18:00:18 <bdpayne> #startmeeting OpenStack Security Group
18:00:19 <openstack> Meeting started Thu Jul 18 18:00:18 2013 UTC.  The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:20 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:22 <openstack> The meeting name has been set to 'openstack_security_group'
18:00:36 <bdpayne> good morning / afternoon / evening everyone
18:00:41 <thomasbiege> hi
18:00:51 <bdpayne> who do we have for the security meeting today?
18:01:02 <thomasbiege> me, first time
18:01:08 <rellerreller> Nate - APL
18:01:15 <bdpayne> welcome thomasbiege
18:01:39 <joel-coffman> Joel from APL
18:01:53 <bdpayne> APL is here in force :-)
18:02:21 <bdpayne> #topic Previous Action Items
18:02:36 <hyakuhei> Morning all.
18:02:39 <bdpayne> So last week we had a few things that people were going to work on
18:02:50 <bdpayne> those people aren't here atm
18:03:01 <bdpayne> but I did have one
18:03:20 <bdpayne> I was supposed to work on taking action on the security issues identified in the book sprint
18:03:29 <bdpayne> unfortunately, my report is that I have not yet done that
18:03:34 <bdpayne> so I'll push it back to next week
18:03:49 <hyakuhei> bdpayne: I can do that tomorrow
18:03:52 <thomasbiege> bdpayne: is there already a list of security issues?
18:04:08 <bdpayne> hyakuhei that would be amazing, thanks!
18:04:14 <hyakuhei> There are some gaps/bugs/wishes that were identified during the booksprint
18:04:26 <bdpayne> hyakuhei note that I passed the list off to joel-coffman too, perhaps he could help
18:04:44 <hyakuhei> ok cool, I'll reach out
18:04:53 <bdpayne> thomasbiege this is a list that came out of the recent book sprint effort
18:05:00 <hyakuhei> some stuff is bugs, and needs bug reports, others need blueprints...
18:05:12 <bdpayne> just random things that the book authors wanted to see addressed
18:05:36 <joel-coffman> hyakuhei: yep, I converted bdpayne's picture of the whiteboard into text earlier today
18:05:48 <bdpayne> I've held the list somewhat close b/c there may be embargoed issues on there… once hyakihei flushes that out we can make the rest public
18:06:11 <bdpayne> s/hyakihei/hyakuhei/
18:06:21 <thomasbiege> bdpayne: ok. if the list is long we could split it of course
18:06:40 <bdpayne> not too long, I think hyakuhei and joel-coffman can handle that one
18:06:56 <thomasbiege> ok
18:06:58 <bdpayne> #action joel-coffman and hyakuhei to work on security issues from book sprint
18:07:08 <bdpayne> #topic Book Update
18:07:27 <bdpayne> The HTML and PDF versions of the book are now available http://docs.openstack.org/sec/
18:07:39 <bdpayne> You can also purchase the book from Lulu
18:07:50 <hyakuhei> Yeah, the PDF is looking good. I've printed that off and have a bunch of on-paper edits.
18:07:52 <bdpayne> details, links, etc on the page ref'd above
18:07:58 <thomasbiege> nice
18:08:05 <AndroUser> Hi, joining a bit late, sorry
18:08:12 <bdpayne> hi!
18:08:16 <hyakuhei> Do we create bugs for things we're going to change ourselves or can we branch,fix,commit and review?
18:08:17 <thomasbiege> the security guide is a big step ahead for openstack security
18:08:25 <bdpayne> One great area for contributions is to help improve the book
18:08:36 <hyakuhei> +1
18:08:47 <bdpayne> We have a good starting place, but there's lots of room for additional content, editing, etc.
18:09:20 <bdpayne> The book is in github, and PR's are welcome!  https://github.com/openstack/openstack-manuals/tree/master/doc/src/docbkx/openstack-security
18:09:31 <bdpayne> any other thoughts / questions on the book?
18:09:35 <thomasbiege> on my todo list is reviewing the book and applying the mentioned steps to SUSE Cloud as far as possible
18:09:44 <bdpayne> excellent
18:10:01 <thomasbiege> maybe some things will pop up then
18:10:16 <bdpayne> sure, makes sense
18:10:28 <hyakuhei> The language in the networking section needs some helping along, I'm hoping to find some time for that tomorrow too.
18:10:45 <bdpayne> yeah, there's plenty of edits that would be useful
18:11:01 <bdpayne> perhaps just submit PR's one chapter at a time
18:11:21 <hyakuhei> Yeah that makes sense
18:11:35 <bdpayne> #topic Reviewing open security issues
18:11:50 <bdpayne> How's the volume encryption reviews coming along?
18:11:55 <bdpayne> Getting the feedback you guys need?
18:12:25 <bdpayne> Specifically asking rellerreller and joel-coffman here
18:12:36 <rellerreller> We had the key manager interface approved today.
18:12:45 <rellerreller> Sorry, I thought I would let Joel share the good news
18:13:07 <bdpayne> ah, nice!
18:13:25 <bdpayne> any other pieces that you guys still need eyes on?
18:13:41 <rellerreller> Yes, we still have two more commits yet
18:14:04 <bdpayne> https://review.openstack.org/#/c/30974/
18:14:06 <rellerreller> Any reviews on those would be helpful
18:14:09 <bdpayne> https://review.openstack.org/#/c/30976/
18:14:18 <bdpayne> Looks like those are the places still open
18:14:30 <joel-coffman> Sorry, my computer thought it was a good time to start thrashing
18:14:51 <bdpayne> np
18:15:02 <rellerreller> Thanks for posting the links.
18:15:05 <joel-coffman> Both of those reviews are still marked work in progress as we finish some plumbing issues between them
18:15:05 <bdpayne> anything to add joel-coffman?
18:15:18 <bdpayne> oh, that's good to know
18:15:29 <joel-coffman> however, the vast majority of the code is finished
18:15:42 <bdpayne> looks like the reviews are generally positive at this time
18:15:45 <bdpayne> which is great, of course
18:16:40 <bdpayne> I also wanted to mention https://review.openstack.org/#/c/33532/
18:16:52 <bdpayne> this is related to masking the keystone tokens in the log feeds
18:17:02 <bdpayne> for some reason, this has become controversial
18:17:25 <bdpayne> probably worth having some security eyes on it
18:17:39 <rellerreller> Why is that controversial?
18:17:51 <bdpayne> although, both hyakuhei and myself have already commented
18:18:13 <bdpayne> rellerreller see the comment on that review from McCabe at 6:12a
18:18:35 <bdpayne> and then my reply ;-)
18:18:55 <bdpayne> any other security reviews we should be mindful of right now?
18:19:09 <bdpayne> of course, please do track the mailing list for notifications of other security reviews
18:20:01 <bdpayne> #topic Open Discussion
18:20:18 <bdpayne> What else would people like to discuss today?
18:20:29 <thomasbiege> is there automatic testing and/or code scanning planned for the code?
18:20:45 <bdpayne> there's a lot of automatic testing that happens
18:20:53 <thomasbiege> security-wise?
18:20:54 <bdpayne> are you talking general testing or security specific testing?
18:21:02 <thomasbiege> security testing
18:21:06 <bdpayne> ahh
18:21:09 <thomasbiege> :)
18:21:21 <bdpayne> nothing that I'm aware of, but this would be a great area for us to work on
18:21:30 <bdpayne> is that something you could help with?
18:21:41 <ewindisch_> bdpayne: at the book sprint we identified that there might be some benefit to having some eyes on the live-migration code...
18:21:49 <thomasbiege> we currently try to use autom. sec. testing of the web-ui
18:22:02 <thomasbiege> if it will ever be done I will post it here
18:22:07 <ewindisch_> bdpayne: I might like to add the 'evacuate' feature to that, perhaps out of ignorance -- I'm not sure what it does, and it scares me a bit
18:23:09 <thomasbiege> only a bit related to openstack is crowbar, which is scanned now by brakeman,  http://ci.opensuse.org/view/Crowbar/job/crowbar-pebbles-travis_ci-trackupstream/
18:23:15 <bdpayne> ewindisch_ ok… perhaps hyakuhei and/or joel-coffman can include those items in the other things they are reviewing from the book sprint
18:23:41 <ewindisch_> also, I looked at the keystone token expiration issue and I've determined it is NOT possible for users to set arbitrary token expirations as I had suspected
18:24:00 <bdpayne> thomasbiege I would really love to see more automated security centric testing in place
18:24:27 <bdpayne> thomasbiege perhaps as a first step, you could help us document the current state of affairs and some potential goals?
18:24:27 <thomasbiege> bdpayne: we currently try to hammer an OWASP test-suite into jenkins too... let's see
18:24:53 <bdpayne> ewindisch_ good to know Re keystone tokens
18:26:26 <bdpayne> thomasbiege would you be willing to help with that?
18:26:28 <thomasbiege> bdpayne: state of affairs and goals for my company? here in the chat?
18:26:54 <bdpayne> sorry, I meant state of affairs for openstack in general with automated security testing
18:27:02 <bdpayne> for example, gating on commits and such
18:27:22 <thomasbiege> bdpayne: Yes I am willing to help you of course. I can write up something.
18:28:04 <bdpayne> great, thanks
18:28:26 <thomasbiege> you are welcome
18:28:27 <bdpayne> #action thomasbiege to write up information on the current state of security testing in openstack and make some suggestions for how we can improve
18:28:41 <bdpayne> ok, anything else for today?
18:29:34 <bdpayne> ok, thanks everyone…
18:29:38 <bdpayne> see you next week!
18:29:43 <bdpayne> #endmeeting