18:02:21 #startmeeting OpenStack Security Group
18:02:22 Meeting started Thu Jan 9 18:02:21 2014 UTC and is due to finish in 60 minutes. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:02:23 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:02:25 The meeting name has been set to 'openstack_security_group'
18:02:29 hi everyone
18:02:31 Hello :)
18:02:32 Woo, I'm here _again_ :D
18:02:39 hi
18:02:43 hopefully everyone enjoyed a little time off
18:02:52 Hi all
18:02:55 Yep!
18:03:21 #topic Agenda
18:03:46 hyakuhei pinged me about an Ironic security review
18:03:52 I'd like to discuss that a bit today
18:03:58 anything else on people's radar?
18:04:01 Yes I did! There's going to be one, it's very exciting :D
18:04:36 bdpayne: I have a few questions on pending ossa bugs
18:04:46 OSSA or OSSN?
18:04:55 OSSA
18:04:58 Re OSSA... note that we shouldn't discuss embargoed things here
18:05:02 bdpayne: I'd like to discuss the cross-project security guidelines too
18:05:23 ...and status on in-progress OSSNs
18:05:33 ok great, sounds like a full agenda
18:05:49 #topic Ironic Security Review
18:05:58 Rob... care to provide some context / details?
18:06:07 Devananda has asked me to organise a review of Ironic
18:06:28 Initially I was going to do a HP Cloud review but I figured it would be a good platform to try an OSSG review
18:07:02 Threat Analysis -> Code Analysis basically, I have a few example documents I can share and I can bring in some resource to help
18:07:17 It makes sense to do a security review on Baremetal as a) it's actually quite small
18:07:27 and b) it's terrifyingly insecure
18:07:48 Format is to be decided yet but I'd like to know who's interested in helping out
18:07:59 We've got buy in from several core contributors
18:08:14 so it's a great project to start with and refine the process.... thoughts?
18:08:35 yeah, this sounds interesting
18:08:48 I'll be happy to be involved in that
18:08:59 we were already planning on beating up Ironic a bit in the near term
18:09:02 so this fits in nicely
18:09:05 :-)
18:09:49 Jolly good, more info to follow towards the end of Jan, as Devananda will be back in his home timezone then
18:10:03 hyakuhei: by "process", do you mean the process of OSSG reviewing design/code for a project?
18:10:08 yup
18:10:23 I'd like to help with that aspect
18:10:47 Establish the scope, the inputs required, various stakeholders that need to be found, and get a good feel for what the output should look/feel like
18:11:07 yeah
18:11:13 in fact, perhaps a small group to do that to start
18:11:25 and then from there we can figure out what skills are really needed for the full review
18:11:26 That would be great
18:11:37 Yeah I'd be up for that - kinda my dayjob anyway...
18:11:49 you're a lucky man
18:12:05 _so_ lucky
18:12:27 #action hyakuhei bdpayne and nkinder to setup plan of attack for Ironic security review
18:12:34 output wise something like http://homes.cs.washington.edu/~aczeskis/research/pubs/UW-CSE-13-08-02.PDF might be worth considering, seems to have been reasonably well received
18:13:22 nice author list ;-)
18:13:35 but yeah, that looks nice
18:13:52 when should we have the plan of attack nailed down?
18:13:59 let's set a deadline for ourselves here
18:14:13 I'd like to have it 'kick off' 1st of Feb.
18:14:31 That is to say, we've worked out the basic wants/outputs by then, that'll be when the work starts
18:14:43 ok, that works reasonably well with my schedule
18:14:48 nkinder good with you?
18:14:58 I'm out of the country for the first 1.5 weeks of Feb, but it'd be nice to work on the plan before then.
18:14:59 We could feasibly do it sooner but the stakeholders from Ironic won't be ready any sooner anyway.
18:15:16 ok, sounds good
18:15:27 I'll be online and around though
18:15:34 hyakuhei I'll let you take the lead on getting the three of us in motion on this
18:15:42 but I'm happy to pitch in
18:15:50 Cheers, I'll be in touch.
18:16:05 ok, moving ahead
18:16:18 #topic OSSA reviews (non embargoed discussion only please!)
18:16:22 tristanC you had something here?
18:16:40 bdpayne: yes thanks, I meant public OSSA listed there: https://bugs.launchpad.net/ossa
18:16:59 The last one (#1174660 - when client disconnected, garbage collecting is too heavy) is marked as incomplete. I wonder what is missing
18:17:26 not sure, that would be best answered by the VMT
18:17:57 perhaps Thierry
18:17:58 I mean, the OSSA is unassigned, and the bug is quite old already...
18:18:08 I'd suggest commenting on the bug
18:18:12 Heh, I commented on that one, this must be from quite a while ago...
18:18:16 that will invoke a response
18:18:28 bdpayne: ok, good
18:18:37 excellent, anything else about OSSA?
18:18:41 well that was it, the others are ongoing work
18:18:51 thanks :)
18:18:58 Ongoing, but announced.
18:19:06 #topic Current OSSN Work
18:19:13 nkinder had some questions here?
18:19:29 First just a status update...
18:19:42 Sriram is updating his OSSN based off of my review.
18:20:03 The other pending Keystone OSSN I am writing up currently. Should be ready for a review later today.
18:20:05 We need a way to up the cadence on these
18:20:16 nkinder: Mail me and I'll review it when you're ready.
18:20:18 hyakuhei: +1
18:20:35 hyakuhei: Before the holidays, you had an action to "fix everything". :)
18:20:43 nkinder: sssh.
18:20:48 I think that was in relation to defining process around OSSN
18:20:59 Incidentally, I will address them this week
18:21:07 They're on my list - promise
18:21:13 Ok, I'm happy to help here too.
18:21:21 Folks, I can help on OSSNs, back to work in earnest
18:21:47 hyakuhei: If you want me to help write up some of the process stuff on the wiki, I can take a stab at it today or tomorrow.
18:22:02 ...or I can wait if you have it in progress
18:22:11 I won't have the bandwidth until early next week, if you're available go nuts, we'll bash it out between us
18:22:20 Cool. I'll let you know.
18:22:29 That's it on OSSN related stuff for me.
18:22:53 where can we find the pending ossn ?
18:22:57 https://bugs.launchpad.net/ossn/+bugs
18:23:07 #topic Cross Project Security Guidelines
18:23:22 ok, we have the rest of the time (~5min) to discuss this
18:23:25 Guideline 1. Read the security guide! :D
18:23:31 heh
18:23:36 hyakuhei: ok thanks
18:23:39 I think the idea here is code-level security tips
18:23:44 Not actually that valuable to a developer.
18:23:49 For the security guidelines, I stole what paulmo started with and started creating a central area on the wiki
18:24:02 perfect, that was a nice starting place
18:24:04 Reference: https://wiki.openstack.org/wiki/Solum/SecurityRequirements
18:24:04 https://wiki.openstack.org/wiki/Security/Guidelines
18:24:19 Yes, are we talking basic python security or 'don't do stupid things like build a broadcast RPC layer without AuthN/Z or source attestation' ?
18:24:21 I took out Solum specific stuff (very little)
18:24:55 paulmo: I think you can clean up the Solum stuff to reference this central area for the OSSG related items.
18:25:01 hyakuhei a bit of both
18:25:07 Yep! Will do
18:25:17 Sounds good. So who's leading this?
I'd like to help
18:25:29 I would like to see some crossover between these guidelines and the Ironic review
18:25:29 paulmo and I so far
18:25:39 separate efforts, to be sure
18:25:49 Where 'help'==Email me a specific task and I'll get it done
18:25:53 but, to apply these to Ironic to understand where the shortcomings are
18:26:04 Sounds good
18:26:11 I like how this could combine with the review work
18:26:18 and to have the Ironic review team feed back into the guidelines for other areas that need addressing
18:26:19 etc
18:26:19 Ok. I think I'd like to populate the "Details Link" pages that don't exist next.
18:26:37 and yes, feedback would be great from projects
18:26:43 Ok I'll take a stab at populating one or two tomorrow
18:26:59 And will try to get some of our internal people to have a look / feedback
18:27:09 PS: Thanks for maintaining the handy links for use in Gerrit reviews. :)
18:27:14 Great. This one is a good start - https://wiki.openstack.org/wiki/Security/Guidelines/logging_guidelines
18:27:22 paulmo: yes, I like that idea.
18:27:41 I'm going to go through all OSSNs to see that they all fit into these topics
18:27:54 It would be good to plan on that for OSSAs too
18:28:23 That's it from me.
18:28:33 #topic Wrapup
18:28:39 so let's record the other actions
18:29:11 what else are people committing to here? :-)
18:29:31 hello - back from the dead.
18:29:35 nkinder: love the idea of tying this into OSSNs too
18:29:51 #action nkinder to go through OSSNs to ensure security guidelines cover them
18:29:56 I still have that long-outstanding action to drive a sprint. I haven't actually forgotten about it.
18:29:56 Applying RCA for OSSA and seeing where guidelines could have helped would be an excellent idea too
18:30:11 #action hyakuhei to fill in some details links at https://wiki.openstack.org/wiki/Security/Guidelines
18:30:30 #action kyakuhei and nkinder to organize OSSN process
18:30:43 Take that "kyakuhei"
18:30:44 hyakuhei: RCA?
ewindisch: welcome back and what sprint?
18:30:56 #action hyakuhei and nkinder to organize OSSN process
18:30:59 that's better
18:31:00 #action paulmo to cleanup Solum security guidelines to prevent duplication with OSSG page
18:31:02 damn it
18:31:08 malini1: I had proposed driving a security-focused developer sprint back during the summit.
18:31:09 malini1: Root Cause Analysis
18:31:14 Will do! :)
18:31:25 (who fsked up)
18:31:32 malini1: then I changed my job and things have been in upheaval for me. I'm just now settling down where I can think about it again.
18:31:41 #action ewindisch to drive security sprint
18:31:55 and welcome back ewindisch
18:32:00 +1
18:32:03 bdpayne: thanks.
18:32:13 Give me a baby task and I shall warm up
18:32:24 maybe an OSSN to research and write up
18:32:24 Review the current OSSNs that are pending
18:32:25 #action nkinder to finish Keystone OSSN and send out for review
18:32:38 #action malini1 to review current pending OSSNs
18:32:46 hyakuhei: OK, will do
18:32:55 ok, that's about all we have time for today
18:32:58 thanks everyone!
18:33:05 good meeting, thanks bdpayne
18:33:08 Thanks!
18:33:15 #endmeeting