17:02:45 #startmeeting OpenStack Security Group
17:02:46 Meeting started Thu Apr 3 17:02:45 2014 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:02:47 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:02:49 The meeting name has been set to 'openstack_security_group'
17:03:02 o/
17:03:16 #topic Roll call
17:03:20 Speak up people :D
17:03:26 < jamie from HP
17:03:27 * hyakuhei here, in Seattle this week
17:03:54 Let's give people a minute or two to roll in.
17:04:58 I guess that'll do, looks like we have most people here. I've got Doug from HP here with me also
17:05:19 Right, what's the agenda for today?
17:05:39 OSSN updates would be a good start I suppose - nkinder?
17:05:43 #topic OSSN updates
17:06:25 nkinder: are you around to give us an update?
17:06:37 hyakuhei: yep, sorry (got pulled aside)
17:06:42 I see that we now have stuff working in the gerrit review system, I think it's already showing some value :)
17:07:02 So, gerrit is working now, and we've run the first OSSN through it!
17:07:31 Wonderful!
17:07:39 How's your OSSN coming, chair6?
17:07:46 The review guidelines Bryan and I discussed match the normal process. We want two +2's, then a core member can approve the push.
17:07:47 draft in progress, ETA for review later today
17:07:57 chair6: which OSSN are you working on?
17:08:05 https://bugs.launchpad.net/keystone/+bug/1287219
17:08:07 Launchpad bug 1287219 in keystone "scope of domain admin too broad in v3 policy sample" [Medium,Fix released]
17:08:27 chair6: ah, ok. When you submit the review, add me as a reviewer please.
17:08:32 will do
17:08:50 So I'd like to thank nkinder for his hard work
17:08:54 and I will - thanks ;)
17:09:06 I started looking into adding a simple job to check for trailing whitespace. We can then expand on it if we have other formatting checks.
17:09:12 Hi, I'm Doug from HP
17:09:20 Hi Doug
17:09:41 Thanks, cool nkinder. I'd like to look at adding more jobs in, basic stuff like spell checking (though that's not easy with technical stuff), format checking etc
17:10:13 hyakuhei: we can certainly have a non-voting job for things like spell check
17:10:40 hyakuhei: the nice thing will be that one can run the jobs using tox before submitting the review
17:10:55 Maybe when you've gone through how to do the basic one we can chat about writing more?
17:11:14 It's also on my list to sync up with the docs team to add a publishing job for an appendix in the Security Guide.
17:11:24 hyakuhei: definitely.
17:11:48 Yeah so that's useful for sure, though manual intervention tasks (find a place to insert a link to the appendix) will need to be spawned or taken into account too
17:12:15 hyakuhei: I'll work with docs to see how to best handle that
17:12:17 In fact, we probably need an action to review the current OSSNs and work out where to insert them into the guide
17:12:50 hyakuhei: I can handle that
17:13:00 #topic security guidelines
17:13:21 nkinder: thanks, make sure you don't overload yourself though!
17:13:38 hyakuhei and chair6 - sprint on the security guidelines this week?
17:14:17 I think that would work, a lot of the HP folk are together in the same place over the next few days, so if people here are happy I think we can get together and get lots of content down
17:14:23 and then non-HP people can review :)
17:14:44 sounds good, this week or next week..
17:15:00 Ok cool, so let's take an action to do it before the next OSSG meeting
17:15:07 hyakuhei: is the focus on operator or developer guidelines?
17:15:14 developer
17:15:17 hyakuhei: ok
17:15:29 hyakuhei: so filling out the previous items that were defined (and adding to them)?
17:15:42 To my mind, it's a set of 'rules' that we can get PTLs to agree to, that should then help bring up the quality of security code in OpenStack
17:15:57 in the long term I can see some being codified into jenkins jobs, tempest checks etc
17:16:23 hyakuhei: makes sense
17:16:23 perhaps 'secure design/development guidelines' is a better label
17:16:37 yeah
17:16:39 chair6: +1
17:16:41 I've got no objection to that.
17:16:54 Or "+1" in OpenStack parlance
17:17:17 #topic AOB
17:17:32 that was https://wiki.openstack.org/wiki/Security/Guidelines, for the record
17:18:05 So I sent around a newsletter-ish email a few days back, elaborating on the things that were discussed in the previous OSSG meeting and some of my thoughts about the future.
17:18:12 Did anyone see it / find any value?
17:18:25 yes
17:18:30 go team!
17:19:04 So, I'm wondering if it's worth doing these now and again, to keep people up to date because reading IRC logs is not very fun.
17:19:30 hyakuhei +1
17:19:38 any other business?
17:20:19 I'm planning on setting up a mid-cycle security related hackfest
17:20:39 oooh
17:20:44 This is more for developers really. I'd like to get some cross-project interest and movement towards some security related goals
17:21:04 Topics on my mind are making SSL deployments easier and secure messaging
17:21:22 nkinder: yeah
17:21:24 There are efforts going on in these areas, but not a lot of cross-project buy-in
17:21:35 So that's a good point.
17:21:39 #topic SSL
17:21:52 The guidance on SSL isn't overly good at the moment
17:21:59 I have a long SSL blog post I'm just about finished with
17:22:03 Lots of people are doing this in different ways
17:22:09 Oh cool
17:22:13 ...which covers exactly that
17:22:29 Ok, so let's wait for that and use it to start a discussion?
17:22:32 So the docs can definitely be improved, and I've done a lot of research that can feed into that.
17:22:39 hyakuhei: yes, a next week topic I suppose
17:23:04 Yeah, everyone does it differently, I personally lean towards pre-service termination (on the same physical host) but it's really context dependent.
17:23:06 On the SSL topic, I also have a colleague who is working on SSL enabling devstack
17:23:37 Great, I should talk to you guys about a CA piece I've been working on.
17:23:39 If we can make it easy to set up SSL automatically with devstack, we can start having tests actually run regularly with SSL
17:24:00 Absolutely
17:24:08 nkinder: it'd be good to take a look at that blog post, I have an internal document we can share if you want - giving our requirements and justification for them
17:24:20 Dg_: that would be great
17:24:48 Dg_: I hope to have my writeup out in the next day or so
17:24:53 I'll send it to the list
17:25:22 ok cool - so, any other business I guess?
17:25:26 nkinder: let me know your email and I'll forward it over
17:25:40 Dg_: nkinder at redhat dot com
17:25:47 kk
17:26:09 #topic AOB-again
17:26:16 Anything else before we close up?
17:27:37 ok great, thank you everyone!
17:27:43 #endmeeting