17:06:16 <lhinds> #startmeeting security
17:06:17 <openstack> Meeting started Thu Nov 30 17:06:16 2017 UTC and is due to finish in 60 minutes. The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:06:18 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:06:20 <openstack> The meeting name has been set to 'security'
17:06:22 <gagehugo> probably should have pinged you here
17:06:49 <lhinds> #topic agenda
17:06:54 <lhinds> #link https://etherpad.openstack.org/p/security-agenda
17:07:47 <lhinds> #topic docs
17:08:04 <lhinds> only one still floating which is mine, will try to fix it up this week:
17:08:05 <lhinds> https://review.openstack.org/#/c/518721/
17:08:09 <gagehugo> I will take a look
17:08:14 <lhinds> thx
17:08:19 <gagehugo> I'm actually back now so \o/
17:08:23 <gagehugo> november was a wash for me
17:08:43 <lhinds> no worries gagehugo, I was out a bit as well (colds and other stuff going on)
17:08:55 <lhinds> #topic bandit
17:09:00 <gagehugo> so
17:09:03 <gagehugo> https://review.openstack.org/#/q/project:openstack/bandit+status:open
17:09:20 <gagehugo> would you be ok with abandoning those older patch sets without updates
17:09:35 <gagehugo> they can always be reactivated if needed
17:10:17 <lhinds> gagehugo: yep, sounds fine to me, but would be nice to resurrect them at a later point.
17:10:48 <gagehugo> yeah
17:11:28 <lhinds> are you ok to abandon gagehugo ?
17:11:52 <gagehugo> I'm fine with the ones that haven't been updated in ~1 year
17:12:14 <gagehugo> not sure about that 3ders one
17:12:21 <lhinds> maybe we could use 1 year > as a metric for abandoning?
17:12:23 <gagehugo> 3des*
17:12:26 <gagehugo> yeah
17:13:23 <gagehugo> we don't have the activity of the larger projects so this probably won't be a huge issue
17:13:27 <gagehugo> or come up very often
17:13:28 <lhinds> gagehugo: seems like the main contention on that patch is the flag put forward (hiGH)
17:13:56 <gagehugo> I would keep it up then imo
17:14:03 <lhinds> maybe we could amend and put it as medium
17:14:57 <lhinds> I put myself on and test the code, as it's been a while and we can refloat with a medium priority
17:15:25 <gagehugo> ok
17:15:41 <lhinds> only other one (recent) we have open is: https://review.openstack.org/#/c/517888/
17:15:59 <gagehugo> yeah I need to test that one again
17:16:03 <gagehugo> I looked at it in sydney
17:16:13 <lhinds> cool, I will follow on from you then
17:16:16 <gagehugo> but ran into issues that the author helped me with
17:16:39 <gagehugo> that's all I got for bandit
17:16:44 <lhinds> me too.
17:17:03 <lhinds> one quick side channel comment: Will you be in Dublin / PTG?
17:17:14 <gagehugo> I hope so, no idea yet though
17:17:28 <lhinds> thinking if we should get a room.
17:17:38 <lhinds> well not us personally :P
17:17:42 <lhinds> the security project
17:17:42 <gagehugo> haha
17:17:58 <gagehugo> yeah I won't know until January probably if I'm going
17:18:21 <lhinds> no worries, I will put down `Maybe, Still Considering it`
17:18:53 <lhinds> might be worth doing it as 'Security SIG' and invite a lot of other projects
17:19:04 <gagehugo> sure
17:19:18 <lhinds> let's do that
17:19:22 <lhinds> ping fungi
17:19:34 <lhinds> #topic threat review
17:19:35 <fungi> i've been sort of skimming
17:19:52 * fungi has a meeting reminder for this, just tends to be multitasking quite often
17:20:09 <lhinds> no worries, fungi did you perchance take a look at the keystone m-client threat analysis?
17:20:13 * gagehugo does the same
17:20:59 <fungi> #link https://etherpad.openstack.org/p/keystonemiddleware-ta Keystonemiddleware Threat Analysis
17:21:33 <lhinds> yup
17:22:08 <gagehugo> nice
17:22:40 <fungi> what's there seems like it should be fine to go into a ta repo review. i don't suppose we have one yet?
17:23:01 <lhinds> fungi: yep, there is a patch.. one sec.
17:23:06 <fungi> there was a todo to open some lp bugs for a few items in the pad
17:23:25 <lhinds> #link https://review.openstack.org/#/c/447139/
17:24:15 <fungi> aha, right, i've even been commenting on that one i guess
17:25:32 <lhinds> lhinds is lost
17:25:48 <lhinds> oh i see now, gerrit comment
17:26:13 <lhinds> gagehugo: how does it look to you so far, ok?
17:26:30 <fungi> i've just rechecked it too so we can get a fresh draft build (hopefully, if the docs job for this is working correctly)
17:26:37 <gagehugo> I think it looks alright, I'm not familiar with the process of it all
17:26:51 <gagehugo> not sure what the next steps would be
17:27:35 <fungi> was there information captured in the above etherpad which isn't yet added to the ta repo change?
17:28:26 <lhinds> fungi: yep, so the idea is the pad is used to perform the review... we then co-author the patch above with the information we put forward from the threat review (as well as Launchpads / recommendations)
17:28:53 <gagehugo> lbragstad https://etherpad.openstack.org/p/keystonemiddleware-ta
17:29:09 <gagehugo> ah
17:29:25 * lbragstad meanders in
17:29:56 <lhinds> fungi: we port pad contents into https://review.openstack.org/#/c/447139/6/doc/source/artifacts/keystonemiddleware/pike/review-findings.rst
17:30:01 <gagehugo> I see there is the pycrypto stuff in the docs
17:30:09 <gagehugo> lhinds ah ok
17:30:24 <lhinds> gagehugo: yep, that was the main one (which is good going)
17:30:52 <lhinds> it's a fairly simple application though, so not many attack vectors
17:31:00 <gagehugo> yeah
17:31:02 <lhinds> not simple as in not good mind you.
17:31:08 <lhinds> simple is good
17:31:18 <gagehugo> it's easier for sure
17:31:23 <lhinds> especially in openstack :)
17:31:39 <gagehugo> I will read over the etherpad more and I can update the gerrit doc in review if that works
17:31:58 <lhinds> gagehugo: sure, that sounds great. I will get the LP up.
17:32:09 <lhinds> I guess we are at time now.
17:32:18 <lhinds> let's revisit this next week.
17:32:30 <gagehugo> sounds good
17:32:47 <lhinds> in the meantime I will let the foundation know we would like a security sig room at the PTG
17:32:59 <gagehugo> cool
17:33:00 <lhinds> and we can invite keystoners, barbicanistas in.
17:33:12 <lhinds> ok, thanks gagehugo & fungi
17:33:16 <lhinds> #endmeeting