17:01:16 <tmcpeak> #startmeeting security
17:01:16 <openstack> Meeting started Thu Oct 6 17:01:16 2016 UTC and is due to finish in 60 minutes. The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:17 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:17 <tmcpeak> o/
17:01:20 <openstack> The meeting name has been set to 'security'
17:01:26 <tkelsey> o/
17:01:32 <tmcpeak> #link https://etherpad.openstack.org/p/security-agenda
17:01:32 <ccneill> o/
17:02:12 <knangia> o/
17:02:20 <capnoday> o/
17:02:30 <michaelxin> o/
17:02:30 <mdong> o/
17:02:31 <dave-mccowan> o/
17:02:38 <vinaypotluri> o/
17:03:00 <tmcpeak> #topic Bandit Bugs
17:03:14 <unrahul> o/
17:03:15 <tmcpeak> tkelsey: we've had a few bugs that I think we need to address in Bandit
17:03:19 <tmcpeak> will you have some cycles?
17:03:23 <tmcpeak> I'll devote some too
17:03:34 <sicarie> o/
17:03:37 <tkelsey> tmcpeak: yeah
17:03:38 <tmcpeak> dave-mccowan: has offered to fix this yaml bug, but I'd like to do a bug squash and roll a new version
17:03:42 <tkelsey> will take a look
17:03:43 <tmcpeak> you good to help?
17:03:48 <tmcpeak> sweet
17:03:52 <tkelsey> yup yup
17:03:54 <tkelsey> :)
17:04:02 <tmcpeak> great
17:04:04 <tmcpeak> that was easy
17:04:15 <tmcpeak> #action tkelsey, tmcpeak to squash Bandit bugs & roll new version
17:04:19 <tmcpeak> #topic PTG
17:04:21 <tmcpeak> whose is this?
17:04:32 <dave-mccowan> i added it.
17:04:38 <tmcpeak> ahh cool, thank you
17:04:45 <tmcpeak> so this is what would have been our midcycle
17:05:02 <dave-mccowan> it's an item from the os-dev mail list. the foundation is asking projects to RSVP if they want a room at the PTG
17:05:03 <dave-mccowan> http://www.openstack.org/ptg
17:05:25 <capnoday> that is a _long_ way out
17:05:30 <tmcpeak> yeah it is
17:05:40 <tmcpeak> I might have quit security and be running a bar by then :P
17:05:40 <sicarie> So this is the "new" mid-cycle?
17:05:43 <capnoday> I have literally no idea if we will have a travel budget at that point in time
17:05:46 <tmcpeak> sicarie: yeah, think so
17:05:50 <capnoday> tmcpeak I'll drink to that
17:06:03 <tmcpeak> well suffice it to say that we'll have at least some security people that can make it, so we need to reserve a space
17:06:29 <tmcpeak> "The event is not the occasion to sell goods or to propose jobs to the attendees -- hiring managers and product vendors will therefore also probably feel out of place." boooo
17:06:32 <tmcpeak> ;)
17:06:35 <michaelxin> nice
17:06:38 <capnoday> plan. let's ask for a room and if it turns out no-one can make it, say we're sorry?
17:06:38 <sicarie> I should be able to make it to that one, but obviously pending approval, etc...
17:06:50 <tmcpeak> capnoday: yeah, think so
17:06:53 <dave-mccowan> for February, this would be instead of a mid-cycle, except it will actually be timed at the beginning of the Pike cycle. Ocata will be a short cycle.
17:07:26 <michaelxin> capnoday: +1
17:07:36 <tmcpeak> dave-mccowan: do you know how we can request a space?
17:07:52 <dave-mccowan> Monday and Tuesday are for horizontal teams (QA, docs, performance), and Wednesday-Friday are for vertical projects (nova, cinder, ...)
17:07:59 <dave-mccowan> security could qualify for either or both.
17:08:05 <capnoday> both
17:08:05 <tmcpeak> hmm
17:08:12 <sicarie> +1 to both
17:08:17 <capnoday> if I'm flying 10 hours for it, I'm staying around all week
17:08:20 <tmcpeak> yeah, really is both
17:08:25 <tmcpeak> capnoday: not 10 hours
17:08:29 <tmcpeak> Atlanta, only like 5 hours
17:08:30 <sicarie> docs, OSSN, and TA could get dedicated time
17:08:48 <dave-mccowan> tmcpeak there's a form to fill out. i'll send you and rob the link/email offline. it went out to PTLs.
17:08:59 <tmcpeak> dave-mccowan: gotcha, thanks for bringing this to our attention
17:09:20 <capnoday> tmcpeak 9hrs for me :(
17:09:39 <tmcpeak> yikes
17:09:44 <capnoday> thanks dave-mccowan
17:09:49 <tmcpeak> +1 thanks!
17:10:03 <tmcpeak> #topic Syntribos
17:10:08 <tmcpeak> ccneill:
17:10:10 <tmcpeak> unrahul:
17:10:18 <ccneill> so we finished up our testing last week
17:10:26 <michaelxin> I gave them a break for this week
17:10:31 <ccneill> haven't had a chance to sift through launchpad/email to see if any bugs have been resolved
17:10:44 <mdong> ccneill wrote a great retrospective
17:10:46 <mdong> #link https://etherpad.openstack.org/p/syntribos-retrospective
17:10:55 <unrahul> mdong: ccneill +1 indeed.
17:11:00 <tmcpeak> you know where this needs to go...
17:11:01 <sicarie> blog post?
17:11:05 <ccneill> thanks mdong :D
17:11:07 <tmcpeak> boom!
17:11:13 <tmcpeak> sicarie: correct
17:11:13 <ccneill> sicarie: yep, we're planning on it
17:11:18 <michaelxin> ccneill: +1
17:11:21 <ccneill> as michaelxin said, we were off for a couple days this week relaxing
17:11:30 <tmcpeak> terrible, the bad guys, they don't relax
17:11:37 <michaelxin> haha
17:11:39 <tmcpeak> :P
17:11:40 <ccneill> but we will definitely get it in blog post form soon
17:11:53 <tmcpeak> this is an awesome retrospective though
17:11:58 <sicarie> +1
17:11:59 <michaelxin> Thanks.
17:12:13 <knangia> +1
17:12:20 <michaelxin> Great job! ccneill, mdong, unrahul, knangia, vinaypotluri
17:12:55 <ccneill> so yeah, check out the retrospective, let us know if you have any ideas for future development
17:13:00 <tmcpeak> cool, sounds good
17:13:01 <knangia> thank you michaelxin
17:13:10 <ccneill> we're planning on using launchpad more in the future so that our plans are more visible to the community
17:13:10 <vinaypotluri> thank you michaelxin
17:13:41 <ccneill> that's all I've got, unless someone else has more?
17:13:55 <tmcpeak> awesome, thanks guys
17:13:59 <tmcpeak> #topic OSSN
17:14:05 <tmcpeak> no lhinds today
17:14:16 <tmcpeak> so punting...
17:14:21 <tmcpeak> #topic Blog
17:14:48 <tmcpeak> looks like nothing new
17:15:05 <tmcpeak> although looking forward to lhinds' post and one from Syntribos in the future
17:15:12 <tmcpeak> also encourage everybody to go out and write one, they're fun :)
17:15:32 <tmcpeak> #topic Barcelona Sessions
17:15:50 <tmcpeak> if you have anything to present please add it here
17:15:59 <tmcpeak> also if you know you're going to Barcelona please add your name
17:16:03 <tmcpeak> #link https://etherpad.openstack.org/p/barcelona-security-sessions
17:16:09 <sicarie> gmurphy is working on his - it's going to be awesome
17:16:19 <tmcpeak> working on what?
17:16:35 <Daviey> Is the OSSP having any input into sec' brown bag sessions?
17:16:38 <sicarie> whoops, got my nomenclature mixed up - presentation vs session
17:16:41 <sicarie> +1 Daviey
17:16:49 <capnoday> why's that Daviey?
17:16:58 <tmcpeak> lol
17:17:04 <tmcpeak> Daviey: good question
17:17:09 <tmcpeak> I don't know anything about brown bag sessions
17:17:11 <Daviey> capnoday: There were some security sessions at the last one... and the group had some feedback on it
17:17:12 <tmcpeak> does anybody?
17:17:28 <capnoday> seems like an action for Rob
17:17:43 <capnoday> I'm aware there may be another one of those security sessions that we may have more feedback on
17:17:49 <tmcpeak> what is the deal with the brown bag sessions?
17:18:08 <tmcpeak> I mean, where are they even held? are they in a bar?
17:18:10 <tmcpeak> some back alley somewhere?
17:18:19 <tmcpeak> seems like something the foundation would have to be involved in, doesn't it
17:18:20 <capnoday> they film them, on youtube
17:18:23 <sicarie> They're in smaller rooms
17:18:24 <Daviey> just a room.. at lunchtimes
17:18:34 <tmcpeak> fungi: you around?
17:18:35 <Daviey> sponsored by some corp
17:18:40 <sicarie> They have one or two rooms, and then do semi-"lightning talks" through the day
17:18:50 <fungi> yep, here
17:18:54 <Daviey> "lunch and learn"
17:19:01 <tmcpeak> do you know anything about brown bag sessions and how those topics are selected?
17:19:11 <tmcpeak> I'm just randomly picking on you because you work for the foundation
17:19:25 <tmcpeak> I guess if we don't get answers this could be a ML topic
17:19:44 <tmcpeak> but I don't want to blast it to everybody and I don't know who to address it to :)
17:19:54 <fungi> i think vbrownbag is an independent organization and the foundation sort of just gives them some space to "do their thing"
17:20:27 <Daviey> fungi: There were some quality concerns from Austin
17:20:33 <fungi> i know there have been issues in the past with conference organizers having limited input into what vbrownbag does and how
17:20:42 <Daviey> fungi: Such that the OSSP felt they had to respond to them
17:20:57 <tmcpeak> #link http://vbrownbag.com/2016/09/vbrownbag-techtalks-at-openstack-barcelona/
17:21:11 <fungi> perfectly valid, and i can pass that along to the organizers to help them decide whether to continue their relationship with vbrownbag
17:21:27 <tmcpeak> fungi: awesome, thank you
17:21:28 <fungi> what/where was the ossp response?
17:22:01 <capnoday> fungi on the blog, i'll find the link
17:22:13 <capnoday> #link http://openstack-security.github.io/vulnerabilities/2016/05/05/clearing-the-air.html
17:22:54 <fungi> thanks capnoday!
17:23:03 <fungi> i will make absolutely sure they see it
17:23:11 <tmcpeak> fungi: thank you!
17:23:16 <capnoday> you should probably watch the presentation first: https://www.youtube.com/watch?v=twOC6OqXBAU&list=PL2rC-8e38bUVvUc0oZ0RDXnzbxz5wFcJ5&index=57
17:23:17 <fungi> giving them a heads up on it now so that it's fresh in their minds
17:23:34 <Daviey> fungi: One of the talks talked about known vulnerabilities not being addressed... simply select a CVE and metasploit it with a few clicks
17:23:49 <capnoday> Daviey that's how you do it, right?
17:24:02 <fungi> heh
17:24:05 <Daviey> :)
17:24:12 <fungi> script kiddies with jobs
17:24:20 <tmcpeak> indeed
17:24:24 <Daviey> fungi: That is us. x
17:24:38 <capnoday> to be fair to that talk, it did motivate me to re-write the security.openstack.org
17:25:00 * fungi was referring to people who think that just because a nids says something is vulnerable they believe it
17:25:15 <tmcpeak> fungi: yeah, that about sums up the talk
17:25:22 <fungi> er, s/nids/scanner/
17:25:28 <capnoday> yeh
17:26:07 <capnoday> this talk wasn't even talking about vulns in current openstack, some of them were ancient, but you can form your own opinions
17:26:12 <capnoday> tmcpeak moving on?
17:26:16 <sicarie> or in 3rd party apps
17:26:28 <tmcpeak> heh, alright, not fully opening that can of worms again
17:26:50 <tmcpeak> #topic Sec Guide
17:26:55 <tmcpeak> sicarie:
17:27:22 <sicarie> So we have published release notes for recent changes
17:27:34 <sicarie> #link https://review.openstack.org/#/c/382600/
17:27:57 <sicarie> I tagged a few of you as FYI
17:28:41 <sicarie> There was discussion with docs resources about a bit of a roadmap for this next release, so working on TA materials and doing the neutron/nova chapter reviews
17:29:02 <tmcpeak> what kind of roadmap?
17:29:07 <sicarie> I'm not going to have much time to work on it this month, but I will be picking it up in Nov
17:29:17 <tmcpeak> yayy, sicarie has returned to us
17:29:17 <sicarie> TA materials and neutron/nova reviews
17:29:43 <sicarie> I've been opening bugs on some of the lighter chapters, and they have been getting fixed, so that's a plus as well
17:29:54 <sicarie> and that's about it for the sec-guide for now
17:30:07 <tmcpeak> awesome, thanks sicarie
17:30:10 <tmcpeak> #topic AOB
17:30:11 <capnoday> sicarie TA stuff is WIP. we had a meeting with Kolla today that reminded me quite how much work I need to do on it :(
17:30:21 <tmcpeak> oh right
17:30:30 <tmcpeak> capnoday: want to give an update on the work with Kolla?
17:30:40 <capnoday> yeah sure
17:30:45 <sicarie> capnoday: yep - per our convo yesterday I put it in as a note, but made no promises :)
17:30:58 <capnoday> tmcpeak and I met with the Kolla team a couple of hours back in a google hangout.
17:31:32 <capnoday> We went over the TA work, explained a bit about the latest evolution of the TA process, talked about the requirements for artifacts
17:32:30 <capnoday> Kolla team are committed to completing this and were very understanding of our work-in-progress process and documentation
17:32:34 <Daviey> capnoday: dammit, i'd have joined that
17:32:38 <Daviey> (i'm kolla core now)
17:32:43 <capnoday> no way!
17:32:58 <tmcpeak> Daviey: sick! get with inc and work on it
17:32:59 <capnoday> we are going to have a hangout fairly soon
17:33:05 <capnoday> 2 weeks or so
17:33:13 <Daviey> capnoday: ok, keep me updated pls
17:33:14 <capnoday> then have a face to face in spain to wrap it up
17:33:33 <capnoday> daviey & tmcpeak you will have to lead the face to face, I'm unlikely to be there, particularly if it's late in the week
17:33:47 <tmcpeak> capnoday: boo
17:33:48 <Daviey> cheers bro.
17:34:12 <tmcpeak> cool
17:34:15 <tmcpeak> anything else?
17:34:23 <tmcpeak> otherwise I'll wrap us early
17:34:31 <capnoday> sgtm
17:34:36 <tmcpeak> #endmeeting