17:00:15 <hyakuhei> #startmeeting Security
17:00:16 <openstack> Meeting started Thu Feb 9 17:00:15 2017 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:17 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:19 <openstack> The meeting name has been set to 'security'
17:00:20 <unrahul> o/
17:00:25 <vinaypotluri> o/
17:00:36 <sigmavirus> o/
17:00:44 <dave-mccowan> o/
17:00:51 <knangia> o/
17:01:09 <aasthad> o/
17:01:46 <capnoday> o/
17:01:55 <hyakuhei> Hey guys :D
17:02:08 <hyakuhei> I've been back to back all day, I'll just update the agenda now
17:02:18 <hyakuhei> oh wait
17:02:23 <hyakuhei> Someone else did it.
17:02:26 <hyakuhei> OMG.
17:02:31 <hyakuhei> The agenda fairy
17:02:38 <unrahul> :D
17:02:44 <hyakuhei> I'm assuming that's sigmavirus ?
17:02:53 <hyakuhei> #link https://etherpad.openstack.org/p/security-agenda
17:03:03 <sigmavirus> Yes that was
17:03:12 <capnoday> ty
17:03:16 <hyakuhei> ty sir!
17:03:23 <vinaypotluri> great
17:03:34 <hyakuhei> ok, so lhinds passed his apologies for not being able to make it today
17:03:37 <sigmavirus> Just one item
17:04:39 <hyakuhei> Added a couple but let's start with OSSN
17:04:42 <hyakuhei> #topic OSSN
17:05:02 <hyakuhei> A couple of embargoed OSSN will go out this week, I think they've already gone to the pre-notify people
17:05:17 <hyakuhei> There's a public OSSN that needs an owner: https://bugs.launchpad.net/ossn/+bug/1606495
17:05:17 <openstack> Launchpad bug 1606495 in OpenStack Security Notes "copy_from in api v1 allows network port scan" [Undecided,New] - Assigned to Travis McPeak (travis-mcpeak)
17:05:52 <hyakuhei> tmcpeak says he is fine with it
17:06:50 <hyakuhei> Ok, no one wants it. That's ok I'll un-assign it for now
17:07:11 <hyakuhei> sigmavirus did you add the other one?
17:08:19 <sigmavirus> I did
17:08:35 <sigmavirus> It was more of a "Should we have an OSSN about this given that it's in the public now?"
17:08:52 <hyakuhei> Oh I see
17:08:57 <sigmavirus> I tend towards not, because it's a problem that's disregarded across openstack (drivers disabling TLS verification)
17:09:33 <sicarie> sigmavirus: if not, is that in the driver documentation (or service documentation)?
17:09:35 <hyakuhei> Interesting. If that is the case then we should probably still have an OSSN but regarding TLS being disabled in many services.
17:09:45 <sicarie> +1
17:10:15 <sigmavirus> sicarie: it's not. And I only have that opinion because I tried to fight this battle in glance's glance-store project before
17:10:34 <sicarie> then I'm of the opinion we should have an OSSN
17:11:11 <hyakuhei> I'm inclined to agree
17:12:26 <hyakuhei> sigmavirus thoughts?
17:12:42 <sigmavirus> I'm always in favor of telling people their software is doing silly things
17:13:03 <sigmavirus> I think it would be valuable if we gave driver authors some common patterns to use though for dealing with this
17:13:23 <sigmavirus> i.e., drivers should be able to handle client certificates, certificate authority pem paths, and toggling verification
17:13:48 <sigmavirus> That's an ideal though, and I don't know how many of those drivers use requests, but those are all things they'd just need to pass into requests
17:14:06 <sigmavirus> For socket level stuff, I can also provide some documentation around doing it correctly there too
17:14:10 <sigmavirus> But that's a separate concern
17:14:13 <hyakuhei> It gets messy when there's so many different implementations
17:14:16 <sicarie> So IMO that should be sec-guide material, specific drivers disabling TLS in a service should be an OSSN
17:14:22 <hyakuhei> +1
17:14:35 <sigmavirus> agreed
17:14:41 <sigmavirus> I meant that should all be in addition to the OSSN
17:14:42 <hyakuhei> Though it would be nice if the OSSN could point to the relevant info in the sec guide.
17:14:50 <sigmavirus> Because too many driver authors don't know any of this
17:15:03 <sicarie> +1 hyakuhei I'll see what I can do
17:16:45 <michaelxin> sigmavirus: Are you still working on Glance Project?
17:16:58 <sigmavirus> michaelxin: for certain quantities of "work"
17:17:10 <sigmavirus> Just like I still work on this project
17:17:17 <sigmavirus> And the 4 others I'm assigned to work on
17:17:51 <hyakuhei> sheesh
17:18:37 <hyakuhei> ok, so we're agreed
17:18:46 <hyakuhei> Next up, security docs
17:18:52 <hyakuhei> #topic Security Guide
17:18:59 <hyakuhei> We had a productive conversation last week
17:19:14 <hyakuhei> My key concern is still that we need other teams to be more involved.
17:19:43 <hyakuhei> I was considering sending out a plea to the mailing list, which I might still do, however, I wondered if we should try to coordinate this with something at the PTG too
17:21:00 <hyakuhei> Hmm, no thoughts on that, ok, well I'll wait for the PTG then.
17:21:03 <unrahul> We the OSIC ppl would be contributing to the sec guide from now on as we discussed last week, we have initiated talks with the docs PTL and she has given us some pointers on things where we can contribute, around 26 bugs for now ..
17:21:10 <unrahul> michaelxin: ^
17:21:17 <hyakuhei> Oh excellent
17:21:27 <hyakuhei> I'd still like project teams to be more involved
17:21:40 <unrahul> hyakuhei: agreed ..
17:21:45 <michaelxin> we finished our priority planning for next cycle. I put helping security guide into it. OSIC is ok with it.
17:21:54 <hyakuhei> Excellent!
17:22:11 <knangia> michaelxin: +1
17:22:30 <ankur-gu_> +1
17:22:33 <hyakuhei> ok cool, let's move swiftly on :)
17:22:45 <hyakuhei> #topic Barbican SimpleCryptoThingy
17:22:50 <hyakuhei> #link https://review.openstack.org/#/c/431228/2/specs/pike/enhance-simple-crypto.rst
17:22:58 <hyakuhei> Crypto monkeys, Attack!
17:23:08 <hyakuhei> That is to say, please give this a thoughtful review.
17:23:14 <hyakuhei> I've put a cautious -1 on there at the moment
17:23:26 <hyakuhei> @dave-mccowan fyi ^^^
17:23:56 <dave-mccowan> hyakuhei thanks! please, all, provide input early in Pike, so we have time to implement. :-)
17:24:19 <hyakuhei> Cool, you all heard the man, have at it!
17:24:52 <hyakuhei> We're doing well time-wise, let's move to AOB
17:24:56 <hyakuhei> #topic Any Other Business
17:25:20 <hyakuhei> I won't be available for a meeting next week because of the way my travel has fallen regarding the PTG
17:25:31 <hyakuhei> Are others happy to take it or should we postpone?
17:25:43 <hyakuhei> oh and a reminder to keep this up to date
17:25:45 <hyakuhei> #link https://etherpad.openstack.org/p/ptg-security-team
17:26:10 <hyakuhei> sicarie did you get auth to go ?
17:26:20 <sicarie> I got time, but not funding
17:26:24 <sicarie> so I will not be attending
17:26:56 <capnoday> :(
17:27:07 <sicarie> +1
17:27:20 <hyakuhei> booo, sorry to hear that sicarie
17:27:27 <hyakuhei> ok, anything else to discuss?
17:28:21 <unrahul> hyakuhei: We are working on glance testing from this week, had a very productive meeting with the glance PTL.. nothing as of yet on bugs, will keep you all posted.
17:28:33 <unrahul> Also we have one more person who joined our team
17:28:35 <unrahul> aasthad:
17:29:01 <hyakuhei> welcome aasthad!
17:29:20 <aasthad> Hello everyone .. I am happy to be a part of osic security team..
17:29:20 <sigmavirus> hyakuhei: calling back to your question, if people want to have the meeting, I'm happy to chair it
17:29:37 <hyakuhei> Thanks sigmavirus might as well see what happens then :)
17:29:47 <hyakuhei> ok that's time people! Thanks everyone, thanks sigmavirus for your help!
17:29:51 <hyakuhei> #endmeeting