17:01:11 #startmeeting security
17:01:12 Meeting started Thu Jul 20 17:01:11 2017 UTC and is due to finish in 60 minutes. The chair is lhinds_. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:14 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:17 The meeting name has been set to 'security'
17:01:24 #chair hyakuhei
17:01:24 Current chairs: hyakuhei lhinds_
17:01:59 #topic agenda
17:02:10 #link https://etherpad.openstack.org/p/security-agenda
17:02:47 michaelxin are you around for Syntribos?
17:03:09 dave-mccowan perhaps for bandit?
17:03:34 sorry, not dave-mccowan
17:04:02 hyakuhei: are you around bud?
17:05:52 anyone else online for the security project meeting, if so please say hi?
17:06:22 o/
17:06:23 mostly lurking
17:06:35 hey mdong fungi
17:06:49 multitasking atm, but I’m here!
17:06:57 mdong: first up is syntribos
17:07:07 #topic syntribos
17:07:08 cool
17:07:27 I see you merged a few patches
17:07:43 Not much new to report, I haven’t been working on it as much as I’d like this week. But I did go and +2 some pending reviews
17:08:36 I have been trying to help out with reviews as well, but I still need to get up to speed a little before I might be very useful.
17:08:37 there’s 2 other members of the team who have been using syntribos testing their projects, I’m working on a CR that addresses some of their concerns with error handling and such
17:09:03 cool
17:09:08 I saw you putting some +1’s on CR’s lhinds, thank you for that, it’s appreciated for sure
17:09:16 no problem
17:09:57 the feature that’s being worked on is a non-deterministic fuzzer
17:10:29 we started working on it when OSIC was still around but we’re going back to it now
17:11:16 is syntribos planned as a gate (or already is)?
17:12:24 it’s definitely in the plans, the security team here at rackspace is working on a security CI/CD pipeline
17:12:52 that involves running different tools and collecting the results in Jenkins
17:13:16 I’ll be working with them in the next month or so to integrate syntribos into that project
17:13:49 is it something worth running upstream at all?
17:14:34 good question
17:14:40 or by "jenkins" do you mean our upstream ci (which doesn't actually use the jenkins service for the past year)
17:16:32 no, it’s a toolset that’s been developed internally, I’m sure it could be useful in an openstack context at some point
17:16:50 neat. definitely keep us posted
17:17:02 +1
17:17:14 but to get syntribos to that point would entail some changes that would make it more ci/cd friendly
17:17:28 such is the story with a lot of software ;)
17:17:31 I’ll for sure keep you posted on how that goes
17:17:57 I don’t have much else to add on syntribos
17:18:30 I recently rigged this into a downstream project (opnfv): https://github.com/opnfv/releng-anteater/ - it's sort of the same as Bandit, but not AST, plain regex..this is using jjb / jenkins
17:18:58 off topic though, but maybe able to help with syntribos
17:19:27 any up-sides to the regex approach?
17:19:31 very interesting, I’ll definitely look into that
17:20:04 I’ll forward this to cneill too, he’s been the one working on the security cicd pipeline, he’d definitely be interested
17:20:10 i guess the point is to make it less language-specific?
17:20:18 fungi: language agnostic
17:20:19 (with that anteater tool i mean)
17:20:25 fungi: :) yep
17:20:28 okay, as i assumed then ;)
17:21:00 fungi: and we can look for stuff like curl | bash etc
17:21:28 anything you can write regex around, will get pulled out, but it also has an exception list, so you can grant 'waivers'
17:22:05 ok, i think OSSN, as Bandit folks are not here just now.
17:22:08 #topic OSSN
17:22:30 just the following in review:
17:22:34 #link https://review.openstack.org/#/c/484701/
17:23:05 fungi: I removed the rh url from launchpad to keep it simple. I think the OSSN describes just what to do, thanks to the LP content
17:23:19 that should be close to merging soon.
17:23:42 removed which rh url?
17:24:16 ahh, you removed the [1] but left the url to their cve entry in the footer
17:24:43 i can't tell whether that was intentional or not
17:25:16 also you left the [1] in the prose
17:25:17 it kind of was not (I have been all over the place with this patch), but it was a reference used, so perhaps it can stay.
17:25:40 duh, let me send another patchset :)
17:25:44 too much multitasking
17:26:16 I should have the other open OSSN `get_identity_providers` in later next week
17:26:49 ok, that's it for OSSN
17:26:55 #topic AOB
17:27:25 (I skipped keystone VMT cov as gagehugo is unavailable)
17:28:33 I figure no AOB, ok thanks mdong & fungi !
17:28:54 same time next week and have a nice weekend.
17:28:58 i have no idea what aob is
17:29:09 Sorry, any other business
17:29:14 aha
17:29:29 any plans for ptg yet?
17:29:34 nah, other than reviews on open public vulnerability reports are always welcome from the community
17:29:42 fungi: +1
17:29:56 #link https://bugs.launchpad.net/ossa/ open public vulnerability reports
17:30:06 dave-mccowan: good point, hyakuhei was going to check with barbican if we could room share
17:30:22 I will ask on his behalf and we could build out some topics then.
17:30:29 will you be there dave-mccowan ?
17:30:59 i will be there M-Th. last i saw security had a room M-T, and Barbican has a room W-Th.
17:31:25 we (barbican) don't have 2 days' worth of topics, so we're up for extra topics.
17:31:45 one idea is custodia. has anyone in security group taken a look at that?
17:32:53 I have not in depth, but hopefully others have (and will input where I can)
17:33:26 room sharing sounds pragmatic, as we also won't have a full week's worth of items.
17:33:39 i've never heard of it, and having trouble with web searches for it
17:33:58 dave-mccowan: has barbican got PTG planning underway, do you have an etherpad?
17:34:09 https://docs.google.com/spreadsheets/d/1xmOdT6uZ5XqViActr5sBOaz_mEgjKSCY7NEWcAEcT-A/pubhtml?gid=397241312&single=true
17:34:13 room schedule ^^
17:34:20 i see there's an antivirus and personal firewall for windows named "custodia" but assuming that's not what it is
17:34:28 i haven't started an etherpad yet, but i'll start one today.
17:35:01 there was a summit presentation on custodia in boston. it's a way to encrypt passwords in openstack config files.
17:35:25 aha, found it (i think)
17:35:34 dave-mccowan: I have added PTG to next week's agenda, and we can then combine topics if that sounds good to you?
17:35:37 #link https://github.com/latchset/custodia An API to manage secrets storage and retrieval
17:35:46 that? ^
17:35:54 fungi: that's it
17:36:12 * fungi is now caught up ;)
17:36:41 makes sense in the context of barbican
17:36:57 yep
17:37:03 i think it solves a different problem than barbican.
17:37:35 since barbican requires keystone for authn/z, it can't be used for storing the passwords in config files.
17:37:58 custodia gets the database and rabbit passwords out of nova.conf, for example.
17:38:00 sure, i just meant makes more sense to be something you're talking about than a windows-only desktop av/fw app
17:38:12 ah.. yes. :-)
17:38:38 which was the first remotely reasonable hit for my search results on the name
17:38:56 after lots of links to spanish dictionaries
17:40:16 dave-mccowan: are there plans to make it an openstack project?
17:41:02 i do recognize the names of some of the contributors, so that's reassuring
17:41:25 i don't know. the authors presented at the boston summit, so it's at least openstack friendly.
17:41:48 ooh, i missed that talk
17:42:09 I can check with nkinder or simo
17:42:36 I think we could definitely do some good topics around it.
17:43:20 we could maybe have incubated under the security project too?
17:43:35 it's a nice problem to solve. i get asked a lot why there are clear text passwords in the config file.
17:43:55 yeah, i get that one all the time too,
17:44:21 well, i also get it from people who don't think through the turtles-all-the-way-down situation with a lot of that
17:44:36 ok, I think we can close up for now. dave-mccowan please drop in next week again if you're around
17:45:03 ok, thanks again all, unless anyone has a burning need to say something?
17:45:10 not me!
17:45:34 thx again
17:45:37 #endmeeting