15:02:18 <gagehugo> #startmeeting security
15:02:19 <openstack> Meeting started Thu Aug 2 15:02:18 2018 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:20 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:22 <openstack> The meeting name has been set to 'security'
15:02:33 <gagehugo> ping eeiden fungi gagehugo lhinds nickthetait browne redrobot
15:03:00 <fungi> around but also in tc office hour as usual
15:03:09 <fungi> (back from vacation at least!)
15:03:35 <gagehugo> fungi o/ hope the vacation was good
15:05:00 <gagehugo> I will be covering for lhinds chairing for the next 3 weeks, I believe he is out on PTO
15:05:27 <gagehugo> nickthetait o/
15:06:30 <nickthetait> Hey
15:07:00 <gagehugo> #topic bandit migration
15:07:23 <gagehugo> I believe lhinds had this on his agenda, no updates from me
15:07:52 <gagehugo> #topic OSSN/OSSA
15:08:10 <gagehugo> fungi nickthetait any updates?
15:08:25 <nickthetait> No
15:09:16 <fungi> there's this:
15:09:35 <fungi> #link https://review.openstack.org/586896 Remove Security project team
15:09:55 <fungi> basically cleanup and reassigning its deliverable repos to the security sig
15:09:55 <gagehugo> oh yeah
15:10:20 <fungi> easier than bothernig to have someone volunteer to be ptl of a defunct team for another cycle
15:10:26 <fungi> er, bothering
15:11:13 <fungi> also there's been some followup discussion on ossa-2018-002 that it may be an incomplete fix
15:11:26 <nickthetait> Hmm
15:11:40 <gagehugo> https://bugs.launchpad.net/keystone/+bug/1779205
15:11:40 <openstack> Launchpad bug 1779205 in OpenStack Identity (keystone) rocky "[OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14432)" [Critical,Fix released] - Assigned to Lance Bragstad (lbragstad)
15:11:55 <fungi> #link https://launchpad.net/bugs/1779205
15:12:03 <fungi> yeah
15:12:30 <fungi> anyone who wants to pitch in on that is welcome. it's all public
15:14:56 <gagehugo> #topic documentation
15:15:16 <gagehugo> nothing from me here
15:15:31 <nickthetait> Same
15:15:36 <fungi> nada
15:15:51 <gagehugo> #topic threat analysis
15:16:24 <gagehugo> https://review.openstack.org/#/q/project:openstack/security-analysis
15:16:43 <gagehugo> there's some projects under the keystone umbrella that have drafts
15:16:53 <gagehugo> I think the pycadf one should be close
15:17:02 <gagehugo> it's a pretty simple library
15:17:53 <gagehugo> not sure about the other two, I need to double check
15:18:09 <gagehugo> but that's all I got for this
15:18:33 <nickthetait> Ok
15:19:32 <gagehugo> #topic PTG
15:19:48 <gagehugo> little over a month away now
15:20:06 <gagehugo> we're sharing a room with Barbican I believe Mon/Tue
15:20:13 * nickthetait gets excited
15:21:26 <gagehugo> keystone is being weird this time and having Mon/Thur/Fri sessions, so Mon I will likely be more involved in there, but I should be around
15:21:51 <gagehugo> I believe it's for a cross-project day
15:22:25 <fungi> yeah, mon/tue are focused on cross-project activities
15:22:38 <fungi> for the ptg in general i mean
15:22:44 <gagehugo> I can reach out to Ade and we can figure out an agenda for us sharing
15:23:45 <gagehugo> If anyone has anything they want to discuss there, please add it to the agenda
15:23:55 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda
15:24:28 <gagehugo> #topic open discussion
15:24:35 <gagehugo> floor is open
15:24:40 <lbragstad> qq on #link https://bugs.launchpad.net/keystone/+bug/1779205
15:24:40 <openstack> Launchpad bug 1779205 in OpenStack Identity (keystone) rocky "[OSSA-2018-002] GET /v3/OS-FEDERATION/projects leaks project information (CVE-2018-14432)" [Critical,Fix released] - Assigned to Lance Bragstad (lbragstad)
15:24:56 <gagehugo> lbragstad o/
15:24:58 <lbragstad> the patches we merged were to all supported releases
15:25:33 <lbragstad> and it makes the implementation consistent regardless of the branch - but i think people were a little confused about the vulnerability description
15:25:48 <lbragstad> is there any way to change that after disclosing the report?
15:25:54 <lbragstad> or has that ship sailed?
15:25:59 <gagehugo> the bit about enabling via policy.json?
15:26:05 <lbragstad> yeah
15:26:13 <gagehugo> fungi: ^
15:26:16 <lbragstad> and some of that gyee had input on is valuable
15:26:43 <lbragstad> or do we just keep evolving the context in the bug report?
15:27:22 <fungi> we issue errata in that case
15:27:59 <nickthetait> Some relevant personal news... On Aug 20 I start as a Security Engineer for Red Hat focusing on OpenStack 😊
15:28:00 <fungi> basically we update the ossa, add a history section to it noting the modification, and send another round of public announcements about the errata
15:28:35 <fungi> it happens infrequently enough we might be lacking documentation about that process
15:28:35 <lbragstad> fungi: ack - so is that something i can initiate?
15:28:38 <gagehugo> nickthetait grats!
15:29:08 <fungi> lbragstad: definitely! the openstack/ossa repo is in public code review for precisely that reason. we love having the community involved
15:29:08 <nickthetait> thanks. I am pretty excited
15:29:14 <lbragstad> fungi: yeah - i was going to say, i've never had to step through this after a disclosure goes public
15:29:24 <gagehugo> fungi: ah ok
15:29:31 <fungi> lbragstad: if you skim/git grep older ossas you should be able to find an errata example
15:29:38 <fungi> if you can't, lmk and i'll dig one up
15:29:53 <lbragstad> cool - i can try and get something worked up today and propose it for review
15:30:03 <fungi> thanks! i'll be around
15:30:11 <lbragstad> see if i can get gyee and kmalloc to weigh in on it
15:30:12 <fungi> happy to review when you have it up
15:30:19 <lbragstad> thanks for the help
15:32:17 <gagehugo> thanks everyone!
15:32:22 <gagehugo> #endmeeting