17:00:52 <lhinds> #startmeeting security
17:00:53 <openstack> Meeting started Thu Oct 12 17:00:52 2017 UTC and is due to finish in 60 minutes. The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:55 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:58 <openstack> The meeting name has been set to 'security'
17:01:05 <lhinds> #topic roll-call..
17:02:51 <openstack> macermak: Error: Can't start another meeting, one is in progress. Use #endmeeting first.
17:03:00 <lhinds> hi macermak
17:03:06 <macermak> hi, lhinds
17:03:18 <lhinds> just waiting to see if more turn up
17:04:05 <lhinds> macermak: I will try and dig into these zuul failures tomorrow that are holding up your bandit patch
17:04:50 <gagehugo> o/
17:04:55 <lhinds> hey gagehugo
17:05:02 <gagehugo> zuul is very unstable atm
17:05:07 <mdong> o/
17:05:14 <macermak> lhinds, thank you, I have no idea why it fails.
17:05:37 * fungi is sort of around, but dealing with infra wildfires
17:05:42 <lhinds> macermak: it's not your code, it's like gagehugo says, it's not happy right now since they tried to upgrade to 3
17:05:50 <mdong> syntribos is also running into the same errors as bandit, it looks like
17:05:52 <lhinds> hey mdong
17:06:31 <lhinds> #topic agenda
17:06:39 <lhinds> #link https://etherpad.openstack.org/p/security-agenda
17:06:58 <lhinds> should be a lite meeting tonight, but anyone can add something should they wish to...
17:06:58 <fungi> for the record, the current issues are all unrelated to zuul v3 (broken xenial package mirroring, logs site filling up, et cetera)
17:07:03 <macermak> lhinds, I've read about the update, no problem, I get it.
17:07:51 <lhinds> fungi: this seems the common failure in bandit gate: "ERROR: These requested packages were not installed:" ...followed by a big list of OS packages
17:08:42 <fungi> lhinds: yep, that's a problem with our ubuntu xenial package mirror being several days behind due to updating breaking, and then images got built with newer packages (because our image building doesn't use our package mirrors) which leads to apt getting confused over version dependencies when trying to install things
17:09:13 <fungi> basically it tries to install something from the mirror and has newer packages already installed for something else with similar dependencies, but they disagree about which version they were built against
17:09:23 <gagehugo> ah
17:09:26 <fungi> and so it gives up
17:09:55 <lhinds> makes sense, so we will just wait for that issue to resolve and then see if we have anything specific to bandit failing
17:10:20 <lhinds> ok, I will spin through the agenda
17:10:27 <lhinds> #topic documentation
17:10:43 <lhinds> all clear for patches now: https://review.openstack.org/#/q/project:openstack/security-doc
17:11:13 <lhinds> If anyone is interested in working on security docs, we have a nice bug list now...
17:11:46 <lhinds> lhinds hunts for URL
17:12:05 <lhinds> #link https://bugs.launchpad.net/ossp-security-documentation
17:12:12 <lhinds> actually, will add this to the pad
17:12:28 <lhinds> #topic Bandit
17:12:45 <lhinds> so macermak, we have your contribution.
17:12:58 <lhinds> I guess this is waiting on gate, I promise I will make a review tomorrow
17:13:10 <lhinds> and it looks like you fixed up ebrown's nits
17:13:17 <lhinds> thanks for contributing
17:13:43 <lhinds> Rajath's patch should be good to go too, once gate is functioning again.
17:13:47 <macermak> lhinds, thank you.. I tried to fix as many things as I could. I was told about the blueprint thing, dunno how that exactly works. Should I make any?
17:14:31 <lhinds> typically that is ideal, but no concern now that you're this far..although I can't confess to know much about the plugin yet
17:14:44 <lhinds> I can show you where a blueprint goes though for next time.
17:14:56 <gagehugo> macermak what is that formatter going to be used for?
17:15:03 <lhinds> plugin / formatter
17:15:10 <gagehugo> just curious
17:17:00 <macermak> okay .. gagehugo except for another option for customizing the output, I am planning to add bandit as a plugin to csmock and since csmock has its customized parser, that is based on gcc / pylint like output, I found a new formatter for bandit would be ideal
17:17:38 <macermak> bandit will then be another tool for static analysis
17:17:58 <gagehugo> https://github.com/kdudka/csmock
17:18:02 <gagehugo> is that it?
17:18:09 <macermak> Ye, I was just about to paste it
17:18:13 <gagehugo> interesting
17:18:36 <lhinds> ^ +1
17:18:49 <lhinds> so scan python-<application>.srpm's ?
17:19:57 <macermak> lhinds, yes
17:20:03 <lhinds> so macermak, do you expect 'custom' to be a formatter used by any project who needs it, or is it quite specific to csmock?
17:20:17 <lhinds> I am just thinking if this should be a csmock formatter
17:20:49 <gagehugo> yeah if this is only designed for csmock, I would change the patch to specify that
17:23:29 <macermak> I believe that the output using this formatter is very flexible and can be used in various ways. Moreover, (and this is not completely up to me, tho) we are considering adding bandit scan as an optional output to our coverity scan implementation - it will be tested on csmock first
17:24:05 <macermak> hence, as for the name, I don't think csmock formatter would be very precise
17:24:42 <lhinds> ok, makes sense..and I cannot see anything specific in the tags you introduce.
17:25:09 <macermak> It allows the user to access the report variables directly and parse it as the user wants, which had not been possible before
17:25:27 <lhinds> macermak: ack.
17:25:36 <lhinds> I will make sure I take a look tomorrow
17:25:41 <macermak> Thank you.
17:25:52 <lhinds> ok time is moving on towards the end
17:26:12 <lhinds> mdong: anything important for Syntribos?
17:26:37 <mdong> Finally got reviews on the multithreading patch, I'm just waiting for the zuul errors to clear up
17:26:58 <lhinds> mdong: yep I saw that, that's good
17:27:03 <mdong> after that merges, probably going to cut a release
17:27:10 <lhinds> mdong: cool!
17:27:29 <lhinds> mdong: we could do a blog post, after release
17:27:46 <lhinds> that will get picked up by planet.openstack.org
17:27:47 <mdong> oh, that'd be great!
17:27:53 <lhinds> let's do it!
17:28:06 <mdong> =)
17:28:12 <lhinds> so for OSSN, there is only one outstanding, but it needs more info still
17:28:45 <lhinds> last but not least I have not forgotten the STIG discussion, that might be on again next week
17:29:10 <lhinds> and threat analysis possibly next week too when me and fungi are freed up a bit more.
17:29:30 <lhinds> well fungi is never really freed up, but he does not need to be, I will take the lead on it.
17:29:38 <lhinds> ok, any other burning business?
17:29:49 <gagehugo> lhinds we might be pushing more threat analysis docs up for keystoneauth/oslo soonish
17:29:56 <gagehugo> just fyi
17:30:08 <lhinds> gagehugo: sounds great, look forward to it, and thanks for the efforts
17:30:28 <lhinds> ok, bang on :30 so thanks all, and see you next week
17:30:36 <lhinds> #endmeeting