17:02:17 <lhinds> #startmeeting Security Project Meeting
17:02:18 <openstack> Meeting started Thu Mar 16 17:02:17 2017 UTC and is due to finish in 60 minutes. The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:02:19 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:02:21 <openstack> The meeting name has been set to 'security_project_meeting'
17:02:22 <unrahul> o/
17:02:23 <knangia> 0/
17:02:25 <tkelsey> o/
17:02:25 <capnoday> o/
17:02:27 <lhinds> o/
17:02:28 <vinaypotluri> o/
17:02:34 <mdong> o/
17:02:54 <lhinds> #topic agenda
17:02:57 <lhinds> #link https://etherpad.openstack.org/p/security-agenda
17:03:07 <lhinds> #chair hyakuhei
17:03:08 <openstack> Current chairs: hyakuhei lhinds
17:03:24 <capnoday> hyakuhei has got held up in a meeting, please carry on lhinds
17:03:34 <lhinds> feel free to make additions to agenda ^
17:03:37 <lhinds> thanks capnoday
17:03:40 <lhinds> #chair capnoday
17:03:40 <openstack> Current chairs: capnoday hyakuhei lhinds
17:03:53 <lhinds> #topic Syntribos
17:03:59 <unrahul> we have been testing cinder
17:04:04 <lhinds> anything Syntribos devs?
17:04:05 <unrahul> as part of the core project testing
17:04:18 <unrahul> and have added i18n to syntribos
17:04:20 <aasthad> o/
17:04:35 <unrahul> thats the major stuff we did this week on syntribos front
17:04:49 <lhinds> sounds good!
17:04:54 <lhinds> anything interesting found?
17:05:09 <unrahul> we have found few 500 and possible xss
17:05:17 <lhinds> ohh
17:05:20 <unrahul> more tests have to be done to confirm
17:05:40 <unrahul> mdong: can chip give further info on this
17:05:46 <lhinds> gj unrahul
17:05:57 <hyakuhei> Hey!
17:06:01 <hyakuhei> Thanks lhinds
17:06:02 <unrahul> hey hyakuhei
17:06:05 <lhinds> hi hyakuhei
17:06:06 <hyakuhei> I'm in a crazy call, running late
17:06:07 <vinaypotluri> welcome hyakuhei
17:06:12 <hyakuhei> Insane day, so sorry I'm late guys
17:06:17 <hyakuhei> lhinds please carry on!
17:06:24 <lhinds> no worries hyakuhei
17:06:43 <lhinds> #topic Security Docs
17:06:51 <lhinds> #link https://review.openstack.org/#/c/427760/
17:06:57 * asettle runs in
17:07:22 <lhinds> hey asettle
17:07:22 <hyakuhei> hi asettle !
17:07:26 <unrahul> hey asettle
17:07:26 <asettle> Hey teammmmm
17:07:31 <asettle> Aw that's a nice welcome
17:07:31 <unrahul> welcome.
17:07:32 <knangia> hey asettle
17:08:04 <asettle> p/
17:08:07 <asettle> ... derp
17:08:11 <asettle> o/
17:08:59 <unrahul> so with asettle s and the entire docs team awesome help, we were able to merge 5 security guide bugs, close 1 and have wishlist'd 1 B-)
17:09:09 <hyakuhei> You guys are all hereos!
17:09:16 <hyakuhei> I can't spell
17:09:19 <asettle> On that note...
17:09:23 <asettle> I'm going through and doing edits
17:09:24 <asettle> #link https://review.openstack.org/445911
17:09:28 <asettle> #link https://review.openstack.org/446033
17:09:30 <hyakuhei> but I am genuinely happy with all this progress
17:09:31 <capnoday> great work :)
17:09:31 <asettle> Please take the time to review
17:09:50 <asettle> They should be fast merges. Please take the patch off me instead of commenting if I've forgotten a little thing :)
17:09:51 <lhinds> great work!
17:09:56 <asettle> Also, I'm tracking some of the work here
17:09:57 <asettle> #link https://etherpad.openstack.org/p/sec-guide-pike
17:10:09 <asettle> Everyone take the time to look if you can, and put your name down if you can :)
17:10:16 <asettle> that's a lot of 'if you cans'
17:10:18 <asettle> But you get me
17:10:20 <unrahul> thanks hyakuhei capnoday :)
17:10:32 <unrahul> looking at the patch now asettle
17:10:35 <asettle> Gracias
17:10:52 <unrahul> Guys we need the community input on a bug
17:10:57 <unrahul> vinaypotluri: can you fill in?
17:10:59 <knangia> thanks hyakuhei
17:11:18 <vinaypotluri> I've been working on this bug https://bugs.launchpad.net/ossp-security-documentation/+bug/1619485 and would need the community's input on it
17:11:18 <openstack> Launchpad bug 1619485 in OpenStack Security Guide Documentation "Annual Cipher Validation - Introduction to TLS and SSL in Security Guide" [Medium,Confirmed] - Assigned to Vinay Potluri (vinay-potluri)
17:11:40 <asettle> (I gotta go, have a great day people!)
17:11:46 <vinaypotluri> according to the bug the recommendation mentioned still holds good and i feel it should remain the same
17:11:51 <lhinds> #link https://bugs.launchpad.net/ossp-security-documentation/+bug/1619485
17:11:53 <unrahul> see you later asettle
17:12:10 <lhinds> thanks asettle
17:12:11 <vinaypotluri> I made a small gist explaining about it https://gist.github.com/vinaypotluri/6ea068e1073fd51267f2052a85479067
17:12:17 <vinaypotluri> thanks asettle
17:12:21 <knangia> thanks asettle
17:12:39 <asettle> o/
17:13:10 <lhinds> thx vinaypotluri , will take a look
17:13:18 <lhinds> I put all the above links in the etherpad as well
17:13:21 <vinaypotluri> If you guys feel the recommendation still provides with high level of security for network communication we can close the bug
17:13:32 <vinaypotluri> sure lhinds
17:13:38 <unrahul> hyakuhei: lhinds capnoday ^
17:13:55 <hyakuhei> asettle really thankful for the leadership you're providing here
17:14:11 <hyakuhei> vinaypotluri I think I'm happy with closing :)
17:14:28 <vinaypotluri> thank you hyakuhei
17:15:05 <lhinds> will a patch follow up to docs?
17:15:24 <unrahul> I don't think there is a need for a new patch ryt lhinds ?
17:15:43 <lhinds> ok cool, not read into it much so go with you folks
17:15:50 <lhinds> anything more on docs?
17:15:51 <unrahul> As the info as it is provided in the guide still valid?
17:16:00 <lhinds> unrahul: sgtm
17:16:10 <unrahul> nop.. we have assigned few more to ourselves..and have started on them
17:16:14 <unrahul> thats it from us on docs
17:16:26 <lhinds> #topic OSSN
17:16:55 <lhinds> one OSSN I want to 'won't fix', please let me know what you think:
17:16:57 <lhinds> https://bugs.launchpad.net/ossn/+bug/1649248
17:16:57 <openstack> Launchpad bug 1649248 in OpenStack Security Notes "Glance image upload wizard does not restrict invalid image files" [Undecided,New]
17:17:11 <lhinds> its yet another rate limit ' set admin only for glance upload.
17:18:05 <lhinds> I think sigmavirus agrees with me too, as well as another glance core
17:18:20 <lhinds> but happy to take other input, if people still think its a note.
17:18:25 * sigmavirus looks
17:19:09 <sigmavirus> Yeah, I don't know that that needs an OSSN
17:19:12 <sigmavirus> It's been covered before
17:19:39 <lhinds> agree, i will no fix that.
17:19:44 <sigmavirus> Part of the motivation behind glance tasks for v2 was to allow operators to write things to introspect uploaded data, but those are kind of not really well used (as v2 isn't adopted very well)
17:20:35 <lhinds> if some sort of escalation was possible, then its concern, but if not..meh
17:20:47 <lhinds> its no different to putting eicar.txt in dropbox.
17:21:04 <lhinds> well a little different, but you catch my drift
17:21:31 <lhinds> another new possible note is :https://bugs.launchpad.net/ossn/+bug/1673085
17:21:31 <openstack> Launchpad bug 1673085 in OpenStack Security Notes "scheduler hints are unbounded and never deleted" [Undecided,New]
17:21:46 <lhinds> awaiting to see if a mitigation is available.
17:22:20 <lhinds> if not, I am hesitant to send out a note, with no recommended action for operators to take.
17:22:41 <lhinds> I will get my inbox bombed with replies over what people should do.
17:22:56 <lhinds> thats it for notes.
17:23:06 <lhinds> #topic any other business?
17:23:39 <lhinds> we have 5 mins still if any more topics?
17:24:31 <lhinds> k. thanks all
17:24:34 <lhinds> #endmeeting