17:02:06 <lhinds> #startmeeting security
17:02:07 <openstack> Meeting started Thu Feb 15 17:02:06 2018 UTC and is due to finish in 60 minutes. The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:02:08 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:02:10 <openstack> The meeting name has been set to 'security'
17:02:45 <lhinds> #topic agena
17:02:49 <lhinds> #undo
17:02:50 <openstack> Removing item from minutes: #topic agena
17:02:53 <lhinds> #topic agenda
17:02:59 <lhinds> #link https://etherpad.openstack.org/p/security-agenda
17:03:24 <lhinds> browne: do you want a slot for the bandit migration, or no news yet?
17:04:12 <browne> no news yet. I haven't sent an email yet to PyQCA. Will do that today
17:04:25 <lhinds> no worries browne
17:04:43 <lhinds> I think the main time it's needed is before the PTG, so we have another meeting before then
17:05:12 <lhinds> #topic PTG Planning
17:05:21 <lhinds> #link https://etherpad.openstack.org/p/security-ptg-rocky
17:06:06 <lhinds> Main one I would be interested in feedback is the SIG and how we kick things off, what we would like to see, expect etc..
17:06:17 <lhinds> so please do add to that session if you have any ideas
17:06:53 <lhinds> also other topics are welcome, but at the same time we have a good amount to justify a day's room allocation now.
17:07:16 <lhinds> fungi: do you know if room info has been released (such as who is where?)
17:07:36 <fungi> yeah, it should be current on ptg.openstack.org now i believe
17:08:01 <fungi> finding
17:08:03 <gagehugo> oh nice
17:08:14 <gagehugo> many suites
17:08:16 <lhinds> Suite 691
17:08:19 <lhinds> cool!
17:08:39 <fungi> #link http://ptg.openstack.org/ptg.html Scheduled tracks
17:08:44 <fungi> check the monday tab
17:09:01 <fungi> i see security booked into suite 691
17:09:30 <fungi> also ttx posted some good ptgbot reminders to the -dev ml:
17:09:38 <fungi> #link http://lists.openstack.org/pipermail/openstack-dev/2018-February/127413.html ptgbot HOWTO for track leads
17:09:41 <fungi> #link http://lists.openstack.org/pipermail/openstack-dev/2018-February/127414.html Booking reservable rooms with the ptgbot
17:10:09 <lhinds> nice!
17:10:57 <lhinds> k, anyone have anything more on PTG?
17:11:46 <lhinds> #topic docs
17:12:04 <lhinds> pretty good shape here, nothing to look at from what I can see:
17:12:05 <lhinds> https://review.openstack.org/#/q/project:openstack/security-doc
17:12:30 <lhinds> #topic bandit
17:12:52 <lhinds> clean queue! https://review.openstack.org/#/q/project:openstack/bandit
17:13:01 <lhinds> anything for bandit browne / gagehugo ?
17:13:11 <gagehugo> the pycrypto blacklist caused an issue
17:13:27 <gagehugo> https://bugs.launchpad.net/bandit/+bug/1749603
17:13:28 <openstack> Launchpad bug 1749603 in Bandit "import blacklisting false positive for prefix matches" [Medium,New] - Assigned to jessegler (je808k)
17:13:31 <gagehugo> but shouldn't be too bad to fix
17:13:34 <lhinds> is that the one by Tin Lam?
17:13:46 <gagehugo> yeah he did the patch to add it to the blacklist
17:13:57 <browne> yeah, that's a new one. i think shouldn't be too bad to fix
17:14:26 <lhinds> looks like jessegler will be putting a patch up
17:14:29 <browne> I did a little triage yesterday. One of the bugs wasn't referenced properly, so I marked it Fix committed
17:14:30 <jessegler> Yup
17:14:30 <fungi> prometheanfire also struck up a new -dev ml thread on moving remaining projects from pycrypto to pyca/cryptography
17:15:15 <lhinds> that might be a good topic for the PTG
17:15:22 <lhinds> will add it..
17:15:23 <fungi> #link http://lists.openstack.org/pipermail/openstack-dev/2018-February/127382.html Migration from pycrypto
17:15:26 <fungi> in case anyone missed it
17:15:32 <gagehugo> fungi thanks
17:16:40 * fungi serves as a meat-based mailing list index
17:17:47 <gagehugo> heh
17:18:09 <lhinds> it's in a ton of requirements, but not seeing anyone making an import
17:18:33 <fungi> right, it could be fairly straightforward to get cleaned up in a lot of places
17:18:57 <fungi> i'm betting many of those were just cargo-culted in requirements lists for no good reason when copying from existing projects to start new ones
17:19:05 <gagehugo> possibly
17:19:14 <lhinds> oh, hold on: http://codesearch.openstack.org/?q=from%20Crypto.*&i=nope&files=&repos=
17:19:34 <lhinds> unless cryptography has the same namespace as pycrypto?
17:20:48 <lhinds> no, that looks like it's pycrypto
17:21:00 <fungi> oh, yeah they won't always be direct imports
17:21:01 <lhinds> let's look at this at the PTG
17:22:04 <lhinds> ok, any other bandit matters?
17:22:04 <gagehugo> we can discuss tatu's pycrypto usage if they'll be in the room :)
17:22:30 <lhinds> gagehugo: yup..not that I know how they are.
17:22:31 <gagehugo> lhinds I think we are good
17:22:55 <lhinds> when I was a young lad, we had five projects I tell thee
17:22:57 <fungi> yeah, i do see them importing from it
17:23:11 <fungi> though tatu seems to have cargo-culted some other stuff
17:23:33 <lhinds> the only way of using that namespace is 'import from cryptography as crypto'
17:23:51 <lhinds> so they are using the naughty one
17:23:51 <fungi> for example, i was noticing earlier today when we started talking about new projects deciding to use eventlet due to cargo-cult behavior, that tatu has it in their requirements.txt
17:24:00 <fungi> but they don't _actually_ seem to use eventley
17:24:03 <fungi> eventlet
17:24:21 <lhinds> redundant code that's not called?
17:24:47 <fungi> eventlet is included in their requirements.txt but never imported that i can see
17:25:21 <lhinds> see what you mean.
17:25:25 <fungi> probably worth encouraging them to generally revisit their dependency list (beyond just the pycrypto usage)
17:25:34 <lhinds> #topic OSSN
17:25:45 <lhinds> oh I need to get my finger out here.
17:25:57 <lhinds> anyone else fancy authoring some notes with me?
17:26:37 <lhinds> I did put out a blog as an outreach thing, but no one has tugged on the line and hook yet
17:27:19 <lhinds> I guess I can bang out a lot of these during PTG week
17:27:38 <lhinds> everyone else, take a look, and see if one tickles your fancy
17:27:54 <fungi> on a related note, the vmt always appreciates anyone in the community taking an interest in the various open public ossa bugs:
17:28:02 <fungi> #link https://bugs.launchpad.net/ossa/ OSSA bug list
17:28:07 <lhinds> fungi: +1
17:29:06 <fungi> usually those are sitting open purely due to lack of community interest in confirming exploitability of reported issues or coming up with backportable fixes
17:29:25 <lhinds> fungi: I added the list to the agenda.
17:29:32 * gagehugo makes a bookmark
17:29:45 <lhinds> fungi: just thought of something, is there a VMT meeting agenda/room at the PTG?
17:29:58 <fungi> not really, no
17:30:13 <lhinds> do you need a slot in the security room?
17:30:38 <fungi> probably not, but happy to participate in discussions there if needed
17:30:56 <lhinds> sounds good
17:30:58 <fungi> as i noted on the planning etherpad, just give me a heads up if there's something that comes up and i can usually arrange to drop in
17:31:10 <lhinds> ack, thanks!
17:31:17 <lhinds> ok, we are at that time already!
17:31:28 <lhinds> so next week, will be the last one before the PTG
17:31:33 <lhinds> thanks all!
17:31:36 <fungi> thanks!
17:31:39 <gagehugo> thanks
17:31:44 <lhinds> #endmeeting