17:06:16 #startmeeting security
17:06:17 Meeting started Thu Nov 30 17:06:16 2017 UTC and is due to finish in 60 minutes. The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:06:18 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:06:20 The meeting name has been set to 'security'
17:06:22 probably should have pinged you here
17:06:49 #topic agenda
17:06:54 #link https://etherpad.openstack.org/p/security-agenda
17:07:47 #topic docs
17:08:04 only one still floating which is mine, will try to fix it up this week:
17:08:05 https://review.openstack.org/#/c/518721/
17:08:09 I will take a look
17:08:14 thx
17:08:19 I'm actually back now so \o/
17:08:23 November was a wash for me
17:08:43 no worries gagehugo, I was out a bit as well (colds and other stuff going on)
17:08:55 #topic bandit
17:09:00 so
17:09:03 https://review.openstack.org/#/q/project:openstack/bandit+status:open
17:09:20 would you be ok with abandoning those older patch sets without updates
17:09:35 they can always be reactivated if needed
17:10:17 gagehugo: yep, sounds fine to me, but would be nice to resurrect them at a later point.
17:10:48 yeah
17:11:28 are you ok to abandon gagehugo ?
17:11:52 I'm fine with the ones that haven't been updated in ~1 year
17:12:14 not sure about that 3ders one
17:12:21 maybe we could use 1 year > as a metric for abandoning?
17:12:23 3des*
17:12:26 yeah
17:13:23 we don't have the activity of the larger projects so this probably won't be a huge issue
17:13:27 or come up very often
17:13:28 gagehugo: seems like the main contention on that patch is the flag put forward (HIGH)
17:13:56 I would keep it up then imo
17:14:03 maybe we could amend and put it as medium
17:14:57 I put myself on and test the code, as it's been a while and we can refloat with a medium priority
17:15:25 ok
17:15:41 only other one (recent) we have open is: https://review.openstack.org/#/c/517888/
17:15:59 yeah I need to test that one again
17:16:03 I looked at it in Sydney
17:16:13 cool, I will follow on from you then
17:16:16 but ran into issues that the author helped me with
17:16:39 that's all I got for bandit
17:16:44 me too.
17:17:03 one quick side channel comment: Will you be in Dublin / PTG?
17:17:14 I hope so, no idea yet though
17:17:28 thinking if we should get a room.
17:17:38 well not us personally :P
17:17:42 the security project
17:17:42 haha
17:17:58 yeah I won't know until January probably if I'm going
17:18:21 no worries, I will put down `Maybe, Still Considering it`
17:18:53 might be worth doing it as 'Security SIG' and invite a lot of other projects
17:19:04 sure
17:19:18 let's do that
17:19:22 ping fungi
17:19:34 #topic threat review
17:19:35 i've been sort of skimming
17:19:52 * fungi has a meeting reminder for this, just tends to be multitasking quite often
17:20:09 no worries, fungi did you perchance take a look at the keystone m-client threat analysis?
17:20:13 * gagehugo does the same
17:20:59 #link https://etherpad.openstack.org/p/keystonemiddleware-ta Keystonemiddleware Threat Analysis
17:21:33 yup
17:22:08 nice
17:22:40 what's there seems like it should be fine to go into a ta repo review. i don't suppose we have one yet?
17:23:01 fungi: yep, there is a patch..one sec.
17:23:06 there was a todo to open some lp bugs for a few items in the pad
17:23:25 #link https://review.openstack.org/#/c/447139/
17:24:15 aha, right, i've even been commenting on that one i guess
17:25:32 lhinds is lost
17:25:48 oh i see now, gerrit comment
17:26:13 gagehugo: how does it look to you so far, ok?
17:26:30 i've just rechecked it too so we can get a fresh draft build (hopefully, if the docs job for this is working correctly)
17:26:37 I think it looks alright, I'm not familiar with the process of it all
17:26:51 not sure what the next steps would be
17:27:35 was there information captured in the above etherpad which isn't yet added to the ta repo change?
17:28:26 fungi: yep, so the idea is the pad is used to perform the review...we then co-author the patch above with the information we put forward from the threat review (as well as Launchpads / recommendations)
17:28:53 lbragstad https://etherpad.openstack.org/p/keystonemiddleware-ta
17:29:09 ah
17:29:25 * lbragstad meanders in
17:29:56 fungi: we port pad contents into https://review.openstack.org/#/c/447139/6/doc/source/artifacts/keystonemiddleware/pike/review-findings.rst
17:30:01 I see there is the pycrypto stuff in the docs
17:30:09 lhinds ah ok
17:30:24 gagehugo: yep, that was the main one (which is good going)
17:30:52 it's a fairly simple application though, so not many attack vectors
17:31:00 yeah
17:31:02 not simple as in not good mind you.
17:31:08 simple is good
17:31:18 it's easier for sure
17:31:23 especially in openstack :)
17:31:39 I will read over the etherpad more and I can update the gerrit doc in review if that works
17:31:58 gagehugo: sure, that sounds great. I will get the LP up.
17:32:09 I guess we are at time now.
17:32:18 let's revisit this next week.
17:32:30 sounds good
17:32:47 in the meantime I will let the foundation know we would like a security sig room at the PTG
17:32:59 cool
17:33:00 and we can invite keystoners, barbicanistas in.
17:33:12 ok, thanks gagehugo & fungi
17:33:16 #endmeeting