17:01:23 #startmeeting security
17:01:24 Meeting started Thu Aug 3 17:01:23 2017 UTC and is due to finish in 60 minutes. The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:25 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:27 The meeting name has been set to 'security'
17:01:34 #chair hyakuhei
17:01:35 Current chairs: hyakuhei lhinds
17:01:43 o/
17:01:58 hi gagehugo , not sure how many around this week?
17:02:09 #info roll call for security project members / cores...
17:03:39 michaelxin mdong maybe?
17:04:01 #topic agenda
17:04:05 #link https://etherpad.openstack.org/p/security-agenda
17:04:26 gagehugo: we can jump to yours first, as I guess some are on holiday still.
17:04:36 ok
17:04:37 oh having said that, I bet fungi is around
17:04:52 #topic Keystone VMT Coverage
17:05:01 #link https://review.openstack.org/#/c/447139/
17:05:08 how's this going now gagehugo ?
17:05:38 I'm not sure what else to add, if there is anything else missing
17:05:46 otherwise I assume all the info is in there?
17:05:57 This is my first security-review doc
17:06:12 yep
17:06:29 * fungi is always around, just juggling several things at once
17:06:38 hey fungi
17:06:51 gagehugo: architecture-page.rst looks good from a cursory look
17:06:57 i have a reminder for this meeting, just took me a few minutes to spot it
17:07:02 sorry
17:07:06 no worries fungi
17:07:19 appreciate you being here
17:07:43 gagehugo: Looks like /review-findings.rst needs some entries
17:08:11 unless I am misunderstanding the flow of work
17:08:29 lhinds I wasn't sure if that was supposed to be filled out by the auditors?
17:09:13 gagehugo: understood, will be honest I don't know either. But I will find out, and speak with doug and co who devised this.
17:09:25 I basically followed this: https://security.openstack.org/vmt-process.html
17:09:52 and followed what barbican did
17:10:06 https://github.com/openstack/security-analysis/tree/master/doc/source/artifacts/barbican/newton
17:10:35 fungi: were you part of the verification of the barbican threat analysis (as a gate for it reaching VMT approved)?
17:11:30 lhinds: i was not, no
17:11:50 the vmt mainly just wanted to see that someone had assembled and published and reviewed something we could refer to later
17:12:07 ack, I will look into this, we can then move it forward
17:12:56 #action lhinds to find out next steps for ksmiddleware threat analysis (specifically who reviews in doc review-findings.rst)
17:13:05 please let me know if you find anything else that I should do as well
17:13:39 gagehugo: leave it with me, I don't expect the meeting will be on next week, but will email you / ping you on irc.
17:13:53 definitely want to make use of your good work
17:13:57 lhinds sounds good!
17:14:04 thx gagehugo
17:14:07 thanks for looking into this
17:14:27 so I don't believe we have any syntribos / bandit folks around now
17:14:33 #topic PTG
17:14:42 gagehugo: are you at the PTG at all?
17:14:53 yup I am planning on being there
17:15:10 i think i'm the only vmt member attending the ptg
17:15:39 ok cool, fungi gagehugo, if you're interested we will share rooms with barbican on wed/thurs
17:15:52 though my time will be pretty heavily split between infra/tc/elections/release related discussions as well
17:15:54 lhinds ok
17:16:05 we plan to go over custodia which is hoping to be an oslo driver
17:16:29 put simply, it means no more passwords hardcoded into configs, and instead there is a secure API that's used.
17:16:29 if you have something you want vmt input on in some discussions there, please reach out to me and i'll try to drop in
17:16:44 sure!
17:16:45 fungi: ack, sure will.
17:16:56 yeah I might come by for custodia stuff
17:17:13 this is the planning pad:
17:17:15 https://etherpad.openstack.org/p/barbican-ptg-queens
17:17:28 feel free to put your name on (but it's not signing up as committed)
17:17:34 will do
17:18:14 I expect we will also do some work on the security guide, including a sprint on key management. I will also add threat analysis
17:18:39 #topic OSSN
17:19:33 o/ hey guys, sorry to be late, I can give some quick syntribos updates at the end if you’d like
17:19:36 fungi: I still have that last OSSN to get out, we currently have an embargoed one for a non VMT managed project that I allowed to jump to the front, so they have time to merge into master for pike.
17:19:43 hey mdong !
17:19:47 nice to see you man.
17:20:05 I think we can go to syntribos now
17:20:08 good to be here =)
17:20:10 #topic syntribos
17:20:16 lhinds: sounds good
17:20:35 mdong: are you at the PTG?
17:21:40 cool, so after talking to team members who are using syntribos, one of the concerns they have on syntribos is performance, so the next thing we’re going to do is to address that by rewriting our HTTP client using asynchronous networking libraries
17:21:48 since that is the main performance bottleneck
17:21:53 no, I’m not at the PTG, unfortunately
17:22:29 sounds interesting mdong , which library did you decide on?
17:22:56 Twisted looks promising
17:24:14 don't know it too well, but a colleague was using twisted.web and said it was pretty solid
17:25:12 I will make sure I bring up syntribos at the PTG to try and gather interest
17:25:16 thanks mdong
17:25:25 i have some not-so-fond memories of twisted-python, but it's been a few years since i tried to use it for anything serious so hopefully it's improved
17:26:24 for something that started out as a simple mud server backend, it got really complicated
17:26:27 python and anything asynchronous is a challenge I guess
17:26:53 ok, so we are almost at the .30 point and end of meeting
17:27:10 many thanks gagehugo , mdong and fungi for making it.
17:27:31 I don't expect the meeting will be on next week, as I am away and I don't think hyakuhei is around now.
17:28:03 so we can reconvene in two weeks (17th)
17:28:10 thanks all!
17:28:14 #endmeeting