18:00:19 #startmeeting OpenStack Security Group
18:00:20 Meeting started Thu Jan 30 18:00:19 2014 UTC and is due to finish in 60 minutes. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:21 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:23 The meeting name has been set to 'openstack_security_group'
18:00:34 Hi security people :-)
18:00:39 #topic Roll Call
18:00:48 hi
18:01:12 o/
18:01:53 While we are waiting for a few others to join in... I wanted to take a moment to mention that we have been doing these OSSG meetings for 1 year now
18:01:57 Just passed 1 year last week
18:02:09 Lots have happened in that short time!
18:02:49 this project sure seems to have a lot of people looking for vulnerabilities
18:03:02 this project?
18:03:03 OSSG?
18:03:11 the whole openstack project
18:03:15 ahh
18:03:18 that's a good thing
18:03:54 Hey, here. sorry.
18:04:04 hi there!
18:04:07 :D
18:04:19 #topic Today's Agenda
18:04:22 hi
18:04:27 What would people like to discuss today?
18:04:31 hi bryan
18:05:22 No topics for discussion?
18:05:33 Ok, I'd like to review status of OSSNs
18:05:41 We still need to figure out summit talks.
18:05:43 And look at how well we are addressing security review requests
18:05:44 We need moar!
18:06:01 Yes, I have been completely negligent on the summit talk issue
18:06:12 What is the deadline for summit talks again?
18:06:15 2/14
18:06:28 ok, I *will* get that discussion going this week
18:06:33 :)
18:06:45 * bdpayne needs to clone himself
18:07:13 #topic OSSN
18:07:29 hyakuhei what's the latest on the OSSN front?
18:07:35 any more in the queue?
18:08:37 I ran into an issue this week where it is all too easy to configure keystone to log db sql statements... which results in password hashes getting logged... may be a useful OSSN
18:09:24 anyone else have comments on OSSNs?
18:09:29 quiet group today
18:10:05 very well then, I'll file a bug for my idea separately
18:10:08 how do you get keystone to log db sql statements?
18:10:11 #topic Security Reviews
18:10:25 bknudson it is through the sqlalchemy logging options
18:10:41 ok
18:11:12 sorry was afk. juggling calls.
18:11:23 #topic Back to OSSN
18:11:35 ok, hyakuhei I'll give you a second chance
18:11:38 anything on OSSN to report?
18:11:40 I don't think we have much at all in the queue atm
18:11:55 Process for refining still requires me and nkinder to get together.
18:12:22 We still have the vnc one but that's it
18:12:32 there is the one issue that hyakuhei and I have been in discussion with the VMT on... but I think that's still embargoed so I won't mention it here
18:12:35 I like the idea of moving to gerrit for this, having stuff in git, commenting etc.
18:12:38 likely to result in an OSSN, I think
18:12:40 Yes. That's a mess.
18:12:57 who's taking the lead on getting things setup on gerrit?
18:13:05 and git
18:13:13 I'd like for it to be someone that isn't me...
18:13:16 nkinder?
18:13:41 I shouldn't think it'll be too hard. We've got a few PTLs around here, I'm sure I can bug some of them for help.
18:14:06 sure, we just need someone to take ownership of that
18:14:12 otherwise it won't happen
18:14:13 Yes, this is on my plate.
18:14:17 ah, great
18:14:18 Been sick this week
18:14:23 ahh, sorry to hear that
18:14:36 ok, so nkinder is on it
18:14:41 yep
18:14:48 anything else on OSSNs?
18:15:00 ok, pushing ahead...
18:15:05 Get less sick soon nkinder
18:15:06 #topic Security Reviews
18:15:22 This topic has two points
18:15:23 I'll send an email around about the security review tomorrow
18:15:26 1) Ironic security review
18:15:29 is this happening?
18:15:51 hyakuhei what is the security review tomorrow?
18:15:53 Introducing ironic people and a few others to the OSSG, suggesting possible approaches in a general getting the ball moving sort of way.
18:16:04 bdpayne: no, I'll actually do some work on starting it tomorrow
18:16:20 gotcha... so yeah, please do send out that email
18:16:31 a little more advance notice is always nice, when possible ;-)
18:16:53 2) the other issue on my mind is the general code security reviews
18:17:05 Many of you are seeing the emails about security impact in a PR
18:17:16 I'd like to track how well we are responding to those requests
18:17:27 Is there anyone that is willing to do a little digging on that front?
18:17:30 Yeah they're kinda clunky because we get hit with every change.
18:17:45 Basically to look at PRs that are tagged, and see if there's reviews on them from OSSG members?
18:18:30 ok, I think this would be valuable information to have
18:18:40 as I'd like to understand if this mechanism is working or not
18:18:50 let's keep it in mind as a potential task for a new member
18:18:56 my guess is that a lot of them are slipping through
18:19:03 this is my guess as well
18:19:10 which brings me to my next point
18:19:25 I think it would be useful to have a person or a small team that is responsible for that process
18:19:40 I do a lot of reviews in keystone... but not because of the SecurityImpact.
18:19:47 so they would track the PRs and either provide the reviews themselves or find the right person to provide that review
18:20:03 bknudson, yeah, that makes sense
18:20:05 +1 good idea
18:20:23 is the SecurityImpact review a full review or more of a quick look to see if there's a problem?
18:20:31 perhaps this is where I need to email the group and solicit some people that are willing to take this on
18:20:42 #action bdpayne to build out a security impact review team
18:20:46 if it's not a full review (since we're not familiar with the code in the project), I'd think you wouldn't want to even leave a vote.
18:21:05 unless you noticed a security problem.
18:21:16 in that case, I would want the team to try to find a good person to do that review
18:21:22 but, yes, I agree
18:21:40 #topic Open Discussion
18:21:55 So I'd like to get an update from the book editors
18:21:59 I haven't seen them in a while
18:22:00 so there's one in nova right now... https://review.openstack.org/#/c/40467/
18:22:24 yeah, that one has been going through review for a long time
18:22:43 Beyond the book, anything else that people would like to see in here in future weeks?
18:22:44 68 patch sets, wow.
18:23:08 I'd like to start pulling in the right people so that we can have the discussions needed to keep things moving forward
18:23:22 And I just want to make sure that I'm not missing important ongoing efforts
18:24:43 so if this was a security review of 40467, I'd ask if "aes-xts-plain64" was a good default cipher and 512 was a good default size for the key
18:25:02 ha
18:25:06 those would be reasonable questions
18:25:21 are those the kind of things you'd expect of a security review? (I don't know the answer to either)
18:25:46 ideally, I'd want a security reviewer to find stuff like that and suggest the right options
18:25:54 I'd also want them to look for general security coding issues
18:26:04 like shelling out, input validation, etc
18:26:36 ok, sounds like there's not much more on people's minds today
18:26:49 that's all that I have for today
18:26:54 #endmeeting