17:01:11 <lhinds_> #startmeeting security
17:01:12 <openstack> Meeting started Thu Jul 20 17:01:11 2017 UTC and is due to finish in 60 minutes.  The chair is lhinds_. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:14 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:17 <openstack> The meeting name has been set to 'security'
17:01:24 <lhinds_> #chair hyakuhei
17:01:24 <openstack> Current chairs: hyakuhei lhinds_
17:01:59 <lhinds_> #topic agenda
17:02:10 <lhinds_> #link https://etherpad.openstack.org/p/security-agenda
17:02:47 <lhinds_> michaelxin are you around for Syntribos?
17:03:09 <lhinds_> dave-mccowan perhaps for bandit?
17:03:34 <lhinds_> sorry, not dave-mccowan
17:04:02 <lhinds_> hyakuhei:  are you around bud?
17:05:52 <lhinds_> anyone else online for the security project meeting, if so please say hi?
17:06:22 <mdong> o/
17:06:23 <fungi> mostly lurking
17:06:35 <lhinds_> hey mdong fungi
17:06:49 <mdong> multitasking atm, but I’m here!
17:06:57 <lhinds_> mdong: first up is  syntribos
17:07:07 <lhinds_> #topic syntribos
17:07:08 <mdong> cool
17:07:27 <lhinds_> I see you merged a few patches
17:07:43 <mdong> Not much new to report, I haven’t been working on it as much as I’d like this week. But I did go and +2 some pending reviews
17:08:36 <lhinds_> I have been trying to help out with reviews as well, but I still need to get up to speed a little before I might be very useful.
17:08:37 <mdong> there’s 2 other members of the team who have been using syntribos to test their projects, I’m working on a CR that addresses some of their concerns with error handling and such
17:09:03 <lhinds_> cool
17:09:08 <mdong> I saw you putting some +1’s on CR’s lhinds, thank you for that, it’s appreciated for sure
17:09:16 <lhinds_> no problem
17:09:57 <mdong> the feature that’s being worked on is a non-deterministic fuzzer
17:10:29 <mdong> we started working on it when OSIC was still around but we’re going back to it now
17:11:16 <lhinds_> is syntribos planned as a gate (or already is)?
17:12:24 <mdong> it’s definitely in the plans, the security team here at rackspace is working on a security CI/CD pipeline
17:12:52 <mdong> that involves running different tools and collecting the results in Jenkins
17:13:16 <mdong> I’ll be working with them in the next month or so to integrate syntribos into that project
17:13:49 <fungi> is it something worth running upstream at all?
17:14:34 <mdong> good question
17:14:40 <fungi> or by "jenkins" do you mean our upstream ci (which doesn't actually use the jenkins service for the past year)
17:16:32 <mdong> no, it’s a toolset that’s been developed internally, I’m sure it could be useful in an openstack context at some point
17:16:50 <fungi> neat. definitely keep us posted
17:17:02 <lhinds_> +1
17:17:14 <mdong> but to get syntribos to that point would entail some changes that would make it more ci/cd friendly
17:17:28 <fungi> such is the story with a lot of software ;)
17:17:31 <mdong> I’ll for sure keep you posted on how that goes
17:17:57 <mdong> I don’t have much else to add on syntribos
17:18:30 <lhinds_> I recently rigged this into a downstream project (opnfv): https://github.com/opnfv/releng-anteater/ - it's sort of the same as Bandit, but not AST, plain regex..this is using jjb / jenkins
17:18:58 <lhinds_> off topic though, but maybe able to help with syntribos
17:19:27 <fungi> any up-sides to the regex approach?
17:19:31 <mdong> very interesting, I’ll definitely look into that
17:20:04 <mdong> I’ll forward this to cneill too, he’s been the one working on the security cicd pipeline, he’d definitely be interested
17:20:10 <fungi> i guess the point is to make it less language-specific?
17:20:18 <lhinds_> fungi: language agnostic
17:20:19 <fungi> (with that anteater tool i mean)
17:20:25 <lhinds_> fungi: :) yep
17:20:28 <fungi> okay, as i assumed then ;)
17:21:00 <lhinds_> fungi: and we can look for stuff like  curl | bash  etc
17:21:28 <lhinds_> anything you can write regex around, will get pulled out, but it also has an exception list, so you can grant 'waivers'
17:22:05 <lhinds_> ok, i think OSSN, as Bandit folks are not here just now.
17:22:08 <lhinds_> #topic OSSN
17:22:30 <lhinds_> just the following in review:
17:22:34 <lhinds_> #link https://review.openstack.org/#/c/484701/
17:23:05 <lhinds_> fungi: I removed the rh url from launchpad to keep it simple. I think the OSSN describes just what to do, thanks to the LP content
17:23:19 <lhinds_> that should be close to merging soon.
17:23:42 <fungi> removed which rh url?
17:24:16 <fungi> ahh, you removed the [1] but left the url to their cve entry in the footer
17:24:43 <fungi> i can't tell whether that was intentional or not
17:25:16 <fungi> also you left the [1] in the prose
17:25:17 <lhinds_> it kind of was not (I have been all over the place with this patch), but it was a reference used, so perhaps it can stay.
17:25:40 <lhinds_> duh, let me send another patchset :)
17:25:44 <lhinds_> too much multitasking
17:26:16 <lhinds_> I should have the other open OSSN `get_identity_providers` in later next week
17:26:49 <lhinds_> ok, that's it for OSSN
17:26:55 <lhinds_> #topic AOB
17:27:25 <lhinds_> (I skipped keystone VMT cov as gagehugo is unavailable)
17:28:33 <lhinds_> I figure no AOB, ok thanks mdong & fungi !
17:28:54 <lhinds_> same time next week and have a nice weekend.
17:28:58 <fungi> i have no idea what aob is
17:29:09 <lhinds_> Sorry, any other business
17:29:14 <fungi> aha
17:29:29 <dave-mccowan> any plans for ptg yet?
17:29:34 <fungi> nah, other than reviews on open public vulnerability reports are always welcome from the community
17:29:42 <lhinds_> fungi: +1
17:29:56 <fungi> #link https://bugs.launchpad.net/ossa/ open public vulnerability reports
17:30:06 <lhinds_> dave-mccowan: good point, hyakuhei was going to check with barbican if we could room share
17:30:22 <lhinds_> I will ask on his behalf and we could build out some topics then.
17:30:29 <lhinds_> will you be there dave-mccowan ?
17:30:59 <dave-mccowan> i will be there M-Th.  last i saw security had a room M-T, and Barbican has a room W-Th.
17:31:25 <dave-mccowan> we (barbican) don't have 2 days worth of topics, so we're up for extra topics.
17:31:45 <dave-mccowan> one idea is custodia.  has anyone in security group taken a look at that?
17:32:53 <lhinds_> I have not in depth, but hopefully others have (and will input where I can)
17:33:26 <lhinds_> room sharing sounds pragmatic, as we also won't have a full week's worth of items.
17:33:39 <fungi> i've never heard of it, and having trouble with web searches for it
17:33:58 <lhinds_> dave-mccowan: has barbican got PTG planning underway, do you have an etherpad?
17:34:09 <dave-mccowan> https://docs.google.com/spreadsheets/d/1xmOdT6uZ5XqViActr5sBOaz_mEgjKSCY7NEWcAEcT-A/pubhtml?gid=397241312&single=true
17:34:13 <dave-mccowan> room schedule ^^
17:34:20 <fungi> i see there's an antivirus and personal firewall for windows named "custodia" but assuming that's not what it is
17:34:28 <dave-mccowan> i haven't started an etherpad yet, but i'll start one today.
17:35:01 <dave-mccowan> there was a summit presentation on custodia in boston.  it's a way to encrypt passwords in openstack config files.
17:35:25 <fungi> aha, found it (i think)
17:35:34 <lhinds_> dave-mccowan: I have added PTG to next week's agenda, and we can then combine topics if that sounds good to you?
17:35:37 <fungi> #link https://github.com/latchset/custodia An API to manage secrets storage and retrieval
17:35:46 <fungi> that? ^
17:35:54 <lhinds_> fungi: that's it
17:36:12 * fungi is now caught up ;)
17:36:41 <fungi> makes sense in the context of barbican
17:36:57 <lhinds_> yep
17:37:03 <dave-mccowan> i think it solves a different problem than barbican.
17:37:35 <dave-mccowan> since barbican requires keystone for authn/z, it can't be used for storing the passwords in config files.
17:37:58 <dave-mccowan> custodia gets the database and rabbit passwords out of nova.conf, for example.
17:38:00 <fungi> sure, i just meant makes more sense to be something you're talking about than a windows-only desktop av/fw app
17:38:12 <dave-mccowan> ah.. yes. :-)
17:38:38 <fungi> which was the first remotely reasonable hit for my search results on the name
17:38:56 <fungi> after lots of links to spanish dictionaries
17:40:16 <lhinds_> dave-mccowan: are there plans to make it an openstack project?
17:41:02 <fungi> i do recognize the names of some of the contributors, so that's reassuring
17:41:25 <dave-mccowan> i don't know.  the authors presented at the boston summit, so it's at least openstack friendly.
17:41:48 <fungi> ooh, i missed that talk
17:42:09 <lhinds_> I can check with nkinder or simo
17:42:36 <lhinds_> I think we could definitely do some good topics around it.
17:43:20 <lhinds_> we could maybe have incubated under the security project too?
17:43:35 <dave-mccowan> it's a nice problem to solve.  i get asked a lot why there are clear text passwords in the config file.
17:43:55 <lhinds_> yeah, i get that one all the time too.
17:44:21 <fungi> well, i also get it from people who don't think through the turtles-all-the-way-down situation with a lot of that
17:44:36 <lhinds_> ok, I think we can close up for now. dave-mccowan please drop in next week again if you're around
17:45:03 <lhinds_> ok, thanks again all, unless anyone has a burning need to say something?
17:45:10 <fungi> not me!
17:45:34 <lhinds_> thx again
17:45:37 <lhinds_> #endmeeting