15:00:26 <lhinds> #startmeeting Security Sig
15:00:26 <openstack> Meeting started Thu Apr 19 15:00:26 2018 UTC and is due to finish in 60 minutes.  The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:27 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:29 <openstack> The meeting name has been set to 'security_sig'
15:00:41 <gagehugo> o/
15:00:49 <gagehugo> hey lhinds
15:00:50 <lhinds> pings: eeiden fungi gagehugo lhinds nickthetait ebrown
15:00:54 <lhinds> hey gagehugo !
15:01:05 <lhinds> I think fungi is on leave today or out and about
15:01:05 <nickthetait> heyo
15:01:07 <browne> o/
15:01:10 <lhinds> hey nickthetait !
15:01:11 <eeiden> o/
15:01:15 <lhinds> hey browne
15:01:25 <browne> Sorry for missing previous meetings.  Didn't realize the time changed
15:01:28 <lhinds> forgot you don't have an e at the front of browne
15:01:36 <browne> no worries
15:01:39 <lhinds> browne: no worries, understandable
15:01:41 <lkwan> is this the telemetry meeting?
15:01:48 <lhinds> lkwan: nope, security
15:02:07 <lhinds> ok, let's get this party started..
15:02:13 <lhinds> #topic agenda
15:02:18 <lhinds> #link https://etherpad.openstack.org/p/security-agenda
15:02:25 <lhinds> #chair gagehugo
15:02:26 <openstack> Current chairs: gagehugo lhinds
15:02:42 <lhinds> anyone have any additions? I put bandit migration to the top.
15:03:16 <lhinds> ok..
15:03:34 <gagehugo> I saw browne pushed a change for that
15:03:37 <lhinds> #topic Bandit Migration
15:03:47 <lhinds> gagehugo: that was just for the new pypi site.
15:03:54 <gagehugo> ah ok
15:03:55 <lhinds> not the move to pycqa
15:04:02 <lhinds> I thought it was that too :)
15:04:14 <gagehugo> heh
15:04:15 <takashin> python-novaclient stable maintainers for pike, would you review https://review.openstack.org/#/c/562500/ ? This patch fixes pike gate job failure.
15:04:23 <lhinds> so I think we should be good to make the move next week
15:04:33 <lhinds> takashin: please try #openstack-nova
15:04:44 <browne> I think we need to start by sending an email to the ML announcing bandit's migration
15:04:45 <lhinds> #link https://etherpad.openstack.org/p/bandit-migration
15:04:52 <takashin> lhinds: sorry.
15:04:55 <lhinds> browne: just did that 10 mins ago.
15:04:57 <lhinds> :)
15:05:01 <browne> oh cool
15:05:20 <lhinds> browne / gagehugo did you both get pycqa org invites?
15:05:28 <browne> i did yes
15:05:29 <gagehugo> yup
15:05:35 <lhinds> great.
15:05:57 <browne> so who has admin on the github openstack/bandit
15:06:12 <gagehugo> good question
15:06:20 <browne> still wondering how the github project group changes from openstack to pycqa
15:06:29 <lhinds> ok..
15:06:34 <lhinds> so here is how it will work
15:07:07 <lhinds> I will do the import from review.openstack.org/bandit.git to github.com/pycqa/bandit
15:07:24 <lhinds> github has an import feature that automates this, I already did a test run and it works very well.
15:08:00 <lhinds> after that is done, we will push a patch to the openstack (gerrit based) repo to 'git rm' all files, apart from the readme
15:08:23 <lhinds> the readme will then tell users where to go to contribute or raise issues (which will be on github/pycqa/bandit)
15:08:40 <lhinds> if you check out the etherpad I am compiling the specific steps.
15:09:09 <gagehugo> ah ok
15:09:23 <lhinds> I have spoken with fungi a lot and we don't need to do anything else in regards to patches, as all projects use tox / pypi, and pycqa will continue using pypi to release
15:09:51 <lhinds> I just need to check with ian around pypi account matters (for sdist upload / twine operations)
15:09:54 <lhinds> and also...
15:10:07 <browne> but unit testing will switch from zuul to travis CI or something
15:10:13 <lhinds> how will bandit/docs/*.rst get hosted on readthedocs.
15:10:40 <lhinds> browne: was just typing out how I need to work that out with ian too :)
15:10:43 <lhinds> good call!
15:11:10 <lhinds> I think it will be travis-ci
15:11:17 <lhinds> as that's what the other projects are working on.
15:11:20 <browne> cool, i like travis-ci
15:11:41 <nickthetait> appears as though they use travis and appveyor
15:11:48 <lhinds> my recommendation is that we hold off on any pull requests until we get a .travis file in place.
15:12:16 <browne> yep
15:12:24 <lhinds> I am happy to make a PR with a .travis and we can review from there.
15:12:39 <browne> I should also add that functional testing on bandit no longer works.  It previously did
15:12:52 <browne> so much of the plugin testing isn't happening, which is bad
15:13:10 <nickthetait> is there an open issue for that?
15:13:14 <lhinds> browne: we could do some functional tests in bandit
15:13:18 <browne> hmm, i'll poen one
15:13:22 <browne> open
15:13:25 <gagehugo> sounds good
15:13:42 <lhinds> browne: as long as they have a failure exit code that travis will pick up.
15:14:21 <lhinds> I also need to work out how this redirect is happening: https://bandit.readthedocs.io/en/latest/
15:14:42 <lhinds> or rather who has upload rights
15:14:48 <lhinds> (it's not a redirect)
15:14:52 <lhinds> any idea browne ?
15:15:11 <browne> ha, didn't know of that link.  strange
15:15:24 <browne> but normally on github, with admin you can setup readthedocs
15:15:39 <lhinds> actually it might be in bandit's sphinx config
15:15:46 <lhinds> that's where you set the theme
15:15:52 <lhinds> I bet they are using the openstack theme
15:16:06 <browne> i also think we'll need the PyPI user/password from one of the former cores (Travis, etc)
15:16:11 <lhinds> and we just need to change to this one: https://pycodestyle.readthedocs.io/en/latest/
15:16:38 <lhinds> browne: yep. I am in touch with travis and ian so I can get in touch with them.
15:16:48 <lhinds> browne: I guess you will be handling releases?
15:17:07 <lhinds> or at least heading them up initially, with back fill from others?
15:17:16 <browne> lhinds: sure i can handle releases
15:17:21 <lhinds> browne: cool
15:17:25 <browne> but we should have backups
15:17:54 <lhinds> browne: +1
15:18:31 <lhinds> ok, anything else on bandit migration..I will make sure all of the above is captured
15:19:00 <browne> sounds good.
15:19:30 <lhinds> ok, not sure if mr tatu is here.
15:19:52 <lhinds> nothing new for docs, let's go to nickthetait 's OSSN
15:19:57 <lhinds> thanks nickthetait !
15:20:03 <nickthetait> :)
15:20:25 <lhinds> It looks good to me, once another core +2's I will send out an email to the lists and make a wiki entry (both will credit you).
15:20:34 <lhinds> gagehugo: do you have +2 on security docs?
15:20:40 <gagehugo> lhinds nah
15:21:07 <lhinds> k, I will ask the docs ptl to add you, if that's ok by you?
15:21:12 <gagehugo> lhinds sure
15:21:22 <gagehugo> nickthetait I have an email to review that, I'll do it today
15:21:22 <lhinds> great!
15:21:43 <lhinds> gagehugo: if you +1 that's good enough for me to do mergies
15:21:44 <nickthetait> thx gagehugo
15:21:54 <gagehugo> lhinds sounds good
15:21:55 <nickthetait> +1 means "this change is ok by me", but +2 means what?
15:22:20 <lhinds> nickthetait: +2 is like extra powers that allow you to merge the change
15:22:29 <nickthetait> ok
15:22:36 <gagehugo> double ok by me
15:22:41 <lhinds> 'core reviewer'
15:22:47 <lhinds> ok
15:22:51 <lhinds> thanks again nickthetait
15:23:03 <lhinds> great to have you on board
15:23:12 <lhinds> #topic threat analysis
15:23:19 <nickthetait> if any other OSSNs were to be confirmed I might take a crack at them too ;)
15:23:31 <lhinds> nickthetait: sounds great!
15:23:43 <lhinds> gagehugo: I am little out of touch here, anything needed for TA?
15:23:58 <lhinds> is the keystone-middlewareclient ok now?
15:24:11 <gagehugo> lhinds I believe it's good
15:24:16 <lhinds> oh I see it 'Approved'
15:24:17 <gagehugo> the tag was added
15:24:25 <lhinds> so oslo and pycadf
15:24:27 <gagehugo> not sure if anything else is needed but I don't believe so
15:24:35 <lhinds> I will take an action to look at those
15:24:49 <gagehugo> lhinds yeah I need to look through those
15:24:56 <lhinds> #action lhinds look at pycadf / oslo.cache TA
15:25:08 <lhinds> great!
15:25:18 <lhinds> ok, the other one to get in before the end.
15:25:27 <lhinds> #topic chair rotation
15:25:36 <lhinds> so been meaning to sort this out for a while
15:25:45 <lhinds> the current SIG chairs are lhinds and gagehugo
15:25:58 <lhinds> and we planned to have a rotation on chairing meetings.
15:26:17 <lhinds> I thought we should put it open to the sig.
15:26:40 <lhinds> gagehugo: any preferences, every month / week / 2 months?
15:26:52 <gagehugo> lhinds month would be good for me
15:26:53 <lhinds> i think each week is too frequent
15:26:58 <gagehugo> agreed
15:27:02 <nickthetait> month seems reasonable
15:27:06 <lhinds> let's do that then
15:27:09 <gagehugo> 2 months and I'm liable to forget
15:27:20 <lhinds> so this would mean you take on May
15:27:26 <lhinds> I will wrap up April
15:27:44 <lhinds> sounds good gagehugo ?
15:27:58 <gagehugo> lhinds works for me
15:28:07 <gagehugo> maybe we can put this down on a schedule somewhere?
15:28:17 <gagehugo> like the agenda
15:28:20 <lhinds> gagehugo: will do
15:28:34 <lhinds> #action lhinds to update wiki about chair rotation information
15:28:47 <lhinds> k, let's end this now, as ian is over in openstack-security
15:28:51 <lhinds> gagehugo / browne
15:29:05 <lhinds> can we meet in there now / after this to go over the Q's we had?
15:29:10 <gagehugo> sure
15:29:12 <lhinds> thanks all!
15:29:14 <browne> sure
15:29:16 <lhinds> #endmeeting