17:00:53 <hyakuhei> #startmeeting Security
17:00:57 <openstack> Meeting started Thu Jun  1 17:00:53 2017 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:58 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:00 <openstack> The meeting name has been set to 'security'
17:01:16 <lhinds> o/
17:01:17 <hyakuhei> #chair lhinds
17:01:17 <mdong> o/
17:01:18 <asettle> o/
17:01:18 <openstack> Current chairs: hyakuhei lhinds
17:01:23 <hyakuhei> Hey all!
17:01:28 <vds> o/
17:01:31 <hyakuhei> :)
17:01:35 <mdong> hey!
17:01:52 <hyakuhei> I'll see if I can rustle-up sicarie.
17:01:59 <browne> o/
17:02:15 <lhinds> a few more this week, that's good.
17:02:20 <hyakuhei> heh
17:03:06 <hyakuhei> ok, the agenda is up in the normal place
17:03:11 <hyakuhei> #link https://etherpad.openstack.org/p/security-agenda
17:04:13 <hyakuhei> So while I see if we can find capnoday and sicarie check out the agenda
17:04:39 <asettle> hyakuhei: any chance we could scoot the docs up? I'm sorry, I gotta run :(
17:05:01 <hyakuhei> It is pretty much top
17:05:10 <hyakuhei> #topic Team commitments
17:05:15 <asettle> Ah, "at risk" I see :)
17:05:18 <asettle> I just saw "secuirty docs"
17:05:20 <asettle> .... ugh
17:05:22 <asettle> security*
17:05:32 <hyakuhei> Heh yeah sorry, we have a standing update for docs too
17:05:37 <asettle> Love it :D
17:06:07 <hyakuhei> Ok, the team has gone through some shrinkage recently, not just because of OSIC but the general (apparent) contraction of $corp investment at the moment
17:06:11 <hyakuhei> welcome tkelsey
17:06:18 <tkelsey> o/
17:06:20 <hyakuhei> Because of this we need to do a few things.
17:06:30 <hyakuhei> Work out what we can support with our current capacity
17:06:39 <hyakuhei> and work out what is at risk if we don't find more people to help
17:07:06 <hyakuhei> One area we've struggled with (even with stronger numbers) is keeping the security docs up to doate
17:07:08 <hyakuhei> *date
17:07:31 <hyakuhei> asettle has been helping tremendously with a planned reboot of the docs
17:07:48 <asettle> o/
17:07:50 <hyakuhei> but that was pre-OSIC
17:07:51 <hyakuhei> asettle want to explain more ?
17:08:12 <asettle> TL;DR I was a part of the OSIC fallout. As a result of that, I am continuing my employment at Rackspace but I am no longer working on OpenStack. I have been advised I can finalise my tenure as PTL for OpenStack docs, but then I am to step down.
17:08:28 <asettle> So, my top priority right now is sorting out what load we do have, and figuring out future plans for everything
17:08:31 <asettle> Similar to what you guys are doing
17:08:52 <asettle> The security-doc has always lived out of the openstack-manuals tree, and has been in part managed by us, and in part managed by the security team
17:09:07 <asettle> I know you also have a diminishing team, I am thinking that we potentially halt all development work on the Security Guide, and “stamp” an EOL date on the guide in the Abstract. Something like, “This was last updated as of $DATE and $RELEASE and may contain some out of date information.”
17:09:18 <asettle> Thoughts? I know it’s a bit of a band aid solution, but I am admittedly running out of ideas on how to make sure we’re not leading our users astray, but also keeping a maintainable workload.
17:10:21 <hyakuhei> I would prefer to have a way to avoid this but currently I don't see any other avenues
17:10:33 <hyakuhei> Without recruiting significant numbers
17:10:40 <lhinds> sounds a reasonable approach to me. Did we lose the sec core who was working on reviewing sec docs?
17:10:41 <asettle> Which, like, I'm sure we would do first. And have been doing.
17:10:44 <tkelsey> +1 at least it is clear to readers that this is on hold etc, nothing worse than stale docs
17:10:50 <hyakuhei> (the act of onboarding new contributors will itself cut into our available resource for a while)
17:10:55 <hyakuhei> tkelsey +1
17:11:10 <dhellmann> asettle : should we move the guide into its own repo? or leave it where it is for now?
17:11:14 <lhinds> Nathaniel Dillon?
17:11:16 <asettle> dhellmann: it is in its own repo :)
17:11:22 <dhellmann> ah, good
17:11:23 <asettle> lhinds: that's the one, I haven't heard from him for *quite* a while
17:11:31 <dhellmann> I can't keep up with which are in the manuals repo and which are on their own
17:11:35 <asettle> dhellmann: dude tell me about it
17:11:49 <hyakuhei> Nathaniel Dillon = sicarie
17:11:55 <vds> I'm still pretty new here, I know it's not easy, but if there's a way to get a defined task, I'd be very happy to help. In general, having clear tasks is very helpful to onboard new people.
17:12:02 <hyakuhei> He's involved on a best effort / spare time basis
17:12:10 <asettle> Ah, hyakuhei that explains a lot. I did not know.
17:12:11 <hyakuhei> Thanks vds
17:12:30 <hyakuhei> Generally speaking we like to get new people working on OSSNs while they get used to the various processes/people
17:12:31 <asettle> But that aside, it might be helpful if someone could do a quick review of the guide, and just give a best effort guess of when it was last updated
17:12:32 <lhinds> I can care take alongside vds too.
17:12:53 <lhinds> one thing, we always used docs people to +1 workflow, is that still the case?
17:13:07 <lhinds> (or rather, will it be the case going forward)?
17:13:09 <hyakuhei> That's always been a useful arrangement
17:13:12 <asettle> lhinds: I don't believe it has to be. It was useful, though
17:14:05 <lhinds> So I will make a concerted effort to browse new patches each day and help get those in limbo through.
17:14:15 <asettle> That's really helpful, thank you lhinds :)
17:14:15 <hyakuhei> thank you lhinds
17:14:27 <lhinds> np
17:14:38 <asettle> #link https://review.openstack.org/#/q/project:openstack/security-doc+status:open
17:14:42 <asettle> Seems like we still got Dave's patch up
17:14:48 <asettle> I have a review on that one
17:15:07 <hyakuhei> Ok, so it looks like lhinds is going to help stabilize what's there and perhaps vds/lhinds can help to work out how "current" the current guide is...
17:15:21 <asettle> Awesome :D thanks lhinds and vds :)
17:15:24 <lhinds> #link https://review.openstack.org/#/c/451965/
17:15:28 <vds> thx!
17:15:32 <asettle> #link https://docs.openstack.org/security-guide/
17:15:35 <asettle> Should be an awesome read
17:15:40 <asettle> ;)
17:16:01 <hyakuhei> Cool
17:16:16 <hyakuhei> Happy with the progress here, thank you vds lhinds asettle
17:16:25 <bsilverman_> asettle: sorry I missed the meeting, had a fire to put out that had all my attention. No issues with bug triage
17:16:35 <hyakuhei> Next up in the "at risk" category is Security Review
17:16:42 <asettle> bsilverman_: thanks - i'll ping you on our chan
17:16:48 <asettle> Thanks hyakuhei :) i gotta run o/
17:16:48 <hyakuhei> Generally we wanted to have this in place to support the VMT
17:16:49 <bsilverman_> ok
17:16:53 <hyakuhei> TY asettle
17:17:31 <hyakuhei> Talking with fungi at the summit I explained that we might not be able to deliver what we wanted
17:17:50 <hyakuhei> but the indication was that it might only be once per cycle
17:18:18 <hyakuhei> So we might be able to manage that
17:18:26 <hyakuhei> basically we won't have a fully formalized process though
17:18:30 <hyakuhei> because we can't invest in it
17:18:30 <fungi> i think that's still a perfectly useful cadence
17:19:06 <hyakuhei> We can continue to have security architects like myself, doug and anyone else who's in a similar position spend time to look at services on a more adhoc basis
17:19:15 <fungi> so far we've i think accepted one new deliverable in the past year
17:19:27 <hyakuhei> I wanted it to be much slicker.
17:20:08 <hyakuhei> the other at-risk item is Anchor
17:20:38 <hyakuhei> I know it gets used in a few places some doing OpenStack Clouds, others not
17:21:00 <hyakuhei> Support there has really dropped to a best-effort too
17:21:19 <hyakuhei> tkelsey browne thoughts?
17:21:58 <tkelsey> yeah, it's not seen a lot of love in recent months. I guess a best effort is all it's ever had for a while now
17:22:06 <browne> yeah, i know Anchor needs some work, since not even the requirements.txt can be updated anymore
17:22:26 <hyakuhei> Yup
17:22:34 <browne> https://review.openstack.org/#/c/438424/
17:23:20 <hyakuhei> So we need to decide what to do there, we could have a sprint to tidy it all up then move it into a more stable/maintenance mode
17:23:28 <hyakuhei> Whatever we are doing we need to formalize it
17:23:53 <tkelsey> that would be ideal, but finding cycles is hard
17:23:58 <hyakuhei> Agreed
17:24:13 <hyakuhei> Can't figure it out now but we need to work it out.
17:24:20 <hyakuhei> Ok, we need to move along
17:24:30 <tkelsey> +1
17:24:57 <hyakuhei> Do we think we can continue to maintain and develop/deliver OSSN Bandit Syntribos
17:25:06 <hyakuhei> mdong michaelxin lhinds tkelsey browne
17:25:45 <lhinds> OSSN is fine.
17:25:53 <browne> i've been slowly maintaining Bandit, but it definitely needs more contributors
17:25:53 <mdong> on syntribos: we’ve been using it internally to test some rackspace projects
17:25:54 <tkelsey> I'm not sure how much work Bandit needs, just keeping on top of updates and adding in new tests as people make them
17:26:01 <hyakuhei> I thought so but wanted to confirm lhinds :)
17:26:13 <browne> Bandit is mostly stable, maintenance
17:26:37 <tkelsey> browne: +1, I know I have dropped the ball my end, I'll try and look in on it more often
17:26:37 <hyakuhei> browne we know a few companies outside of OpenStack are using Bandit, I wonder if we can get them to contribute.
17:26:42 <hyakuhei> ty tkelsey
17:26:50 <lhinds> browne: do you need people to help maintain or to contribute new features / specs?
17:26:53 <mdong> as for further development, it’s going to be slow, but we’re still planning on adding new features as they’re needed
17:26:56 <browne> hyakuhei: that would be nice
17:26:59 <hyakuhei> Thank you mdong
17:27:09 <hyakuhei> So no objections to these projects not being on the "at risk" list
17:27:15 <hyakuhei> however we accept some need a bit more time in the sun
17:27:16 <hyakuhei> ?
17:27:24 <mdong> I’d agree with that
17:27:29 <tkelsey> +1
17:27:33 <lhinds> +1
17:27:49 <hyakuhei> Cool
17:27:50 <hyakuhei> ok moving swiftly on
17:27:51 <hyakuhei> #topic PTG
17:27:52 <hyakuhei> Do we want/need a room at the PTG
17:27:58 <hyakuhei> Based on recent contractions I'm not sure
17:28:37 <hyakuhei> We _did_ get lots done at the last PTG...
17:28:49 <hyakuhei> #link https://www.openstack.org/ptg/
17:28:53 <hyakuhei> Think about it and let me know
17:28:59 <hyakuhei> #topic Any Other Business
17:29:08 <hyakuhei> Jumping straight to AOB as we're almost out of time
17:29:24 <hyakuhei> I'm out for the next two thursdays (Honeymoon!)
17:29:35 <hyakuhei> lhinds can you hold down the fort/delegate as required please?
17:29:43 <browne> hyakuhei: congrats!
17:29:50 <lhinds> hyakuhei: no problem
17:30:23 <hyakuhei> Ty :)
17:30:25 <hyakuhei> ok that's time
17:30:26 <mdong> grats hyakuhei!
17:30:30 <hyakuhei> Thanks all, useful meeting!
17:30:35 <lhinds> thanks all
17:30:40 <hyakuhei> #endmeeting