#openstack-meeting-alt log

17:02:06 <lhinds> #startmeeting security
17:02:07 <openstack> Meeting started Thu Nov  3 17:02:06 2016 UTC and is due to finish in 60 minutes.  The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:02:08 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:02:10 <openstack> The meeting name has been set to 'security'
17:02:20 <lhinds> o/
17:02:30 <vds> o/
17:02:44 <hyakuhei> o/ ish - sorry on a call :'(
17:02:47 <capnoday> o/
17:02:57 <lhinds> #chair hyakuhei
17:02:59 <openstack> Current chairs: hyakuhei lhinds
17:03:07 <browne> o/
17:03:09 <Michaelxin__> Hi
17:03:13 <lhinds> #topic agenda
17:03:15 <elmiko> hi
17:03:26 <lhinds> todays agenda: https://etherpad.openstack.org/p/security-agenda
17:03:33 <lhinds> #link https://etherpad.openstack.org/p/security-agenda
17:03:49 <lhinds> please made additions / amendments if needed
17:03:55 <Michaelxin__> elmiko how are you?
17:04:21 <elmiko> Michaelxin__: not bad! just getting ready for kubecon and apachecon =)
17:04:24 <elmiko> how you doing?
17:04:28 <lhinds> #topic Privacy Badger + Security blog
17:04:46 <Michaelxin__> Doing ok
17:04:53 <Michaelxin__> Thanks
17:04:59 <lhinds> I can't recall where we are with Privacy Badger, anyone that can update there?
17:05:09 <elmiko> what's the issue here?
17:05:22 <elmiko> is the blog showing some unfriendliness in PB?
17:05:34 <lhinds> IIRC its an addon which does not like the blog?
17:05:51 <vds> Hi, I'm Vincenzo Di Somma, this is my first meeting, I'm a security architect, I'm between jobs and looking for ways to help you guys.
17:05:53 <elmiko> yeah, i use it all the time, didn't notice the security blog had warning
17:06:01 <lhinds> Security Blog..any posts pending?
17:06:03 <elmiko> it looks for tracking tokens and the like
17:06:41 <lhinds> #action hyakuhei to give lhinds mergies (or help him spot where the function is)
17:06:54 <lhinds> elmiko: something like that
17:07:03 <lhinds> I was half in the meeting when it was discussed
17:07:11 <lhinds> hi vds !
17:07:13 <elmiko> vds: welcome!
17:07:16 <lhinds> nice to have you!
17:07:20 <Michaelxin__> Welcome
17:07:21 <mcdong> Welcome!
17:07:43 <vds> thank you!
17:07:55 <lhinds> anymore on the blog...?
17:08:08 <lhinds> going, going, gone..
17:08:14 <lhinds> #topic OpenCIT
17:08:31 <elmiko> oh wait
17:08:31 <lhinds> I think we might need tmcpeak for this.
17:08:35 <lhinds> elmiko: sure...
17:08:47 <capnoday> openCIT?
17:08:50 <elmiko> just to add on to the blog thing, looks like the blog site has hidden links to google-analytics and something about google drive
17:08:54 <elmiko> that's what PB is reporting
17:09:08 <capnoday> ahh iirc thats because we are hosting some of the images on google drive
17:09:17 <elmiko> makes sense
17:09:24 <elmiko> just wanted to add that, sorry for the overlfow
17:09:31 <lhinds> so we need to move them into the gitpages repo?
17:09:35 <capnoday> yup
17:09:52 <elmiko> and remove the analytics stuff, i would imagine, although that kinda doesn't help with metrics lol
17:09:59 <capnoday> yeh thats annoying
17:10:00 <lhinds> #action lhinds to move images over to gitpages repo
17:10:06 <capnoday> thanks lhinds
17:10:18 <capnoday> i'd have thought every website in the world would trigger the analytics filter
17:10:36 <lhinds> not sure about if we should touch analytics, lets park that for next week maybe
17:10:43 <elmiko> capnoday: they mostly do lol
17:10:51 <elmiko> lhinds: +1
17:11:04 <lhinds> k OpenCIT
17:11:08 <lhinds> #link https://etherpad.openstack.org/p/security-cit
17:11:18 <lhinds> OpenCIT is intels next evo of trusted boot
17:11:20 <capnoday> lhinds +1
17:11:24 <capnoday> ahh yeah
17:11:35 <lhinds> they have re-wrote the openattestation stuff
17:11:37 <elmiko> looks neat
17:12:02 <lhinds> and can do new funky things like extend the trust from the kvm/qemu for the VM boot cycle
17:12:20 <lhinds> they shared with us about the new nova scheduler filter for trusted compute pools.
17:12:37 <lhinds> I think they want some community momentum so were seeking others to get involved
17:12:47 <lhinds> thus presenting to the OSSP at the summit
17:13:15 <lhinds> we gave some feedback, but not sure what the next steps were.
17:13:27 <lhinds> I guess we can check with tmcpeak when he is back
17:13:44 <lhinds> #topic Syntribos
17:14:25 <Michaelxin__> All team members went to a local security conference
17:14:35 <Michaelxin__> Lascon
17:14:46 <Michaelxin__> So, no update this week
17:14:52 <lhinds> k, thx Michaelxin__
17:15:02 <lhinds> #topic OSSN
17:15:26 <lhinds> So we have three embargoed notes being worked on by hyakuhei and tmcpeak
17:15:41 <lhinds> and a new public if anyone has an interest in getting into note authorship?
17:16:25 <lhinds> if not I will assign it to myself
17:16:38 <lhinds> #link https://bugs.launchpad.net/ossn/+bug/1562175
17:16:38 <openstack> Launchpad bug 1562175 in OpenStack Security Advisory "Pre-auth COPY in versioned_writes can result in a successful COPY that wouldn't have been authorized" [Undecided,Incomplete]
17:16:59 <lhinds> if anyone wants to read it first, and have a think about it, you can ping me later on and we can discuss whats needed
17:17:31 <lhinds> notes are a good way of getting involved into the security group, and there is some hand holding on the first few, so don't be concerned about taking on something major
17:17:43 <vds> can I take it?
17:17:50 <lhinds> vds: sure!
17:17:53 <lhinds> thanks!
17:18:01 <lhinds> do you have a launchpad account?
17:18:11 <vds> yup
17:18:23 <vds> vds
17:18:34 <lhinds> k, under 'OpenStack Security Notes' - changed 'UNassigned' to yourself
17:18:53 <lhinds> and I can help you get going from there, what TZ are you in?
17:19:15 <lhinds> s/changed/change
17:19:16 <capnoday> Isnt there a wiki page on how to get started writing notes?
17:19:37 <lhinds> capnoday: good Q..
17:19:41 <lhinds> <checking>
17:19:52 <sicarie> #link: https://wiki.openstack.org/wiki/Security/Security_Note_Process
17:20:08 <lhinds> yep, there we go vds ^
17:20:09 <vds> lhinds: UTC+2
17:20:35 <vds> great, thanks
17:20:44 <lhinds> vds: ok, so I am on UTC right now, so you can ping me if you need any help.
17:21:04 <capnoday> thanks sicarie
17:21:10 <vds> lhinds: will do, thx!
17:21:17 <sicarie> vds: I'm also secguide core and do quite a bit with documentation (of which this is a more relaxed version) so feel free to reach out to me as well, though lhinds will probably be more helpful
17:21:38 <vds> sicarie: thx
17:21:44 <lhinds> sicarie +1, he helped me a lot to get started
17:21:54 <lhinds> #topic Security Review
17:22:09 <lhinds> I doubt there is anything new here with the summit just passed?
17:22:37 <capnoday> did anything come out of the summit?
17:22:41 <capnoday> there were sessions on this?
17:23:16 <lhinds> So I copied and pasted the last etherpad entry...does this pertain to Threat Analysis or something else?
17:24:37 <lhinds> regarding the summit, we spoke about threat analysis, I showed the new Notes API I started prototyping, and there was a demo of the Bandit Jenkins plugin.
17:24:37 <capnoday> pasted it where?
17:24:49 <lhinds> https://etherpad.openstack.org/p/security-agenda
17:24:55 <capnoday> nothing on the threat analysis at the summit?
17:25:20 <hyakuhei> There was some good feedback. Unfortunately I'm on the phone right now
17:25:25 <lhinds> capnoday: yes, hyakuhei did a session with projects invited..like an ambassdor / out reach
17:25:46 <hyakuhei> Not much on the https://etherpad.openstack.org/p/BCN-security-ta
17:26:05 <capnoday> ok lets shelve this until next week
17:26:05 <lhinds> thanks hyakuhei
17:26:42 <lhinds> #topic security guide
17:27:00 <sicarie> nothing from me
17:27:04 <sicarie> been trying to recover
17:27:07 <lhinds> updates were merged for newton: https://review.openstack.org/#/c/382600/2/releasenotes/source/newton.rst
17:27:23 <lhinds> and the queue is empty: https://review.openstack.org/#/q/status:open+project:openstack/security-doc,n,z
17:27:43 <lhinds> hope your feeling better sicarie
17:27:53 <sicarie> just need sleep: new baby
17:27:54 <sicarie> :D
17:28:02 <sicarie> but I should be able to ramp up again soon
17:28:05 <lhinds> oh, I know those :)
17:28:33 <lhinds> #topic OpenStack Barcelona Washup
17:28:47 <lhinds> so this is for a post summit discussion.
17:29:15 <lhinds> I highlighted the key points above. I was thinking, those of us that went could maybe joint author a blog post?
17:29:24 <lhinds> hyakuhei sound like a good idea?
17:29:56 <lhinds> that will be a way of capturing for others, and having on record
17:30:25 <sicarie> i nominate gmurphy
17:30:33 <elmiko> lol
17:30:53 <sicarie> sorry, just had to give him a hard time :)
17:31:13 <lhinds> another topic of interest was the nova security summit: https://etherpad.openstack.org/p/ocata-nova-summit-security
17:31:17 <lhinds> #link https://etherpad.openstack.org/p/ocata-nova-summit-security
17:31:20 <elmiko> understandable, he's so loveable =)
17:31:41 <lhinds> Lot's on image signing, with feedback from myself and hyakuhei (well more hyakuhei then me)
17:32:09 <lhinds> k, that's all from me..
17:32:12 <lhinds> #topic AOB
17:32:42 <lhinds> I just noticed Bandit was not on the list, so if some Bandit cores are here, I could hash that as a topic?
17:32:46 <lhinds> same for anchor
17:33:05 <capnoday> anchor is currently a nop
17:33:13 <capnoday> so that can stay off the agenda for the moment
17:33:19 <lhinds> capnoday: thx
17:33:32 <capnoday> travis and tkelsey arent here, so lets leave bandit unless anyone wants to discuss it
17:34:02 <lhinds> k, thanks all!
17:34:06 <lhinds> #endmeeting