19:00:57 <SotK> #startmeeting storyboard
19:00:59 <openstack> Meeting started Wed Oct 31 19:00:57 2018 UTC and is due to finish in 60 minutes.  The chair is SotK. Information about MeetBot at http://wiki.debian.org/MeetBot.
19:00:59 <fungi> hey howdy!
19:01:00 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
19:01:02 <openstack> The meeting name has been set to 'storyboard'
19:01:08 <diablo_rojo> Hello!
19:02:06 <SotK> #link https://wiki.openstack.org/wiki/Meetings/StoryBoard#Agenda_for_next_meeting Agenda
19:02:37 <SotK> #topic Migration Updates
19:02:44 <SotK> any updates this week diablo_rojo?
19:03:48 * fungi hopes we're not keeping SotK from evening hallowe'en festivities
19:04:08 <diablo_rojo> Sadly not, just that I still haven't had time to dig into the LP API to figure why things are being cut short of the full migration
19:04:15 <diablo_rojo> Yeah we can make this quick
19:04:36 <fungi> full neutron migration, right
19:04:44 <diablo_rojo> Right
19:04:59 <clarkb> On the attachment spec I think it would be helpful for storyboard to describe the requirements it feels it has for this feature. Then we can build around that rather than going with whatever infra could do today. This helps inform both directions of the needs and limitations I think.
19:05:27 * fungi thinks clarkb is jumping ahead on the agenda ;)
19:05:34 * diablo_rojo thinks so too
19:05:44 <clarkb> sorry
19:05:54 <diablo_rojo> Attachments are just so exciting :0
19:05:54 <clarkb> (that was my update)
19:06:25 <clarkb> they are!
19:06:54 <SotK> diablo_rojo: no worries, I've also not had much time this week
19:07:06 <SotK> #topic Berlin
19:07:18 <clarkb> (I now see the topic was specifically migration updates)
19:07:23 <diablo_rojo> WRT the neutron migration, I am kind of prioritizing the attachment spec and moving that forward higher. Hence the lack of progress.
19:07:28 <diablo_rojo> clarkb, lol
19:07:36 <SotK> yeah that makes sense to me
19:08:03 <diablo_rojo> Nothing new on the Berlin topic, just wanted to make sure those watching knew about it.
19:09:37 <SotK> #topic Story Attachments
19:09:55 <diablo_rojo> I could send something to the ML telling people to bring last concerns to the Berlin forum session?
19:10:07 <diablo_rojo> Just a thought
19:10:14 <clarkb> diablo_rojo: ++ and remind them that storyboard will be there is probably worthwhile
19:10:24 <SotK> diablo_rojo: yep that sounds worthwhile
19:10:31 * diablo_rojo adds that as a todo for today
19:11:03 <diablo_rojo> Anywho, attachment things now :)
19:11:04 <fungi> so on the attachments spec, i feel like the actual requirements are fairly nominal/flexible, but a lot of that has to do with how we design the feature
19:11:14 <fungi> storage requirements i mean
19:11:48 <clarkb> ya I'm sure we can make something work. But I think it would be valuable to understand how storyboard would like to see it work
19:11:58 <clarkb> Then see if the hosting can accommodate that (rather than the other way around)
19:12:03 <fungi> i'm also curious as to whether the comments i posted make sense, with regards to a simpler way to go about this security-wise
19:12:53 <diablo_rojo> fungi, it mostly made sense, I think I was failing to see how it was different than the undiscoverable URIs?
19:12:58 <fungi> if an attachment is only reachable by knowing its url which includes a uuid someone would have to guess or otherwise be provided, is that sufficiently secure?
19:13:37 <diablo_rojo> I would guess so? but I certainly am no security expert
19:13:38 <fungi> other parts of the spec described temporary urls and/or proxying all the content requests through storyboard
19:13:38 <SotK> I think the part I was misunderstanding from your idea was that the URL is determined at upload time and recorded in storyboard, rather than being generated on demand
19:13:56 <SotK> I think this way sounds much easier to implement
19:14:08 <SotK> but I don't really feel entirely qualified to comment on its security
19:14:24 <SotK> I don't see anything immediately wrong
19:14:34 <persia> One of the differences is that if there is a magic open URI, that can be pasted to e.g. IRC.  Conversely, if control is managed by storyboard directly, pasting the URI doesn't disclose anything.  Personally, I think having a separate storage system (with guessable UUIDs) is probably sufficiently secure for task tracking, but others may be more concerned.
19:15:05 <clarkb> The two big things seem to be controllable URIs and indexable content
19:15:23 <fungi> yeah, my take is that if someone can leak the persistent url to the attachment, then they can just as easily leak the contents of the attachment or other aspects of the private story anyway
19:15:24 <persia> What is the benefit of indexable content?
19:15:42 <clarkb> persia: you can store advertisements or similar that show up in google searches
19:15:44 <persia> fungi: Absolutely.
19:16:09 <persia> clarkb: I consider that a detriment, but I can see the potential for abuse.
19:16:09 <clarkb> this is the sort of spamming we've seen on our wiki
19:16:37 <fungi> yeah, i think what clarkb means is we don't want them indexable. i mentioned some possible solutions to that as well
19:16:40 <persia> Has anyone asked #launchpad how they deal with the potential for spam?
19:17:15 <diablo_rojo> persia, I have not
19:17:18 <fungi> doesn't prevent someone from posting the url to an attachment somewhere else where it can then be indexed by a search engine i guess, but these days that's a less attractive prospect
19:17:20 <diablo_rojo> but that would be useful information
19:17:47 <fungi> basically if they already have somewhere unpoliced to post the url, then they'd just post the raw content there instead
19:17:58 <persia> My vague memory is that they have a policy and a means to delete things that seems to work.  Dunno about volume of LP-hosted projects vs. OSF-hosted projects.
19:18:04 <fungi> that's what we saw happening with our wiki, fwiw
19:19:00 <diablo_rojo> fungi, posting advertisements or logs of things?
19:19:16 <fungi> i do agree with clarkb that it's something we should keep an eye out for, and don't think it should really factor too much into the design
19:19:41 <fungi> diablo_rojo: these days it's mostly people posting urls to scams or phone numbers for the same
19:19:58 <diablo_rojo> Got it.
19:20:12 <fungi> so that when you google "miscrosoft office support" you get friendly results for a phone number to call where they'll take your credit card info
19:20:24 <clarkb> fungi: from the design side if say swift publicly served content doesn't allow you to not index (or alternatively index at all) that is something that should factor in? I agree it shouldn't be the main consideration, just another thing to check when considering options
19:21:00 <fungi> yes, if the object store conveniently provides a public index to all content you serve from it, that would be something to discount it
19:21:26 <fungi> i don't think swift forces a public index of your objects, for precisely this reason
19:21:35 <diablo_rojo> Something we don't want.
19:22:47 <fungi> basically, under my suggested design, we would want storyboard to privately maintain its index of (persistent public) object urls, and would not want the object store to serve an index of those
19:23:11 <clarkb> fungi: makes sense to me
19:23:21 <fungi> we also would want to be sure said urls couldn't be enumerated in any achievable amount of time
19:23:34 <fungi> by someone who lacks access to that index
19:24:18 * SotK thinks that this sounds like the best solution of the ones that have been suggested
19:24:37 <persia> Indeed
19:24:44 <fungi> anyway, i didn't want to monopolize the discussion, just want to be sure we don't go off overengineering complex solutions where simpler ones are possible
19:25:04 <clarkb> ++
19:25:31 <diablo_rojo_phon> Lost connection on laptop. But I'll go back through meeting logs and get the spec updated with this approach.
19:25:53 <fungi> thanks diablo_rojo_phon! and i hope your laptop didn't have too much candu
19:25:56 <fungi> candy
19:25:58 <SotK> makes sense, I don't really see any worthwhile benefit to the more complicated suggestions I noted now
19:26:09 <diablo_rojo_phon> I had most comments addressed aside from this section so I should have it up today ish.
19:26:23 <SotK> nice, thanks :)
19:26:44 <fungi> my old life as a security wonk mostly involved reminding people that complex security solutions are really just increased opportunities for vulnerabilities
19:27:04 <diablo_rojo_phon> Maintenance is in my apartment and flipped the breakers so I haz no internets.
19:27:52 <SotK> I think that basically covers attachments then
19:27:58 <SotK> #topic In Progress Work
19:28:00 <diablo_rojo_phon> Cool :)
19:28:02 <fungi> and you're sure these aren't neighborhood hooligans disguised as maintenance workers?
19:28:37 <diablo_rojo_phon> fungi: pretty sure since he's fixed a bunch of other things in the apartment previously
19:28:52 <diablo_rojo_phon> I have two patches that could use reviews.
19:28:54 <persia> It's a long con then?
19:28:56 <fungi> offer candy anyway
19:29:33 <clarkb> could be a really good costume
19:29:39 <diablo_rojo_phon> High level of dedication just to flip my breakers.
19:29:44 * SotK failed to get anywhere with his backlog of reviews to do, I'll attempt to get to them this week
19:29:55 * diablo_rojo_phon doesn't have any candy in the apartment
19:30:00 <fungi> i only managed to review the attachments spec, fwiw
19:30:11 <fungi> diablo_rojo_phon: shots then?
19:30:20 <diablo_rojo_phon> Thanks SotK :) We are all juggling a lot of stuff so we understand
19:30:47 <diablo_rojo_phon> fungi: could do that, there's no shortage of alcohol here lol
19:30:52 <fungi> when i lived in raleigh, there was a townhouse of russians across the street who always set up a bar in their driveway and served vodka shots to the parents taking their kids around
19:31:06 <fungi> it was pretty awesome
19:31:21 <diablo_rojo_phon> That is excellent.
19:31:40 <diablo_rojo_phon> SotK: I don't think I got around to reviewing your patch either so I guess it's only fair lol
19:31:56 <SotK> ha, that's a great idea
19:32:06 <SotK> I don't think I have enough alcohol around to do it though
19:32:12 <SotK> diablo_rojo_phon: no worries :)
19:32:45 <SotK> I think folk have mostly learnt the workaround for the bug that patch fixes at this point
19:32:51 * diablo_rojo_phon thought about sharing a photo and decided that proof doesn't need to exist on the internet.
19:32:53 <SotK> or at least, I've not noticed anyone complain recently
19:33:10 <diablo_rojo_phon> Still nice to get it fixed SotK :)
19:33:16 <SotK> indeed
19:35:41 <diablo_rojo_phon> Was someone investigating what happened with fatema's patch?
19:35:59 <SotK> I was going to but also didn't get around to that
19:36:49 <diablo_rojo_phon> What say we end early to do some of these things?
19:36:59 <diablo_rojo_phon> Unless someone else has something to talk about?
19:37:01 <SotK> sounds good to me
19:37:05 <SotK> I don't have anything else
19:37:16 <fungi> i'll review some storyboard changes
19:37:17 <diablo_rojo_phon> Oh! clarkb is there gonna be an infra dinner at the summit?
19:37:26 <diablo_rojo_phon> fungi: much appreciated!
19:39:46 <clarkb> diablo_rojo_phon: I haven't put together one
19:40:21 <clarkb> I guess I can take a look. Mostly it's a huge pain to figure out reservations for a large group and half the time they want a deposit
19:40:37 <clarkb> Denver is easy because beer garden and nice weather. Berlin probably has the beer gardens but not the nice weather
19:41:15 <fungi> berlin doesn't seem to have actively staffed biergartens in november
19:41:35 <fungi> you need a bierstube instead, and seating will be more complicated
19:41:52 <clarkb> We can probably do an informal thing? I expect a smaller but also differentish group (frickler and ajaeger but no paul or david or robyn etc)
19:42:18 <clarkb> I'll send out an email trying to schedule an informal thing with the expectation that different tables/locations may happen
19:42:20 <clarkb> I think that is easiest
19:42:26 <fungi> we can say "everybody meet at $venue and we can try to get tables nearish to each other"
19:42:32 <clarkb> ++
19:42:42 <fungi> but not actually organize anything
19:43:36 <diablo_rojo_phon> That works.
19:47:07 <SotK> ok, let's end the meeting
19:47:15 <SotK> thanks for coming folks :)
19:47:21 <SotK> #endmeeting