17:03:07 #startmeeting security
17:03:08 Meeting started Thu Feb 8 17:03:07 2018 UTC and is due to finish in 60 minutes. The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:03:10 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:03:12 The meeting name has been set to 'security'
17:03:18 agenda:
17:03:21 #link https://etherpad.openstack.org/p/security-agenda
17:03:39 please do add if you have something and we will see if we can fit it in.
17:03:47 #topic PTG planning
17:04:00 #link https://etherpad.openstack.org/p/security-ptg-rocky
17:04:11 we have some new additions.
17:04:33 a project called tatu that I have not had a chance to read up on yet.
17:04:55 "OpenStack SSH (Certificate management and bastion hosts) as a Service"
17:05:33 other news, we have a room set for Monday
17:05:34 hmm
17:05:46 I expect we can get most done in a full day
17:06:30 gagehugo: would you be able to check if keystoners can make it in for the Policy Security Roadmap discussion?
17:06:48 yeah, where is the schedule at?
17:07:12 oh it's on the site now
17:07:20 maybe kmalloc can weigh in there
17:07:40 we should figure out a time then
17:07:50 fungi: yup, kmalloc would be a great help in that discussion
17:07:58 definitely
17:08:21 gagehugo: have keystone got a room on Monday? I think the first two days are x project stuff?
17:08:47 just thinking if I need to schedule around keystone activities?
17:09:06 #action lhinds set agenda
17:09:18 lhinds I think we're doing policy/scope stuff mon/tue
17:09:45 so you plan to cover this in the keystone room?
17:10:08 most likely, but that won't be until wed-fri
17:10:18 would like to pull people in on Monday
17:10:26 lbragstad
17:10:32 ^
17:11:02 o/
17:11:31 lbragstad can we set up a time monday to meet with security for the vmt keystonemiddleware coverage?
17:11:34 are we going to go over RBAC security stuff with the security team?
17:11:40 that too
17:11:43 oh - sure
17:11:48 let me grab the schedule
17:12:08 this is what we have open for wednesday - friday
17:12:10 #link https://etherpad.openstack.org/p/keystone-rocky-ptg
17:12:38 this is what we have for availability on monday and tuesday
17:12:41 #link https://etherpad.openstack.org/p/baremetal-vm-rocky-ptg
17:12:54 since keystone is going to be involved in a bunch of cross-project discussions those days
17:13:01 so sometime between 1330-17
17:13:08 for monday anyway
17:13:09 thx lbragstad
17:13:12 yep
17:13:20 monday afternoon is pretty open at this point
17:13:41 we also have several open times wednesday - friday for the VMT stuff, since that's probably more project specific
17:13:59 friday would be good
17:14:05 whatever time you pick for the vmt coverage discussion, i'll try to prioritize that in my schedule
17:14:23 as we only have a room on Monday (and need a little of the afternoon for some other topics)
17:14:31 sure
17:14:34 awesome - friday we're setting time aside to do peer-reviews and peer-programming (hopefully)
17:14:40 though hopefully kmalloc can be in on the ksm vmt discussion even if i have a conflict
17:14:58 so we should have plenty of time to dig into the vmt stuff then
17:15:24 lbragstad / gagehugo for the threat review do you want to come over to the security room?
17:15:34 sure
17:15:38 i'm fine with that
17:15:41 same
17:16:13 ok cool, I will set our agenda to have the keystone threat analysis discussion at 13:30?
17:16:29 s/keystone/keystonemiddleware
17:17:15 Done: https://etherpad.openstack.org/p/security-ptg-rocky
17:17:24 I will set the others over the next few days
17:17:40 cool
17:18:02 so that's the main things for the PTG
17:18:14 anyone have anything to add?
17:18:27 fungi: any VMT x-discussions you want to have?
17:18:48 perhaps how things will work when we become a SIG?
17:19:39 maybe... it's as much a tc discussion as anything i think
17:20:09 fungi: true, should we put it to a TC discussion?
17:20:15 i'm in favor of doing the sig transition first and then the vmt can put together whatever tc resolution we need to just have a delegation process or something for vmt efforts
17:20:35 i'd rather not unnecessarily complicate the security sig formation
17:21:02 the vmt isn't going to stop doing what it does regardless of the resulting formality of its charter
17:21:35 ack, makes sense. we have some discussions around the SIG during the PTG too, so what comes out of there.
17:21:36 and the vmt members are still likely to be participants in the sig
17:21:54 good to hear :)
17:21:57 (not speaking for anyone else, but i intend to anyway)
17:22:16 ok, moving on to Bandit
17:22:20 #topic Bandit
17:22:29 new contributor!
17:22:38 excellent news
17:22:39 a few patches in which is nice.
17:22:47 yay!
17:22:53 https://review.openstack.org/#/q/project:openstack/bandit
17:23:08 nice to see some django stuff
17:23:42 I think he needs some help with the developer flow around gerrit
17:24:05 I will drop him an email. shall I include you gagehugo ?
17:24:21 / browne
17:25:04 yeah, so I wanted to pitch possibly moving Bandit to the Python Code Quality Authority on GitHub
17:25:23 do you have a link browne ?
17:25:25 Bandit really has only one plugin that is specific to OpenStack
17:26:01 yeah, let me find it
17:26:01 https://github.com/PyCQA ?
17:26:14 browne: ^
17:26:27 ha, yep
17:26:42 so that's the home of pylint, flake8 and many other linters
17:26:48 browne: have you already discussed this with PyCQA? were they receptive to the idea?
17:27:00 so makes sense to put bandit there also. but i need to ask them if they are ok with it
17:27:18 i know signmavirus liked the idea a while back
17:27:28 so I personally have no objection to that myself
17:27:53 sure
17:27:54 especially if it helps the project gain more contributions / testers and users (which I think it will)
17:28:10 cool. yes, i do think it'll allow it to gain contributions
17:28:29 in the spirit of embracing the wider python ecosystem and making it clear this tool is of general interest, i think it's a great idea
17:28:33 browne: would gagehugo and I perhaps be able to get some sort of merge oversight (perhaps join the org)?
17:28:37 alright, i'll talk with pycqa folks and see if they are ok with it
17:28:42 I guess you would need to ask that first
17:29:07 yeah, i think we could maintain the same core (maintainers) in github
17:29:25 yeah I'm fine with that
17:29:35 that way we can be there as key stakeholders to ensure nothing breaks anything for openstack
17:29:46 other question, is there someone on the openstack side to ask about removing a project from that domain
17:30:41 please enlarge on removing a project?
17:30:49 do you mean from a config somewhere?
17:31:11 yeah, config, gerrit, etc
17:31:25 not sure how that's generally handled
17:31:42 if you're concerned about changes to bandit after moving to github breaking openstack use cases, the infra team is now piloting jobs in our ci system reporting on pull requests for projects developed in github
17:31:53 we will need to do some due diligence there.
17:32:18 let's see what they say (PyCQA) and we can take it from there.
17:32:27 ok sounds good
17:32:35 a lot of the planning side of the migration could be fleshed out at the PTG
17:32:40 right now our zuul is running shade integration tests incorporating pull requests from ansible/ansible on github and reporting back results on them
17:32:50 hmm
17:32:53 acting as a third-party ci system basically
17:33:19 fungi: that would be good. we could then run Bandit against some key projects and ensure it passes
17:33:32 right, we are out of time folks.
17:33:36 yeah, or, you know, whatever
17:34:00 browne: we have a documented repository retirement process too
17:34:07 I will add this to the agenda and browne please let us know what the python peoples say
17:34:14 i can provide links to the documentation when the time comes
17:34:25 +1 fungi
17:34:37 we have used it for other repos which moved from gerrit to github
17:35:20 lhinds: will do
17:35:36 cool thanks
17:35:51 right great meeting everyone, feels like the band is back together again :)
17:36:19 see you all again next time!
17:36:37 thanks all!
17:36:39 o/
17:36:42 #endmeeting