18:00:31 <bdpayne> #startmeeting OpenStack Security Group
18:00:32 <openstack> Meeting started Thu Feb 27 18:00:31 2014 UTC and is due to finish in 60 minutes.  The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:33 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:35 <openstack> The meeting name has been set to 'openstack_security_group'
18:00:46 <bdpayne> Hi security group
18:00:51 <bdpayne> #topic Roll Call
18:00:53 <bknudson> bdpayne: hi
18:01:38 <bdpayne> well, we have two!
18:02:00 <bdpayne> #topic Agenda
18:02:17 <bdpayne> I'd like to discuss the OSSG lead elections today
18:02:18 <bknudson> in keystone dolphm started sending a message out with all the participants' names at the start of the meeting.
18:02:40 <malini1> greetings
18:02:50 <bdpayne> You mean just a mention in IRC or an email?
18:02:54 <bdpayne> morning malini1
18:02:56 <nkinder_> Hi guys
18:03:00 <bknudson> bdpayne: just in irc
18:03:02 <shohel02_> hi guys
18:03:08 <bdpayne> gotcha... not a bad idea
18:03:27 <bknudson> the message is on the meeting wiki
18:03:28 <bdpayne> so we're on agenda
18:04:09 <bdpayne> beyond lead elections, I can provide a brief update on the book project
18:04:13 <bdpayne> anything else for today?
18:04:28 <shohel02_> I'll give some update on threat modelling work
18:04:47 <nkinder_> great, I'm curious about the threat modeling work
18:05:05 <bdpayne> ok, sounds good
18:05:10 <bdpayne> #topic Quick Book Update
18:05:24 <bdpayne> So I'm at the RSA Conference this week
18:05:36 <bdpayne> I met with David Mortman, who is one of the book editors
18:05:56 <bdpayne> we decided that a good first step is to put together a style guide
18:06:06 <bdpayne> (or borrow one from other OS Docs projects)
18:06:15 <bdpayne> so that the book can have a consistent voice, tone, etc
18:06:25 <bdpayne> so that's something that he will be working on
18:06:38 <bdpayne> also on the book, I believe that malini1 still has an outstanding PR?
18:07:10 <malini1> :-) Yes, will commit it this week, last few tweaks
18:07:24 <bknudson> working on a style guide or working on changing the book to match the style?
18:07:24 <bdpayne> great, sounds good
18:07:27 <bdpayne> https://review.openstack.org/#/c/73195/ for reference
18:07:47 <bdpayne> bknudson malini1 is just working on a specific book editing ticket
18:07:52 <malini1> I was thinking that is also time to update with more key management info once Barbican is out of incubation
18:07:57 <bdpayne> the style guide is separate
18:08:16 <bdpayne> malini1 that would be nice
18:08:20 <bdpayne> perhaps open a doc ticket?
18:08:38 <bdpayne> ok, any other book discussion?
18:08:39 <malini1> bdpayne: will do
18:09:02 <nkinder_> malini: yes, though barbican only covers certain key management use cases AFAIK
18:09:02 <bdpayne> #topic Lead Elections
18:09:30 <bdpayne> I've started putting together a document to describe the election process
18:09:43 <bdpayne> This was basically stolen from the PTL / TC election process
18:09:45 <bdpayne> https://wiki.openstack.org/wiki/Security/OSSG_Lead_Election_Spring_2014
18:10:05 <bdpayne> I'd like to -- as a first step -- make sure that everyone is on board with this being a good way to proceed
18:10:19 <bdpayne> If people feel ok with this, then Rob and I will push ahead with the logistics
18:10:27 <bdpayne> I will send this to the mailing list later today
18:10:35 <bdpayne> But wanted to get some initial feedback here, if possible
18:11:23 <bknudson> might be useful to give more lead time...
18:11:37 <bknudson> you've got several ways that one could be an active contributor...
18:11:40 <bdpayne> lead time for declaring an intent to run or?
18:11:51 <nkinder_> the page looks pretty straightforward
18:12:02 <bknudson> where if there's an announcement that there's an election coming up
18:12:05 <amey> Hello, I have a question about OpenStack security mechanisms?
18:12:11 <bknudson> a lot of people might want to become an active contributor
18:12:26 <bdpayne> ah, I see
18:12:33 <bdpayne> would we want to encourage that?
18:12:35 <bknudson> so do we want to give some amount of time for others to become active?
18:12:45 <amey> We are working on a project to develop a component that can allow user to select security checks
18:13:02 <amey> Is there an existing component that does this?
18:13:08 <nkinder_> amey: we'll have an open question phase at the end of the meeting.  Is it OK to discuss then?
18:13:09 <bdpayne> amey We are mid-meeting here... we typically have some time for open discussion at the end
18:13:17 <bdpayne> :-)
18:13:22 <amey> Okay, sure
18:13:27 <amey> :)
18:13:29 <nkinder_> amey: thx
18:13:52 <bdpayne> while I do love getting more people to actively contribute
18:13:56 <nkinder_> So it sounds like the question is if we want to consider people who are not yet active for nominations
18:14:06 <bdpayne> I'm not sure how much we'd want to encourage it just for the elections
18:14:20 <nkinder_> start becoming active now for elections in J :)
18:14:21 <bknudson> ok, that makes sense.
18:14:24 <bknudson> just wanted to consider it
18:14:31 <bdpayne> yeah, it's a fair point
18:14:36 <bdpayne> and I'm open to other thoughts here
18:14:39 <bdpayne> I can see both side
18:14:44 <bdpayne> *sides
18:15:45 <bdpayne> ok, I'll leave it as is... if anyone has concerns please feel free to comment on the email thread on the ML later today or just email me directly
18:16:06 <bdpayne> any other thoughts / discussion on the election process?
18:16:10 <nkinder_> I think it's good for one to already have some background, and just attending an IRC meeting is on the list of "active".  That's a low barrier to entry.
18:16:21 <bdpayne> it is
18:16:44 <bdpayne> I suspect if someone just showed up for one meeting that they wouldn't get elected as lead
18:16:49 <bdpayne> but, I'm ok with them voting
18:16:55 <bdpayne> that was my thinking
18:17:04 <bdpayne> since we are a fledgling community at this point
18:17:36 <malini1> bdpayne: the whole openstack community gets to vote, or only OSSG members?
18:17:48 <bdpayne> only active ossg members
18:18:00 <bdpayne> at least, per the current wording of this document
18:18:11 <bdpayne> this mirrors how PTLs are elected for other projects
18:18:37 <bdpayne> it is just that with code-driven projects it is easier to identify an active contributor
18:18:46 <bdpayne> so I've tried to be broad with that definition
18:19:11 <malini1> bdpayne: good point on broadening the definition
18:19:14 <bdpayne> hence the catch all at the bottom... in case I forgot any kind of contribution that someone may have made
18:20:40 <shohel02_> I agree with nkinder, attending one meeting for voting is a broad definition
18:21:06 <bdpayne> do you guys have a suggestion for narrowing that a bit?
18:21:50 <bdpayne> perhaps attending X meetings where X > 1 (or X > 2, or whatever)?
18:22:09 <malini1> bdpayne: a few more meetings and push out the election to April?
18:22:17 <shohel02_> that sounds good, more than +1
18:22:32 <nkinder_> How about "participated" instead of "attended"?
18:22:53 <bdpayne> that's kind of a grey area
18:22:55 <nkinder_> it's still vague, but cuts out just lurking on the IRC channel
18:23:20 <bdpayne> to prove attendance, we'd need to at least see a line with their name in the meeting logs
18:23:37 <bdpayne> I think that's probably all we can do
18:23:43 <bdpayne> anything more is judgement
18:24:15 <bdpayne> Re pushing it out to April... would the intent be to allow people to get involved in meetings now so that they could be part of the electorate?
18:24:28 <bdpayne> I'd hate to see people do that only to drop off again after the election
18:25:34 <bdpayne> ok, given the time, I'll take this discussion to the ML .. please watch for my email in the next few hours
18:25:36 <bdpayne> #topic Threat Modeling
18:26:02 <bdpayne> shohel02_ the floor is yours
18:26:08 <shohel02_> ok
18:26:11 <shohel02_> we have updated the wiki page related to threat modeling..
18:26:22 <shohel02_> contains all the docs shared earlier, by mail and others
18:26:29 <shohel02_> https://wiki.openstack.org/wiki/Security/Threat_Analysis
18:26:37 <shohel02_> any comments are welcome...
18:26:47 <shohel02_> Last Friday, we also discussed with a couple of members
18:27:06 <shohel02_> of OSSG how we should progress. We are now working with Keystone,
18:27:21 <shohel02_> paulmo said he tries to implement threat modeling process for Solenium
18:27:30 <bdpayne> great... so sounds like this is moving forward
18:27:30 <paulmo> Solum; yep
18:27:31 <shohel02_> In general, we need two people per project plus some
18:27:41 <shohel02_> engagement from respective project.
18:27:43 <bdpayne> what are the next steps?
18:27:49 <nkinder_> shohel02_: Was there an IRC meeting covering threat modeling last week?  I tried to attend, but nobody was there.
18:27:56 <shohel02_> continue the work
18:28:03 <shohel02_> we still have plenty of things to do
18:28:04 <shohel02_> yes
18:28:12 <bknudson> I didn't know about the meeting...
18:28:14 <paulmo> nkinder_: The channel had ## in front I believe… I almost got mixed up too.
18:28:20 <shohel02_> last friday... we will meet again on next Friday
18:28:27 <nkinder_> paulmo: I was wondering about that extra #....
18:28:33 <shohel02_> we posted it in the openstack-security group
18:28:40 <shohel02_> mailing list
18:28:45 <shohel02_> although bit late
18:28:45 <bknudson> ok, thanks
18:28:47 <nkinder_> shohel02_: yeah, I thought the extra # was a typo
18:28:52 <nkinder_> shohel02_: who is involved on the keystone side?
18:28:56 <paulmo> shohel02_: There is another channel with the exact same name with a single # in front… might be confusing for folks.
18:29:05 <bknudson> will try to join in next time.
18:29:11 <shohel02_> ok, i do not know about that
18:29:23 <shohel02_> ## because it's an unofficial channel
18:29:28 <bdpayne> fyi http://lists.openstack.org/pipermail/openstack-security/2014-February/001081.html
18:29:34 <lmcmpou> shohel: what's the channel again and when?
18:29:40 <malini1> bdpayne: amey had a question
18:29:44 <bdpayne> ok, thanks for the update
18:29:53 <bdpayne> is that all for threat modeling?
18:29:58 <shohel02_> ##openstack-threat-analysis
18:30:04 <shohel02_> yes
18:30:07 <bdpayne> ok, thanks!
18:30:12 <bdpayne> #topic Open Discussion
18:30:14 <amey> Yes, thanks! We are a group of grad students working on improving OpenStack security
18:30:29 <bdpayne> amey still around?
18:30:39 <bdpayne> which school amey?
18:30:40 <amey> We want to build a component that will allow users to select the check they want to have
18:30:44 <amey> CMU
18:31:00 <bdpayne> ah great, welcome
18:31:13 <malini1> amey: any blueprint or write up for us to read?
18:31:18 <amey> is there a component that does this? Or is this project viable?
18:31:23 <bdpayne> by check, are you talking about applying role based access controls across openstack or ?
18:31:27 <nkinder_> amey: by "check", do you mean a tool that will audit from a security standpoint?
18:31:43 <bdpayne> heh... yeah I guess check can mean a lot
18:31:53 <amey> We are in the design phase and will be ready with a blueprint in 2 months
18:32:31 <amey> our main aim is static code integrity check using IMA/TPM
18:32:49 <amey> this component will extend TCPs
18:33:09 <malini1> amey: we have trusted-compute-pools today that do BIOS, firmware and VMM checks against known good values
18:33:52 <malini1> amey: would like to learn more. wanted to extend "trust" to bare metal
18:33:55 <bdpayne> amey I think some of the relevant questions here are what do you want to check, and how does the result of the check influence the system
18:34:01 <amey> Yes, do we check the integrity at run time? E.g. regular integrity checks?
18:34:14 <bdpayne> amey not much runtime checking today
18:34:20 <bdpayne> usually it is just boot time
18:34:25 <bdpayne> but runtime would be nice
18:34:35 <amey> Yes, we wanted to do that
18:34:39 <bdpayne> sounds like a potentially interesting discussion
18:34:44 <bdpayne> perhaps worth taking to the mailing list? http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
18:34:49 <amey> But we are concerned about the design and performance tradeoffs
18:35:12 <bdpayne> this is one of those tricky areas that spans all of the openstack projects... and then some
18:35:15 <amey> Can the community review our design when we are done with it? Whom should I submit them to?
18:35:41 <bdpayne> we should talk more on the mailing list about your goals and such
18:35:55 <bdpayne> OSSG has done some security reviews, but typically more for established projects and such
18:35:55 <nkinder_> +1
18:36:04 <paulmo> Perhaps even creating an early blueprint with goals would help folks understand better too.
18:36:07 <bdpayne> but I'm open to further discussion
18:36:10 <bdpayne> yeah
18:36:25 <bdpayne> ok, thanks all... I know we're a bit over time so thanks for sticking around
18:36:35 <bdpayne> have a great week!
18:36:37 <amey> Thank you !  :)
18:36:40 <bknudson> thanks!
18:36:41 <shohel02_> thanks
18:36:45 <bdpayne> #endmeeting