17:03:26 <lhinds> #startmeeting security-project
17:03:27 <openstack> Meeting started Thu Jan 11 17:03:26 2018 UTC and is due to finish in 60 minutes. The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:03:28 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:03:31 <openstack> The meeting name has been set to 'security_project'
17:03:42 <lhinds> hey gagehugo , just checking if you're around
17:03:52 <gagehugo> o/
17:04:14 <lhinds> hey gagehugo !
17:04:17 <gagehugo> how was your holiday?
17:04:24 <lhinds> nice thanks, how about you?
17:04:46 <gagehugo> it was ok, I was sick for part of it but oh well
17:05:08 <lhinds> eugh, glad you got over that
17:05:16 <lhinds> never nice during non-work times.
17:05:19 <gagehugo> for the most part haha
17:05:20 <fungi> i somehow managed not to let my family infect me with any maladies
17:06:12 <lhinds> hey fungi
17:06:26 <lhinds> so here is our weekly agenda:
17:06:30 <lhinds> #link https://etherpad.openstack.org/p/security-agenda
17:06:52 <lhinds> I am still a little in catch-up mode, so the main topic from me would be PTG planning
17:06:59 <lhinds> anyone have anything they want to go over?
17:07:09 <fungi> i'm only just coming out of the meltdown patching tunnel
17:07:50 <fungi> ttx had a good openstack faq about spectre and meltdown vulnerabilities, if you didn't see it
17:08:01 <fungi> #link https://ttx.re/openstack-spectre-meltdown-faq.html OpenStack Spectre/Meltdown FAQ
17:08:17 <lhinds> great, good work there.
17:08:41 <lhinds> I was out of the loop totally when those hit.. I had a few days completely offline
17:09:00 <fungi> good planning on your part! ;)
17:09:18 <gagehugo> oh nice
17:09:25 <lhinds> yep, I had an endurance race thing on and wanted to get my head down for that.
17:09:34 <lhinds> so I have a PTG pad here:
17:09:43 <lhinds> https://etherpad.openstack.org/p/security-agenda
17:09:44 <fungi> totally understand, it's been a few years since my last race. i need to get back into it
17:10:10 <lhinds> wrong link. you should fungi , I do it to keep me sane :S
17:10:21 <lhinds> https://etherpad.openstack.org/p/security-ptg-rocky
17:10:21 <fungi> #link https://etherpad.openstack.org/p/security-ptg-rocky
17:10:38 <lhinds> I sent out an email to try and rouse some x-project topics.
17:11:27 <lhinds> hoping some projects bite, but if you two know of anything that needs collaboration or is proving tricky to get consensus on, please do propose it for what will be the security SIG room
17:11:31 <gagehugo> I don't have confirmation yet if I will be going, but might hear something soon
17:11:56 <gagehugo> I just have the keystone policy roadmap
17:12:05 <lhinds> fingers crossed gagehugo , I want to buy you a pint of the black stuff
17:12:08 <gagehugo> but that's on there already so that's good
17:12:11 <gagehugo> yay
17:12:37 <lhinds> https://www.thesun.co.uk/wp-content/uploads/2017/03/nintchdbpict000309517795.jpg
17:13:09 <gagehugo> awesome
17:13:42 <fungi> i'm not sure whether my compatriots on the vmt will be in dublin or whether it's just me again, but i sent along the url to the planning pad just in case they have suggestions
17:14:02 <fungi> aha, kmalloc says affirmative!
17:14:10 <lhinds> good idea fungi
17:14:11 <kmalloc> o/
17:14:19 <lhinds> hey kmalloc
17:14:21 <kmalloc> i plan on trying to be there
17:14:25 <kmalloc> but it's up in the air
17:14:27 <gagehugo> kmalloc o/
17:14:53 <lhinds> so yes, if you want to have any VMT sessions, use our room... it's there for the good of all things Security
17:15:19 <fungi> sounds great
17:15:40 <gagehugo> sure
17:16:17 <lhinds> kmalloc / gagehugo and any keystone'y things too that need other projects' involvement.
17:16:34 <cleong> hi
17:16:52 <kmalloc> just continuation of previous initiatives
17:16:55 <lhinds> Hey cleong
17:17:00 <kmalloc> nothing new iirc, but gagehugo might have more thoughts
17:17:07 <gagehugo> policy input for sure
17:17:15 <gagehugo> as that will affect everything
17:17:15 <lhinds> have that on ^
17:17:48 <lhinds> there is also the keystone-pyclient Threat-a we could wrap up
17:18:34 <lhinds> ok, so that should do for PTG
17:18:44 <fungi> oh, a few new hardening opportunities are publicly disclosed now. as usual, see the openstack-security ml where those notifications get copied
17:18:56 <fungi> #link http://lists.openstack.org/pipermail/openstack-security/2018-January/thread.html security ml archive for january, 2018
17:20:14 <lhinds> thx, had not seen that
17:20:52 <fungi> actually i guess only one of those is a new hardening opportunity
17:21:02 <lhinds> which one do you think fungi ?
17:21:05 * gagehugo takes a look
17:21:40 <fungi> the other threads there are also hardening opportunities, just not new ones
17:22:00 <fungi> technically the new one isn't new either, we just overlooked lifting the embargo on it for a month or so
17:22:18 <gagehugo> ah ok
17:22:47 <fungi> but it may still be interesting to pay attention to developments on them
17:23:14 <fungi> for example, the one there for bug 1649634 is noting that a previously in-progress change claiming to address the issue was abandoned for inactivity
17:23:16 <openstack> bug 1649634 in Cinder "Insecure Randomness for AES Passphrase Generation" [Low,In progress] https://launchpad.net/bugs/1649634 - Assigned to Tin Lam (lamt)
17:24:32 <fungi> so could be low-hanging fruit to restore and adopt that change
17:25:18 <fungi> the sort of stuff we could be highlighting for people who are interested in getting involved, per the outreach question on the ptg planning pad
17:26:10 <lhinds> added that fungi , there are no big objections to the patch on there, so someone could fix the merge conflicts and try to get it landed.
17:26:29 <lhinds> There are also a lot of security-doc bugs folks could pick up on.
17:26:48 <lhinds> so plenty around for getting feet wet
17:27:02 <lhinds> ok.. other topics?
17:27:09 <lhinds> #topic bandit
17:27:18 <lhinds> gagehugo: just landed your patch
17:27:27 <gagehugo> \o/
17:27:33 <lhinds> doc/requirement.txt
17:28:11 <lhinds> #topic OSSN
17:28:35 <lhinds> I need to get my finger out here and clear the backlog. I will also push for involvement at the PTG too.
17:29:11 <lhinds> gagehugo: makes sense to clean up the VMT keystonemiddleware client TA at the PTG?
17:29:24 <lhinds> clean up as in finish up
17:29:28 <gagehugo> definitely
17:29:37 <lhinds> ok, let's do that
17:29:50 <lhinds> k, so unless any other burning topics.. I think we can close for this week
17:29:52 <gagehugo> would be nicer to have people in the room to get that done
17:30:02 <lhinds> gagehugo: +1 , agree
17:30:10 <fungi> nothing else on my end
17:30:25 <gagehugo> I am good
17:30:31 <lhinds> gagehugo: all ok for you?
17:30:36 <gagehugo> yup
17:31:08 <lhinds> great, see you all next week !
17:31:10 <fungi> thanks lhinds!
17:31:14 <lhinds> #endmeeting