)
17:28:23 <ccneill> with more overhead, it sounds like
17:28:29 <dhellmann> Daviey : mostly :-)
17:28:33 <dg____> so it seems like switching to a WG is going to have a bunch of negative effects, without adding much benefit
17:28:35 <Daviey> somewhat
17:28:45 <hyakuhei> dg____ that's my feeling at the moment.
17:28:47 <michaelxin> I do not think that we have enough people to do it.
17:28:48 <elmiko> sigmavirus: i think you may be right about that
17:29:01 <tmcpeak> I think we're just pushing around beans here.  We have a bunch of projects that we think benefit from having a PTL.  Whether those are under one project or a bunch of different projects doesn't matter
17:29:02 <dhellmann> so it sounds like folks want to stay a big tent team, and that there's some recognition that there are expectations from outside the team to maintain that status
17:29:13 <michaelxin> We have been struggling with growing team for a while.
17:29:26 <tmcpeak> dhellmann: yes
17:29:32 <dg____> by switching to a WG we get a bunch of extra admin for our existing projects, probably reduce funding and resource, generate negative publicity
17:29:37 <dhellmann> tmcpeak : sort of. we want to find a stable state where the team is actually working together and not just lumped under a title because of pattern matching
17:29:49 <dg____> we work together quite well
17:29:50 <sigmavirus> dg____: all publicity is good publicity, or so I'm told
17:29:57 <greenhorn> eh
17:30:12 <greenhorn> tell that to snowden. ; )
17:30:13 <hyakuhei> dhellmann I think that's fair. We're certainly willing to revisit it and I'm going to be accountable for us delivering on the things we should be doing from a project point of view
17:30:15 <michaelxin> sigmavirus: +1
17:30:15 <dg____> sigmavirus 'openstack abandons security'
17:30:23 <ccneill> dhellmann: from your perspective, do the goals outlined in hyakuhei's post get us closer to being like other projects?
17:30:33 <Daviey> dhellmann: To change tack slightly... what would the benefits be of switching to a WG?
17:30:48 <dhellmann> ccneill : I've been talking here, not reading, but I will look it over
17:30:54 <sigmavirus> dg____: and if people can't see past BuzzFeed's headlines, I feel sorry for them
17:31:24 <elmiko> sigmavirus: that's a lot of feels to go around ;P
17:31:26 <dhellmann> Daviey : from one perspective it means a bit less management overhead for the team itself, although that's not really a prime reason
17:31:28 <sigmavirus> ccneill: I feel more comfortable with having a PTL if those goals are actually project goals
17:31:29 <dg____> sigmavirus i was actually thinking of the register
17:31:29 <hyakuhei> The short version is deliver on the things in the project team guide with a big focus on the mailing list / open communications principle
17:32:07 <sigmavirus> hyakuhei: frankly, there was enough negative feedback about the mailing list *on the mailing list* that I don't think you're providing yourself an attainable goal with that one
17:32:28 <tmcpeak> I'll be the first to say, I hate the mailing list
17:32:29 <dhellmann> Daviey : as I said to start, my motivation is to help the team decide what structure works for it, and then have that reflected correctly in the governance setup to avoid existential questions in the future
17:32:42 <tmcpeak> my security filter flags a bunch of stuff that isn't related to my project
17:32:46 <hyakuhei> Ye of little faith. Most of what we have done re: midcycle, electing cores etc has been conducted on the ML
17:32:51 <tmcpeak> we might be able to fix that by changing our tag to something specific to us "OSSP"
17:32:54 <sigmavirus> The overall attitude yesterday on that thread and in #openstack-security was "The mailing list contains no useful information for us and it's not my job to occasionally scan it for something that might be of import"
17:32:55 <Daviey> dhellmann: Right, i get that.. but i wanted to understand any potential benefits of switching
17:33:01 <hyakuhei> sigmavirus the bigger issue was really us not reading it as well as we should.
17:33:02 <tmcpeak> so I don't have to read about neutron security groups, etc
17:33:19 <dg____> sigmavirus disagree, it has useful information but it is lost in the noise
17:33:25 <tmcpeak> TONS of noise
17:33:25 <sigmavirus> hyakuhei: there's overwhelming sentiment that the mailing list provides no value to this group yesterday
17:33:44 <dhellmann> Daviey : I don't think there are significant benefits beyond not dealing with elections (which is also not that significant, imho)
17:33:51 <elmiko> sigmavirus: ouch, that's sad =(
17:33:57 <ccneill> sigmavirus: as one of the people relaying that sentiment, I will commit to reading the mailing list if that's really the thing that's holding our group back
17:33:59 <Daviey> sigmavirus: The mailing list is read... the thread that kicked this off was noticed and discussed within minutes of it being sent
17:34:00 <sigmavirus> tmcpeak: so the attitude that [security] gets more traffic than you think it should is worrisome to me
17:34:03 <dhellmann> tmcpeak : a tag change might make a lot of sense
17:34:06 <dg____> sigmavirus disagree, the sentiment is that stuff gets lost in noise.
17:34:07 <ccneill> ¯\_(ツ)_/¯
17:34:07 <hyakuhei> sigmavirus as a read operation, currently that's true. but as dhellmann pointed out many people don't really know what we've been doing. I think that as we improve things in that area, relevant ML traffic will increase
17:34:13 <tmcpeak> sigmavirus: no, [security] is fine
17:34:19 <michaelxin> we should change our attitude for mail list.
17:34:21 <dhellmann> hyakuhei : ++
17:34:21 <tmcpeak> "security" isn't, and that's how my gmail filter works
17:34:34 <sigmavirus> tmcpeak: ah, I see
17:34:37 <dhellmann> yeah, I think gmail filters drop punctuation
17:34:39 <dg____> hyakuhei clearly not enough people know what we do, as evidenced by dhellman not knowing what we do...
17:34:52 <dg____> that's something we have to fix
17:35:01 <elmiko> dg____++
17:35:02 <hyakuhei> dg____ for sure.
17:35:03 <dhellmann> fwiw, we had similar complaints about using the "release" tag for both release announcements and release team discussions, so we changed to "new" for announcements
17:35:05 <tkelsey> dg____: ++
17:35:07 <lhinds> I intend to ramp up participation on the list, and have filters set up. So its fine for me
17:35:13 <lhinds> -dev that is
17:35:20 <tmcpeak> should we change our tag to [OSSP]?
17:35:22 <tmcpeak> that might help
17:35:24 <dhellmann> dg____ : I apologize for not doing my homework before the meeting. :-)
17:35:28 <hyakuhei> That will (ironically) change soon as we start integrating TA with the VMT so basically all new teams will know about us and any going for vulnerability managed would too
17:35:29 <tmcpeak> not likely to see OSSP false positives
17:35:46 <Daviey> tmcpeak: doesn't roll off the tongue so much
17:35:49 <sigmavirus> tmcpeak: that would help for intra-project discussion (if we consider the security team a project, which I think we all do)
17:36:02 <dg____> dhellman as much a reflection on our community integration as yours
17:36:03 <lhinds> 'security' is certainly too wide a net as a filter
17:36:03 <ccneill> sigmavirus: +1
17:36:09 <tmcpeak> if email wasn't painful I'd definitely like to start using it more
17:36:18 <tmcpeak> helpful for synching with others in different TZ, etc
17:36:20 <ccneill> everyone can commit to reading internal mailing list, but not the whole OS list
17:36:26 <sigmavirus> tmcpeak: email is one of the worst possibly designed communication systems but it's what we have
17:36:37 <hyakuhei> I think the problem is that people tend to use [Security] as a tag that they want some sort of ethereal security body to add stuff to a thread
17:36:44 <tmcpeak> well we've decided to prefer IRC as a project
17:36:48 <dhellmann> for those of you not on gmail, you might find https://doughellmann.com/blog/2015/03/17/handling-high-email-volume-with-sup/ useful
17:36:48 <hyakuhei> more of a meta-tag than looking for us as a specific body.
17:37:01 <sigmavirus> ccneill: right, I do think we're missing discussions though where we could be gaining visibility and new contributors by not looking for those opportunities on the list though
17:37:03 <michaelxin> dhellmann: Thanks.
17:37:09 <Daviey> So, you could subscribe twice to the mailing list.. with one of them using email+security@gmail.com and subscribe to just the [SECURITY] tag. Then you can special case it easily enough as you have a unique TO address?
17:37:11 <dg____> dhellmann thanks
17:37:26 <lhinds> [openstack-sec]
17:38:08 <mvaldes> so have we decided that we want to do what is necessary to remain a big-tent project?
17:38:12 <hyakuhei> So I think the tag issue is relevant but probably something we don't have to decide right now
17:38:17 <tmcpeak> mvaldes: I think so
17:38:21 <mvaldes> and moved on to "how we improve as a big-tent project"
17:38:31 <tmcpeak> is anybody NOT in favor of security remaining a project?
17:38:31 <lhinds> mvaldes +1
17:38:35 <hyakuhei> I'd like to come back to "Are we staying in the big-tent for now" and "Who will be PTL"
17:38:52 <tmcpeak> hyakuhei: +1
17:38:56 <hyakuhei> mvaldes I think you're right but I'd like us to be explicit about it
17:39:04 <mvaldes> do we need a discussion of "how do we appeal to the community that we remain a big-tent project"
17:39:04 <sigmavirus> hyakuhei: I'd advocate for a formal vote for the first question
17:39:23 <hyakuhei> if we're ready to, lets vote
17:39:23 <michaelxin> If no one has additional questions, we can vote.
17:39:38 <dg____> before we vote, did i miss the bit where we covered advantages to going to WG?
17:39:42 <sigmavirus> "#startvote Do the project members want to continue to be part of the Big Tent?" I think might work
17:39:46 <sigmavirus> dg____: no one's discussed it really
17:39:49 <Daviey> hmm.. I think it has largely been agreed by most people inside and outside ossp that it remains big tent.  Not sure we need more than just a quick vote here?
17:39:57 <sigmavirus> dg____: one advantage is no one having to watch for PTL nominations
17:40:04 <hyakuhei> Daviey +1
17:40:11 <dg____> sigmavirus :)
17:40:17 <tmcpeak> quick vote should work
17:40:18 <mvaldes> -_-
17:40:25 <sigmavirus> dg____: I'm glad you appreciate my humor ;)
17:40:27 <ccneill> so no real advantages
17:40:43 <tmcpeak> #startvote Do the project members want to continue to be part of the Big Tent?
17:40:44 <openstack> Begin voting on: Do the project members want to continue to be part of the Big Tent? Valid vote options are Yes, No.
17:40:44 <michaelxin> ccneill: +1
17:40:45 <openstack> Vote using '#vote OPTION'. Only your last vote counts.
17:40:51 <tmcpeak> #vote Yes
17:40:53 <sigmavirus> #vote Yes
17:40:57 <lhinds> #vote Yes
17:40:58 <ccneill> #vote Yes
17:40:59 <mdong> #vote yes
17:40:59 <hyakuhei> #vote Yes
17:41:00 <elmiko> #vote Yes
17:41:01 <unrahul> #vote Yes
17:41:02 <sicarie> #vote yes
17:41:02 <dg____> #vote Yes
17:41:02 <Daviey> #vote Yes
17:41:04 <mvaldes> #vote Yes
17:41:05 <michaelxin> #vote Yes
17:41:10 <knangia> #vote yes
17:41:12 <greenhorn> #vote yes
17:41:13 <vinaypotluri> #vote yes
17:41:15 <browne> #vote yes
17:41:51 <tmcpeak> alright
17:41:54 <tkelsey> #vote yes
17:41:59 <tmcpeak> looks pretty conclusive :D
17:42:02 <sigmavirus> are we missing anyone?
17:42:03 <ccneill> 18 yays
17:42:10 <tmcpeak> ending vote in 1 min
17:42:22 <dg____> dhellman ?
17:42:25 * Daviey waits for 19 no's
17:42:36 <tmcpeak> #endvote
17:42:37 <openstack> Voted on "Do the project members want to continue to be part of the Big Tent?" Results are
17:42:40 <dhellmann> dg____ : oh, I wasn't going to vote, I'm not a part of the team. I'm just here to advise.
17:42:42 <sigmavirus> Daviey: i can probably whip up some IRC bots for you :P
17:42:58 <ccneill> aw come on openstack you're leaving me hanging! WHO WINS?!
17:43:00 <michaelxin> haha
17:43:02 <tmcpeak> ok now PTL
17:43:04 <sigmavirus> ccneill: NO ONE
17:43:06 <sigmavirus> ;P
17:43:07 <tmcpeak> who is interested?
17:43:08 <ccneill> :((((((((
17:43:13 <ccneill> Donald J Trump
17:43:18 <sigmavirus> ccneill: too soon
17:43:18 <ccneill> sorry, strike that from the record
17:43:20 <lhinds> vote is rigged!
17:43:21 <elmiko> i really don't trust a 100% consensus, really needed a no in there to keep us honest
17:43:21 <sigmavirus> (also it's drumpf)
17:43:22 <lhinds> all bots
17:43:29 <hyakuhei> heh
17:43:31 <Daviey> I think most people assumed hyakuhei would stand again... did he want to do it?
17:43:38 <tkelsey> my bot is laggy :P
17:43:41 <sigmavirus> elmiko: hyakuhei's blog post convinced me of Yes this morning before the meeting
17:43:47 <michaelxin> Daviey: +1
17:43:50 <sigmavirus> Daviey: judging by said post, he does
17:43:52 <tmcpeak> yeah, hyakuhei do you want to continue doing it?
17:43:59 <hyakuhei> I'd quite like to
17:44:00 <elmiko> sigmavirus: nice, well that's an "almost no"
17:44:03 <sigmavirus> (I think it's in one of the last paragraphs)
17:44:05 <hyakuhei> lol
17:44:05 <lhinds> hyakuhei +1
17:44:11 <tmcpeak> cool, anybody else?
17:44:13 <dg____> I would nominate hyakuhei for this period, while we try and fix ourselves
17:44:19 <Daviey> sigmavirus: (just trying to be explicit)
17:44:22 <tkelsey> dg____: +1
17:44:24 <ccneill> dg____: seconded
17:44:24 <dg____> then seriously look at succession planning next time?
17:44:30 <hyakuhei> dg____ +1
17:44:38 <elmiko> agreed, hyakuhei ++
17:44:54 <dg____> ideally with someone who remembers we need a ptl :P
17:44:57 <Daviey> It would probably be an idea of having a *goal* of having at least PTL nominations next cycle
17:45:03 <elmiko> dg____: lol, BURN!
17:45:04 <Daviey> (3 PTL nominations)
17:45:06 <sigmavirus> dg____: that might be too much to ask
17:45:07 <ccneill> can we add a notification to openstack-bot? :)
17:45:11 <greenhorn> Deez +1 ; )
17:45:24 <sicarie> Does Lotus Notes have a calendar function?
17:45:27 <ccneill> I think we established that our IRC attendance is better than our ML participation
17:45:29 <dg____> daviey that is a good point. we should have 3 suitable candidates
17:45:37 <hyakuhei> Daviey +1
17:45:43 <tkelsey> dg____: Daviey +1
17:45:48 <sigmavirus> dg____: Daviey curious about 3 being the magic number
17:45:57 <Daviey> sigmavirus: I just plucked it
17:46:05 <hyakuhei> dhellmann what are the next steps for us from a TC/organizational point of view?
17:46:09 <Daviey> I think captn0day had aspirations
17:46:09 <dhellmann> Daviey : it would be good to have some other folks thinking about rotating the responsibilities, but it's not a requirement that there be an election. if only one team member is able to commit to being PTL, that's OK.
17:46:22 <greenhorn> you're thinking cluster quorum maybe
17:46:32 <tmcpeak> Daviey: +++++
17:46:41 <dg____> given the diversity of the areas we look at, 3 doesn't seem unreasonable
17:46:43 <sicarie> looool
17:46:50 <michaelxin> So, we control our fate or not?
17:46:56 <sigmavirus> tmcpeak: should run to make bandit great again ;)
17:47:03 <tmcpeak> lol
17:47:06 <dhellmann> hyakuhei : I think you've already been talking with ttx? I would make sure that he and the rest of the TC is aware that you're ready to serve, the team is going to work on the communication stuff to avoid the situation in the future, and then get it on the TC agenda for next week.
17:47:13 <sigmavirus> michaelxin: I think hyakuhei and a couple of us should attend the TC meeting on Tuesday
17:47:17 <dhellmann> #link https://wiki.openstack.org/wiki/Meetings/TechnicalCommittee
17:47:24 <dg____> ty
17:47:25 <tmcpeak> my support is behind hyakuhei :)
17:47:36 <Daviey> dhellmann: Does this mean that the recommendation to the TC will be that hyakuhei is appointed PTL for this cycle?
17:47:39 <dhellmann> there's already an item there about "Decide future of Security and OpenStackSalt project teams"
17:47:42 <tmcpeak> I'll help with the administrative crap though
17:48:00 <sigmavirus> tmcpeak: right, I'm also willing to help if hyakuhei needs it
17:48:04 <michaelxin> So, the decision will be next Tuesday?
17:48:10 <hyakuhei> Thanks sigmavirus tmcpeak
17:48:13 <sigmavirus> I just have no way of getting a commitment from my organization to be PTL
17:48:14 <dhellmann> Daviey : I don't want to speak for anyone else. I support that position. I think there's a strong likelihood that others will too.
17:48:19 <sigmavirus> (And I don't want to be PTL either)
17:48:29 <Daviey> dhellmann: super, thanks
17:48:50 <tmcpeak> I think fungi mentioned being interested?
17:48:51 <michaelxin> dhellmann: Thanks.
17:48:56 <hyakuhei> Just another week of waiting to hear my fate ;)
17:49:01 <Daviey> hyakuhei: 12 mins left.. might be a good idea to smash through the agenda?
17:49:10 <Daviey> err tmcpeak
17:49:28 <michaelxin> Do we need support from other TC members?
17:49:30 <tmcpeak> ok, anything else we need on this?
17:49:34 <dg____> dhellmann are you likely to be able to help in future (assuming we don't get thrown out) while we figure out how to be better engaged with the community?
17:49:37 <michaelxin> OSIC offered to help if needed.
17:49:37 <greenhorn> ugh meeting - gtg. fun meeting everyone
17:49:46 <hyakuhei> thanks greenhorn
17:49:47 <tmcpeak> thanks greenhorn
17:49:51 <tmcpeak> #topic dg for sec core
17:49:58 <dhellmann> dg____ : I can offer some advice, but we might also be able to find another TC member who can be more active with you.
17:49:58 <tmcpeak> we actually DID use the ML for this, didn't we
17:50:08 <dg____> dhellmann excellent, thanks
17:50:10 <dhellmann> thanks for including me folks. I appreciate the constructive discussion on what I know is a frustrating situation.
17:50:15 <fungi> tmcpeak: no, i was merely bemoaning the fact that i'm not able to find time to get involved enough in other things the security team works on to feel comfortable being ptl (not to mention, i'm already ptl of one of the most active teams in the community, so lack much free time)
17:50:17 <hyakuhei> This was sent out on the ML (hah!) and we had a response from fungi with a +1
17:50:18 <tmcpeak> thanks dhellmann, appreciate your help sorting it out
17:50:28 <tmcpeak> fungi: gotcha
17:50:33 <hyakuhei> thanks dhellmann you've been a good help here
17:50:37 <hyakuhei> s/good/big
17:50:40 <hyakuhei> ... long day.
17:50:42 <lhinds> thx dhellmann
17:50:43 <ccneill> dhellmann: thanks for coming. this discussion was definitely needed
17:50:44 <Daviey> thanks dhellmann
17:50:47 <michaelxin> dhellmann: Thanks.
17:51:30 <tmcpeak> alright, so dg
17:51:34 <tmcpeak> where did we get
17:51:40 <tmcpeak> I think we're all happy, any push back from the ML post?
17:51:46 <tmcpeak> I saw fungi agreed
17:51:58 <hyakuhei> Yeah, we're good to go. There's a space there.
17:52:05 <tmcpeak> also hyakuhei did you speak with nkinder?
17:52:44 <tmcpeak> I'd love his continued input but know he's swamped
17:53:23 <hyakuhei> Yes sorry
17:53:28 <hyakuhei> heh
17:53:34 <hyakuhei> Nkinder is stepping down from coresec
17:53:43 <hyakuhei> Doug gets his shoes.
17:53:48 <hyakuhei> If everyone agrees
17:53:57 <tmcpeak> ok, so with dg we have 4 active members able to assess security impact for embargoed issues?
17:54:18 <michaelxin> who are the 4 ?
17:54:27 <tmcpeak> hyakuhei, dg, lhinds, and me
17:54:38 <michaelxin> nice
17:54:38 <fungi> them's some big shoes. nkinder is awesome
17:54:40 <michaelxin> Thanks.
17:54:44 <tmcpeak> fungi: +1
17:55:00 <tmcpeak> great, seems like we're good there
17:55:03 <tmcpeak> #topic Syntribos
17:55:07 <hyakuhei> fungi +1
17:55:08 <tmcpeak> ccneill, unrahul: you're up
17:55:14 <elmiko> fungi: agreed, nkinder++
17:55:14 <ccneill> so we're testing Nova right now
17:55:23 <ccneill> wrapped up testing Glance earlier this week
17:55:39 <ccneill> found one potential issue in Glance that's still embargoed
17:55:48 <dg____> awesome, thanks guys. sad nkinder had to step down though :(
17:55:49 <ccneill> next week we test Cinder/Swift
17:55:53 <tmcpeak> ccneill: sick!
17:55:58 <ccneill> so that's the news on the testing front
17:56:05 <tmcpeak> ccneill: you guys should write an ML post about this
17:56:12 <Daviey> ccneill: How many compute hours does a scan take?
17:56:21 <ccneill> tmcpeak: agreed, we'll come up with a summary
17:56:29 <tmcpeak> great
17:56:30 <ccneill> Daviey: depends on the project under test, and the number of endpoints
17:56:41 <Daviey> ccneill: with the ones you have done so far?
17:56:44 <ccneill> Daviey: in the ballpark of an hour to 3 at this point :X
17:56:55 <fungi> yeah, we've (vmt) seen a few good reports come in from the syntribos team already, so glad it's picking up steam. thanks!
17:56:56 <Daviey> wow, that is much quicker than i anticipated
17:56:58 <ccneill> so, in terms of "lessons learned" from this round of testing
17:57:15 <ccneill> fungi: :) thanks, we'll keep trying to find fun stuff
17:57:25 <ccneill> - we need to work on performance where we can get it
17:57:56 <ccneill> we currently use unittest, and I'm convinced that we can streamline things with a queue and workers to significantly improve performance there
17:57:56 <tmcpeak> awesome, anything else for syntribos?
17:58:01 <tmcpeak> 2 mins
17:58:12 <tmcpeak> we're not going to get through the agenda today
17:58:15 <ccneill> last thing: we will hopefully have a new version up on pip soon :)
17:58:26 <fungi> ccneill: any parallelism (like we get with testr in other openstack projects)?
17:58:27 <unrahul> :) +1 ccneill
17:58:45 <ccneill> fungi: we're planning to explore it once we finish this first round of testing
17:58:54 <ccneill> but no parallelism built in at the moment
17:59:03 <fungi> cool, that's definitely one place i'd consider looking for performance improvements
17:59:41 <dg____> before we wrap up, please can I beg reviews of this: https://review.openstack.org/#/c/357978/5
17:59:41 <tmcpeak> alright guys, we've got to wrap
17:59:43 <fungi> though you need your tests quantized into non-interdependent units for parallelism to really be viable
18:00:00 <hyakuhei> dg____ already has my +2
18:00:02 <dg____> tmcpeak lhinds redrobot ^^
18:00:03 <ccneill> fungi: yep, none of our tests are interdependent thankfully
18:00:14 <lhinds> dg____: +2
18:00:16 <tmcpeak> dg____: sire
18:00:20 <tmcpeak> #endmeeting