16:59:49 #startmeeting security
16:59:50 Meeting started Thu Dec 8 16:59:49 2016 UTC and is due to finish in 60 minutes. The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:59:51 Hey.
16:59:52 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:59:54 o/
16:59:55 The meeting name has been set to 'security'
16:59:56 o/
16:59:57 Doug was supposed to be starting things
17:00:04 #chair hyakuhei
17:00:05 Current chairs: hyakuhei tmcpeak
17:00:09 I'll chair him when he comes
17:00:10 o/
17:00:19 #link https://etherpad.openstack.org/p/security-agenda
17:00:26 o/
17:00:29 o/
17:00:34 hey, I'm here for the first time
17:00:39 o/
17:00:41 welcome ashcrack
17:00:58 Hi all, here for the first time also
17:01:01 hi, also here for the first time
17:01:09 wow
17:01:11 welcome everyone!
17:01:17 welcome iphutch, rarora
17:01:17 cool, lots of first timers :D welcome
17:01:24 while we're filing in you guys want to do quick intros?
17:01:31 #chair capnoday
17:01:31 Current chairs: capnoday hyakuhei tmcpeak
17:01:36 capnoday: take it away
17:01:38 o/
17:01:43 we've got new members that are introducing themselves
17:01:52 I'm mostly gone for the first half of this, on a call
17:01:53 I'm on a call right now but I should be with you soonish :)
17:02:00 ok cool
17:02:16 thanks for starting the meeting tmcpeak
17:02:23 de nada
17:02:37 who have we got new with us today?
17:02:47 I'm Ianeta from docs team and I'd like to start contributing to security team via docs. Looking for a place to start, could be editing existing docs or working alongside devs on their docs.
17:03:06 hey iphutch
17:03:28 thanks for joining us, we desperately need someone to help out with security docs
17:03:33 tmcpeak: sure, I'm working with some people and we are possibly looking to get bandit to be part of the cinder gate...
it was kind of last minute so didn't have time to edit the agenda before attending and was hoping to possibly talk a little bit about experiences with bandit once the main topics are covered
17:03:49 oh cool, we can definitely add that to the agenda
17:03:50 rarora great we will cover bandit
17:04:00 tmcpeak will you be able to join us for bandit talks later on?
17:04:19 I can help with bandit stuff as well :)
17:04:39 awesome, thanks all!
17:04:46 capnoday: yep
17:05:08 ty
17:05:39 so, what's first on the agenda then?
17:05:48 agenda is here, add stuff if you have topics #link https://etherpad.openstack.org/p/security-agenda
17:05:54 first up is syntribos
17:06:10 #topic Syntribos
17:06:34 anyone here able to talk syntribos? ccneil?
17:06:58 I can talk about it
17:07:05 o/
17:07:18 ok mdong
17:07:33 So this week we're working with the Swift team to do a round of testing on it
17:08:30 it's a good opportunity for us to test out our tool after the latest release to see if anything's changed since the last time we did it
17:08:42 excellent
17:08:47 how is that progressing?
17:10:03 hey sicarie
17:10:07 we just started yesterday, but we have xin9972 in charge of doing code reviews and static analysis, and unrahul is doing a set of manual tests that the Swift team had us look into
17:10:08 * sicarie waves
17:11:05 other than that, we're rewriting the way our templates are built to make them less cluttered
17:11:12 sounds like useful work, how do you plan to publish the results from this?
17:11:56 we'll file anything we find as a launchpad bug, much the same as we did last time
17:12:04 sweet
17:12:15 it would be interesting to have some kind of overall summary of the results from cinder
17:12:20 i mean swift
17:12:53 once it's done, maybe write a summary for this meeting, or consider a talk at the next summit?
17:13:18 what is the thing being discussed with the swift team?
17:13:27 sure thing, that would be valuable
17:14:23 great, anything else on syntribos?
17:14:36 notmyname: testing swift with Syntribos
17:14:44 I know unrahul got in touch with the swift team to get a list of things they felt could be vulnerable to help in our testing
17:14:48 that's all I have for syntribos
17:14:50 (since no one else is answering you for unknown reasons)
17:15:07 sigmavirus: thanks. /me goes to google Syntribos
17:16:19 mdong got a link on syntribos for notmyname?
17:16:20 mdong: who did you talk to on the swift team?
17:16:24 I found it :-)
17:16:35 notmyname: github.com/openstack/syntribos
17:17:21 notmyname: that's a question for unrahul, I'm afraid I don't know
17:18:42 ok let's leave syntribos there
17:18:44 notmyname: I could send you a few names in the swift team we got in touch
17:18:47 #topic OSSN
17:19:00 can we come back to OSSN in 10 minutes please?
17:19:06 I'll be off my call then
17:19:13 ok
17:19:32 #topic Security Guide
17:20:10 sicarie what's the current status of the security guide? we have a new volunteer who is keen to help
17:20:12 vinaypotluri: thanks. I'm trying to catch up on this. I hadn't heard (or don't remember) anything with syntribos and swift before
17:20:18 So after moving laptops I found I was unable to actually post changes to the guide
17:20:33 I have a few very rough drafts of some changes, but it's been static
17:20:45 ok action tmcpeak - fix sicarie's laptop
17:20:47 There are definitely good bugs out there, and as always we could do with a Neutron/Nova review
17:20:49 +1
17:20:50 +1
17:21:02 iphutch wanted to do documentation things IIRC
17:21:13 iphutch has joined us today and wanted some advice on where to start with our docs
17:21:20 awesome
17:22:04 i'll /msg him
17:22:07 them
17:22:20 yep, I'm sure I can assist here
17:22:37 ok great
17:22:45 where's the best place to get started on these?
17:23:04 docs is always just get a single bug - make sure the process is documented and up-to-date
17:23:19 once that's there, it's wherever the contributor feels most comfortable
17:23:23 I'm sure there are a few things we can do
17:24:37 sicarie: You can send me some ARs and we can get going
17:24:50 sounds good! and welcome :D
17:25:16 :) thanks!
17:27:03 lhinds hyakuhei where are we at with the blog?
17:27:09 #topic Blog
17:27:18 lhinds isn't around today. He has publish rights now though
17:27:34 I _still_ haven't written anything bloggy. Completely failed on that action.
17:27:57 that's fine, the day job is a thing
17:28:12 #Action hyakuhei write a blog post
17:28:22 spoiler alert - fixing sicarie's laptop is going to slip too
17:28:26 lol
17:28:28 lol
17:28:34 dang!
17:28:47 here I was looking forward to my first Lotus Notes experience
17:29:01 it's actually better than you would expect
17:29:08 anyway
17:29:22 are you able to talk about OSSN yet hyakuhei?
17:30:51 ok
17:31:02 #topic Security Review
17:31:25 anyone got any updates on this? It's a no-op from me this week unfortunately, am hoping to get some more stuff pushed up for review this week
17:31:53 no updates on security review
17:31:55 The only update really is that we're continuing to work on some internal enhancements
17:32:01 That we should be able to push upstream soon.
17:32:13 great news
17:32:27 are those the internal enhancements you told me to write?
17:32:35 For the most part sure
17:32:57 excellent, two birds with one stone
17:33:01 :D
17:33:08 ok to talk OSSN?
17:33:09 So I can give a quick OSSN update if you like
17:33:20 #topic OSSN
17:33:38 We have four in the pipe.
17:33:49 Most of you will only see one because the other three are embargoed
17:33:56 #link https://bugs.launchpad.net/ossn
17:34:07 One regarding Nova will be published later today
17:34:46 Apart from that not much to add TBH
17:35:08 ok great
17:35:33 #topic Bandit
17:35:51 tmcpeak tkelsey
17:35:56 yo
17:36:04 tkelsey: pushed a new version, know we've got that
17:36:11 gmurphy: has been filing up a storm of bugs too
17:36:11 so pushed out a new version last week
17:36:15 heh yeah
17:36:23 so what's new?
17:36:36 oooh bugs are good
17:36:37 pipe files into bandit is the main thing
17:37:02 so we can chain bandit with other tools?
17:37:11 #link https://github.com/openstack/bandit/releases/tag/1.3.0
17:37:14 patch notes ^
17:37:42 I think browne needed it for the sublime plugin he is working on
17:37:48 thanks tkelsey
17:37:49 yep
17:37:53 #link https://github.com/ericwb/SublimeLinter-contrib-bandit
17:38:07 +1
17:38:08 still awaiting approval from sublime guys
17:38:44 That's very cool
17:39:39 rarora wanted to talk about bandit with cinder
17:39:40 thx
17:39:46 yeah, want to do that now?
17:39:49 hey, yeah!
17:40:03 tmcpeak do you have info on how to integrate bandit (a link or something) for rarora
17:40:13 integrate?
17:40:20 so we were talking about possibly adding bandit to the cinder gate as non-voting at the cinder IRC meeting yesterday
17:40:21 I think I do, one sec
17:40:25 as in use it in the gate
17:40:31 we would appreciate that link!
17:40:45 #link https://wiki.openstack.org/wiki/Security/Projects/Bandit#Gate_Testing_with_Bandit
17:40:53 tkelsey: yes, use it in the gate as non-voting so it doesn't stop any commits but gives people a heads up of possible issues
17:40:57 tmcpeak: thanks!
17:41:11 the main concern that they raised was false positives
17:41:20 two approaches
17:41:28 1) exclude noisy tests from your run
17:41:36 most of them hadn't used bandit in a while but they said that the results were overwhelmingly false positives
17:41:43 2) nosec legitimate tests that are OK in a particular instance
17:41:55 yeah, by default you're running Bandit with a bunch of informational tests
17:42:01 tmcpeak: right, that is what we were thinking too
17:42:02 things like "subprocess is being used"
17:42:08 try bandit -ll -ii
17:42:13 that should give you a better starting point
17:42:31 thanks, we hadn't tried that out before
17:42:44 that is "filter medium+ severity, medium+ confidence"
17:42:50 it will get rid of all the informational stuff
17:42:56 -ll and -ii configure a base level for severity and confidence, stuff that falls lower than that is ignored
17:43:16 so yeah, what tmcpeak said :)
17:43:20 :D
17:43:31 okay, yeah, I think that should help a lot because they seemed excited about the idea in general but didn't want too much extra noise
17:43:47 fair enough, you may have to further tune but that's a good starting point
17:44:09 we were also going to talk to some people from keystone since they use it in their gate to get an idea of things they have found helpful
17:44:16 that's pretty much all I had, thanks everyone!
17:44:40 yeah, bandit can be configured down to just a few tests easily as well, using the config file ... yeah the keystone folks have most experience using it outside of the bandit team
17:45:33 brb, might drop for a second.
17:45:37 thanks rarora, please let us know how you get on
17:45:42 hyakuhei we are almost done i think
17:45:44 will do!
17:46:07 #topic AOB
17:46:16 #link http://docs.openstack.org/developer/bandit/
17:46:33 rarora: docs for bandit, in case you didn't find them already
17:46:41 moving to AOB, we have 'working like openstack' and 'MD5 everywhere' but i don't think we can talk to those today
17:46:53 tkelsey: thanks!
17:47:08 Can people who are merely "community members" (as opposed to "foundation members") still be members of the OSSG?
17:47:24 notmyname: our contacts on the Swift team are ntata, pdardeau, Mohit and Sashi - they're all OSIC members I believe?
17:47:31 singlethink we welcome everybody
17:48:03 singlethink if you feel you can contribute to openstack security in any way, you're welcome here
17:48:12 ok... I got a notice that I was being knocked down to "community member" for not participating enough... and I don't know how soon that will change
17:48:27 singlethink: I got that too
17:48:33 lolz
17:49:09 #action tmcpeak participate more
17:49:15 LOL
17:49:21 I've been reinstated..
17:49:23 by magics
17:49:36 singlethink feel free to push patches, open bugs, etc etc
17:49:40 when was that?
17:49:44 last week
17:50:04 capnoday: I feel free to... I just tend to be highly oversubscribed
17:50:13 I'm suspicious of my email filters.
17:50:21 lol
17:50:29 are you voting in elections hyakuhei?
17:50:33 singlethink I feel your pain!
17:50:59 I realize that can probably be said of everyone in this meeting. (Unfortunately OpenStack is not part of my day job anymore.)
17:51:32 singlethink: you aren't the only one
17:51:39 far from it.
17:51:40 I get far less allocation to it than I used to
17:51:51 i think this is something that's only going to get worse going forwards too
17:52:06 capnoday: ++
17:52:19 anyway, any other AOB?
17:52:25 not from me
17:52:27 nopes
17:52:31 nope
17:52:36 excepting to say thanks to capnoday for chairing.
17:52:42 np
17:52:51 let's wrap that up then, thanks everybody for attending
17:52:54 thanks capnoday!
17:52:57 thanks capnoday
17:53:25 #endmeeting
17:53:36 #endmeeting