17:00:53 <hyakuhei> #startmeeting Security 17:00:57 <openstack> Meeting started Thu Jun 1 17:00:53 2017 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:00:58 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 17:01:00 <openstack> The meeting name has been set to 'security' 17:01:16 <lhinds> o/ 17:01:17 <hyakuhei> #chair lhinds 17:01:17 <mdong> o/ 17:01:18 <asettle> o/ 17:01:18 <openstack> Current chairs: hyakuhei lhinds 17:01:23 <hyakuhei> Hey all! 17:01:28 <vds> o/ 17:01:31 <hyakuhei> :) 17:01:35 <mdong> hey! 17:01:52 <hyakuhei> I'll see if I can rustle-up sicarie. 17:01:59 <browne> o/ 17:02:15 <lhinds> a few more this week, that's good. 17:02:20 <hyakuhei> heh 17:03:06 <hyakuhei> ok, the agenda is up in the normal place 17:03:11 <hyakuhei> #link https://etherpad.openstack.org/p/security-agenda 17:04:13 <hyakuhei> So while I see if we can find capnoday and sicarie check out the agenda 17:04:39 <asettle> hyakuhei: any chance we could scoot the docs up? I'm sorry, I gotta run :( 17:05:01 <hyakuhei> It is pretty much top 17:05:10 <hyakuhei> #topic Team commitments 17:05:15 <asettle> Ah, "at risk" I see :) 17:05:18 <asettle> I just saw "secuirty docs" 17:05:20 <asettle> .... ugh 17:05:22 <asettle> security* 17:05:32 <hyakuhei> Heh yeah sorry, we have a standing update for docs too 17:05:37 <asettle> Love it :D 17:06:07 <hyakuhei> Ok, the team has gone through some shrinkage recently, not just because of OSIC but the general (apparent) contraction of $corp investment at the moment 17:06:11 <hyakuhei> welcome tkelsey 17:06:18 <tkelsey> o/ 17:06:20 <hyakuhei> Because of this we need to do a few things. 17:06:30 <hyakuhei> Work out what we can support with our current capacity 17:06:39 <hyakuhei> and work out what is at risk if we don't find more people to help 17:07:06 <hyakuhei> One area we've struggled with (even with stronger numbers) is keeping the security docs up to doate 17:07:08 <hyakuhei> *date 17:07:31 <hyakuhei> asettle has been helping tremendously with a planned reboot of the docs 17:07:48 <asettle> o/ 17:07:50 <hyakuhei> but that was pre-OSIC 17:07:51 <hyakuhei> asettle want to explain more ? 17:08:12 <asettle> TL;DR I was a part of the OSIC fallout. As a result of that, I am continuing my employment at Rackspace but I am no longer working on OpenStack. I have been advised I can finalise my tenure as PTL for OpenStack docs, but then I am to step down. 17:08:28 <asettle> So, my top priority right now is sorting out what load we do have, and figuring out future plans for everything 17:08:31 <asettle> Similar to waht you guys are doing 17:08:52 <asettle> The security-doc has always lived out of the openstack-manuals tree, and has been in part managed by us, and in part managed by teh security team 17:09:07 <asettle> I know you also have a diminishing team, I am thinking that we potentially halt all development work on the Security Guide, and “stamp” an EOL date on the guide in the Abstract. Something like, “This was last updated as of $DATE and $RELEASE and may contain some out of date information.” 17:09:18 <asettle> Thoughts? I know it’s a bit of a band aid solution, but I am admittedly running out of ideas on how to make sure we’re not leading our users astray, but also keeping a maintainable workload. 17:10:21 <hyakuhei> I would prefer to have a way to avoid this but currently I don't see any other avenues 17:10:33 <hyakuhei> Without recruiting significant numbers 17:10:40 <lhinds> sounds a resonable approach to me. Did we lose the sec core who was working on reviewing sec docs? 17:10:41 <asettle> Which, like, I'm sure we would do first. And have been doing. 17:10:44 <tkelsey> +1 at least it is clear to readers that this is on hold etc, nothing worse than stale docs 17:10:50 <hyakuhei> (the act of onboarding new contributors will itself cut into our available resource for a while) 17:10:55 <hyakuhei> tkelsey +1 17:11:10 <dhellmann> asettle : should we move the guide into its own repo? or leave it where it is for now? 17:11:14 <lhinds> Nathaniel Dillon? 17:11:16 <asettle> dhellmann: it is in its own repo :) 17:11:22 <dhellmann> ah, good 17:11:23 <asettle> lhinds: that's the one, I haven't heard from him for *quite* a while 17:11:31 <dhellmann> I can't keep up with which are in the manuals repo and which are on their own 17:11:35 <asettle> dhellmann: dude tell me about it 17:11:49 <hyakuhei> Nathaniel Dillon = sicarie 17:11:55 <vds> I'm still pretty new here, I know it's not easy, but if there's a way to get a defined task, I'd be very happy to help. In general, having clear tasks is very helpful to onboard new people. 17:12:02 <hyakuhei> He's involved on a best effort / spare time basis 17:12:10 <asettle> Ah, hyakuhei that explains a lot. I did not konw. 17:12:11 <hyakuhei> Thanks vds 17:12:30 <hyakuhei> Generally speaking we like to get new people working on OSSNs while they get used to the various processes/people 17:12:31 <asettle> But that aside, it might be helpful if someone could do a quick review of the guide, and just give a best effort guess of when it was last updated 17:12:32 <lhinds> I can care take alongside vds too. 17:12:53 <lhinds> one thing, we always used docs people to +1 workflow, is that still the case? 17:13:07 <lhinds> (or rather will be it be case going forward)? 17:13:09 <hyakuhei> That's always been a useful arrangement 17:13:12 <asettle> lhinds: I don't believe it has to be. It was useful, though 17:14:05 <lhinds> So I will make a concerted effort to browse new patches each day and help get those in limbo through. 17:14:15 <asettle> That's really helpful, thank you lhinds :) 17:14:15 <hyakuhei> thank you lhinds 17:14:27 <lhinds> mp 17:14:38 <asettle> #link https://review.openstack.org/#/q/project:openstack/security-doc+status:open 17:14:42 <asettle> Seems like we still got Dave's patch up 17:14:48 <asettle> I have a review on that one 17:15:07 <hyakuhei> Ok, so it looks like lhinds is going to help stabilize what's there and perhaps vds/lhinds can help to work out how "current" the current guide is... 17:15:21 <asettle> Awesome :D thanks lhinds and vds :) 17:15:24 <lhinds> #link https://review.openstack.org/#/c/451965/ 17:15:28 <vds> thx! 17:15:32 <asettle> #link https://docs.openstack.org/security-guide/ 17:15:35 <asettle> Should be an awesome read 17:15:40 <asettle> ;) 17:16:01 <hyakuhei> Cool 17:16:16 <hyakuhei> Happy with the progress here, thank you vds lhinds asettle 17:16:25 <bsilverman_> asettle: sorry I missed the meeting, had a fire to put out that had all my attention. No issues with bug triage 17:16:35 <hyakuhei> Next up in the "at risk" category is Security Review 17:16:42 <asettle> bsilverman_: thanks - i'll ping you on our chan 17:16:48 <asettle> THanks hyakuhei :) i gotta run o/ 17:16:48 <hyakuhei> Generally we wanted to have this in place to support the VMT 17:16:49 <bsilverman_> ok 17:16:53 <hyakuhei> TY asettle 17:17:31 <hyakuhei> Talking with fungi at the summit I explained that we might not be able to deliver what we wanted 17:17:50 <hyakuhei> but the indication was that it might only be once per cycle 17:18:18 <hyakuhei> So we might be able to manage that 17:18:26 <hyakuhei> basically we won't have a fully formalized process though 17:18:30 <hyakuhei> because we can't invest in it 17:18:30 <fungi> i think that's still a perfectly useful cadence 17:19:06 <hyakuhei> We can continue to have security architects like myself, doug and anyone else who's in a similar position spend time to look at services on a more adhoc basis 17:19:15 <fungi> so far we've i think accepted one new deliverable in the past year 17:19:27 <hyakuhei> I wanted it to be much slicker. 17:20:08 <hyakuhei> the other at-risk item is Anchor 17:20:38 <hyakuhei> I know it gets used in a few places some doing OpenStack Clouds, others not 17:21:00 <hyakuhei> Support there has really dropped to a best-effort too 17:21:19 <hyakuhei> tkelsey browne thoughts? 17:21:58 <tkelsey> yeah, its not seen a lot of love in recent months. I guess a best effort is all its ever had for a while now 17:22:06 <browne> yeah, i know Anchor needs some work, since not even the requirements.txt can be updated anymore 17:22:26 <hyakuhei> Yup 17:22:34 <browne> https://review.openstack.org/#/c/438424/ 17:23:20 <hyakuhei> So we need to decide what to do there, we could have a sprint to tidy it all up then move it into a more stable/maintenance mode 17:23:28 <hyakuhei> Whatever we are doing we need to formalize it 17:23:53 <tkelsey> that would be ideal, but finding cycles is hard 17:23:58 <hyakuhei> Agreed 17:24:13 <hyakuhei> Can't figure it out now but we need to work it out. 17:24:20 <hyakuhei> Ok, we need to move along 17:24:30 <tkelsey> +1 17:24:57 <hyakuhei> Do we think we can continue to maintain and develop/deliver OSSN Bandit Syntribos 17:25:06 <hyakuhei> mdong michaelxin lhinds tkelsey browne 17:25:45 <lhinds> OSSN is fine. 17:25:53 <browne> i've been slowly maintaining Bandit, but it definitely needs more contributors 17:25:53 <mdong> on syntribos: we’ve been using it internally to test some rackspace projects 17:25:54 <tkelsey> im not sure how much work Bandit needs, just keeping ontop of updates and adding in new tests as people make them 17:26:01 <hyakuhei> I thought so but wanted to confirm lhinds :) 17:26:13 <browne> Bandit is mostly stable, maintenance 17:26:37 <tkelsey> browne: +1, I know I have dropped the ball my end, I'll try and look in on it more often 17:26:37 <hyakuhei> browne we know a few companies outside of OpenStack are using Bandit, I wonder if we can get them to contribute. 17:26:42 <hyakuhei> ty tkelsey 17:26:50 <lhinds> browne: do you need people to help maintain or to contribute new features / specs? 17:26:53 <mdong> as for further development, it’s going to be slow, but we’re still planning on adding new features as they’re needed 17:26:56 <browne> hyakuhei: that would be nice 17:26:59 <hyakuhei> Thank you mdong 17:27:09 <hyakuhei> So no objections to these projects not being on the "at risk" list 17:27:15 <hyakuhei> however we accept some need a bit more time in the sun 17:27:16 <hyakuhei> ? 17:27:24 <mdong> I’d agree with that 17:27:29 <tkelsey> +1 17:27:33 <lhinds> +1 17:27:49 <hyakuhei> Cool 17:27:50 <hyakuhei> ok moving swiftly on 17:27:51 <hyakuhei> #topic PTG 17:27:52 <hyakuhei> Do we want/need a room at the PTG 17:27:58 <hyakuhei> Based on recent contractions I'm not sure 17:28:37 <hyakuhei> We _did_ get lots done at the last PTG... 17:28:49 <hyakuhei> #link https://www.openstack.org/ptg/ 17:28:53 <hyakuhei> Think about it and let me know 17:28:59 <hyakuhei> #topic Any Other Business 17:29:08 <hyakuhei> Jumping straight to AOB as we're almost out of time 17:29:24 <hyakuhei> I'm out for the next two thursdays (Honeymoon!) 17:29:35 <hyakuhei> lhinds can you hold down the fort/delegate as required please? 17:29:43 <browne> hyakuhei: congrats! 17:29:50 <lhinds> hyakuhei: no problem 17:30:23 <hyakuhei> Ty :) 17:30:25 <hyakuhei> ok that's time 17:30:26 <mdong> grats hyakuhei! 17:30:30 <hyakuhei> Thanks all, useful meeting! 17:30:35 <lhinds> thanks all 17:30:40 <hyakuhei> #endmeeting