15:01:27 <gagehugo> #startmeeting security
15:01:28 <openstack> Meeting started Thu Oct 4 15:01:27 2018 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:29 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:31 <openstack> The meeting name has been set to 'security'
15:01:49 <gagehugo> #chair lhinds
15:01:49 <openstack> Current chairs: gagehugo lhinds
15:02:04 <gagehugo> ping eeiden fungi gagehugo lhinds nickthetait browne redrobot
15:02:10 <fungi> howdy
15:02:12 <nickthetait> heyo
15:02:15 <redrobot> o/
15:02:16 <gagehugo> agenda: https://etherpad.openstack.org/p/security-agenda
15:02:27 * redrobot is only half here... also in an IRL meeting.
15:03:32 <jaypipes> efried: I don't see why we don't just have trait:HPET=require in the flavor extra specs?
15:03:48 <efried> jaypipes: move to -nova pls
15:03:59 <gagehugo> #topic ossa/ossn
15:04:02 <jaypipes> why add some magic "if I see hw:hpet extra spec, then create a trait:HPET=require" automatically?
15:04:33 <gagehugo> https://bugs.launchpad.net/keystone/+bug/1795800 was made public yesterday I believe
15:04:33 <openstack> Launchpad bug 1795800 in OpenStack Identity (keystone) "Username enumeration via response timing difference" [Undecided,New]
15:05:17 <nickthetait> ah yes
15:06:48 <gagehugo> getting the timings to match up was deemed not an easy task
15:07:24 <gagehugo> #topic Documentation
15:07:55 <gagehugo> I think doug pushed some tox changes to the security-doc repos
15:08:23 <gagehugo> https://review.openstack.org/#/q/status:open+project:openstack/security-doc+branch:master+topic:python3-first
15:10:00 <gagehugo> #topic Threat Analysis Docs
15:10:16 <gagehugo> Same 3 are up for review
15:10:47 <gagehugo> #topic general discussion
15:11:02 <gagehugo> fungi nickthetait redrobot do you guys have anything?
15:11:07 <nickthetait> no
15:12:05 <fungi> other than that new security hardening bug you linked for keystone, nothing from me
15:12:07 <fungi> thanks!
15:12:23 <fungi> also the two cinder potential ossa public bugs we mentioned last week still need some help
15:12:55 <smcginnis> fungi: Not sure I'm aware of those.
15:13:16 <gagehugo> https://bugs.launchpad.net/cinder/+bug/1784871
15:13:16 <openstack> Launchpad bug 1784871 in OpenStack Security Advisory "ScaleIO (thin) volumes contain previous data (follow-up to 1699573)" [Undecided,Confirmed]
15:13:45 <smcginnis> gagehugo: Ah, thanks!
15:14:01 <gagehugo> https://bugs.launchpad.net/cinder/+bug/1714858
15:14:02 <openstack> Launchpad bug 1714858 in OpenStack Security Advisory "Some APIs don't check the owner policy" [Undecided,Incomplete]
15:14:31 <fungi> one of them looks like it probably needs us to issue an advisory? less sure about the other one
15:14:45 <gagehugo> fungi: ack, I'll look them over
15:15:05 <fungi> (us being members of the vmt, but assistance from other interested parties is also welcome since they're public reports)
15:16:23 <gagehugo> Is anyone going to be in Berlin?
15:17:27 <gagehugo> next summit is little over a month away
15:18:07 <nickthetait> I can't :'(
15:18:34 <gagehugo> I don't think I will be either unfortunately
15:21:48 <gagehugo> If no one else has anything, we can end early
15:22:01 <gagehugo> give back a few mins
15:23:20 <gagehugo> Thanks everyone, have a good weekend!
15:23:24 <gagehugo> #endmeeting