17:01:52 <sigmavirus> #startmeeting security
17:01:53 <openstack> Meeting started Thu Feb 2 17:01:52 2017 UTC and is due to finish in 60 minutes. The chair is sigmavirus. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:54 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:57 <openstack> The meeting name has been set to 'security'
17:01:59 <unrahul> 0/
17:01:59 <openstack> hyakuhei: Error: Can't start another meeting, one is in progress. Use #endmeeting first.
17:02:00 <hyakuhei> nvm
17:02:01 <hyakuhei> heh
17:02:02 <sigmavirus> heh
17:02:05 <hyakuhei> Thanks sigmavirus
17:02:06 <sigmavirus> #chair hyakuhei
17:02:06 <lhinds> o/
17:02:06 <openstack> Current chairs: hyakuhei sigmavirus
17:02:07 <knangia> o/
17:02:15 <sigmavirus> yw hyakuhei
17:02:17 <michaelxin> o/
17:02:28 <sigmavirus> \o
17:02:32 <tkelsey> o/
17:02:40 <sigmavirus> Congratulations to our (returning) PTL :)
17:02:40 <hyakuhei> #link https://etherpad.openstack.org/p/security-agenda
17:02:48 <lhinds> +1
17:02:49 * hyakuhei waves
17:02:53 <unrahul> :)
17:02:57 <hyakuhei> Thanks y'all
17:02:58 <knangia> :)
17:03:13 <hyakuhei> Only 5 projects were contested I think, the rest had single candidates
17:03:19 <hyakuhei> Democracy in action....
17:03:28 <browne> o/
17:03:29 <hyakuhei> However, thanks for the support :)
17:03:33 <hyakuhei> sup browne
17:03:52 <sigmavirus> hyakuhei: i think you meant "Democracy inaction"
17:03:58 <mdong> o/
17:03:59 <hyakuhei> heh.
17:04:02 <vinaypotluri> o/
17:04:27 <hyakuhei> ok, 30 minute meeting so let's crack on - welcome mdong vinaypotluri michaelxin et al.
17:04:39 <hyakuhei> We can skip the PTL bit
17:04:43 <hyakuhei> #link PTG
17:04:46 <hyakuhei> Sigh
17:04:50 <hyakuhei> #topic PTG
17:04:57 <hyakuhei> #link https://etherpad.openstack.org/p/ptg-security-team
17:05:10 <hyakuhei> Reminder to update this if you are coming and either way please add to the topics list.
17:05:18 * mhayden stumbles in late
17:05:23 <hyakuhei> sup mhayden
17:05:31 <lhinds> hey mhayden
17:05:44 <michaelxin> hi mhayden
17:05:44 <hyakuhei> Just poking people to update https://etherpad.openstack.org/p/ptg-security-team with ideas for security topics for the PTG
17:05:48 <hyakuhei> and if they're attending
17:06:10 <michaelxin> at least we have some people attending
17:06:10 <michaelxin> Thanks
17:06:35 <hyakuhei> Yeah a couple yet to confirm, I think lhinds is a no-go, is that correct?
17:06:54 <lhinds> sadly yes, but will be going to future PTGs
17:07:03 <michaelxin> Major is going. Woho
17:07:09 <hyakuhei> whoop!
17:07:11 <hyakuhei> :D
17:07:24 <hyakuhei> Anything more on the PTG?
17:07:40 <browne> i'll be there
17:07:57 <michaelxin> browne: +1
17:08:03 <hyakuhei> Excellent :)
17:08:12 <hyakuhei> Should I add you to the etherpad?
17:08:31 <browne> oh i'll add myself
17:08:37 <hyakuhei> :D
17:08:44 <hyakuhei> Cool, let's roll on then
17:08:52 <hyakuhei> #topic Security Docs
17:09:04 <hyakuhei> Do we have a sicarie today?
17:09:10 * sicarie waves
17:09:20 <hyakuhei> Hey, have you caught up on your email from the docs PTL?
17:09:23 <sicarie> yes
17:09:28 <hyakuhei> Want to update here?
17:09:31 <sicarie> sure
17:09:43 <sicarie> So contributions to the sec-guide have slowed, and the docs team is looking for ways to keep that content fresh
17:09:59 <sicarie> The first move is to change where bugs are reported: https://review.openstack.org/#/c/427760/
17:10:25 <sicarie> and the eventual migration would be to move the sec-guide to where the rest of the specialty guides reside
17:10:54 <sicarie> As the docs team could then better curate and encourage contributions from the pool of those who contribute to docs
17:11:06 <sicarie> hyakuhei: did I miss anything?
17:11:08 <hyakuhei> We need to sync on this at the PTG because it felt to me more like they wanted to remove the security guide from docs.o.o rather than drum up support
17:11:32 <hyakuhei> I'm yet to see any description of how moving the content from one repo to another will improve contribution
17:11:43 <michaelxin> why do they want to remove the security guide?
17:11:55 <hyakuhei> It is low on contribution and falling behind projects
17:12:24 <hyakuhei> I pointed out in email that's because we need contributions _from_ these projects. However I do think we could do a lot more to chase these projects and orchestrate the updates
17:12:26 <sicarie> for example: i've been pinging neutron resources for about the last year, and we have no meaningful contributions to that area in that time
17:12:30 <sigmavirus> asettle: ping
17:12:49 <sicarie> so much so that I am now doing a code review of neutron on my own to look at what the current state is
17:12:59 <hyakuhei> As before, we'll have a meeting about this at the PTG, but as we likely only have one more meeting before the PTG I wanted people to start thinking about it
17:13:08 <sicarie> +1
17:13:08 <michaelxin> gee
17:13:18 <asettle> sigmavirus: wassup
17:13:25 <asettle> Worried I wasn't attending your 3rd meeting for the day?
17:13:32 <hyakuhei> lol
17:13:36 <michaelxin> Is there anything OSIC can help with?
17:13:42 <hyakuhei> hi asettle we're talking about the security docs
17:13:45 <hyakuhei> michaelxin possibly
17:13:51 <sigmavirus> asettle: do the docs team want to remove the security content from docs.o.o?
17:13:51 <asettle> Oh no this is legit
17:13:52 <asettle> Hahahah
17:13:53 <michaelxin> In OSIC here, we seem to have people working on different projects
17:13:53 <asettle> let me read it up
17:13:54 <asettle> One second
17:13:56 <sigmavirus> heh
17:14:02 <michaelxin> lots of core members
17:14:03 <asettle> *back scroll time*
17:14:07 <mhayden> FWIW, we could add some docs in there more focused around host machine / base host security
17:14:09 <unrahul> osic has a docs member ianeta who we worked closely with for some syntribos stuff
17:14:59 <hyakuhei> Interesting unrahul I didn't know that :) That would be useful but fundamentally we have an engagement problem. Swift seem to be pretty good but I can't think of other good examples
17:15:04 <asettle> Hey! So :) I can speak to a few of the concerns and questions above.
17:15:12 <michaelxin> unrahul: +1
17:15:15 <asettle> My proposal was just that, a proposal. With obviously no backing to it.
17:15:25 <unrahul> we could take some ownership and help out in any way.. we are sitting with around 80 ppl working on all kinds of openstack stuff
17:15:28 <asettle> My point was: we don't want to 'dump and run' but we want to find a better place for people to be looking at this guide.
17:15:28 <michaelxin> hyakuhei: We can definitely help with engagement
17:15:30 <knangia> unrahul: +1
17:15:42 <asettle> So, when you say hyakuhei that "I'm yet to see any description of how moving the content from one repo to another will improve contribution"
17:15:51 <michaelxin> Before we do any security testing, we always engage with some core members of the projects.
17:15:52 <asettle> I agree with you, but that's simply because we're getting nothing in the manuals repo.
17:16:03 <sigmavirus> asettle++
17:16:04 <asettle> At the moment, it's turning into tech debt for our team. We are dwindling, and fast, and we cannot keep up with all the guides we have.
17:16:05 <michaelxin> unrahul has been talking with them quite a lot.
17:16:16 <knangia> michaelxin: +1
17:16:31 <asettle> I would like to look into, further, where people go for their security content. Manuals, or the sec repo (what has the most hits based on analytics)
17:16:33 <sigmavirus> michaelxin: that doesn't translate to security-doc activity
17:16:37 <asettle> That, to me, would determine where the guide should live.
17:16:40 <sigmavirus> Most project core teams are already swamped with enough
17:16:57 <michaelxin> At least we can start the conversation and use the relationship
17:17:11 <asettle> unrahul: Ianeta will be working with me (I am also OSIC and docs PTL) on HA guide engagement.
17:17:13 <michaelxin> If needed, we can contribute one full time doc guy
17:17:19 <unrahul> michaelxin: +1 true.. we can reach out more easily I guess..
17:17:30 <asettle> michaelxin: problem is, you have already dedicated one full time 'doc guy' and we are in this situation.
17:17:37 <asettle> Nathaniel is swamped.
17:17:38 <unrahul> asettle: yup I know :).. she is sitting next to me.. so said
17:17:43 <asettle> There are 28 bugs alone reported for the sec guide.
17:17:51 <asettle> That is the highest count for any individual guide.
17:18:08 <michaelxin> So, our top priority is to work on the 28 current bugs
17:18:10 <sigmavirus> And of our own security team the people who review content to that repo have dwindled as well
17:18:18 <knangia> yes, we can reach out here easily ...since we have many ppl here sitting around working on different openstack projects
17:18:20 <sigmavirus> michaelxin: I think Intel sets OSIC's priorities
17:18:24 <hyakuhei> To some extent that's true
17:18:28 <sigmavirus> Which for security participation was syntribos last I heard
17:18:32 <hyakuhei> However I expect that most of those bugs require input from the project teams.
17:18:37 <asettle> My point is, this needs to be addressed properly. I do believe the bugs should be moved out of the manuals repo and reported to you all directly. From there, we can work on best placement for the guide itself.
17:18:37 <asettle> https://bugs.launchpad.net/openstack-manuals/+bugs?field.tag=sec-guide
17:18:52 <hyakuhei> I'm happy enough to move bugs over
17:18:55 <asettle> This is the proposal patch for moving the bugs:
17:18:55 <asettle> https://review.openstack.org/#/c/427760/
17:19:02 <hyakuhei> Probably makes things simpler
17:19:03 <michaelxin> sigmavirus: For the security project, I work with an Intel peer to set up our priorities.
17:19:03 <asettle> We need one more security core (docs people have approved)
17:19:11 <unrahul> michaelxin: +1
17:19:23 <sigmavirus> michaelxin: good to hear that
17:19:32 <vinaypotluri> michaelxin: +1
17:19:57 <sigmavirus> I'm going by what I hear in the random one-off meetings but I think asettle has a good sense of what's going on with the docs team and this seems to be a joint OSSP+Docs team project
17:19:59 <michaelxin> If there is a need for security docs, we might be able to get a resource working on it.
17:20:02 <knangia> michaelxin: +1
17:20:12 <unrahul> OSIC security will be adding one more person to the group from the Intel side .. so we have people to help out..
17:20:20 <unrahul> just need the structure on how we can help ..
17:20:24 <hyakuhei> I've had customers reference the security guide back to me before
17:20:26 <unrahul> asettle: michaelxin ^
17:20:30 <sigmavirus> unrahul: Are they a documentation person or just a random security person?
17:20:41 <asettle> michaelxin: that OSIC person would have to be security, not documentation. Just to clarify.
17:20:43 <hyakuhei> My understanding is that when it was in print and up to date it was the best selling tree-form openstack book at the time
17:20:47 <unrahul> A new joinee, not a documentation person per se sigmavirus
17:20:58 <michaelxin> It is security.
17:20:59 <unrahul> we would have more bandwidth
17:21:01 <hyakuhei> I think we know there's a need for it, it just turns out to be hard to maintain
17:21:06 <asettle> Yes, I don't wish to come across and bash and smash the idea - but we are not short of writers. We need someone with the bandwidth and security knowledge.
17:21:06 <knangia> unrahul: +1
17:21:07 <michaelxin> But we can help with documentation
17:21:09 <unrahul> michaelxin: +1
17:21:26 <knangia> michaelxin: +1 ..we can help with documentation
17:21:28 <sigmavirus> knangia: unrahul the +1s are noisy and kind of useless at this point, please stop
17:21:39 <unrahul> asettle: I think that is where we can help.. as documentation is your forte
17:21:41 <hyakuhei> I'm loving all the positivity :) It should be a very easy meeting at the PTG
17:21:54 <asettle> Okay, just so I can ensure we are all on the same page - give me 5 seconds here people :)
17:21:56 <vinaypotluri> michaelxin: +1 yes we can all help with that
17:22:05 <asettle> 1. Happy to move bug reporting to the ossg launchpad, and out of docs.
17:22:12 <asettle> I need a sec core please: https://review.openstack.org/#/c/427760/
17:22:25 <asettle> 2. The guide will be worked on by OSIC, michaelxin to check in and report back
17:22:32 <hyakuhei> 1. done
17:22:40 <asettle> michaelxin: please include me in any emails you send off (osic or otherwise - ping me, and I can give you my RAX email)
17:22:49 <asettle> 3. I will move pre-existing bugs over to ossg for monitoring
17:23:09 <asettle> 3. I will check in with analytics and report back on how highly viewed the sec-guide is and we can begin a discussion at the PTG on the home of the guide
17:23:10 <hyakuhei> We have a sec-guide topic for the PTG session which has been productive in the past.
17:23:21 <asettle> *nods* hyakuhei perfect. What day would that be on?
17:23:34 <hyakuhei> We're in the first block
17:23:58 <asettle> hyakuhei: damnit, same. Okay, well, we will sync up and coordinate further :) please drop me a line: a.settle@outlook.com (openstack email too many emails)
17:24:02 <hyakuhei> We haven't scheduled out what's happening when exactly yet but that will form up over the next week or so, we've got notes here: https://etherpad.openstack.org/p/ptg-security-team
17:24:03 <asettle> And we can ensure we are on the same page.
17:24:11 <asettle> hyakuhei: great, I will add to that properly.
17:24:21 <asettle> Thanks for including it on your list :)
17:24:28 <sicarie> unfortunately it's looking more and more like I'm not going to make it to the PTG
17:24:35 <hyakuhei> Sure thing
17:25:00 <asettle> Great :) thanks for your input everyone
17:25:02 <hyakuhei> Like I said previously (and in our email) the big issue for us is that we need involvement (sporadic) from individual project teams
17:25:09 <asettle> michaelxin: ping me in a PM sec OSIC email things
17:25:12 <hyakuhei> We need to work out how to drive that better
17:25:28 <asettle> hyakuhei: yeah totally, it's hard. Perhaps we can work together further and you can utilise our doc-liaisons.
17:25:31 <hyakuhei> Maybe look at making it part of the vulnerability managed tag that you have to help keep your sec-info up to date.
17:25:40 <hyakuhei> asettle That sounds like a good first step
17:25:57 <michaelxin> asettle, will do it
17:25:58 <asettle> hyakuhei: perfect. We're updating the list at the moment, actually. So I can get back to you after the list is finalised.
17:26:01 <asettle> michaelxin: thanks :)
17:26:23 <hyakuhei> That sounds good. We're thankful for the support asettle
17:26:36 <asettle> No, thank YOU guys :)
17:26:41 <asettle> Appreciate you all taking this on board!
17:26:46 <asettle> We need to find a good action plan :)
17:27:03 <lhinds> sorry, crash / reboot..back now
17:27:09 <hyakuhei> Perfectly reasonable, letting it wither on the vine is not an option :)
17:27:28 <asettle> Ahhhhmennnnn
17:27:32 <hyakuhei> ok, let's move the conversation to AOB, you can provide any important OSSN/Syntribos stuff there (2.5 minutes left)
17:27:37 <hyakuhei> #topic Any other business
17:27:41 <hyakuhei> Thanks again asettle
17:27:56 <lhinds> OSSN, we only have one public now: https://bugs.launchpad.net/ossn/+bug/1606495
17:27:56 <openstack> Launchpad bug 1606495 in OpenStack Security Notes "copy_from in api v1 allows network port scan" [Undecided,New] - Assigned to Travis McPeak (travis-mcpeak)
17:28:12 <lhinds> if anyone thinks they can really do some magic with it, let me know and I will reassign
17:28:16 <hyakuhei> Cool, I'm not sure tmcpeak has time to manage this atm
17:28:20 <lhinds> if not i will pick it up
17:28:31 <lhinds> hyakuhei: yep that's fine
17:28:35 <hyakuhei> I suggest posting on the bug asking as much, if he doesn't reply by Monday then cut it over to someone who's free I guess
17:28:41 <lhinds> it's not a killer OSSN, so it's ok to sit for a while
17:28:45 <hyakuhei> Righto
17:28:47 <unrahul> syntribos: we have started looking into glance.. along with some improvements to the tool
17:28:51 <lhinds> hyakuhei: sounds good
17:29:27 <unrahul> For now we have stopped swift testing, that's it from us, unless I am missing something.. michaelxin ?
17:29:39 <michaelxin> unrahul: you are right
17:29:43 <vinaypotluri> unrahul: +1
17:30:00 <hyakuhei> Excellent, thanks for coming guys, remember to hang out in #openstack-security when you can.
17:30:02 <hyakuhei> #endmeeting