18:00:40 #startmeeting OpenStack Security Group
18:00:41 Meeting started Thu Aug 22 18:00:40 2013 UTC and is due to finish in 60 minutes. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:42 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:44 The meeting name has been set to 'openstack_security_group'
18:01:02 hi OSSG
18:01:09 who's here today?
18:01:17 hey!
18:01:26 hi
18:01:31 hello
18:02:17 excellent, let's get started
18:02:26 btw, review.openstack.org seems to be down
18:02:44 it was restarted
18:03:01 ah, ok
18:03:11 I only have a few things for the agenda, so let me know if you have others
18:03:13 I have:
18:03:20 1) discussing the new wiki page
18:03:32 2) discussing addressing security review requests
18:03:39 3) discussing ongoing projects
18:03:49 4) discussing the logo effort
18:04:02 what else would people like to talk about?
18:04:10 maybe there is an open action item from our ML
18:04:22 ?
18:04:29 the common state of security slide deck is open AFAIK
18:04:37 oh, yes
18:04:47 greetings
18:05:02 hi malini1
18:05:05 hi, we're just discussing agenda items
18:06:02 ok, I think I'm organized over here
18:06:08 we can begin :-)
18:06:16 #topic new wiki page
18:06:27 https://docs.google.com/document/d/1TmygsnqU2MeHMYf_mqIV_dZpDaeLEzR7mGSE9n9SWKk/edit?usp=sharing
18:06:40 I've still been receiving nice feedback on the page.
18:06:56 Or rather the content that I want to put up
18:07:04 Is there anyone that hasn't seen it / commented yet?
18:07:51 ok, I'll take that as a no
18:07:57 I've looked through it a couple of times, and it looks good to me
18:07:59 so, here's my plan on this
18:08:14 #action bdpayne will move ahead with making some edits and posting the wiki page this week
18:08:42 Since it is a wiki, we can always work together to improve it over time as well
18:08:49 and getting something up as a starting place is useful
18:08:59 hello all - sorry i was in the wrong channel.
18:09:01 agreed
18:09:14 hi sriramhere, welcome and glad you made it
18:09:17 :) Good work on the page
18:09:28 ok, I think that's all about the wiki page
18:09:32 so I'll move forward
18:09:38 #topic security slide deck
18:09:52 malini1 you had volunteered to work on this, any updates?
18:10:04 I have a confession -- got started on it, checked the email thread, started, but not enough progress to share this week
18:10:17 was distracted by other deliverables at this end, sorry
18:10:23 np, understandable
18:10:38 malini1 - if you want an extra hand on that, i can help. would like to contribute
18:11:28 :-) will rope you in sriramhere
18:11:35 thx
18:11:39 excellent
18:12:01 @action @malini1 to continue work on slide deck, and will get help from sriramhere
18:12:12 late in the day question, how does one get from IM name to email?
18:12:52 my email is sriram@sriramhere.com if it is easier for u. WHOIS might help
18:13:07 never mind sriramhere, have your email contact from a message from bdpayne
18:13:48 #topic security review requests
18:14:06 :) I did a couple of those!
18:14:17 Question for the group… are you on the openstack-security mailing list?
18:14:27 yes :)
18:14:35 yes
18:14:39 yes
18:14:50 groovy
18:14:53 yes
18:15:01 so, if anyone is not please join http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
18:15:06 yes
18:15:29 the volume is relatively low
18:15:47 are we tagging [ossg] to the subjects still?
18:15:48 as you guys have seen, we do get pinged semi-regularly for security review help
18:15:53 in the emails i meant
18:16:14 [OSSG] can go in subject on emails to openstack-dev, but not necessary on the openstack-security list
18:16:39 fwiw, if you put [OSSG] in subject on openstack dev, my email client treats it as higher priority ;-)
18:16:50 :)
18:16:54 I unsubscribed from openstack-dev
18:17:02 yeah, it's pretty high volume
18:17:12 anyway, my point is this
18:17:17 we are being asked to review stuff
18:17:25 and often we are not following through
18:17:48 I would argue that these security reviews may be the single most useful thing we can do for the openstack community
18:17:59 and it's a great way for people to get involved
18:18:16 ok, n00b question - are the emails to openstack-security list our way to communicate such requests to the groups?
18:18:18 so… any suggestions for how we can encourage more to take part in this process?
18:18:32 or do we track them as bugs?
18:18:48 maybe involve developers with interest in security. I don't have any python knowledge
18:19:13 sriramhere not sure I understand your question, but emails are sent to openstack-security mailing list when someone files a security bug or when someone marks a review as having securityimpact
18:19:33 more developers would be good
18:19:40 i will spread the word about the list at Intel to get my colleagues to participate. Some in China wanted to join this meeting, but it is hard, so i represent our team here
18:19:42 any way to find all Gerrit reviews that include "SecurityImpact"
18:19:44 OSSG has actually grown quite a bit
18:19:52 ok that answers my question. thx
18:20:08 maybe some person are well known for their security knowledge, maybe calling for help on the next summit would help
18:20:31 we actually have 74 people that are members of OSSG on launchpad
18:20:45 and only 20% are active I assume
18:20:49 and we tend to have about 5-8 in the weekly meetings
18:20:52 right
18:20:53 based on some that I've seen, what we really need are developers who are already familiar with the project *and* have an interest in security
18:21:04 so, I'd like to explore tapping into that interest a bit more
18:21:18 joel-coffman I agree
18:21:30 I'm not familiar with enough of the code to be much good sometimes
18:21:34 I'm not sure, but I wonder how many people that are members of the group fit into that category
18:21:45 perhaps a simple email to the group would help
18:21:51 specifically to the launchpad group
18:21:52 what about going back to openstack-dev with the review request and asking for help there
18:21:56 * joel-coffman will try to review more as time allows
18:22:14 going back to openstack-dev is kind of circular
18:22:20 ;) ok
18:22:26 they are basically the ones asking us for security help
18:22:28 I think it would be better to be involved in the design phase than the code review.
18:22:37 yes, this is true too
18:22:39 yes, but maybe to the wrong ppl :)
18:22:43 That way if you don't know the code then it is easier to participate
18:22:54 rellerreller: agreed
18:23:02 the design phase is hard with openstack
18:23:05 lots of back room discussions
18:23:11 that means tag blueprints as security-impact
18:23:18 +1
18:23:23 malini1 is that possible?
18:23:33 malini1: good idea
18:23:40 +1, but not sure if that would slow the design discussions
18:23:54 not today, but we could ask the Gods of openstack to add such an alert?/tag?
18:23:58 slow is sometimes good
18:23:59 also need to ensure sufficient information regarding the design is available
18:24:14 ok, so I see a few separate things here
18:24:16 three line blueprint with SecurityImpact won't be much help
18:24:37 first, we should email the launchpad group to see if there are people wanting to help with code reviews
18:24:45 perhaps after the wiki page is posted
18:24:49 so we can refer people there
18:25:05 #action bdpayne to email launchpad group to attempt to spark interest in code reviews
18:25:16 ome of my colleagues do code reviews that have sec impact… maybe I could ask them to get more involved
18:25:19 second, we should see if there's a way to get a security impact tag on blueprints
18:25:22 joel-coffman -- 3 lines is another discussion, there was commentary on openstack mailing list about how sometimes code born first before blueprint (like a checkbox done)
18:25:34 ome=some
18:25:49 thomasbiege that would be helpful, thanks
18:25:53 bpayne - whom to ping on adding new tag to bps?
18:26:01 yes, just pointing out the difficulty given the *current* state of affairs
18:26:19 I'm not sure who to ask about the blueprint tagging
18:26:50 @annegentle?
18:26:51 let us try thierry for tagging
18:26:54 perhaps start with Thierry
18:26:57 yeah
18:27:04 anyone want to take that on?
18:27:08 ok, i can take that
18:27:43 #action sriramhere to ping Thierry on adding new security tag to blueprints
18:27:47 #action sriramhere will talk with Thierry about getting a SecurityImpact tag added to blueprints… net effect should be that it emails the openstack-security mailing list
18:27:53 heh, yeah that!
18:28:05 ok
18:28:17 third, of course, is to encourage better blueprints
18:28:33 this is where I was making a reference to backroom discussions, and code before design and such
18:28:40 I think that there isn't too much we can do here
18:28:55 but, one suggestion, is to be a little more strategic with how we attend the upcoming summit
18:29:19 related to this, is there a howto to write blueprint?
18:29:31 i was about to chime on that - when bps get reviews, we can raise security impact there
18:29:34 we should coordinate to get good coverage of the design sessions and report back to OSSG on how we should engage with new ideas
18:30:05 thomasbiege there is, but I don't have it handy…see the openstack how to contribute guide
18:30:14 bdpayne -- excellent idea on coverage at summit
18:30:20 #topic Final Words
18:30:25 bdpayne: ok
18:30:27 look at the time… we're about done here
18:30:31 one more quick note
18:30:33 too bad
18:30:36 blueprints - https://wiki.openstack.org/wiki/Process#Creating_Blueprints
18:30:40 thx
18:30:46 I have an artist lined up for working on the OSSG logo
18:30:57 WOW!!!
18:31:03 woohoo, skulls/ eye patches :)
18:31:03 great!
18:31:07 waiting on approval from the openstack people on the initial design before moving ahead with that
18:31:15 cool
18:31:29 so, hopefully I'll have something pretty to share next week
18:31:31 stay tuned
18:31:53 thanks everyone, feel free to continue these and any other discussions on openstack-security mailing list
18:32:00 bye
18:32:03 thanks
18:32:05 bye
18:32:07 cya
18:32:07 thanks
18:32:08 bye
18:32:11 #endmeeting