15:06:46 #startmeeting security
15:06:47 Meeting started Thu May 31 15:06:46 2018 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:06:48 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:06:50 The meeting name has been set to 'security'
15:06:56 * fungi is around
15:07:07 * gagehugo was stuck in another meeting
15:07:19 * nickthetait waves
15:07:20 (also in tc office hour, so ping me if you need input on something)
15:07:34 :o/
15:07:50 will do
15:07:56 redrobot o/
15:08:08 and let me know when we get to the ossn portion, i had something which came up during the summit which would be good to get a draft going for if someone's interested
15:08:21 fungi go ahead if you are free now
15:08:24 #topic OSSN
15:08:32 oh, sure
15:08:45 i guess most of you have seen the spectre-ng news by now
15:09:02 disclosed last week while many of us were at the summit
15:09:41 i realized that while ttx had put together a really great blog post on meltdown/spectre we don't have an actual ossn with guidance for operators as to what configuration options we have for mitigating some of the impact
15:10:31 so if someone's interested in putting one together, it could probably draw from his blog post pretty readily
15:10:42 * nickthetait raises hand
15:10:52 and could incorporate spectre-ng related recommendations too now that it's timely
15:11:16 * fungi looks for the nova stable patches for exposing the new cpu flags
15:11:34 fungi do you have a link to ttx's blog post?
15:12:21 #link https://ttx.re/openstack-spectre-meltdown-faq.html
15:13:22 #link https://review.openstack.org/#/q/I72085016c8756ff88a4da722368f62359bcd7080 Add ssbd and virt-ssbd flags to cpu_model_extra_flags whitelist
15:13:48 those are the stable patches for spectre-ng related cpu flag passthrough
15:14:29 fungi: kashyap had a blog post around it iirc
15:14:30 looks like we've got them in queens and pike, ocata is approved as of roughly an hour ago but hasn't merged yet
15:14:52 https://kashyapc.fedorapeople.org/Reducing-OpenStack-Guest-Perf-Impact-from-Meltdown.txt
15:15:00 #link https://kashyapc.fedorapeople.org/Reducing-OpenStack-Guest-Perf-Impact-from-Meltdown.txt
15:15:04 thanks!
15:15:13 not really a blog post but meh
15:17:30 ttx thanks!
15:18:15 nickthetait do you want to look into that then?
15:20:08 yes
15:20:30 to be honest, i _thought_ we had one but then when i went looking for it i realized that we didn't
15:20:56 so with the renewed interest around spectre-ng this seems like a good opportunity
15:21:22 ++
15:22:00 sounds like a plan
15:22:05 fungi was there anything else?
15:22:30 nothing from me
15:22:43 at least not on the ossn front
15:27:08 #topic OSSA
15:27:33 Not sure if any updates here as well
15:27:52 #topic Bandit Migration
15:28:25 #link https://github.com/PyCQA/bandit/pull/311
15:28:56 looks like there are specific OpenStack plugins still left over?
15:29:07 yes
15:29:35 * gagehugo needs to get caught up on bandit issues
15:30:16 basically the question is: does openstack need to re-add these plugins? are they still used?
15:30:30 this may be a question for fungi
15:33:42 not really sure, i hadn't seen them before now
15:34:17 openstack might want a separate repository for those plugins if they're being used anywhere
15:35:11 hmm
15:36:20 i'm not super familiar with bandit... are all plugins from its repo loaded at runtime automatically, or do they need to be explicitly enabled?
15:36:42 if the latter, we should be able to figure out whether any projects are relying on those particular plugins
15:38:04 I think former: documentation on how to invoke bandit says "optional config file to use for selecting plugins and overriding defaults"
15:38:42 and "are autodiscovered from the plugins directory"
15:49:45 hmm
15:50:34 I'll update the agenda
15:51:14 may need to continue looking into this
15:52:03 #topic General Discussion
15:52:26 I added the security sig to the list of sigs on the governance page
15:52:28 #link https://governance.openstack.org/sigs/
15:52:36 someone at the PTG mentioned it was missing
15:52:40 s/PTG/Summit
15:52:53 feel free to make any edits
15:53:07 Does anyone have anything else?
15:53:49 I have a draft OSSN waiting for review
15:53:51 https://review.openstack.org/#/c/570010/
15:54:03 I will take a look
15:54:23 * gagehugo adds it to his list of chrome tabs to review
15:54:30 thanks :)
15:55:07 how was the summit? I've watched a video or two so far
15:55:37 I thought it was pretty productive
15:55:45 the venue was beautiful
15:58:06 Open Security Summit is next week btw
15:58:12 https://open-security-summit.org/
15:59:00 UK?
15:59:13 yes, possible to participate remotely too
16:00:08 ah ok
16:00:11 we are out of time
16:00:18 thanks everyone for coming!
16:00:21 #endmeeting