15:00:48 #startmeeting security
15:00:49 Meeting started Thu Dec 13 15:00:48 2018 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:50 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:53 The meeting name has been set to 'security'
15:02:05 ping eeiden fungi gagehugo lhinds nickthetait browne redrobot
15:02:21 hey
15:02:28 o/ but only kinda... also in a conference call :-\
15:02:48 nickthetait redrobot: o/
15:03:32 #link https://etherpad.openstack.org/p/security-agenda
15:03:56 nothing really on the agenda afaik for this week
15:04:03 do you guys have anything?
15:04:39 o/
15:05:28 Luzi o/
15:07:05 there has been some confusion for me about, what projects you all represent in here?
15:07:11 there was one concern raised on a security hardening bug about interest in an ossn
15:07:24 Luzi: we represent openstack
15:07:37 though we have backgrounds individually in lots of different pieces
15:08:16 fungi, i mean the backgrounds, in which openstack projects you are somehow active
15:08:53 i personally am on the technical committee, vulnerability management team, opendev/infra team and on the osf staff, among other hats
15:09:40 I'm mostly active with keystone and the vulnerability management team
15:10:10 fungi: that was the bug from april right?
15:10:44 no, getting the link
15:10:52 #link https://launchpad.net/bugs/1795800 Username enumeration via response timing difference
15:10:54 Launchpad bug 1795800 in OpenStack Identity (keystone) "Username enumeration via response timing difference" [Wishlist,Triaged]
15:10:58 for me, still pretty new. Contributed to some OSSNs and reviewing a few proposals that would have security impact.
15:10:59 ty
15:11:14 the reporter seems to be interested in more widely communicating that particular username enumeration oracle
15:11:14 oh that one
15:12:53 nickthetait: you worked/work on the bandit code security analyzer too, right?
15:13:14 hmm I wonder with the flask rework if that would be easier to fix
15:13:18 yup
15:14:08 Luzi: so anyway, a fairly diverse crowd, at least today
15:14:15 and you're with secustack, i gather?
15:16:30 and redrobot (who said he's "only kinda" around) is a core reviewer on barbican
15:16:45 fungi: yes, we have looked into a few different openstack projects so far
15:16:55 and lhinds sometimes joins us, a long-time contributor to the openstack security guide
15:18:05 fungi, nice to know
15:21:05 quick (non-security) question: was there a proposal to change the length of releases? Don't remember where I heard this
15:22:05 nickthetait: it's come up off and on over the years. most recent discussion last year looked at options anywhere from quarterly to annually and concluded that semi-annual was still a good compromise for now
15:22:27 okay thx
15:23:00 a lot of that tied into the long-term-stable/extended-maintenance discussions as well as the skip-level/fast-forward upgrades discussions
15:23:57 i think once em and ffu get a little more entrenched it might be easier to shift our release cadence in the future
15:25:47 Luzi: anyway, as i mentioned on that recent openstack-discuss mailing list thread, people with a variety of backgrounds and involvement in various bits of openstack, but as a result we're also all pulled in a lot of different directions, and we'd welcome involvement from people with backgrounds in some of the other popular components of openstack. particularly the ones in which you're trying to get a
15:25:48 foothold with the encrypted images specs
15:26:23 (cinder, glance, nova...)
15:26:54 (...oslo...)
15:27:25 i just wanted to update my knowledge so far :) it's good to know, with whom you are talking and what background they have
15:30:40 welcome to the security SIG luzi!
15:30:54 nickthetait, thank you
15:31:58 i tend to be particularly spotty with my input in these meetings because they overlap with the busiest technical committee office hour slot of the week
15:32:15 so my apologies
15:32:44 fungi, no problem - i know what overlapping meetings look like :)
15:34:27 double meetings
15:34:50 does anyone have anything else they want to discuss this week?
15:35:09 fungi: I can take a look at that bug
15:35:21 thanks gagehugo
15:35:30 no big news from me
15:35:33 I may need to find a lower power device to test it on though
15:36:28 and no, i didn't have anything especially exciting to bring up. i guess there's the ml thread on which the slow pace of moving the encrypted images work forward is progressing, and finding ways to better publicize/endorse the benefits of the feature Luzi and colleagues are designing
15:37:49 thread starts at:
15:37:58 #link http://lists.openstack.org/pipermail/openstack-discuss/2018-December/000464.html [all]Forum summary: Expose SIGs and WGs
15:38:39 cross-project specs always move slowly it seems
15:40:27 I thought I saw a temporary sig involving the projects get mentioned, not sure if that was in the email thread or tc chat
15:41:00 described as an even more informal "pop-up team" concept
15:41:31 basically the emergent behavior we tend to see when efforts like that (cinder/nova multi-attach for example) play out successfully
15:42:06 a way of pointing out what worked well and recommending similar sorts of patterns of interaction
15:46:33 interesting
15:51:01 thanks for coming everyone, feel free to ping in openstack-security if there are any more questions
15:51:11 #endmeeting