16:59:39 <sigmavirus> #startmeeting security
16:59:39 <openstack> Meeting started Thu Jan 12 16:59:39 2017 UTC and is due to finish in 60 minutes.  The chair is sigmavirus. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:59:40 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:59:42 <openstack> The meeting name has been set to 'security'
16:59:44 <sigmavirus> #chair hyakuhei
16:59:45 <openstack> Current chairs: hyakuhei sigmavirus
17:00:22 <tkelsey> o/
17:00:39 <vds> o/
17:00:39 <sigmavirus> #topic roll call
17:00:41 <sigmavirus> o/
17:00:51 * sigmavirus goes off in search of the agenda
17:01:32 <sigmavirus> #link https://etherpad.openstack.org/p/security-agenda
17:01:40 <sigmavirus> #info The agenda can be found at https://etherpad.openstack.org/p/security-agenda
17:02:23 <sigmavirus> #topic Action Items from last meeting
17:02:26 <sigmavirus> #link http://eavesdrop.openstack.org/meetings/security/2017/security.2017-01-05-16.59.html
17:02:42 <sigmavirus> There look to have been no action items from last week
17:02:54 <unrahul> o/
17:03:29 <ccneill> o/
17:03:32 <sigmavirus> #info Reminder this is a 30 minute meeting
17:03:34 <knangia> o/
17:03:38 <elmiko> hi
17:03:40 <vinaypotluri> o/
17:03:41 <sigmavirus> Here we go
17:03:53 <sigmavirus> hyakuhei, tmcpeak, and others are still missing
17:04:10 <sigmavirus> I suspect they're in a meeting that we're not privy to so I'm just rolling with the 30 minute meeting
17:04:25 <sigmavirus> I'm going to go down the list for quick updates for projects since we haven't done this before
17:04:26 <elmiko> i'm here for moral support =)
17:04:30 <unrahul> :)
17:04:32 <sigmavirus> #topic Syntribos Updates
17:04:35 <sigmavirus> unrahul: ccneill ^
17:04:51 <sigmavirus> #link https://review.openstack.org/#/q/status:open+project:openstack/syntribos,n,z
17:04:55 <unrahul> We have split up testing of swift into diff parts
17:05:07 <unrahul> and we have found 2 issues
17:05:12 <sigmavirus> Very good!
17:05:24 <unrahul> one has been made public and it is related to authentication when Swift's own tempauth
17:05:35 <unrahul> is used.. it was writing auth tokens to log files..
17:05:48 <ccneill> ooh, nice find :)
17:05:59 <sigmavirus> hah
17:06:03 <unrahul> but it seems the team considers keystone as the standard auth module.. so didn't consider that as a security issue
17:06:03 <unrahul> :/
17:06:12 <sigmavirus> Any other highlights?
17:06:23 <michaelxin> o/
17:06:24 <sigmavirus> Also that's surprising but let's revisit after status updates
17:06:38 <unrahul> we have a few patches up.. other than that we would be testing swift this week and next week as well.
17:06:44 <unrahul> that's all from us.. for now
17:06:50 <sigmavirus> Great unrahul. Thank you!
17:06:56 <unrahul> thanks sigmavirus  :)
17:06:58 <sigmavirus> #topic OSSN Updates
17:07:07 <sigmavirus> Anyone around to provide status updates on OSSNs? lhinds ?
17:07:53 <sigmavirus> We can circle back, I guess if no one's around.
17:08:15 * sigmavirus is hoping to keep us on schedule for 30 minute meetings
17:08:19 <unrahul> yeah..
17:08:28 <sigmavirus> #topic Blog updates
17:08:36 <elmiko> sadly, i have not kept up on docs or ossns
17:08:44 <sigmavirus> Anyone planning blog posts or have updates about the OpenStack security blog?
17:08:50 <sigmavirus> #link https://openstack-security.github.io/
17:09:25 <elmiko> not me
17:09:41 * unrahul thinks that's a no from everyone
17:09:45 <sigmavirus> Yeah
17:09:49 <sigmavirus> #topic Bandit Updates
17:09:54 <sigmavirus> #link https://review.openstack.org/#/q/status:open+project:openstack/bandit,n,z
17:10:03 <tkelsey> Bandit had a new release as well
17:10:21 <sigmavirus> Philip is an outsider to OpenStack so let's make him feel welcome :)
17:10:26 <elmiko> nice
17:10:32 * sigmavirus introduced him to bandit so he's found something to contribute
17:10:44 <tkelsey> hi Philip :)
17:10:47 <sigmavirus> Also, due to the requirements thread, I found out there are hostile forks of PyCrypto so our weak crypto key plugins need updates
17:10:51 <tkelsey> #link https://github.com/openstack/bandit/releases
17:10:53 * sigmavirus doesn't know if philip is here for the meeting
17:10:59 <unrahul> hey Philip welcome :)
17:11:07 <michaelxin> tkelsey: how are you? it has been a while.
17:11:17 <michaelxin> Philip welcome
17:11:49 <tkelsey> michaelxin: not bad thanks, not had much OS time recently though :( how are you?
17:12:02 <sigmavirus> I think that's it for Bandit
17:12:14 <tkelsey> yeah I have nothing else to report
17:12:17 <michaelxin> tkelsey: good. Thanks.
17:12:25 <tkelsey> :)
17:12:27 <sigmavirus> Looking at the other standing topics, there's "Security Reviews", so let's move on with that
17:12:31 <sigmavirus> #topic Security Reviews
17:12:35 <sigmavirus> Anyone have anything?
17:13:07 * sigmavirus waits until he can hear crickets
17:13:33 * ccneill hears crickets
17:13:41 <sigmavirus> #topic Security Guide
17:13:53 <sigmavirus> elmiko: hasn't been keeping up with it. Has anyone been keeping up with it?
17:14:02 * sigmavirus waves to browne
17:14:14 <browne> o/
17:14:24 <browne> sorry i'm late
17:14:29 <sigmavirus> browne: have you been keeping up with the Security Guide?
17:14:39 <browne> not much no
17:14:44 <sigmavirus> No worries. We're half-way through our first 30 minute meeting so people hopefully have 30 minutes to work on OSSP stuff
17:14:53 <sigmavirus> #topic Elections
17:15:01 <elmiko> haha
17:15:25 <sigmavirus> #info Reminder that PTL Nominations are open from 18 Jan 2017 23:59 UTC until 29 Jan 2017 23:45 UTC
17:15:33 <sigmavirus> #link https://governance.openstack.org/election/#how-to-submit-your-candidacy
17:15:40 <sigmavirus> #link https://releases.openstack.org/ocata/schedule.html#pike-ptls-self-nomination
17:15:57 <ccneill> wow, that was faster than I thought lol
17:16:13 <sigmavirus> ccneill: Yeah, ocata is a very short cycle
17:16:17 <ccneill> do we have new candidates? or will our fearless leader, hyakuhei, continue his reign?
17:16:19 <sigmavirus> That's due to the shift from Summit to PTG
17:16:31 <sigmavirus> ccneill: last meeting hyakuhei mentioned that he was still talking to leadership
17:16:40 <sigmavirus> No one else has had luck convincing their leadership to let them run
17:16:46 <ccneill> oof
17:16:47 <sigmavirus> Y'all should work on your leadership
17:17:00 <unrahul> I thought tmcpeak was also considering along with sigmavirus. Anything decided..?
17:17:03 <sicarie> sigmavirus: apologies got caught in a meeting while waiting for this to start
17:17:05 <capnoday__> sigmavirus for ptl :D
17:17:07 <sigmavirus> I'm not sure how much work there is in being Security PTL but I'm sure hyakuhei can help explain that
17:17:09 <unrahul> I think Friday is the last day, right?
17:17:12 <sicarie> I have been working on the sec-guide
17:17:15 <sigmavirus> capnoday__: lol. I'll just run meetings
17:17:18 <ccneill> I'm sort of out of the OSIC loop at this point.. that might change in the future, but I can't guarantee anything or give any kind of timeline
17:17:28 <sigmavirus> unrahul: I posted the dates above
17:17:37 <capnoday__> sorry for the late arrival, firefighting
17:17:38 <sigmavirus> ccneill: yeah it's a heavy time commitment
17:17:39 * elmiko waves at sicarie
17:17:50 <sicarie> elmiko! long time no se!
17:17:53 <sigmavirus> sicarie: let's work back round to the security guide
17:17:54 <sicarie> see*
17:17:56 <sicarie> sure
17:17:57 <michaelxin> elmiko
17:17:58 <elmiko> totally =)
17:18:00 <capnoday__> ccneill hyakuhei has done a great job, but if you know any other candidates for PTL, please nominate them and we can have a vote
17:18:02 <unrahul> right sigmavirus
17:18:04 <elmiko> hey michaelxin !
17:18:21 <sigmavirus> Any other questions on PTL nominations? They're not open yet, there's 6 days until that happens
17:18:33 <michaelxin> hey
17:18:41 <ccneill> capnoday__: yep, definitely down for another cycle of hyakuhei at the helm if he can get approval to do so
17:18:48 * sigmavirus suspects that there aren't other questions
17:18:52 <michaelxin> so we have another week to figure it out
17:18:58 <sigmavirus> michaelxin: yes
17:19:08 <sigmavirus> And that's just when nominations *open*
17:19:11 <sigmavirus> They close a few days later
17:19:15 <ccneill> not suggesting we "need" another - just remembered we had decided to look for a new candidate after the last PTL.. event
17:19:16 <sigmavirus> So there's a little over a week
17:19:22 <sigmavirus> But I'd rather us not play fast and loose
17:19:39 <sigmavirus> Everyone okay to move along?
17:19:43 <michaelxin> sure
17:19:50 <sicarie> sure
17:19:52 <sigmavirus> #topic Security Guide (Revisited)
17:19:57 <sigmavirus> sicarie: the floor is yours :)
17:20:15 <sicarie> There have been two updates - minor notes with release changes
17:20:31 <sicarie> there is a pending change I'd definitely like input on - keystone file ownership
17:20:45 * sicarie runs to get a link
17:20:52 <sigmavirus> #link https://review.openstack.org/#/c/413398/
17:20:55 <sigmavirus> sicarie: got it for you :)
17:20:58 <sicarie> thanks!
17:21:00 <ashcrack4> hey
17:21:06 <sigmavirus> o/ ashcrack4
17:21:19 <sicarie> So the thought is that keystone files should be owned by root user
17:21:43 <sicarie> I threw capnoday__ on it, but all input is appreciated
17:21:53 <sicarie> outside of that I am doing a Neutron review
17:21:58 <sigmavirus> sicarie: have you thrown that link into #openstack-keystone too?
17:22:01 <browne> why should keystone files not be owned by keystone?
17:22:07 * sigmavirus == browne
17:22:08 <sicarie> +1 browne
17:22:15 <sicarie> that's my question
17:22:35 <browne> what if there is no root
17:22:38 <sicarie> sigmavirus: I have not, I will hop over there if I have time today
17:22:51 <sigmavirus> I'll add stevemar to the review
17:22:54 <sigmavirus> and dstanek
17:22:57 <sicarie> thanks
17:22:57 <stevemar> o/
17:23:31 <sigmavirus> \o stevemar
17:23:42 <sigmavirus> #topic PTG
17:23:45 <sicarie> so from there I am doing a neutron review based on the code - I'm not sure how up to date the docs are, especially from a security perspective, so I've started that process
17:23:47 <stevemar> added it to my list
17:23:52 <sicarie> thanks stevemar
17:23:53 <sigmavirus> woops :x
17:24:00 <sigmavirus> sorry sicarie thought you were finished up
17:24:03 <sicarie> no worries sigmavirus, that's the end of my stuff
17:24:11 <sigmavirus> Okay.
17:24:31 <sigmavirus> The PTG is coming up. hyakuhei mentioned he was going to be around for a few days last week. Anyone else have updates on their attendance?
17:24:35 <sigmavirus> I'm still not going =P
17:24:48 <elmiko> i won't be there
17:24:57 <browne> i'll be there the whole week
17:25:14 <unrahul> me, vinaypotluri, knangia will not be there..
17:25:57 <sigmavirus> =(
17:25:58 <michaelxin> none from Rackspace
17:26:23 <stevemar> browne: nice to hear that
17:26:35 <sigmavirus> I'll let us have the last two minutes for Open Discussion, just to round it out
17:26:40 <sigmavirus> #topic Open Discussion
17:27:02 <ccneill> :[ so I know I haven't been super active, but it looks like we fought that big battle to stay big tent just to have the tent deflate
17:27:14 <sicarie> I'm trying to go; it was easier to sell to mgmt when the location was more flexible
17:27:32 <sigmavirus> ccneill: Yeah, so there are a lot of projects in the tent right now and the PTG was meant to make things cheaper
17:27:38 <sigmavirus> Also more productive for developers
17:27:59 <sigmavirus> Companies, however, have been laying off OpenStack developers and cutting commitments
17:28:06 <sigmavirus> Or reorganizing them onto different products
17:28:06 <ccneill> I was more referring to the OSSP project (sorry, bad metaphoring)
17:28:15 <sigmavirus> ccneill: No I know, but that also affects us
17:28:20 <ccneill> yep
17:28:39 <elmiko> sigmavirus: ouch, didn't realize it was spreading
17:29:03 <sigmavirus> OpenStack is at the point now where having developers focused on efforts rather than projects is more cost efficient and so cross project efforts are being led by some of those people and implemented
17:29:20 <elmiko> interesting
17:29:25 <sigmavirus> And most companies need people who can install/manage/triage an OpenStack cloud rather than develop their software into it
17:29:27 <elmiko> evolutionary even
17:29:30 <sigmavirus> Yeah
17:29:51 <sigmavirus> Anyway, we're over our 30 minute limit
17:29:53 <elmiko> since we're on open mic, i saw this last week and thought of the ossp https://github.com/dxa4481/truffleHog
17:30:00 <elmiko> has anyone checked it out?
17:30:16 <sigmavirus> elmiko: I heard about that from someone just yesterday
17:30:20 <elmiko> it searches git histories for high entropy variables
17:30:23 <ccneill> that thing's been spreading like wildfire haha
17:30:31 <ccneill> looks very interesting
17:30:36 * sigmavirus agrees
17:30:42 <elmiko> yeah, simple concept but nice package
17:30:47 <sigmavirus> I'm going to kill the meeting and we can all get to working on OSSP stuff
17:30:50 <sigmavirus> #endmeeting