15:06:46 <gagehugo> #startmeeting security
15:06:47 <openstack> Meeting started Thu May 31 15:06:46 2018 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:06:48 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:06:50 <openstack> The meeting name has been set to 'security'
15:06:56 * fungi is around
15:07:07 * gagehugo was stuck in another meeting
15:07:19 * nickthetait waves
15:07:20 <fungi> (also in tc office hour, so ping me if you need input on something)
15:07:34 <redrobot> :o/
15:07:50 <gagehugo> will do
15:07:56 <gagehugo> redrobot o/
15:08:08 <fungi> and let me know when we get to the ossn portion, i had something which came up during the summit which would be good to get a draft going for if someone's interested
15:08:21 <gagehugo> fungi go ahead if you are free now
15:08:24 <gagehugo> #topic OSSN
15:08:32 <fungi> oh, sure
15:08:45 <fungi> i guess most of you have seen the spectre-ng news by now
15:09:02 <fungi> disclosed last week while many of us were at the summit
15:09:41 <fungi> i realized that while ttx had put together a really great blog post on meltdown/spectre we don't have an actual ossn with guidance for operators as to what configuration options we have for mitigating some of the impact
15:10:31 <fungi> so if someone's interested in putting one together, it could probably draw from his blog post pretty readily
15:10:42 * nickthetait raises hand
15:10:52 <fungi> and could incorporate spectre-ng related recommendations too now that it's timely
15:11:16 * fungi looks for the nova stable patches for exposing the new cpu flags
15:11:34 <gagehugo> fungi do you have a link to ttx's blog post?
15:12:21 <fungi> #link https://ttx.re/openstack-spectre-meltdown-faq.html
15:13:22 <fungi> #link https://review.openstack.org/#/q/I72085016c8756ff88a4da722368f62359bcd7080 Add ssbd and virt-ssbd flags to cpu_model_extra_flags whitelist
15:13:48 <fungi> those are the stable patches for spectre-ng related cpu flag passthrough
15:14:29 <ttx> fungi: kashyap had a blog post around it iirc
15:14:30 <fungi> looks like we've got them in queens and pike, ocata is approved as of roughly an hour ago but hasn't merged yet
15:14:52 <ttx> https://kashyapc.fedorapeople.org/Reducing-OpenStack-Guest-Perf-Impact-from-Meltdown.txt
15:15:00 <fungi> #link https://kashyapc.fedorapeople.org/Reducing-OpenStack-Guest-Perf-Impact-from-Meltdown.txt
15:15:04 <fungi> thanks!
15:15:13 <ttx> not really a blog post but meh
15:17:30 <gagehugo> ttx thanks!
15:18:15 <gagehugo> nickthetait do you want to look into that then?
15:20:08 <nickthetait_> yes
15:20:30 <fungi> to be honest, i _thought_ we had one but then when i went looking for it i realized that we didn't
15:20:56 <fungi> so with the renewed interest around spectre-ng this seems like a good opportunity
15:21:22 <gagehugo> ++
15:22:00 <nickthetait_> sounds like a plan
15:22:05 <gagehugo> fungi was there anything else?
15:22:30 <fungi> nothing from me
15:22:43 <fungi> at least not on the ossn front
15:27:08 <gagehugo> #topic OSSA
15:27:33 <gagehugo> Not sure if any updates here as well
15:27:52 <gagehugo> #topic Bandit Migration
15:28:25 <gagehugo> #link https://github.com/PyCQA/bandit/pull/311
15:28:56 <gagehugo> looks like there are specific OpenStack plugins still left over?
15:29:07 <nickthetait_> yes
15:29:35 * gagehugo needs to get caught up on bandit issues
15:30:16 <nickthetait_> basically the question is: does openstack need to re-add these plugins? are they still used?
15:30:30 <gagehugo> this may be a question for fungi
15:33:42 <fungi> not really sure, i hadn't seen them before now
15:34:17 <fungi> openstack might want a separate repository for those plugins if they're being used anywhere
15:35:11 <gagehugo> hmm
15:36:20 <fungi> i'm not super familiar with bandit... are all plugins from its repo loaded at runtime automatically, or do they need to be explicitly enabled?
15:36:42 <fungi> if the latter, we should be able to figure out whether any projects are relying on those particular plugins
15:38:04 <nickthetait_> I think former: documentation on how to invoke bandit says "optional config file to use for selecting plugins and overriding defaults"
15:38:42 <nickthetait_> and "are autodiscovered from the plugins directory"
15:49:45 <gagehugo> hmm
15:50:34 <gagehugo> I'll update the agenda
15:51:14 <gagehugo> may need to continue looking into this
15:52:03 <gagehugo> #topic General Discussion
15:52:26 <gagehugo> I added the security sig to the list of sigs on the governance page
15:52:28 <gagehugo> #link https://governance.openstack.org/sigs/
15:52:36 <gagehugo> someone at the PTG mentioned it was missing
15:52:40 <gagehugo> s/PTG/Summit
15:52:53 <gagehugo> feel free to make any edits
15:53:07 <gagehugo> Does anyone have anything else?
15:53:49 <nickthetait_> I have a draft OSSN waiting for review
15:53:51 <nickthetait_> https://review.openstack.org/#/c/570010/
15:54:03 <gagehugo> I will take a look
15:54:23 * gagehugo adds it to his list of chrome tabs to review
15:54:30 <nickthetait_> thanks :)
15:55:07 <nickthetait_> how was the summit? I've watched a video or two so far
15:55:37 <gagehugo> I thought it was pretty productive
15:55:45 <gagehugo> the venue was beautiful
15:58:06 <nickthetait_> Open Security Summit is next week btw
15:58:12 <nickthetait_> https://open-security-summit.org/
15:59:00 <gagehugo> UK?
15:59:13 <nickthetait_> yes, possible to participate remotely too
16:00:08 <gagehugo> ah ok
16:00:11 <gagehugo> we are out of time
16:00:18 <gagehugo> thanks everyone for coming!
16:00:21 <gagehugo> #endmeeting