16:59:45 <hyakuhei> #startmeeting Security
16:59:46 <openstack> Meeting started Thu Jan  5 16:59:45 2017 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:59:47 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:59:50 <openstack> The meeting name has been set to 'security'
17:00:03 <browne> o/
17:00:22 <tmcpeak> o/
17:00:59 <unrahul> o/
17:02:09 <tmcpeak> ...
17:02:24 <singlethink> o/
17:03:09 <hyakuhei> Quiet start to the year :)
17:03:44 <hyakuhei> #link https://etherpad.openstack.org/p/security-agenda
17:04:24 <tkelsey> o/
17:04:26 <hyakuhei> Our last meeting was quite some time back: #link http://eavesdrop.openstack.org/meetings/security/2016/security.2016-12-15-17.01.html
17:04:28 <tkelsey> sorry I'm late
17:04:35 <capnoday> o/
17:04:41 <sigmavirus> o/
17:04:42 <hyakuhei> welcome tkelsey capnoday
17:04:51 <sigmavirus> tkelsey: how dare you be late before I'm late?! :P
17:04:52 <tkelsey> hi hyakuhei
17:05:01 <tkelsey> lol :)
17:05:40 <hyakuhei> ok, let's roll on then :)
17:05:47 <hyakuhei> oh hi sigmavirus :P
17:05:58 <hyakuhei> #topic Syntribos
17:06:00 <sigmavirus> damnit. Thought I'd snuck in
17:06:11 <unrahul> Hi All, another year ahead :)
17:06:21 <hyakuhei> Excellent
17:06:23 <xin9972> :P
17:06:26 <unrahul> we are still working on modifying the templates
17:06:44 <unrahul> on adding ability to add meta variables to req templates
17:06:50 <unrahul> this is the patch for it: https://review.openstack.org/#/c/411415/
17:07:06 <unrahul> In the meantime a few of us are testing swift..
17:07:40 <unrahul> with things like if we can find any leakage of info , or privilege escalation or something like that
17:07:46 <capnoday> good work unrahul
17:07:51 <tkelsey> +1
17:08:04 <unrahul> we got a few 500 errors, still keeping the hopes high..
17:08:15 <unrahul> if we get something interesting will let you guys know..
17:08:19 <unrahul> thanks capnoday  tkelsey :)
17:08:27 <unrahul> that's it from us for this week..
17:09:35 <hyakuhei> Cool, thanks unrahul
17:10:04 <hyakuhei> Hmmm, I don't see our OSSN ninja here today.
17:10:10 <hyakuhei> #topic OSSN
17:10:15 <hyakuhei> lhinds you around ?
17:10:37 <hyakuhei> It looks like there's only two OSSN in the queue and they are both under embargo
17:10:55 <hyakuhei> So capnoday tmcpeak hyakuhei lhinds and whoever else is a core-sec, get on it :)
17:11:03 * capnoday looks
17:11:08 <hyakuhei> lhinds published a couple of OSSN over the holidays so I think we're all caught up
17:11:20 <tmcpeak> ahh, embargoed notes <3
17:11:21 <hyakuhei> For those who are interested, the list is here #link https://bugs.launchpad.net/ossn
17:12:02 <sigmavirus> hyakuhei: "#link" has to be on its own line I think?
17:12:10 <hyakuhei> grumble.
17:12:14 <hyakuhei> #link https://bugs.launchpad.net/ossn
17:12:15 <hyakuhei> heh
17:12:28 <hyakuhei> ok, I probably didn't need to use the #link anyway.
17:12:32 <hyakuhei> That'll teach me for being fancy.
17:13:04 <hyakuhei> The next item is the blog
17:13:07 <hyakuhei> #topic Blog
17:13:23 <hyakuhei> Let's level-set. Does everyone know we have a blog that cross-posts with planet openstack?
17:13:41 <tmcpeak> actually I didn't know it cross-posted
17:13:43 <hyakuhei> well. We do
17:13:44 <hyakuhei> Excellent.
17:13:51 <hyakuhei> yup
17:14:17 <capnoday> sweet
17:14:30 <hyakuhei> The actual blog is here
17:14:33 <hyakuhei> #link https://openstack-security.github.io/
17:14:45 <hyakuhei> Writing posts is easy, just markdown
17:14:47 <hyakuhei> Very easy
17:14:53 <hyakuhei> and I've not written my post for 2-3 months
17:15:14 <capnoday> are we waiting on any blog posts?
17:15:22 <hyakuhei> I'd like to take a second to gather some suggestions for articles
17:16:00 <tmcpeak> well not directly related but what's the plans for PTG?
17:16:06 <tmcpeak> I assume we want to do some cross-team work?
17:16:11 <tmcpeak> if we're going?
17:16:29 <capnoday> I'm waiting on funding confirmation
17:16:37 <hyakuhei> Security are going, but I don't know how many people from the group are going.
17:16:43 <hyakuhei> Let's add PTG to the agenda
17:17:24 <browne> i'll be at the PTG
17:17:51 <capnoday> great
17:17:53 <tmcpeak> is the idea with PTG that you spend (bulk) of time with whatever team you're closest to?
17:18:06 <hyakuhei> Yes but that you also collaborate with others
17:18:09 <hyakuhei> #topic PTG
17:18:13 <hyakuhei> ^ As travis can't wait
17:18:20 <tmcpeak> well it was leading to a blog post idea
17:18:27 <tmcpeak> albeit very slowly
17:18:29 <hyakuhei> #link https://www.openstack.org/ptg/
17:18:46 <hyakuhei> You'll notice that we are a Monday/Tuesday group
17:19:07 <hyakuhei> We are specifically in the first section so that we have more time to spend with the more security critical projects over the final three days.
17:19:27 <tmcpeak> right
17:19:28 <hyakuhei> The registration is still open: https://pikeptg.eventbrite.com/
17:20:09 <tmcpeak> the blog post I was thinking (although could just as easily be an OS-dev post) was about asking if any teams have noticed security concerns they want security advice for
17:20:45 <tmcpeak> probably more effective as dev-ML
17:20:50 <hyakuhei> Probably
17:20:56 <hyakuhei> Though you could do both I guess and reference it
17:21:05 <hyakuhei> Certainly we'd want a couple of post PTG writeups
17:21:13 <hyakuhei> It's going to be very interesting to see how the PTG goes
17:21:16 <tmcpeak> hyakuhei: do we have any numbers about viewers of our blog?
17:21:36 <hyakuhei> Nope
17:21:40 <tmcpeak> sorry, now I'm back on blog
17:21:43 <hyakuhei> lol
17:21:44 <tmcpeak> lol
17:22:00 <tmcpeak> I'm operating under the assumption that I won't be at PTG
17:22:12 <tmcpeak> I haven't had as much OpenStack time dedicated lately :(
17:22:30 <hyakuhei> Indeed
17:22:36 <tmcpeak> who here knows they're going to the security session at PTG?
17:22:48 <hyakuhei> I'll be there :)
17:23:10 <tmcpeak> what about rackers?
17:23:12 <unrahul> None from the OSIC team would be there.. , we were hoping to attend the next mid cycle meet (assuming it would be there)
17:23:31 <tmcpeak> unrahul: midcycle == PTG?
17:23:33 <hyakuhei> unrahul we'll see how the PTG goes. Their intent is to replace the mid-cycles.
17:23:42 <unrahul> :o
17:23:44 <hyakuhei> tmcpeak They're not quite the same
17:23:50 <hyakuhei> We might end up having a mid-cycle around the time of the summit
17:23:53 <tmcpeak> but midcycles are dead, are they not?
17:23:58 <hyakuhei> As the summit will now be more marchitecture-y
17:24:02 <hyakuhei> tmcpeak no-one knows
17:24:07 <tmcpeak> emm
17:24:10 <hyakuhei> It really depends if/how the PTG works
17:24:16 <browne> yeah, PTG is a replacement for midcycle
17:24:20 <hyakuhei> midcycles aren't an official openstack function
17:24:26 <capnoday> there is also the question of whether any technical folks will bother to go to the summit
17:24:33 <hyakuhei> so they can't be replaced or ended by the OS head honchos
17:24:46 <hyakuhei> However, the intention is that the PTG will remove the _need_ for a midcycle for most projects
17:24:52 <tmcpeak> well here's the thing
17:24:56 <hyakuhei> So as I said, it depends how the PTG goes
17:25:00 <unrahul> we haven't planned/budgeted for PTG so this time around we can't come..
17:25:04 <tmcpeak> for our midcycles we usually pick a place that's conveniently located for a bulk of our members
17:25:11 <tmcpeak> so we get more participants by default
17:25:17 <tmcpeak> usually SA, Austin, or Seattle
17:25:22 <unrahul> who all will be in PTG .. hyakuhei  and .. ?
17:25:28 <tmcpeak> but Atlanta… everybody has to travel
17:25:33 <hyakuhei> I agree
17:25:35 <tmcpeak> conveniently located for.. nobody
17:25:39 <unrahul> :)
17:25:44 <hyakuhei> and have said as much to various TC peoples
17:26:07 <tmcpeak> it's not going to be much of a PTG session if only Rob goes
17:26:13 <tmcpeak> even though Rob is awesome and all
17:26:43 <hyakuhei> However, this is the direction they're going in and for the moment, I'm going to see if we can embrace it and get value from it. A few of us (like me) will have to go anyway. However if the PTG doesn't allow us to do what we need to (and I think the mid-cycles have generally been great events) then we can still have midcycles
17:26:58 <hyakuhei> but for now, we need to be good citizens and give this a fair try
17:27:03 <capnoday> I think that's reasonable
17:27:11 <capnoday> the opportunity to work with other teams is very valuable
17:27:16 <capnoday> I never have time for that at summits
17:27:22 <hyakuhei> For my part, my attendance is mostly going to be about the final three days, sitting in on the discussions with other teams and being the voice of security
17:27:35 <tmcpeak> seems reasonable
17:27:43 <hyakuhei> That's not an easy thing to pitch to a travel-budget holder though, I get that.
17:27:46 <unrahul> hmm.. that makes sense..
17:28:10 <capnoday> lol
17:28:16 <hyakuhei> I suspect after the PTG I'll talk to dave-mccowan and
17:28:26 <hyakuhei> as we often co-host midcycles, I'll get his take
17:28:34 <hyakuhei> If we are both PTLs then
17:28:39 <hyakuhei> Which brings me onto the next topic
17:28:49 <hyakuhei> #topic Elections
17:28:53 <hyakuhei> THE ELECTIONS ARE COMING
17:29:02 <capnoday> I nominate tmcpeak
17:29:10 <capnoday> wait, do I have to do that by email?
17:29:19 <sigmavirus> capnoday: via gerrit actually
17:29:22 <hyakuhei> January 30-Feb 03
17:29:25 <hyakuhei> ELECTIONS
17:29:25 <sigmavirus> and only once the nominations open
17:29:29 <hyakuhei> Right, you've all been told
17:29:43 <capnoday> sigmavirus got a link/howto?
17:29:43 <hyakuhei> sigmavirus I suspect capnoday was being facetious
17:29:45 <sigmavirus> hyakuhei: I recommend daily reminders until someone pukes ;)
17:29:48 <capnoday> I actually wasn't :D
17:29:56 <hyakuhei> sigmavirus heh
17:30:00 <sigmavirus> capnoday: it should be on docs.openstack.org
17:30:04 <sigmavirus> I don't have a link though
17:30:21 <sigmavirus> Could be https://governance.openstack.org/election/
17:30:38 <sigmavirus> (First result on google at least)
17:30:53 <hyakuhei> lol
17:30:59 <sigmavirus> #link https://governance.openstack.org/election/#how-to-submit-your-candidacy
17:31:01 <hyakuhei> Someone should teach capnoday how to google
17:31:03 <sigmavirus> ^If you want to run
17:31:08 <hyakuhei> Thanks sigmavirus
17:31:14 <unrahul> so the PTL nomination is: Jan 18, 2017 23:59 UTC to Jan 29, 2017 23:45 UTC
17:31:17 <unrahul> as per the link..
17:31:29 <unrahul> and elections from Jan 30
17:31:38 <capnoday> thanks sigmavirus hyakuhei
17:31:40 <sigmavirus> #info PTL Nominations are open from 18 Jan 2017 23:59 UTC until 29 Jan 2017 23:45 UTC
17:32:09 <hyakuhei> Ah see, I got the wrong dates.
17:32:13 <hyakuhei> This stuff is hard :P
17:32:15 <sigmavirus> I should probably land a commit in a security project so I can vote
17:32:16 <sigmavirus> but yolo
17:32:17 <hyakuhei> Timetable here
17:32:19 <hyakuhei> #link https://releases.openstack.org/ocata/schedule.html#pike-ptls-self-nomination
17:32:58 <tmcpeak> hyakuhei you running again?
17:33:18 <sigmavirus> hyakuhei: you should state your intention on the ML too, for greatest reach
17:33:26 <sigmavirus> We already had the Keystone PTL state they're not running again
17:34:07 <hyakuhei> I'm in talks with my management about it :)
17:34:25 <tmcpeak> :D
17:34:30 <sigmavirus> When you know, let us know ;)
17:34:33 <hyakuhei> I would like it if we had people who want to try, or to take things in a different direction also stand
17:34:33 <tmcpeak> is anybody else intending to run?
17:35:39 <sigmavirus> The collective eagerness is deafening
17:35:44 <hyakuhei> lol
17:35:46 <unrahul> lol
17:35:51 <hyakuhei> They're all sneaky, paranoid security types
17:36:04 <sigmavirus> Playing the cards close to their vests, etc., etc.?
17:36:09 <tmcpeak> if hyakuhei doesn't get management blessing what happens if we end up with no PTL?
17:36:26 <hyakuhei> Management makes tmcpeak do it.
17:36:28 <sigmavirus> tmcpeak: I could run, but again, I'd need to land code
17:36:28 <hyakuhei> :D
17:36:30 <capnoday> :D
17:36:33 <tmcpeak> haha
17:36:54 <tmcpeak> sigmavirus: surely you've landed something in Bandit?
17:37:05 <sigmavirus> tmcpeak: I don't think so
17:37:31 <tmcpeak> sigmavirus: run our docs through a grammar checker, there's surely some gold in there
17:37:46 <hyakuhei> lol
17:37:51 <sicarie> thanks tmcpeak - nice to know my efforts are valued ;)
17:38:04 <sigmavirus> I guess I co-authored a thing: http://stackalytics.com/?module=bandit&metric=commits&user_id=sigmavirus24
17:38:05 <tmcpeak> I meant Bandit docs actually, but yeah, even better!
17:38:08 <sicarie> hahaha
17:38:12 <unrahul> hehe..
17:38:13 <sigmavirus> Dunno if it's been merged though
17:39:08 <sigmavirus> I just don't have a reason to run for PTL, other than for us to have a PTL
17:39:21 <tmcpeak> fair enough
17:39:27 <michaelxin> That's a good reason
17:39:29 <tmcpeak> actually, let's play a little game
17:39:43 <sigmavirus> michaelxin: not to my management
17:39:48 <tmcpeak> realistically, on average, how many hours a week do you all have for OS-security?
17:40:04 <hyakuhei> Well that's relative.
17:40:17 <michaelxin> I am supposed to have 4 hours each week.
17:40:21 <sigmavirus> tmcpeak: assuming that these are hours are provided by management? 0
17:40:21 <hyakuhei> ouch
17:41:09 <michaelxin> The OSIC security team is full time
17:41:12 <tmcpeak> mine is probably 2
17:41:19 <sicarie> around 2-4, but that's assuming nothing's on fire
17:41:46 <tmcpeak> michaelxin: supposed to… but in actuality?
17:41:47 <capnoday> probably 2-4, although I haven't had clear steer from my management
17:42:11 <michaelxin> tmcpeak: 1-2 hours.
17:42:19 <michaelxin> in reality
17:42:37 <singlethink> ~.75
17:43:17 <tmcpeak> so what I'm hearing is there are a few people with at most half a day per week to spend on OpenStack security except for OSIC
17:43:26 <hyakuhei> Not overly dissimilar myself. Though there's the occasional week where I lose days to it.
17:44:00 <sigmavirus> tmcpeak: worth noting that OSIC will disappear potentially given that they're going to focus on Nova, Glance, Cinder, Keystone, and 3 other projects in the future
17:44:14 <sigmavirus> heat, horizon, and ironic iirc
17:44:30 <tmcpeak> the reason I'm asking about all this is I want us to take this into account when we consider maintaining our existing projects and starting new ones
17:44:33 <sigmavirus> dunno when that ramp down is happening though
17:44:50 <michaelxin> good info
17:44:52 <tmcpeak> for example, it does not sound like we have the time to do security review across OpenStack right now
17:45:15 <tmcpeak> but we could, for example, keep notes going
17:45:15 <hyakuhei> Maybe.
17:45:16 <sigmavirus> tmcpeak: agreed
17:45:22 <hyakuhei> Review is interesting
17:45:34 <unrahul> OSIC with no security .. :o
17:45:37 <hyakuhei> I can put more people on reviews because they need review experience and to develop review processes
17:45:44 <unrahul> scary info
17:45:58 <tmcpeak> hyakuhei: yes, but there are internal properties that need reviewing too :)
17:47:06 <capnoday> tmcpeak sure, but there is a lot of crossover, at least with materials, process, etc
17:47:18 <tmcpeak> sorry, not trying to be debbie downer, just want us to think about what footprint we want to maintain
17:47:40 <sigmavirus> tmcpeak: being realistic isn't being a downer
17:47:47 <michaelxin> +1
17:47:49 <sigmavirus> it's being practical
17:48:04 <tmcpeak> personally I will probably spend majority of "openstack" dedication to keeping Bandit maintained
17:48:21 <sigmavirus> yeah, my current openstack dedication is working on craton
17:48:31 <tkelsey> Penelope Practical ?
17:48:38 <tmcpeak> lol
17:48:44 <tkelsey> :P
17:48:51 <tmcpeak> debbie's more fun sister
17:48:56 <hyakuhei> lol
17:49:12 <sigmavirus> moving alon
17:49:14 <sigmavirus> *along
17:49:16 <michaelxin> haha
17:49:18 <sigmavirus> with 10 min left
17:49:24 <tmcpeak> well one last thing
17:49:58 <tmcpeak> given that we have on average 3 hours a week, do we want to use one of them meeting, or should we cut meeting time in half, move to twice monthly and keep the allocated time to work on OSSP stuff?
17:50:20 <hyakuhei> It's rare that we finish a meeting in 30 minutes
17:50:25 <hyakuhei> Though they could be more structured
17:50:27 <sigmavirus> hyakuhei: I contend that we could
17:50:29 <hyakuhei> I'm open to trying shorter meetings
17:50:32 <tmcpeak> I have a fond place in my heart for the meetings but given that we have less in flight we probably don't need as much meeting
17:50:54 <tmcpeak> if we kept the hour block on the calendar we could steal 30 minutes to work on actual stuff for OSSP
17:50:56 <tmcpeak> :)
17:50:57 <sigmavirus> Having a strict agenda and sticking to it and timeboxing topics is good for this
17:51:03 <sigmavirus> Also having discussions on the ML first is always helpful
17:51:03 <hyakuhei> Every other week tends to get messy
17:51:09 <michaelxin> shorter meeting is good
17:51:12 <hyakuhei> That's also true
17:51:15 <sigmavirus> agreed with hyakuhei about every other week
17:51:18 <tmcpeak> hyakuhei: agreed two weeks is messy
17:51:36 <hyakuhei> ok, so we'll look to have shorter, 30 minute meetings, (still start at 1700UTC)
17:51:51 <hyakuhei> and we agree that we'll have to be more disciplined about agenda in order to make that work.
17:51:57 <michaelxin> hyakuhei: +1
17:51:59 <tmcpeak> cool, hyakuhei want to write a dev-ML bit about it? if not I can
17:52:00 <capnoday> try that next week?
17:52:11 <capnoday> like the openstack equivalent of speed-dating?
17:52:16 <hyakuhei> hah
17:52:17 <hyakuhei> Yes
17:52:48 <tmcpeak> cool
17:52:49 <hyakuhei> We kinda jumped around the agenda a bit as it's our first meeting, I wanted to mention the signing keys just because it's the sort of thing this group would be interested in: http://lists.openstack.org/pipermail/openstack-dev/2016-December/109111.html
17:53:00 <hyakuhei> I'll write something up tmcpeak
17:53:17 <hyakuhei> #topic Any other business
17:53:29 <tmcpeak> hyakuhei: +1
17:53:34 <sicarie> getting back into secguide touchups, core review here please: https://review.openstack.org/#/c/416138/
17:54:35 <dave-mccowan> i joined late, but i thought i'd throw in re: PTG and Barbican
17:55:02 <dave-mccowan> we're planning on using PTG instead of a midcycle, but attendance RSVPs are very low.
17:55:18 <tmcpeak> dave-mccowan: how low?
17:55:29 <hyakuhei> dave-mccowan ours too
17:55:38 <dave-mccowan> so far 2 confirmed, and 2 maybes.
17:55:52 <tmcpeak> eek
17:55:59 <tmcpeak> I think that's 1 more confirmed than us :P
17:56:04 <hyakuhei> lol yeah
17:56:15 <dave-mccowan> i don't think we'll be able to fill all the time we've reserved the last 3 days with barbican topics.  i'd be happy to share, if the security project needs a room for the second half of the week.
17:56:41 <hyakuhei> dave-mccowan currently I've got a room to myself for the first two days :P
17:56:51 <capnoday> think how much work you will get done!
17:56:57 <hyakuhei> Thanks for the offer though. I wonder how other teams are doing.
17:57:01 <hyakuhei> capnoday I am
17:57:03 <tmcpeak> dave-mccowan: I think we'd be lucky to fill ours too
17:57:06 <hyakuhei> ok last couple of minutes
17:57:20 <capnoday> that has to be a point on both mid-cycle/ptg and the time we spend on it, we get a LOT done when we all sit in the room for a week
17:57:36 <tmcpeak> yeah most of our forward momentum is at midcycles
17:58:03 <tmcpeak> if we average 2 hours per week normally, but then we get 24 hours done twice a year, that's pretty big
17:58:08 <hyakuhei> tmcpeak +1
17:58:23 <tmcpeak> so hyakuhei should I save my travel budget for a midcycle?
17:58:24 <tmcpeak> :)
17:58:43 <tmcpeak> OSSN bug smash, sec guide sprint, Bandit sprint, etc?
17:58:54 <capnoday> +1
17:59:02 <capnoday> except why don't you come to the PTG and do it there...
17:59:09 <hyakuhei> Seems that way. I haven't seen much about this on the ML, I'll ping it
17:59:18 <hyakuhei> Because we position the midcycle so many don't have to travel
17:59:21 <hyakuhei> or try to
17:59:25 <tmcpeak> hyakuhei: ++
17:59:27 <hyakuhei> anyway, that's our lot. Thanks all
17:59:32 <tmcpeak> o/
17:59:35 <hyakuhei> #endmeeting