15:01:35 #startmeeting security
15:01:36 Meeting started Thu Jun 20 15:01:35 2019 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:37 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:39 The meeting name has been set to 'security'
15:01:46 #link https://etherpad.openstack.org/p/security-agenda agenda
15:01:47 o/
15:02:30 light agenda this week, but that's a good topic there
15:03:32 #topic Spruce up the security.openstack.org page
15:04:19 yeah I believe we briefly touched on this last week?
15:04:48 hey
15:04:55 yep, it was also on our list of things we wanted help with
15:05:06 so this seems like a good way to kick off some of that
15:05:46 we can step through it section-by-section maybe and take notes on what it might need?
15:06:05 that sounds good
15:06:54 i just skimmed the preamble and it still seems fine to me, though it could maybe do with content about more than just ossa.ossn
15:07:15 yeah looking at that now
15:08:02 ideally any of the high-level sections of that page (at least any we don't decide should be (re)moved) would be good to introduce there as well
15:08:27 ok
15:08:58 #topic how to report security issues
15:09:10 I'm writing all this down in the agenda notes btw
15:09:41 thanks!
15:10:03 so on security reporting, we ought to include process for reporting via storyboard
15:10:13 definitely
15:10:27 that sounds good :)
15:10:47 maybe add info about not marking public things as private too, I've seen that before
15:10:49 it's a glaring omission at the moment, and recent feature improvements in storyboard also make for a much nicer workflow in this regard
15:11:07 oh, yeah that's a great suggestion gagehugo
15:11:52 basically warn reporters that if you initially report something in public, we're going to just assume it was disclosed at that point
15:12:03 as lots of people will have received notifications about it
15:12:15 and it's not worth trying to put that cat back in the bag
15:12:19 those beans back in the can
15:12:24 whatever metaphor you prefer
15:12:27 toothpaste in the tube!
15:12:34 that one!
15:13:16 otherwise i think this section is in good shape
15:13:17 sure
15:13:35 #topic security info for openstack deployers
15:13:50 ossa looks fine
15:14:05 the preamble here is a bit disconnected as a bullet list
15:14:36 remove the bullet list?
15:14:47 i thought we ought to rework it as prose (but also not try to significantly duplicate any summary we put in the top level preamble for the page)
15:15:03 maybe just a couple sentences there
15:15:37 sure
15:15:57 * fungi is not a fan of higher-level headings which are directly followed with lower-level headings and no information to introduce them
15:17:23 the ossa section seems fine, yeah. it's mostly just autogenerated from the most recent ossa titles anyway
15:17:58 the ossn section could probably stand to have "(OSSN)" appended to its heading title for consistency
15:18:10 ok
15:19:07 more of a separate-but-related project, getting the ossn corpus imported into a git repo would allow us to autogenerate content similar to how we do for ossa
15:19:30 the ossa section doesn't really have much in the way of internal description, while the ossn section is nothing but
15:19:59 sure
15:20:02 makes sense
15:20:24 we've also said in the past that we consider an ossn to be an addendum to the security guide, might be nice to mention that somewhere
15:20:53 (which is why they're sequentially numbered and not arranged by year)
15:21:03 ok
15:21:11 should I add that into security guide?
15:21:26 maybe? not sure
15:21:44 i'll keep eyes open to see if there is a good place
15:22:00 (currently reading through the whole thing)
15:22:12 in fact, we could stand to explain the numbering schemes for both ossa and ossn, maybe that belongs in the security information preamble prose
15:23:26 one other thing (not to get too far off topic, sorry) which ossn in git could provide is an easy way to transclude them as *actual* addenda in the security guide builds
15:23:49 or maybe even just as a generated index in an appendix or embedded into the toc
15:24:06 but that's a nice-to-have for later
15:24:16 ok
15:24:56 the security guide section looks okay to me, assuming we get the guide itself refreshed a bit
15:25:23 that's a rabbit hole heh
15:25:27 * nickthetait nods
15:25:29 but as nickthetait is the one who has presumably been looking most closely at it lately, he may have ideas for things we should add/remove in that paragraph
15:27:08 i feel like the security project blog section should probably be removed, unless we have volunteers to resurrect that effort
15:27:09 seems reasonable in its current state
15:27:27 yeah :S
15:27:42 hails from an era when we had far more folks in the ossg who liked to write editorials
15:28:06 we could still link to it from somewhere as a source of historical info, i dunno
15:28:24 it looks like it only really existed for ~1.5 years and hasn't been touched in almost 2 years now
15:28:55 yeah :/
15:28:59 or longer if you ignore the most recent post which was nearly a year gap from the one preceding it
15:29:06 any blog posts that are particularly relevant/noteworthy?
15:30:24 some look like things which might make sense to incorporate into the security guide if they're still relevant, but also i don't see any license listed so would need to get permission from each author for the pieces in question
15:31:56 i was thinking of just a little bit of curation, linking to a few important ones
15:33:44 #topic security info for openstack devs
15:35:31 propose/review could be updated for storyboard, although the process is the same
15:39:41 the development guides could probably use curating
15:40:53 sorry, power went out briefly
15:41:25 no worries
15:41:34 and yeah, i might hold off on adding storyboard bits there until we get the attachments feature in place
15:42:02 it's close now, so we can soon recommend attaching patches instead of having to quote them in story comments
15:42:09 ok
15:43:47 just saves having to rewrite heavily
15:43:53 sure
15:44:01 #topic OpenStack Security Project
15:44:17 this definitely needs some love
15:44:35 in need of a post-sig rewrite
15:44:38 yes
15:48:24 Do we want bandit & syntribos here?
15:50:52 i suspect not any longer
15:51:22 while bandit started within our community it has grown beyond and is now officially maintained outside openstack
15:51:27 so remove the security tool section then?
15:51:28 yeah
15:51:38 sure
15:51:41 syntribos looked promising, but seems like it may have been abandoned?
15:51:55 if so, then this section should likely go away
15:52:04 Yeah, it gets occasional zuul-related updates
15:52:07 afaik
15:52:20 (and we should perhaps visit retiring the syntribos repo)
15:53:07 ok
15:56:53 Nice job everyone, got a good list of todos
15:57:04 \o/
15:57:28 I'll add retiring syntribos to the newsletter and maybe someone will respond
15:58:33 awesome
15:58:58 otherwise thanks everyone and have a good rest of the week & weekend!
15:59:01 #endmeeting