17:02:07 <tmcpeak> #startmeeting security
17:02:11 <openstack> Meeting started Thu Dec  1 17:02:07 2016 UTC and is due to finish in 60 minutes.  The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:02:12 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:02:15 <openstack> The meeting name has been set to 'security'
17:02:18 <redrobot> o/
17:02:20 <tmcpeak> #chair hyakuhei
17:02:21 <openstack> Current chairs: hyakuhei tmcpeak
17:02:27 <hyakuhei> o/
17:02:29 <tkelsey> o/
17:02:42 <singlethink> o/
17:02:49 <hyakuhei> Hey tkelsey this is the right time, right ? :P
17:03:08 <tmcpeak> yep
17:03:09 <tkelsey> i guess lol, some folks seem to be here :)
17:03:10 <tmcpeak> 1700
17:03:11 <tmcpeak> #link https://etherpad.openstack.org/p/security-agenda
17:03:13 <hyakuhei> Hi tmcpeak singlethink
17:03:16 <hyakuhei> Thanks tmcpeak
17:03:19 <tmcpeak> hallo
17:03:21 <browne> hi
17:03:24 <singlethink> hi
17:03:32 <capnoday> sup guys
17:03:54 <hyakuhei> Sup dawg!
17:05:09 <hyakuhei> Question - did anyone see my mail about PTL elections on the ML?
17:05:13 <hyakuhei> I don't think it sent
17:05:17 <tmcpeak> nope
17:05:20 <ccneill> o/
17:05:44 <hyakuhei> pants
17:05:47 <browne> no
17:05:51 <tkelsey> hyakuhei: notes FTW
17:05:54 <hyakuhei> Hey ccneill - sorry I missed you earlier in the week
17:05:58 <hyakuhei> tkelsey lol
17:06:01 <tmcpeak> notes :'(
17:06:21 <hyakuhei> Oi, I'll have no Notes bashing here. You should all be so lucky.
17:03:24 <tmcpeak> alright, what we doing today?
17:06:31 <tmcpeak> #topic Syntribos
17:06:33 <tmcpeak> ccneill:
17:06:36 <hyakuhei> sigmavirus are you joining us today?
17:06:53 <ccneill> I don't know much wrt syntribos
17:06:58 <knangia> hey tmcpeak  unrahul here
17:07:03 <ccneill> unrahul, knangia ?
17:07:07 <hyakuhei> ^^ :)
17:07:27 <knangia> so after our design session on redesign of templates
17:07:41 <knangia> we are now working on the agreed upon design
17:08:02 <knangia> ccneill: was also involved in the design, the last design session he was part of :)
17:08:21 <knangia> We had a few bugs in syntribos as well, that we have fixed and a few we are looking into
17:08:32 <knangia> that's it from us for this week
17:08:39 <tmcpeak> sweet
17:08:39 <ccneill> link to the notes from our templates discussion: https://etherpad.openstack.org/p/syntribos-templates
17:08:42 <tmcpeak> seems like good progress
17:09:15 <ccneill> I think it's gonna ultimately make syntribos muuuch easier to spin up for new projects
17:09:19 <lhinds> oh dam
17:09:20 <ccneill> way less boilerplate
17:09:21 <lhinds> o/
17:09:26 <knangia> +2
17:09:28 <hyakuhei> ccneill +1
17:09:31 <hyakuhei> Looks good
17:09:34 <tmcpeak> that would be good, that's the biggest barrier to entry IMO
17:09:38 <tmcpeak> lhinds: just in time
17:09:42 <tmcpeak> #topic OSSN
17:09:43 <xin9972> +1
17:09:49 <lhinds> tmcpeak: phew <wipes brow>
17:10:15 <tmcpeak> by the seat of your pants, what a risk taker
17:10:23 <lhinds> OSSN: So we still have the same embargoed notes, so need to do my weekly poke of hyakuhei and tmcpeak
17:10:38 <hyakuhei> lhinds I just poked the Bug tracker re mine
17:10:44 <capnoday> lhinds please add me to the review and I'll take a look
17:10:48 <hyakuhei> It's waiting for a core from the affected project to review IIRC
17:11:10 <lhinds> hyakuhei: ack, will monitor that and make sure they come in.
17:11:16 <tmcpeak> lol, weekly poke
17:11:19 <hyakuhei> Thanks
17:11:23 <hyakuhei> tmcpeak steady now...
17:11:38 <tmcpeak> :D
17:11:51 <lhinds> that's really it for now, as per last week I hope to do some work on the API over Christmas
17:11:54 <tmcpeak> cool
17:11:59 <tmcpeak> oh yeah, saw your change on the doc
17:12:00 <tmcpeak> good stuff
17:12:10 <tmcpeak> #topic Blog
17:12:20 <tmcpeak> hyakuhei: you do any writeup on LF badge?
17:12:29 <hyakuhei> tmcpeak I did not because I suck
17:12:29 <tmcpeak> and/or do you still want to?
17:12:36 <tmcpeak> lol, fair enough
17:12:37 <hyakuhei> Could potentially bash something out tomorrow AM though.
17:12:49 <hyakuhei> Then you can refine it in the PM?
17:12:55 <hyakuhei> Failing that I'll probably write it on the plane.
17:13:03 <tmcpeak> sure
17:13:05 <tmcpeak> I can do that
17:13:16 <lhinds> there is also my OSSN post which we can put out now
17:13:38 <lhinds> that will fill a gap until the LF badge stuff gets put up
17:13:43 <hyakuhei> ok cool, I'll get you guys the +2w anyway
17:13:53 <lhinds> hyakuhei thx
17:14:06 <tmcpeak> aight
17:14:14 <hyakuhei> #action hyakuhei to give tmcpeak and lhinds merge privs on the Blog repo
17:14:28 <tmcpeak> capnoday just dropped and I doubt we have anything else on security review
17:14:30 <tmcpeak> is that a fair statement?
17:14:50 <hyakuhei> Almost
17:14:50 <tmcpeak> gr8
17:14:53 <lhinds> tmcpeak: there was a guy on the mailing list
17:14:58 <tmcpeak> oh yeah?
17:15:01 <tmcpeak> with security tag?
17:15:01 <lhinds> he wants to help with threat reviews
17:15:07 <lhinds> intern i think.
17:15:13 <tmcpeak> awesome
17:15:14 <lhinds> I asked him to come on here and help out
17:15:16 <hyakuhei> So upstream we haven't done a bunch but we've been working on the internal process, that we mirror that upstream largely so it's good
17:15:19 <hyakuhei> lhinds excellent
17:15:29 <singlethink> hyakuhei: re LF badge, is this notifying other projects about the program?
17:15:40 <lhinds> he emailed yesterday, so you should see it on the openstack-security mailing list
17:15:48 <lhinds> I think it's a guy called Bjorn
17:16:06 <tmcpeak> is it with a [security] tag? hope my ML juju isn't failing again
17:16:22 <lhinds> Björn Stübe
17:16:30 <hyakuhei> lhinds you're "lukehinds" on Github right?
17:16:37 <hyakuhei> tmcpeak +1 didn't land in my inbox
17:16:41 <lhinds> hyakuhei: yup
17:16:43 <tmcpeak> :'(
17:16:49 <lhinds> subject: [Openstack-security] Security Audit
17:16:55 <tmcpeak> ahh
17:17:08 <tmcpeak> then at least mailman isn't broken
17:17:09 <hyakuhei> That's the list that we really should have made R/O 2 releases ago
17:17:11 <lhinds> let me know if you don't have it tmcpeak , I can forward
17:17:16 <tmcpeak> I don't, please do
17:17:30 <hyakuhei> I vaguely remember that fungi had some ideas around how to do that ..... <slopes shoulders>
17:17:43 <lhinds> tmcpeak: in the post
17:18:04 <fungi> ahh, yep
17:18:05 <hyakuhei> lhinds you have an invite for write privs. tmcpeak you already had them :)
17:18:14 <tmcpeak> tha powa!!!
17:18:28 <lhinds> thanks hyakuhei
17:18:29 <fungi> we just did a similar configuration for the release-announce ml, so shouldn't be hard to repeat
17:18:30 <hyakuhei> fungi what's required for us to cut that over to R/O for everyone apart from a few specific system generated email addresses?
17:18:33 <lhinds> got it and accepted
17:18:46 <tmcpeak> I'm not even subscribed to that old one anymore
17:18:47 <hyakuhei> Cool, what do I need to do fungi ?
17:19:05 <fungi> set the list to moderate and reject posts by default, and then add a whitelist entry for the addresses you want to be able to continue to post to it that bypass moderation
17:19:34 <fungi> probably shouldn't waste meeting time walking you through it--have time immediately after?
17:20:42 <hyakuhei> +1 on later, though predictably I don't have a bunch of time right now, can we sync by email?
17:21:17 <tmcpeak> cool
17:21:27 <tmcpeak> you guys all good to skip security guide?
17:21:38 <tmcpeak> with the exception of lhinds thoughtful addition I don't think there's much going on
17:21:39 <lhinds> tmcpeak: quick one
17:21:47 <lhinds> reviews please: https://review.openstack.org/#/c/404139/
17:21:48 <tmcpeak> #topic Security Guide
17:21:58 <hyakuhei> sicarie was supposed to be able to  continue on with that but I don't know if that's still the case.
17:21:58 <lhinds> #link https://review.openstack.org/#/c/404139/
17:21:58 <tmcpeak> I <3 this already
17:22:19 <tmcpeak> yeah, dunno
17:22:22 <lhinds> it's a round up of new horizon goodies adopted from django
17:22:24 <tmcpeak> hyakuhei: can you mergies that ^
17:22:54 <hyakuhei> doneth
17:22:58 <lhinds> thx
17:23:14 <tmcpeak> sweet
17:23:37 <tmcpeak> #topic MD5
17:23:53 <tmcpeak> ok  so there was some discussion of this on ML, but… I don't think we got anywhere definitive
17:24:20 <tmcpeak> as we thought migration seems to be insurmountable
17:24:30 <lhinds> tmcpeak: yep, I need to revisit this. I plan to do an audit at least.
17:24:51 <lhinds> so I wanted to ask what medium I should use? Etherpad or patch?
17:24:51 <hyakuhei> The main point is that it's extremely hard to change for existing deployments.
17:24:59 <tmcpeak> yeah
17:25:12 <hyakuhei> I think the best that could ever be achieved would be to have a flag that allows you to toggle at install time
17:25:15 <lhinds> I found a python patch which I am going to look at possible getting landed
17:25:29 <tmcpeak> lhinds: you file that bug too?
17:25:39 <lhinds> you can pass `usedforsecurity = False` in hashlib.md5()
17:25:59 <lhinds> tmcpeak: I read that a bit more, and was going to chat with you again.
17:26:05 <tmcpeak> ok cool
17:26:06 <lhinds> just mad busy
17:26:24 <tmcpeak> yeah sames
17:26:26 <tmcpeak> let's catch up next week
17:26:46 <tmcpeak> ok
17:26:49 <lhinds> will do. I will start dumping down a plan in etherpad, and we can mull it over next week
17:26:53 <tmcpeak> #topic Working like OpenStack
17:26:56 <tmcpeak> hyakuhei: is this you?
17:27:11 * hyakuhei nods
17:27:19 <hyakuhei> We're on a short release cycle this time around
17:27:35 <hyakuhei> and it would be good to ensure that all our code projects are behaving like OpenStack code projects.
17:27:48 <ccneill> i.e. formal release process with the cycles?
17:27:55 <hyakuhei> Yeah
17:28:02 <hyakuhei> but tbh I don't really know what the requirements are
17:28:11 <tmcpeak> does that mean we can't push new versions of Bandit in between?
17:28:21 <ccneill> hmm.. I won't speak for the syntribos team since I'm only a minor component at this point, but I don't think it's ready for strict versioning yet
17:28:30 <ccneill> it's not on 1.0 yet, which is when that would be more appropriate imio
17:28:32 <ccneill> imo*
17:29:10 <tmcpeak> I don't know what we gain from release cycles in Bandit either
17:29:31 <tkelsey> tmcpeak: +1
17:29:32 <hyakuhei> I think there's a noop / stable thing that can be done
17:30:14 <ccneill> I don't think it would be *bad* to release a version at cycle completion
17:30:46 <hyakuhei> Yeah, there's the milestone stuff too, though I'm not sure how that changes as we migrate away from LP
17:31:05 <ccneill> oh crap, I didn't know we were migrating away from LP lol
17:31:14 <tmcpeak> we are? lol
17:31:20 * tkelsey feels out of the loop
17:31:22 * ccneill too
17:31:32 <ccneill> spoiler alert! :P
17:31:44 <hyakuhei> lol
17:31:46 <tkelsey> lol
17:32:06 <hyakuhei> #link https://lists.launchpad.net/openstack/msg25443.html
17:33:00 <ccneill> oh hmm
17:33:06 <ccneill> I'm definitely not subscribed to the launchpad mailing list o_O
17:33:14 <tmcpeak> yeah me neither
17:33:24 <ccneill> or at least, I don't think I have ever affirmatively chosen to be - maybe I am..
17:33:57 <ccneill> rofl +1 the link to this gif in that first email https://i.imgur.com/MQUmmqo.gif
17:33:59 <tmcpeak> hey all, I've got to roll out
17:34:01 <tkelsey> heh seeds of confusion sown
17:34:03 <tmcpeak> hyakuhei: can you finish this up?
17:34:30 <tmcpeak> lhinds: ?
17:34:49 <browne> tmcpeak: any way we can get a new bandit release push up?
17:34:55 <browne> pushed
17:34:55 <tmcpeak> #chair lhinds
17:34:56 <openstack> Current chairs: hyakuhei lhinds tmcpeak
17:35:07 <hyakuhei> hehe that's completely the wrong one.
17:35:09 <tmcpeak> browne: sure, we just did one a couple weeks ago
17:35:11 <tmcpeak> we ready for a new one?
17:35:13 <tkelsey> browne: I can help with that
17:35:19 <tmcpeak> tkelsey: is the pusher man
17:35:23 <tkelsey> lol
17:35:25 <browne> yep, i'd like one with the stdin stuff
17:35:30 <browne> thanks tkelsey
17:35:49 <tkelsey> sure no probs
17:35:58 <browne> also anchor woefully needs review attention.  currently openstack bot is blocked
17:35:58 <hyakuhei> Thread title is "Migration from Launchpad" but I can't find it in the archives
17:36:39 <tkelsey> browne: I can also help with that, though I think I have reviewed most stuff in the pipe already
17:37:13 <tkelsey> need a second for +W etc
17:37:45 <browne> https://review.openstack.org/#/c/393019/
17:38:26 <tkelsey> browne: ah right OK
17:38:29 * tkelsey looks
17:38:40 <hyakuhei> bonk
17:38:59 <browne> thx
17:39:46 <hyakuhei> I looked previously but it was when my MFA broke and once I fixed that it had dropped off my radar.
17:41:45 <tkelsey> browne: +2/+w'd
17:41:50 <browne> thx
17:42:13 <tmcpeak> #topic AOB
17:42:29 <tmcpeak> anything else?
17:43:00 <ccneill> <random> if y'all haven't seen this, pretty cool: http://seiferteric.com/?p=356 </random>
17:43:03 <browne> btw, i'm working on a sublime bandit linter
17:43:05 <browne> https://github.com/ericwb/SublimeLinter-contrib-bandit
17:43:05 <ccneill> IP over QR codes
17:43:12 <tkelsey> browne: oh nice
17:43:18 <tmcpeak> browne: awesome!
17:43:32 <ccneill> whoa nice!
17:43:34 <browne> yeah, think it'll be useful
17:43:41 <hyakuhei> browne that's epic :)
17:43:51 <ccneill> browne: when is the vim version coming? O:-)
17:44:08 <browne> ccneill: ha! i'd love to see that
17:44:14 <ccneill> maybe I'll have to look into it..
17:44:20 <tkelsey> :D
17:44:26 <ccneill> I can definitely see a lot of value there
17:45:27 <lhinds> emacs4life
17:45:33 <ccneill> boooooo :P
17:45:49 <tmcpeak> alright I'm wrapping this before we have a holy war
17:45:54 <ccneill> haha
17:45:58 <ccneill> +1
17:46:03 <tmcpeak> #endmeeting