18:00:36 <bdpayne> #startmeeting OpenStack Security Group
18:00:37 <openstack> Meeting started Thu Apr  3 18:00:36 2014 UTC and is due to finish in 60 minutes.  The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:38 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:41 <openstack> The meeting name has been set to 'openstack_security_group'
18:01:02 <bknudson> hi
18:01:02 <bdpayne> for those that have been hanging out, you may have noticed that hyakuhei held an OSSG meeting here an hour ago
18:01:12 <bdpayne> http://eavesdrop.openstack.org/meetings/openstack_security_group/2014/openstack_security_group.2014-04-03-17.02.log.html
18:01:21 <shohel02> ahaa !
18:01:21 <bdpayne> He is time zone impaired ;-)
18:01:28 <bdpayne> But, this is the normal meeting time
18:01:43 <bdpayne> So I wanted to touch base and make sure that we covered everything that people would like to discuss
18:01:57 <bdpayne> With that said...
18:02:03 <bdpayne> #topic Roll Call
18:02:08 <bdpayne> Who is here?
18:02:20 <shohel02> hi
18:02:24 <CristianF> Hi, Cristian here
18:03:43 <bknudson> Brant - IBM
18:03:46 <bdpayne> ok... so I was just reading through the previous meeting's minutes
18:03:51 <bdpayne> #topic Agenda
18:04:10 <bdpayne> Looks like they discussed OSSNs and a few other smaller topics
18:04:51 <bdpayne> Is everyone aware of the new OSSN process?
18:05:02 <bdpayne> we are now set up to review OSSNs in gerrit
18:05:07 <bdpayne> and they are all stored in git
18:05:12 <bdpayne> a much nicer setup
18:05:18 <bdpayne> we already ran one through the system this week
18:05:21 <bdpayne> and it's working nicely
18:05:21 <bknudson> what's the gerrit project?
18:05:29 <bdpayne> one sec, I'll find it
18:06:04 <bknudson> https://review.openstack.org/#/q/status:merged+project:openstack/openstack-security-notes,n,z
18:06:12 <bknudson> found it
18:06:25 <bdpayne> ah yeah
18:06:29 <bdpayne> you're faster than I
18:06:31 <bdpayne> :-)
18:06:33 <bdpayne> see also http://git.openstack.org/cgit/openstack/openstack-security-notes/
18:06:59 <bknudson> I'll add it to the watch list.
18:07:34 <shohel02> +1, i will too
18:07:45 <bdpayne> great
18:07:56 <bdpayne> anything else in particular that people would like to discuss today?
18:07:56 <bknudson> what's the format? plain text?
18:08:27 <bdpayne> there's a template
18:08:38 <bdpayne> http://git.openstack.org/cgit/openstack/openstack-security-notes/tree/templates
18:08:52 <bdpayne> but yes, structured text
18:09:00 <bdpayne> well, lightly structured ;-)
18:09:02 <bknudson> just wondering if it's rst or the doc xml
18:09:17 <bknudson> docbook xml
18:09:41 <bdpayne> oh, nothing like that
18:09:45 <bdpayne> basically plain text
18:10:15 <bknudson> ok, I don't have an argument for docbook or rst.
18:11:08 <bdpayne> so I don't have a specific agenda for today, and it appears that much of the discussion happened in the meeting an hour ago
18:11:21 <bdpayne> are there other topics you guys want to discuss here?
18:11:28 <CristianF> referring to Security Guidelines, I went ahead and added a new guideline I found was missing (about input validation); just wanted to know if there is any process for reviewing info in this wiki?
18:11:35 <CristianF> https://wiki.openstack.org/wiki/Security/Guidelines
18:11:49 <bdpayne> oh thanks
18:12:02 <bdpayne> so there's nothing formal for reviewing that yet
18:12:12 <bdpayne> as you make changes, it could be nice to just mention it on the ML
18:12:17 <bdpayne> that way people can discuss / track
18:12:31 <bdpayne> in time, we may want to move stuff like this into git
18:12:39 <bdpayne> but right now it's an early stage WIP
18:12:43 <bdpayne> so the wiki feels right
18:12:50 <CristianF> ok, fine. Thanks.
18:12:55 <bdpayne> having said all of that
18:13:01 <bdpayne> input validation is a very good one to have
18:13:10 <bdpayne> on a related note
18:13:15 <bknudson> adding input validation is a great addition...
18:13:16 <bdpayne> Nova is putting together a formal BP template
18:13:22 <bknudson> now we just have to do it in keystone
18:13:36 <bdpayne> And I added a section to their template to discuss security impact
18:13:42 <bdpayne> In that section, I reference this wiki page
18:13:56 <bdpayne> I think it would be great if all of the projects did something similar
18:14:10 <bknudson> are they expecting OSSG to verify the bps?
18:14:11 <bdpayne> bknudson Does keystone have a formal BP template?
18:14:28 <bknudson> bdpayne: keystone uses launchpad for blueprints still
18:14:29 <shohel02> For keystone Input validation would be good addition bknudson
18:14:31 <bdpayne> we aren't quite there yet (OSSG verification of BPs)
18:14:44 <bdpayne> but I'd like for it to start moving that way
18:14:54 <bdpayne> at least getting people thinking about security at the design stage is important
18:15:05 <bdpayne> and can help direct OSSG efforts
18:16:31 <shohel02> yes, i have one question, do we have any session in the Atlanta summit to discuss about ongoing security works/future works
18:16:46 <shohel02> mainly discussion session
18:16:56 <bdpayne> normally I set up an OSSG lunch
18:17:01 <bdpayne> and I will be doing that again this time
18:17:09 <bdpayne> but we don't have a specific session devoted to that
18:17:24 <bdpayne> I'm happy to set up a more formal OSSG meeting though
18:17:26 <bdpayne> could be useful
18:17:33 <shohel02> yes definitely
18:17:43 <shohel02> now that we have many security works ongoing
18:17:45 <bdpayne> so the security track at the summit is basically Monday
18:17:46 <bknudson> for the developer conference?
18:18:03 <bdpayne> I'm not sure where this would fit in the dev summit, unfortunately
18:18:16 <bdpayne> we might just do it informally, or set up a session at the unconference
18:18:32 <bdpayne> unless... is there a good slot for something like this at the dev summit?
18:18:39 <bdpayne> we aren't really a project, unfortunately
18:19:15 <bdpayne> anyway, I'll take this as an action item to figure out
18:19:23 <shohel02> that would be great
18:19:31 <bdpayne> #action bdpayne to Plan a formal OSSG meeting at the summit, in addition to the lunch
18:20:24 <bknudson> here's the topics http://summit.openstack.org/
18:20:49 <bdpayne> ahh, they do have a cross project workshop topic
18:20:57 <bdpayne> cool, I may be able to make that work
18:22:04 <bdpayne> anything else to discuss?
18:22:08 <CristianF> shohel: is there a threat model meeting tomorrow?
18:22:30 <shohel02> yes, we have short one tomorrow
18:23:00 <CristianF> I have started with an analysis for Nova, I would like to know then how to add draft for that
18:23:07 <CristianF> we can discuss then tomorrow then
18:23:26 <shohel02> also now possible
18:23:29 <shohel02> or tomorrow
18:23:36 <CristianF> as you prefer
18:23:56 <shohel02> There is a draft currently in the Git repo
18:24:11 <shohel02> a template kind of thing
18:24:54 <shohel02> https://github.com/shohel02/OpenStack_Threat_Modelling
18:25:02 <CristianF> yes, I have been working on this template for Nova
18:25:34 <bknudson> the OSSAs in nova seem to be related a lot to image management
18:26:38 <bdpayne> at least the recent ones
18:26:49 <bdpayne> I suspect some people have been looking in that area more
18:26:54 <shohel02> yes, i think Nova has a good amount of code base and it would be a tough call
18:27:04 <bdpayne> Nova is probably also one of the more mature projects
18:28:01 <bknudson> the images themselves could be the source of the attack
18:28:29 <CristianF> so are you suggesting not be focusing on Nova?
18:28:39 <bdpayne> yeah, that's the most recent one that came out for Nova
18:28:50 <bdpayne> oh, I think it is useful to look at Nova
18:28:56 <shohel02> i am not saying that... i am saying its useful
18:28:59 <bdpayne> just commenting that you may find less
18:29:06 <bdpayne> which would be great
18:29:14 <bknudson> I was suggesting someplace to focus on.
18:29:15 <bdpayne> but it is very important to review, in my opinion
18:29:15 <shohel02> it would be hard job with huge code base
18:29:23 <shohel02> very important one
18:29:37 <bknudson> like keystone was looking at auth_token
18:29:53 <bdpayne> so yeah, image handling, also looking at interactions with the drivers (esp libvirt) and how the users can influence that
18:29:57 <bdpayne> also looking at scheduling
18:30:05 <bdpayne> those are the areas I'd focus on, personally
18:30:18 <CristianF> got it, yes this is big.. I am following a top-down approach, for later drilling down on some specific area
18:30:33 <CristianF> ok, thanks for the feedback
18:31:12 <bdpayne> np
18:31:12 <shohel02> bknudson has a good point
18:32:55 <bdpayne> well, I think that's about all we have time for today
18:33:06 <bdpayne> thanks everyone... cya next time
18:33:11 <bknudson> thanks
18:33:13 <shohel02> thanks
18:33:17 <bdpayne> #endmeeting