18:06:54 <hyakuhei_> #startmeeting OpenStack Security Group
18:06:55 <openstack> Meeting started Thu Aug  1 18:06:54 2013 UTC and is due to finish in 60 minutes.  The chair is hyakuhei_. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:06:56 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:06:58 <openstack> The meeting name has been set to 'openstack_security_group'
18:07:03 <elo> Hi
18:07:06 * joel-coffman waves hello
18:07:20 <hyakuhei_> Hi :) My apologies for not starting this sooner.
18:07:30 <hyakuhei_> Do we have anyone else with us today?
18:07:31 <nicolae_> Hi
18:07:38 <thomasbiege> hi
18:07:55 <hyakuhei_> Hi Guys, thanks for waiting around
18:08:16 <hyakuhei_> #topic Booksprint followup
18:08:54 <hyakuhei_> Right, the book is looking reasonably good at the moment. Does anyone have feedback on suggested improvements?
18:09:34 <hyakuhei_> I've written up the various security issues we identified during the sprint, I'll send the non-sensitive ones around the ML as a few require blueprints to be drafted
18:09:52 <hyakuhei_> Any thoughts?
18:10:12 <hyakuhei_> Fantastic, I'll do that then
18:10:15 <joel-coffman> sounds good
18:10:37 <hyakuhei_> #action hyakuhei to send non-sensitive security issues around the OSSG for the group to pick blueprints to run with
18:10:46 <elo> I'll flesh out more of the networking stuff as there is a lot of churn with features in Havana for Neutron
18:10:48 <hyakuhei_> I will see if we can pick up a few at HP too
18:11:02 <hyakuhei_> Great, thanks elo
18:11:15 <hyakuhei_> Are you familiar with the submission process?
18:11:35 <elo> in the process of getting up to speed
18:12:02 <hyakuhei_> ok great, feel free to reach out to the group if you run into problems. You can reach out to me directly too if you want
18:12:19 <hyakuhei_> make sure you ping us when you submit your changes and we'll get them reviewed quickly
18:12:37 <hyakuhei_> #topic Items that require OSSG attention
18:12:56 <hyakuhei_> If you're not already aware of it I'd encourage you all to take a look at https://review.openstack.org/#/c/33532/
18:13:21 <hyakuhei_> It is a bit of a mess with 9 different patch sets the last time I looked
18:13:36 <hyakuhei_> And some discussion of whether it's ok to have sensitive information in debug output
18:13:45 <hyakuhei_> Any thoughts on that last point specifically?
18:14:38 <hyakuhei_> ok, well if you get the opportunity please dive in and have a look at that
18:15:12 <hyakuhei_> Also, you'll notice we have security-related reviews being delivered to the OSSG mailing list, this is a good thing, if you see one please take the time to take a look at the review.
18:15:32 <hyakuhei_> #topic OSSG Logo
18:15:46 <hyakuhei_> Do we have any budding artists in the group?
18:16:08 <joel-coffman> not me
18:16:11 <thomasbiege> unfortunately not
18:16:15 <hyakuhei_> hah, not me either
18:16:36 <hyakuhei_> ok, well I guess the quest continues. I'm trying to find out if we can use/modify/adapt the OpenStack logo
18:16:45 <thomasbiege> I think an openstack icon with a lock can be made easily
18:16:51 <elo> me either
18:17:18 <hyakuhei_> thomasbiege: sure it can, if we can get permission to use it
18:17:25 <thomasbiege> *nod*
18:17:35 <hyakuhei_> Ok, I'll see if I can find someone 'creative' :)
18:17:54 <hyakuhei_> #topic Wiki / OSSG Organisation
18:18:14 <nicolae_> a lock would be easy to add to the openstack logo, i can try create some prototypese
18:18:26 <nicolae_> *prototypes
18:18:36 <hyakuhei_> Does anyone have thoughts on how the OSSG should operate in future, particularly in regard to onboarding new people into the group?
18:19:05 <joel-coffman> not particularly
18:19:20 <thomasbiege> getting the right people is the interesting part
18:19:45 <nicolae_> I'm going through this process right now -- well basically reading into source code to know the nuts and bolts of a project, that's the first step i thought of
18:19:52 <thomasbiege> people that have fun and time to bring their expertise into the group
18:20:13 <hyakuhei_> So I think the group is ~70 people at the moment
18:20:15 <hyakuhei_> which is great
18:20:33 <hyakuhei_> but some induction / tasking / direction is probably required
18:20:39 <thomasbiege> yes
18:20:44 <hyakuhei_> Security peeps are difficult cats to herd at the best of times
18:21:01 <nicolae_> What about assigning some small tasks, like reviews, as a practice?
18:21:06 <hyakuhei_> Ok, I'll try to draft something this week and ping it around the group
18:21:11 <hyakuhei_> nicolae_: excellent idea.
18:21:35 <thomasbiege> depends much on their current function and preference in their daily security job
18:21:53 <nicolae_> They might not be definitive, but getting feedback on the review would surely help "get in" the process
18:22:07 <hyakuhei_> Yeah, but we can try it, if it doesn't work well that's fine too :)
18:22:41 <hyakuhei_> #action hyakuhei and bryan to discuss new-starter options
18:22:48 <hyakuhei_> #topic A.O.B
18:23:01 <thomasbiege> well we need initiation tasks for the different kinds of sec people. development of code, secure design, network, etc
18:23:29 <hyakuhei_> Yeah
18:24:08 <hyakuhei_> I think one of the areas we struggle with (OpenStack) is making it easy for the people with the ideas to find the people who can get the work done, reviewed and submitted in the OpenStack world.
18:24:17 <hyakuhei_> It's less than trivial to do.
18:24:39 <thomasbiege> yes, that is a problem I encounter too ATM
18:24:46 <hyakuhei_> joel-coffman: are you guys doing anything in the world of Swift object encryption?
18:24:54 <joel-coffman> not at the moment
18:25:05 <joel-coffman> Cinder and ephemeral storage only right now
18:25:29 <joel-coffman> I think Mirantis had some patches / blueprints for Swift encryption
18:26:11 <joel-coffman> see http://www.mirantis.com/blog/on-disk-encryption-prototype-for-openstack-swift/
18:26:12 * notmyname lurks
18:26:17 <hyakuhei_> Ah yeah, I think they were pretty bad.
18:26:26 <hyakuhei_> but that's what I had in the back of my mind at least.
18:26:32 <hyakuhei_> I'll go take another look
18:26:41 <hyakuhei_> In fact, that's a good newbie task :D
18:27:03 <joel-coffman> okay, we didn't look too closely at their proposal since Swift is off our radar at the moment
18:27:05 <nicolae_> +1! :)
18:27:36 <hyakuhei_> Ok, does anyone want to take an action to take a look at that and start an on-ML discussion before next week?
18:27:42 <hyakuhei_> ie. the next meeting
18:28:19 <thomasbiege> not me sorry (vacation)
18:28:42 <notmyname> FWIW, encryption doesn't belong in swift core, most likely. but we can discuss this in more depth when you turn focus to it
18:28:43 <nicolae_> If that's a newbie task then i can take it, but i won't be able to attend the next meeting
18:28:53 <joel-coffman> we're all swamped trying to get our Cinder code reviewed / accepted :(
18:29:33 <hyakuhei_> no worries joel-coffman - perhaps reach out to the OSSG explicitly for support on that ?
18:29:56 <hyakuhei_> We've got a good community of people but they're quiet, if you mail the ML regarding some of the review challenges I'm sure you'll get help
18:30:08 <hyakuhei_> notmyname: can you elaborate on that in 30 seconds?
18:30:46 <notmyname> hyakuhei_: it either belongs in the client or as the responsibility of the storage volume. either way it is outside the scope of swift
18:31:04 <joel-coffman> will do, right now iterating with Cinder folks to address some of their questions
18:31:23 <hyakuhei_> In the client doesn't work well at all, there are already options for on-premise swift encryption
18:32:14 <thomasbiege> ok, need to go
18:32:19 <thomasbiege> bye!
18:32:25 <notmyname> hyakuhei_: the third possibility has to do with a deployer key per-tenant or something. but that too can be implemented as a plug-in and doesn't need to be in the core code
18:32:37 <hyakuhei_> The volume would need to be aware of the different tenants and how they're independently keyed. Swift needs to be involved because there are all sorts of issues I think, compression, dedupe etc.
18:32:56 <notmyname> hyakuhei_: nope. same story for compression and dedupe ;-)
18:33:08 <hyakuhei_> Yeah, I don't really care where it is as long as a) It's not stupid and b) it actually works
18:33:28 <notmyname> hyakuhei_: valuable features, but not part of the storage engine code base
18:33:30 <hyakuhei_> notmyname: perhaps we can have an on Mailinglist discussion about it?
18:33:38 <hyakuhei_> we're over time here.
18:34:17 <hyakuhei_> Thank you everyone, productive meeting! Please feel free to follow-up any conversations on the ML
18:34:24 <hyakuhei_> #endmeeting