16:59:39 #startmeeting security
16:59:39 Meeting started Thu Jan 12 16:59:39 2017 UTC and is due to finish in 60 minutes. The chair is sigmavirus. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:59:40 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:59:42 The meeting name has been set to 'security'
16:59:44 #chair hyakuhei
16:59:45 Current chairs: hyakuhei sigmavirus
17:00:22 o/
17:00:39 o/
17:00:39 #topic roll call
17:00:41 o/
17:00:51 * sigmavirus goes off in search of the agenda
17:01:32 #link https://etherpad.openstack.org/p/security-agenda
17:01:40 #info The agenda can be found at https://etherpad.openstack.org/p/security-agenda
17:02:23 #topic Action Items from last meeting
17:02:26 #link http://eavesdrop.openstack.org/meetings/security/2017/security.2017-01-05-16.59.html
17:02:42 There look to have been no action items from last week
17:02:54 o/
17:03:29 o/
17:03:32 #info Reminder this is a 30 minute meeting
17:03:34 o/
17:03:38 hi
17:03:40 o/
17:03:41 Here we go
17:03:53 hyakuhei, tmcpeak, and others are still missing
17:04:10 I suspect they're in a meeting that we're not privy to so I'm just rolling with the 30 minute meeting
17:04:25 I'm going to go down the list for quick updates for projects since we haven't done this before
17:04:26 i'm here for moral support =)
17:04:30 :)
17:04:32 #topic Syntribos Updates
17:04:35 unrahul: ccneill ^
17:04:51 #link https://review.openstack.org/#/q/status:open+project:openstack/syntribos,n,z
17:04:55 We have split up testing of swift into diff parts
17:05:07 and we have found 2 issues
17:05:12 Very good!
17:05:24 one has been made public and it related to authentication when swift's own tempauth
17:05:35 is used.. it was writing auth tokens to log files..
17:05:48 ooh, nice find :)
17:05:59 hah
17:06:03 but it seems the team considers keystone as the standard auth module.. so didn't consider that as a security issue
17:06:03 :/
17:06:12 Any other highlights?
17:06:23 o/
17:06:24 Also that's surprising but let's revisit after status updates
17:06:38 we have few patches up.. other than that we would be testing swift this week and next week as well.
17:06:44 that's all from us.. for now
17:06:50 Great unrahul. Thank you!
17:06:56 thanks sigmavirus :)
17:06:58 #topic OSSN Updates
17:07:07 Anyone around to provide status updates on OSSNs? lhinds ?
17:07:53 We can circle back, I guess if no one's around.
17:08:15 * sigmavirus is hoping to keep us on schedule for 30 minute meetings
17:08:19 yeah..
17:08:28 #topic Blog updates
17:08:36 sadly, i have not kept up on docs or ossns
17:08:44 Anyone planning blog posts or have updates about the OpenStack security blog?
17:08:50 #link https://openstack-security.github.io/
17:09:25 not me
17:09:41 * unrahul thinks that's a no from everyone
17:09:45 Yeah
17:09:49 #topic Bandit Updates
17:09:54 #link https://review.openstack.org/#/q/status:open+project:openstack/bandit,n,z
17:10:03 Bandit had a new release as well
17:10:21 Philip is an outsider to OpenStack so let's make him feel welcome :)
17:10:26 nice
17:10:32 * sigmavirus introduced him to bandit so he's found something to contribute
17:10:44 hi Philip :)
17:10:47 Also, due to the requirements thread, I found out there are hostile forks of PyCrypto so our weak crypto key plugins need updates
17:10:51 #link https://github.com/openstack/bandit/releases
17:10:53 * sigmavirus doesn't know if philip is here for the meeting
17:10:59 hey Philip welcome :)
17:11:07 tkelsey: how are you? it has been a while.
17:11:17 Philip welcome
17:11:49 michaelxin: not bad thanks, not had much OS time recently though :( how are you?
17:12:02 I think that's it for Bandit
17:12:14 yeah I have nothing else to report
17:12:17 tkelsey: good. Thanks.
17:12:25 :)
17:12:27 Looking at the other standing topics, there's "Security Reviews", so let's move on with that
17:12:31 #topic Security Reviews
17:12:35 Anyone have anything?
17:13:07 * sigmavirus waits until he can hear crickets
17:13:33 * ccneill hears crickets
17:13:41 #topic Security Guide
17:13:53 elmiko: hasn't been keeping up with it. Has anyone been keeping up with it?
17:14:02 * sigmavirus waves to browne
17:14:14 o/
17:14:24 sorry i'm late
17:14:29 browne: have you been keeping up with the Security Guide?
17:14:39 not much no
17:14:44 No worries. We're half-way through our first 30 minute meeting so people hopefully have 30 minutes to work on OSSP stuff
17:14:53 #topic Elections
17:15:01 haha
17:15:25 #info Reminder that PTL Nominations are open from 18 Jan 2017 23:59 UTC until 29 Jan 2017 23:45 UTC
17:15:33 #link https://governance.openstack.org/election/#how-to-submit-your-candidacy
17:15:40 #link https://releases.openstack.org/ocata/schedule.html#pike-ptls-self-nomination
17:15:57 wow, that was faster than I thought lol
17:16:13 ccneill: Yeah, ocata is a very short cycle
17:16:17 do we have new candidates? or will our fearless leader, hyakuhei, continue his reign?
17:16:19 That's due to the shift from Summit to PTG
17:16:31 ccneill: last meeting hyakuhei mentioned that he was still talking to leadership
17:16:40 No one else has had luck convincing their leadership to let them run
17:16:46 oof
17:16:47 Y'all should work on your leadership
17:17:00 I thought tmcpeak was also considering along with sigmavirus anything decided..?
17:17:03 sigmavirus: apologies got caught in a meeting while waiting for this to start
17:17:05 sigmavirus for ptl :D
17:17:07 I'm not sure how much work there is in being Security PTL but I'm sure hyakuhei can help explain that
17:17:09 I think Friday is that last day ryt?
17:17:12 I have been working on the sec-guide
17:17:15 capnoday__: lol. I'll just run meetings
17:17:18 I'm sort of out of the OSIC loop at this point.. that might change in the future, but I can't guarantee anything or give any kind of timeline
17:17:28 unrahul: I posted the dates above
17:17:37 sorry for the late arrival, firefighting
17:17:38 ccneill: yeah it's a heavy time commitment
17:17:39 * elmiko waves at sicarie
17:17:50 elmiko! long time no se!
17:17:53 sicarie: let's work back round to the security guide
17:17:54 see*
17:17:56 sure
17:17:57 elmiko
17:17:58 totally =)
17:18:00 ccneill hyakuhei has done a great job, but if you know any other candidates for PTL, please nominate them and we can have a vote
17:18:02 ryt sigmavirus
17:18:04 hey michaelxin !
17:18:21 Any other questions on PTL nominations? They're not open yet, there's 6 days until that happens
17:18:33 hey
17:18:41 capnoday__: yep, definitely down for another cycle of hyakuhei at the helm if he can get approval to do so
17:18:48 * sigmavirus suspects that there aren't other questions
17:18:52 so we have another week to figure it out
17:18:58 michaelxin: yes
17:19:08 And that's just when nominations *open*
17:19:11 They close a few days later
17:19:15 not suggesting we "need" another - just remembered we had decided to look for new candidate after the last PTL.. event
17:19:16 So there's a little over a week
17:19:22 But I'd rather us not play fast and loose
17:19:39 Everyone okay to move along?
17:19:43 sure
17:19:50 sure
17:19:52 #topic Security Guide (Revisited)
17:19:57 sicarie: the floor is yours :)
17:20:15 There have been two updates - minor notes with release changes
17:20:31 there is a pending change I'd definitely like input on - keystone file ownership
17:20:45 * sicarie runs to get a link
17:20:52 #link https://review.openstack.org/#/c/413398/
17:20:55 sicarie: got it for you :)
17:20:58 thanks!
17:21:00 hey
17:21:06 o/ ashcrack4
17:21:19 So the thought is that keystone files should be owned by root user
17:21:43 I threw capnoday__ on it, but all input is appreciated
17:21:53 outside of that I am doing a Neutron review
17:21:58 sicarie: have you thrown that link into #openstack-keystone too?
17:22:01 why should keystone files not be owned by keystone?
17:22:07 * sigmavirus == browne
17:22:08 +1 browne
17:22:15 that's my question
17:22:35 what if there is no root
17:22:38 sigmavirus: I have not, I will hop over there if I have time today
17:22:51 I'll add stevemar to the review
17:22:54 and dstanek
17:22:57 thanks
17:22:57 o/
17:23:31 \o stevemar
17:23:42 #topic PTG
17:23:45 so from there I am doing a neutron review based on the code - I'm not sure how up to date the docs are, especially from a security perspective, so I've started that process
17:23:47 added it to my list
17:23:52 thanks stevemar
17:23:53 woops :x
17:24:00 sorry sicarie thought you were finished up
17:24:03 no worries sigmavirus, that's the end of my stuff
17:24:11 Okay.
17:24:31 The PTG is coming up. hyakuhei mentioned he was going to be around for a few days last week. Anyone else have updates on their attendance?
17:24:35 I'm still not going =P
17:24:48 i won't be there
17:24:57 i'll be there the whole week
17:25:14 me, vinaypotluri , knangia will not be there..
17:25:57 =(
17:25:58 none from Rackspace
17:26:23 browne: nice to hear that
17:26:35 I'll let us have the last two minutes for Open Discussion, just to round it out
17:26:40 #topic Open Discussion
17:27:02 :[ so I know I haven't been super active, but it looks like we fought that big battle to stay big tent just to have the tent deflate
17:27:14 I'm trying to go; it was easier to sell to mgmt when the location was more flexible
17:27:32 ccneill: Yeah, so there are a lot of projects in the tent right now and the PTG was meant to make things cheaper
17:27:38 Also more productive for developers
17:27:59 Companies, however, have been laying off OpenStack developers and cutting commitments
17:28:06 Or reorganizing them onto different products
17:28:06 I was more referring to the OSSP project (sorry, bad metaphoring)
17:28:15 ccneill: No I know, but that also affects us
17:28:20 yep
17:28:39 sigmavirus: ouch, didn't realize it was spreading
17:29:03 OpenStack is at the point now where having developers focused on efforts rather than projects is more cost efficient and so cross project efforts are being led by some of those people and implemented
17:29:20 interesting
17:29:25 And most companies need people who can install/manage/triage an OpenStack cloud rather than develop their software into it
17:29:27 evolutionary even
17:29:30 Yeah
17:29:51 Anyway, we're over our 30 minute limit
17:29:53 since we're on open mic, i saw this last week and thought of the ossp https://github.com/dxa4481/truffleHog
17:30:00 has anyone checked it out?
17:30:16 elmiko: I heard about that from someone just yesterday
17:30:20 it searches git histories for high entropy variables
17:30:23 that thing's been spreading like wildfire haha
17:30:31 looks very interesting
17:30:36 * sigmavirus agrees
17:30:42 yeah, simple concept but nice package
17:30:47 I'm going to kill the meeting and we can all get to working on OSSP stuff
17:30:50 #endmeeting