15:00:54 <gagehugo> #startmeeting security
15:00:55 <openstack> Meeting started Thu Apr 26 15:00:54 2018 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:56 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:58 <openstack> The meeting name has been set to 'security'
15:01:10 <gagehugo> ping eeiden fungi gagehugo lhinds nickthetait browne
15:01:23 <fungi> ohai
15:01:28 <nickthetait> hey
15:02:00 <browne> o/
15:02:17 <gagehugo> o/
15:02:21 <eeiden> o/
15:02:32 <browne> the migration has started!
15:02:36 <gagehugo> yup
15:02:48 <gagehugo> #topic Bandit Migration
15:03:07 <gagehugo> browne so is bandit officially pycqa now?
15:03:09 <browne> so can someone add me back as core
15:03:27 <browne> https://github.com/PyCQA/bandit
15:03:55 <browne> gagehugo: yeah, more or less official now
15:04:24 <gagehugo> cool
15:04:35 <nickthetait> will there be a migration of open issues to github?
15:04:50 <gagehugo> I assume so yeah
15:04:56 <gagehugo> launchpad -> github
15:05:17 <gagehugo> might be worth re-evaluating them as we move as well
15:05:17 <browne> yeah, I'm planning to move all the bugs/features over to issues
15:05:37 <nickthetait> ok
15:06:39 <gagehugo> I think lhinds pushed a ps to delete most of the code on gerrit as well
15:06:43 <browne> btw, the new IRC channel will be ##python-code-quality for bandit
15:07:37 <gagehugo> browne is there anything else for the migration?
15:08:08 <browne> I think we're all working off of https://etherpad.openstack.org/p/bandit-migration
15:08:23 * gagehugo updates the agenda
15:08:36 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda
15:08:40 <browne> i think a bunch of code tweaks will be needed and removal of openstacky stuff
15:09:07 <gagehugo> I think lhinds has a pull request for that
15:09:19 <gagehugo> but the copyright may need to be reverted
15:09:25 <browne> yeah
15:09:32 <gagehugo> wasn't sure how that worked
15:10:49 <browne> i believe you can add copyrights, but not remove them
15:11:02 <gagehugo> ah
15:11:13 <gagehugo> makes sense
15:12:01 <gagehugo> I don't think there's any Tatu or Docs updates
15:12:24 <nickthetait> copyrights can be transferred tho https://www.copyright.gov/help/faq/faq-assignment.html
15:12:34 <fungi> which specific copyright statements are you concerned about in bandit?
15:12:48 <gagehugo> fungi https://github.com/PyCQA/bandit/pull/1
15:13:46 <fungi> yeah, so i would question whether any of that was actually authored by an employee of the openstack foundation (if so, it wasn't me at least)
15:14:28 <gagehugo> hmm
15:14:41 <fungi> openstack projects don't practice copyright assignment to the foundation, and the openstack foundation isn't set up to handle having copyrights assigned to it by other individuals they aren't employing directly
15:15:05 <browne> https://wiki.openstack.org/wiki/Documentation/Copyright
15:15:07 <fungi> so it's entirely possible that copyright entry was added by mistake
15:15:22 <browne> this link states that a doc page should have OpenStack foundation
15:15:23 <fungi> thanks browne, i was just looking for that
15:16:13 <fungi> browne: what part are you interpreting to indicate that documentation should be (c) openstack foundation?
15:16:41 <browne> In a Nova dev doc page, for example, the copyright notice should be "© 2013, https://wiki.openstack.org/wiki/OpenStack Foundation" if the content has been updated this year or "© 2012, https://wiki.openstack.org/wiki/OpenStack Foundation" if the content was last updated in 2012.
15:16:53 <fungi> i fear you're misinterpreting that section
15:17:00 <browne> maybe this is just an example
15:17:09 <fungi> it's talking about content which was previously copyrighted by "openstack, llc"
15:17:14 <browne> ah ok
15:17:21 <fungi> which was a copyright rackspace was using
15:17:35 <fungi> back before the foundation was formed in 2012
15:17:52 <fungi> rackspace handed over their existing openstack, llc copyrights to the openstack foundation
15:19:00 <fungi> but aside from things which were copyright openstack, llc back before 2012, the only things which should be copyright openstack foundation written since then would be things written by openstack foundation employees or as a work for hire by contract companies paid by the foundation
15:19:30 <fungi> so, e.g., content on www.openstack.org
15:20:17 <browne> fungi: could you add a comment to the PR
15:20:25 <fungi> the copyright entry in doc/source/conf.py ought to reflect the copyright in any of the docs content you have
15:20:41 <fungi> yep, happy to do so
15:21:07 <fungi> i'll want to do a little git pickaxing of that file first to determine where/when the line was added
15:21:13 <fungi> but happy to follow up there
15:21:29 <browne> most likely it was copy/pasted
15:21:45 <fungi> yep, that's what i expect as well
15:23:50 <browne> question: when migrating bugs to issues, do we care about closed bugs? do we want that history? if so, are there tools to migrate launchpad to github?
15:24:14 <nickthetait> will the info be lost otherwise?
15:24:27 <gagehugo> good question
15:24:48 <browne> yeah, I imagine launchpad will still have the history
15:25:03 <fungi> even if you close down bug reporting in lp, the existing bugs (open and closed) remain there
15:25:22 <fungi> you just no longer have a link from the project page for filing new bugs, and no bug index view for the project
15:25:42 <fungi> for that matter, you can't even stop people who find the old lp bugs from posting new comments
15:25:56 <nickthetait> that's kinda funny
15:26:16 <fungi> part of this is because lp's data model doesn't map bug reports directly to projects
15:26:31 <fungi> you have bug reports and then indicate one or more projects (and series) which are affected by them
15:26:40 <fungi> via bugtasks
15:26:58 <browne> ok, sounds like I don't need to bother with closed bugs
15:27:03 <fungi> so there aren't "bandit bugs" in lp, there are bugs which include "bandit bugtasks"
15:27:31 <browne> another question, what will happen with this: https://github.com/openstack/bandit
15:27:53 <fungi> that will continue to be a mirror of whatever is in review.openstack.org/git.openstack.org
15:28:14 <browne> ok, if that's the case, I think we need to point people to https://github.com/PyCQA/bandit
15:28:18 <fungi> so if you approve a change which deletes all content except a readme stating the project has moved elsewhere, then that's what will be in the gh mirror too
15:29:03 <gagehugo> ok
15:29:12 <browne> oh ok, lhinds has done this
15:30:15 <browne> we need to remove bandit from the zuul jobs
15:31:52 <browne> ok, I'll do a patch to remove bandit from project-config
15:32:49 * gagehugo lost track of time
15:33:12 <gagehugo> we can spill over to either the ##python-code-quality or #openstack-security channels
15:33:15 <gagehugo> #endmeeting