15:00:23 <gagehugo> #startmeeting security
15:00:24 <openstack> Meeting started Thu May 3 15:00:23 2018 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:25 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:27 <openstack> The meeting name has been set to 'security'
15:00:39 <gagehugo> ping eeiden fungi gagehugo lhinds nickthetait browne
15:00:46 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda
15:00:49 <gagehugo> o/
15:00:56 <nickthetait> hi everyone
15:01:07 <gagehugo> hey nickthetait
15:01:35 <fungi> as usual, i'm mostly focused on tc office hour, but ping me if something needs my input here
15:01:51 <gagehugo> will do
15:02:04 <jessegler> o/
15:02:17 <gagehugo> o/ jessegler
15:02:53 <gagehugo> give people another minute or so
15:04:20 <gagehugo> #topic Bandit Migration
15:04:33 <gagehugo> #link https://etherpad.openstack.org/p/bandit-migration
15:05:03 <gagehugo> I saw that the change to remove bandit gating merged
15:05:10 <gagehugo> so https://review.openstack.org/#/c/564453/ will hopefully pass now
15:05:11 <patchbot> patch 564453 - bandit - Project Migration to PyCQA
15:06:00 <nickthetait> that's a big change set :O
15:06:28 <gagehugo> nickthetait yup, it'll change the openstack repo to point people to the new one on pycqa
15:06:31 <gagehugo> #link https://github.com/PyCQA/bandit
15:07:08 <nickthetait> so as far as the bandit code itself, this should include "everything" required to move it over?
15:08:04 <gagehugo> on the openstack repo side
15:08:14 <gagehugo> the migration is done afaia
15:08:50 <nickthetait> nice
15:09:15 <gagehugo> I know browne was spending a good part of last week migrating the launchpad bugs to github issues
15:09:47 <gagehugo> but I think so far everything is moving good
15:10:03 <gagehugo> #topic PTG (denver)
15:10:24 <gagehugo> would like lhinds here for this, but does anyone know if they can attend?
15:10:37 <nickthetait> I will be
15:10:54 <gagehugo> cool
15:11:08 <nickthetait> Only a 1 hour drive away :)
15:11:11 <gagehugo> I haven't gotten approval yet, but I'll update once I know
15:11:13 <gagehugo> oh nice
15:11:53 <gagehugo> Denver was pretty cool last fall when we were there
15:12:34 <gagehugo> #topic Tatu
15:12:42 <gagehugo> I'm not aware of any updates here
15:13:45 <gagehugo> #topic Documentation
15:14:02 <gagehugo> same here, nothing to update atm
15:14:59 <gagehugo> #topic #OSSN
15:15:22 <nickthetait> Is this one ready to start turning into a notice? https://bugs.launchpad.net/ossn/+bug/1699573
15:15:23 <openstack> Launchpad bug 1699573 in OpenStack Security Notes "ScaleIO volumes contain previous data" [Undecided,New]
15:15:32 <nickthetait> not sure if all the software changes have happened yet
15:16:08 <fungi> i've also been told by a friend at emc that it's no longer called "scaleio"
15:16:43 <gagehugo> looks like https://review.openstack.org/#/c/555546/ merged
15:16:44 <patchbot> patch 555546 - cinder - ScaleIO: Prevent usage of unsafe volumes (MERGED)
15:16:59 <nickthetait> yep
15:17:18 <gagehugo> fungi is there a new name for it?
15:17:37 <fungi> they renamed the product to something like "VxFlex OS" (though i suppose that's immaterial from the standpoint of the ossn)
15:18:28 <gagehugo> ah
15:18:39 <fungi> the engineers are annoyed because it's not an operating system, but marketing seemed to think that name would sell it better
15:18:49 <nickthetait> fungi: if you can find a public press briefing for me I'll update the naming when making the ossn
15:18:49 <gagehugo> lol
15:19:27 <fungi> we probably ought to stick to whatever naming cinder is using for the driver anyway
15:19:40 <nickthetait> ok
15:22:17 <gagehugo> #topic OSSA
15:22:27 <gagehugo> any updates here?
15:23:20 <fungi> #link https://bugs.launchpad.net/ossa/ Public OSSA bugs under review
15:23:35 <fungi> as usual, that's a great place for people who want to pitch in to help the vmt
15:24:19 <fungi> #link https://security.openstack.org/ossa/OSSA-2018-001.html OSSA-2018-001: Raw underlying encrypted volume access
15:24:36 <fungi> that one happened a couple weeks ago, but i didn't get a chance to mention in last week's meeting
15:25:00 <fungi> first advisory of the year, which seems pretty good
15:25:20 <gagehugo> interesting
15:26:04 <fungi> even better that it's only a denial of service vector
15:26:47 <nickthetait> roughly how many ossas were there in 2017?
15:31:02 * gagehugo fails at searching by age opened in launchpad
15:31:57 <gagehugo> looks like ~11 or so
15:32:13 <gagehugo> if I didn't completely mess up this advanced search
15:32:34 <gagehugo> #topic Threat Analysis Documents
15:32:55 <gagehugo> there's a couple drafts for pycadf and oslo.cache up
15:33:09 <gagehugo> #link https://review.openstack.org/#/c/527202/
15:33:09 <patchbot> patch 527202 - security-analysis - Initial draft for Oslo.Cache Review
15:33:22 <gagehugo> #link https://review.openstack.org/#/c/529945/
15:33:22 <patchbot> patch 529945 - security-analysis - Initial draft for pyCADF security review
15:33:43 <gagehugo> I need to take a look at them when I get a chance
15:34:56 <fungi> nickthetait: only 6 in 2017
15:35:07 <fungi> #link https://security.openstack.org/ossalist.html OpenStack Security Advisories
15:35:21 <nickthetait> ok thanks
15:35:24 <fungi> (as opposed to 13 in 2016)
15:35:32 <gagehugo> fungi thanks
15:36:55 <nickthetait> is there somewhere that I can subscribe to new threat analysis documents?
15:38:56 <gagehugo> I'm subbed on launchpad: https://bugs.launchpad.net/ossa
15:39:03 <gagehugo> ossn too
15:40:32 <gagehugo> #topic Chair Rotation
15:40:34 <nickthetait> so these analysis docs will either not be a real threat or into ossa/ossn?
15:41:02 <gagehugo> nickthetait I believe they are triaged in ossa/ossn once submitted
15:41:12 <nickthetait> ok
15:41:26 <fungi> if the thread analysis documents are being submitted to gerrit, you could just subscribe your gerrit account to that repository
15:41:34 <fungi> er, threat analysis
15:41:45 <gagehugo> oh I misread
15:41:51 <gagehugo> nickthetait, do what fungi said
15:42:06 <nickthetait> thx
15:42:09 <gagehugo> https://review.openstack.org/#/q/project:openstack/security-analysis
15:42:13 <gagehugo> that's the gerrit repo
15:42:56 <gagehugo> lhinds and I will alternate months chairing the meeting just fyi, I am currently scheduled to chair for the month of May
15:43:09 <gagehugo> #topic General Discussion
15:43:14 <gagehugo> floow is open :)
15:43:18 <gagehugo> floor*
15:47:17 <gagehugo> thanks for coming everyone
15:47:22 <gagehugo> o/
15:47:24 <nickthetait> later
15:47:26 <gagehugo> #endmeeting