15:00:19 <gagehugo> #startmeeting security
15:00:20 <openstack> Meeting started Thu Jun 18 15:00:19 2020 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:21 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:23 <openstack> The meeting name has been set to 'security'
15:00:47 <gagehugo> #link https://etherpad.opendev.org/p/security-agenda agenda
15:00:54 <gagehugo> o/
15:02:58 <rosmaita> o/
15:03:08 <rosmaita> (i have something for open discussion)
15:03:09 <fungi> aloha, y'all
15:03:20 <Luzi> o/
15:03:35 <gagehugo> #topic follow-up from last week
15:03:54 <gagehugo> fungi: I'll reach out to the docs core about adding people for the security-docs today
15:04:06 <gagehugo> been pre-occupied this week unfortunately
15:04:28 <gagehugo> also will attempt to send out a meeting poll for a new meeting time
15:04:40 <fungi> sounds great
15:05:07 <gagehugo> that's all I had
15:05:10 <gagehugo> #topic open discussion
15:05:14 <fungi> it's been a quiet week for security bugs too (so far, hope i don't jinx us)
15:05:20 <gagehugo> rosmaita: o/
15:05:20 <rosmaita> jinx
15:05:30 * fungi glares at rosmaita
15:05:31 <rosmaita> ok, this is about ossn-0086
15:05:39 <rosmaita> https://review.opendev.org/#/q/Ie2db587c3bc379acd53cfd449788d171ae58dec5
15:05:56 <rosmaita> so, it turns out when you run the os-brick part of the fix under py2.7, it breaks
15:06:12 <fungi> that's probably not so helpful
15:06:20 <rosmaita> so doesn't apply to u or master
15:06:42 <fungi> "breaks" as in fails open or fails secure (just doesn't work at all)
15:06:44 <fungi> ?
15:06:54 <rosmaita> just doesn't work
15:07:12 <rosmaita> so i guess it also doesn't leak info
15:07:14 <gagehugo> hmm
15:07:24 <fungi> doesn't work to fix the vulnerability, or renders the driver inoperable?
15:07:40 <rosmaita> thinking
15:08:00 <rosmaita> i guess just makes it inoperable
15:08:20 <rosmaita> the cinder side will no longer pass the password to brick
15:08:27 <rosmaita> and brick is unable to get it out of the config file
15:08:47 <fungi> okay, so basically anyone who applied this fix on older releases under python 2 broke their deployments, but it didn't continue to leave them vulnerable to the identified security risk at least
15:09:33 <rosmaita> yeah ... though in reality, it broke staging and they didn't update production
15:09:41 <fungi> (so they most likely knowingly backed out the fix, and are aware they're running a vulnerable configuration)
15:09:42 <rosmaita> which would still be vulnerable
15:09:50 <rosmaita> what fungi said
15:10:09 <fungi> still, far better than having them think they're safe when they're still vulnerable
15:10:32 <rosmaita> so, what i have to do is: get the brick fixes merged, release new brick version, get u-c updated, update cinder requirements, release new cinder
15:10:59 <fungi> sounds right. and then update the ossn and probably send out an errata announcement
15:11:02 <rosmaita> for the EM branches ... rocky gate is hosed ATM, so fix to rocky brick has not merged, and has not been backported to queens
15:11:26 <rosmaita> yeah, that was my plan, update the OSSN as soon as stuff is available
15:11:33 <fungi> those branches also won't get point releases anyway, so it's fine to just point to the patches in review i guess
15:11:56 <rosmaita> ok
15:12:13 <fungi> so long as you're fairly confident they're correct
15:12:32 <rosmaita> well, i added tests to catch this particular problem
15:12:36 <fungi> i mean, for security advisories we always reference the patches in review (for the sake of expediency)
15:12:57 <rosmaita> the issue is that we rely on the vendor third-party CI for validation
15:13:13 <rosmaita> and we requested that they all run py3 in their CI
15:13:27 <fungi> right, driver patching for proprietary stuff is an imperfect process
15:14:09 <fungi> i mean, they wouldn't be able to test master with python 2 at this point anyway
15:14:25 <rosmaita> so, i guess we do have some validation that this works with py27, from the bug reporter
15:14:40 <fungi> i would consider that "probably good enough"
15:14:45 <rosmaita> :)
15:15:18 <rosmaita> ok, i will talk to smcginnis about allowing the queens patch to be posted before rocky merges
15:15:24 <rosmaita> (he really hates that)
15:15:43 <rosmaita> but that will allow me to get the OSSN updated and an announcement out to the ML
15:15:52 <fungi> somebody's gotta troll him, might as well be you
15:15:57 <rosmaita> just wanted to give y'all a heads-up
15:16:05 <fungi> thanks for the detailed explanation!
15:16:16 <fungi> feel free to reach out if you need my help with any of that
15:16:17 <rosmaita> yeah, sorry about this, it's kind of embarrassing
15:16:22 <rosmaita> for me anyway
15:16:42 <rosmaita> i did write nice unit tests for it though (this time)
15:16:51 <fungi> shouldn't be embarrassing, it's complicated software, made harder trying to work indirectly with third parties for drivers to proprietary products
15:17:13 <rosmaita> i like your attitude!
15:17:35 <rosmaita> ok, that's all from me
15:18:25 <gagehugo> yeah getting that fix working coordinated with 3rd party drivers doesn't sound simple at all lol
15:19:38 <rosmaita> no, and this kind of py3 working fine but not on py27 problem is likely to bite us again
15:20:15 <fungi> Luzi: welcome to the security sig meeting, good to see you here! did you have anything you wanted to discuss (image encryption stuff, something else)?
15:22:22 <Luzi> ah yes, as we would like to add encryption/decryption code in os_brick, it would be nice to have someone look over it, currently it's just a WIP-patch to give a sight of what we are doing
15:22:46 <fungi> you're in luck, rosmaita's right here! ;)
15:22:55 <Luzi> https://review.opendev.org/709432
15:23:18 <rosmaita> yeah, i have been meaning to get to it, but some other stuff has interfered
15:23:57 <fungi> argh
15:24:06 <fungi> sorry, didn't see caps lock was on
15:24:21 <fungi> hit caps lock instead of a :/
15:24:21 <gagehugo> haha
15:24:33 <Luzi> rosmaita, no worries :D i will need to talk to the glance guys also - after my vacation
15:24:34 <rosmaita> well, that certainly got your message across!
15:24:37 <fungi> trying to type one-handed while holding lunch
15:24:55 <gagehugo> vacation sounds good
15:25:12 <fungi> i could use one too
15:26:34 <rosmaita> Luzi: when is your vacation? we have cinder mid-cycle next week (wednesday)
15:26:51 <Luzi> the next two weeks
15:27:08 <rosmaita> ok, have a good one!
15:27:20 <Luzi> thank you :)
15:30:57 <fungi> i suppose this could be a good time to remind folks we have a lot of open (public!) bugs for suspected vulnerabilities, which could use all the help they can get (confirming if there's an actual exploit scenario, identifying duplicates, testing, proposing patches to review....)
15:31:10 <gagehugo> yes
15:31:25 <fungi> #link https://bugs.launchpad.net/ossa/ Suspected Security Vulnerability Reports
15:31:44 <fungi> currently 32 there
15:34:52 <gagehugo> updated the etherpad
15:35:06 <gagehugo> Does anyone else have anything for this week?
15:37:11 <gagehugo> fungi Luzi rosmaita: thanks!  Have a good rest of the week
15:37:18 <gagehugo> #endmeeting