18:04:26 <bdpayne> #startmeeting OpenStack Security Group
18:04:27 <openstack> Meeting started Thu Jun 20 18:04:26 2013 UTC.  The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:04:28 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:04:30 <openstack> The meeting name has been set to 'openstack_security_group'
18:04:34 <bdpayne> hi all, sorry I'm a little late
18:04:44 <elo_> Hi
18:04:49 <hyakuhei> Thank god, I was just going to google how to startmeeting again lol
18:04:56 <bdpayne> ha
18:05:08 <bdpayne> so who all do we have today?
18:05:10 <bdpayne> Bryan from Nebula here :-)
18:05:30 <elo_> Eric from VMware/Nicira here
18:05:41 <bdpayne> hi Eric
18:05:48 <bdpayne> an hi Rob
18:05:52 <bdpayne> s/an/and/
18:05:55 <abhisri> abhinav from AT&T Research here.
18:06:04 <joel-coffman> Joel from API
18:06:10 <bpb> Bruce from APL
18:06:14 <joel-coffman> s/API/APL
18:06:18 <bdpayne> great, nice group
18:06:20 <hyakuhei> :) Nice to have some people here today.
18:06:35 <bdpayne> So first thing to mention is that there will be *no* IRC meeting next week
18:06:53 <bdpayne> Next week is the book sprint effort, so many of us will be knee deep in that
18:07:00 <bdpayne> We'll return to our normal schedule the following week
18:07:07 <bdpayne> I'll update the web page accordingly
18:07:13 <bdpayne> this one https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity
18:07:22 <bdpayne> Any items that people want to discuss today?
18:08:22 <hyakuhei> Yeah, can someone take a look at https://bugs.launchpad.net/ossn/+bug/1174153 check it for accuracy/stupidity before I publish it?
18:08:24 <uvirtbot> Launchpad bug 1174153 in ossn "data from previous tenants accessible with nova baremetal" [High,New]
18:08:57 <bdpayne> interesting
18:09:23 <bdpayne> uvirtbot you have a link?
18:09:24 <uvirtbot> bdpayne: Error: "you" is not a valid command.
18:09:39 <bdpayne> oh, that really is a bot?
18:09:50 <bdpayne> ok, moving on
18:10:04 <bdpayne> so I'd like to discuss growing the group, getting more people involved, etc
18:10:08 <noslzzp> noslzzp is here..
18:10:21 <bdpayne> since no one else suggested topics, let's start with that one
18:10:26 <hyakuhei> I also have an SSL one and a keystone one coming soon. Anyone else fancy writing some
18:10:39 <bdpayne> basically, we have lots of people joining OSSG lately
18:10:55 <bdpayne> and I'd like to have a better intro process and clear paths for getting people involved
18:11:06 <hyakuhei> It would be good to get more discussion running on-list and a better way to welcome people in too
18:11:08 <bdpayne> so… where do you guys see as places that need help these days
18:11:33 <bdpayne> #action improve email list discussion
18:11:40 <hyakuhei> I'd be interested to hear from guys like APL here.
18:11:49 <bdpayne> #action find better way to introduce new people
18:12:25 <bdpayne> and new people too (looking at you abhisri)
18:12:41 <rellerreller> What do you mean by need help?  I'm a little confused.
18:12:46 <bdpayne> ahh
18:12:57 <rellerreller> You mean like actions like review each service.
18:12:58 <rellerreller> ?
18:12:59 <bdpayne> so the typical workflow is that someone joins OSSG
18:13:04 <bdpayne> then asks me how they can help
18:13:22 <bdpayne> I'd like to have a set way to get people integrated into OS projects, help improve security in various ways, etc
18:13:33 <hyakuhei> Projects like OSSN are a good way to start out
18:13:35 <bdpayne> so by help, I mean… what needs to be done
18:13:44 <bdpayne> to improve openstack security
18:14:02 <bdpayne> clearly there's people helping at the code level (code reviews, etc)
18:14:07 <hyakuhei> TBH I don't think asking new people to integrate into OS projects will work, it needs to be the inverse. We need to recruit people into the OSSG who are already well integrated in projects
18:14:26 <bdpayne> do we need someone reviewing security development lifecycle stuff (for example)?
18:14:53 <joel-coffman> I tend to agree with hyakuhei
18:15:02 <bdpayne> hyakuhei I hear you, but reality says that it won't always happen that way
18:15:26 <bdpayne> I guess we could just tell new people to go get involved in a project and come back when they have some experience
18:15:37 <hyakuhei> I'm open to both options - you guys hired all the tech leads, can't nebula just make this happen 1?! ;)
18:15:44 <bdpayne> but what about less technical people… is there a role for them here too?
18:16:01 * bdpayne has no comment
18:16:20 <joel-coffman> bdpayne: or encourage people interested in security to become involved in a particular project
18:16:21 <hyakuhei> Yes, OSSN is a good place to start once the hardening guide is released there'll be lots of scope for help developing that
18:16:58 <bdpayne> this is a good point
18:17:00 <joel-coffman> i.e., they may be able to position themselves as the de facto security person for that project
18:17:12 <bdpayne> getting some initial work laid down, will make it easier for people to make incremental contributions
18:17:29 <bdpayne> joel-coffman yes, this is what I'd really like to see happen
18:17:38 <bdpayne> specifically to have OSSG people on each project
18:17:39 <rellerreller> Reviewing security blue prints and code submissions would be helpful
18:18:00 <bdpayne> getting there has proven challenging though
18:18:07 <bdpayne> so I'm open to ideas
18:18:18 <bdpayne> hmm, here's a thought
18:18:35 <bdpayne> perhaps we should come up with good security projects that happen in each core project
18:18:37 <hyakuhei> Yes it would
18:18:42 <bdpayne> so a security person could work on that
18:18:50 <rellerreller> And open security questions that need research
18:18:51 <bdpayne> and then use that to learn the core project
18:18:56 <bdpayne> and then transition to the core project rep
18:19:07 <bdpayne> sort of like what APL has done with volume encryption
18:19:24 <bdpayne> assuming someone from APL would then be willing to be an OSSG rep for nova and/or cinder
18:19:43 <bdpayne> thoughts on that approach?
18:20:00 <hyakuhei> Are we happy with the way we currently use LP for the OSSG. Would it be better served on the openstack wiki?
18:20:08 <hyakuhei> Approach seems sound
18:20:23 <bdpayne> I think there would be value in using the wiki
18:20:49 <bdpayne> we could have it be a landing place for security improvement projects for each core project
18:20:54 <bdpayne> and for security research ideas
18:21:02 <joel-coffman> starting with a "large" security project has been challenging at times
18:21:14 <bdpayne> I have no doubt
18:21:26 <bdpayne> but I'm sure you have learned a ton in the process
18:21:30 <joel-coffman> bug fixes and incremental changes may be a better way to become involved in the large projects (e.g., nova)
18:22:02 <bdpayne> I'm starting to envision a series of steps for getting involved
18:22:10 <bdpayne> 1) do some bug fixes
18:22:17 <bdpayne> 2) find useful incremental changes
18:22:24 <bdpayne> 3) take on a larger security improvement
18:22:30 <bdpayne> 4) become OSSG rep for said project
18:22:54 <bdpayne> and then we could provide a wiki page with ideas of what people could do for 1-3 for each of the core projects
18:23:45 <bdpayne> clearly people with existing expertise could short circuit the process, for example if they wanted to be an OSSG rep and had the skills to do so
18:23:54 <bdpayne> but this would help guide people on getting their feet wet
18:23:57 <bdpayne> thoughts?
18:23:59 <joel-coffman> agreed, a triage system for bugs and ideas for incremental changes would be a good place to start
18:24:30 <bdpayne> I wonder if the wiki could show a search result as part of the page
18:24:57 <bdpayne> we could setup a search for security bugs, and things commits with security impact tags, etc
18:25:40 <bdpayne> #action bdpayne to setup landing page (wiki??) to help guide new OSSG members for getting started with code-level contributions
18:25:40 <hyakuhei> ^ The ML already covers some of that of course
18:25:42 <uvirtbot> hyakuhei: Error: "The" is not a valid command.
18:25:58 <bdpayne> yeah
18:26:10 <bdpayne> but new people may or may not find it useful to search ML archives
18:26:21 <bdpayne> having a web page to point people at would be useful here, I think
18:26:31 <bdpayne> ok, this has been very helpful guys… thanks!
18:26:37 <bdpayne> anything else to discuss today?
18:26:40 <joel-coffman> agreed, the wiki is better (even if it links to the mailing list archives)
18:26:53 <bpb> Just wanted to give a heads up that the APL work on volume encryption is progressing.  Shooting for Havana-2
18:27:01 <bpb> Nova changes (uses a hard-coded key instead of upcoming key manager) https://review.openstack.org/#/c/30976/
18:27:01 <bdpayne> nice!
18:27:06 <joel-coffman> we're getting ready to remove the "work in progress" tag for part of our volume encryption submission
18:27:16 <bpb> Nova changes to incorporate key manager interface https://review.openstack.org/#/c/30973/
18:27:33 <bpb> And lastly, the Cinder changes https://review.openstack.org/#/c/30974/
18:27:53 <hyakuhei> bdp would you be interested in chatting with some of the HP Labs cryptographers? They might be in a position to lend a hand
18:28:04 <bdpayne> #action let's get some eyes on those
18:28:18 <bpb> Let's talk offline
18:28:34 <joel-coffman> thanks, we'd appreciate the reviews 'cause we want volume encryption to land in H2
18:28:59 <bdpayne> ok, I think that's all for today
18:29:06 <bdpayne> thanks to everyone for joining in
18:29:19 <bdpayne> remember, next meeting is in 2 weeks
18:29:24 <hyakuhei> Thanks bdpayne !
18:29:33 <bdpayne> #endmeeting