17:02:58 <hyakuhei> #startmeeting openstack security group
17:02:59 <openstack> Meeting started Thu Jun 26 17:02:58 2014 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:03:00 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:03:02 <openstack> The meeting name has been set to 'openstack_security_group'
17:03:09 <CristianF> Hi everyone!
17:03:15 <hyakuhei> Lets hope this doesn't end with a mahoosive netsplit like last week!
17:03:23 <paulmo> Paul Montgomery here
17:03:32 <hyakuhei> Hey paulmo, good to see you here
17:03:42 <paulmo> :)
17:03:50 <chair6> g'day
17:03:53 <hyakuhei> Malini sends her apologies
17:04:07 <viraptor1> ready too
17:04:11 <hyakuhei> Ok guys, what do we need to talk about today?
17:04:30 <tmcpeak> I have a gate test follow up
17:04:49 <tmcpeak> and we should sync on hotels for Seattle
17:04:57 <nkinder> hey all
17:05:08 <tmcpeak> nkinder: hey hey
17:05:09 <hyakuhei> Hey nkinder !
17:05:31 <nkinder> apologies for being late...  It's been a hectic morning
17:05:50 <dg_> Hi guys
17:06:06 <hyakuhei> No worries nkinder same as.
17:06:13 <tmcpeak> dg_: how it goes
17:06:47 <hyakuhei> #topic Meetup
17:07:01 <hyakuhei> #link https://etherpad.openstack.org/p/ossg-juno-meetup
17:07:27 <nkinder> just booked my travel yesterday
17:07:30 <hyakuhei> Ok so, I've trimmed back the topics that didn't have enough interest
17:07:32 <tmcpeak> asme
17:07:36 <tmcpeak> *same
17:07:51 <hyakuhei> fwiw I'll be staying in the Westin. It's not amazing but I'm used to it
17:08:07 <hyakuhei> It's not terribly positioned for walking to decent/interesting food/stuff
17:08:22 <tmcpeak> I'm staying at SpringHill, it's cheaper and looks decent
17:08:25 <tmcpeak> less than half a mile
17:09:02 <nkinder> tmcpeak: I booked there too
17:09:08 <tmcpeak> cool
17:09:11 <hyakuhei> Sounds good, I don't really mind where people stay, it's most important that everyone is comfortable and can get themselves to the office.
17:09:20 <bdpayne> yep
17:10:12 <hyakuhei> Ok so topics wise, Gate tests and Threat Modelling seem to have the most interest
17:10:33 <hyakuhei> Nice to see that the two pro-active topics are high on the list
17:10:53 <hyakuhei> Each of those will probably want a minimum of a day, with the people that care about it in the room
17:11:03 <tmcpeak> hyakuhei: +1
17:11:45 <hyakuhei> Great
17:11:53 <hyakuhei> Do we have viraptor1 with us today?
17:12:00 <nkinder> yeah, those are some solid topics that should get a good amount of airtime
17:12:18 <bdpayne> I'd actually love to do a book hackathon for most / all of the week
17:12:27 <hyakuhei> I think the gate test stuff needs some good prelim work
17:12:36 <hyakuhei> bdpayne: I think there's value to that too
17:12:37 <bdpayne> hopefully a few people can join in for most / all of that time
17:12:50 <bdpayne> but I understand that some people may want to come / go as they explore other projects
17:12:59 <hyakuhei> Maybe we can have a seeding session at the start
17:13:04 <bdpayne> yeah
17:13:09 <tmcpeak> hyakuhei: I've been working on gate testing prelim work, viraptor is helping
17:13:18 <bdpayne> I plan to come into the week with a bunch of book bugs
17:13:18 <hyakuhei> So people like you who have input on many topics can express them before going on to focus on something specific
17:13:32 <viraptor1> hyakuhei: yes, I'm here
17:13:34 <bdpayne> and also just to introduce the week, the schedule, the goals, etc
17:13:41 <hyakuhei> tmcpeak: great, I think perhaps we need some agreed milestones of things to get to before the meetup?
17:13:55 <hyakuhei> I believe viraptor1 will be participating remotely :)
17:13:57 <bdpayne> and to pass out maps to the good nearby coffee places (aka Monorail)
17:14:01 <bdpayne> ;-)
17:14:09 <tmcpeak> hyakuhei: yeah, milestones would be great
17:14:13 <viraptor1> I'll try if possible
17:14:32 <hyakuhei> bdpayne: don't worry there'll be an intro/welcome/where's-the-coffee session
17:14:45 <hyakuhei> #action hyakuhei to order coffee
17:14:45 * bdpayne wasn't worried
17:14:50 * bdpayne just needs coffee
17:15:00 * tmcpeak too
17:15:10 <hyakuhei> Ok any more on the meetup?
17:15:21 <bdpayne> so I'll be working on preparing for the book stuff
17:15:30 <bdpayne> if anyone would like to help with the prep, just drop me a line
17:15:38 <bdpayne> there's plenty of pre-meetup work to be done
17:15:39 <bdpayne> :-)
17:15:47 <hyakuhei> dg_: Didn't you have a comment on the book re: "risk" ^^
17:16:54 <dg_> yeah, there doesn't appear to be a definition of threat, risk, vulnerability, etc
17:18:01 <hyakuhei> dg_: I was going to look at adding something this week but I won't have time. Could you write a LP bug for it and it can be picked up at the meetup or before?
17:18:19 <dg_> hyakuhei sure
17:18:22 <hyakuhei> dg_: https://bugs.launchpad.net/openstack-manuals
17:18:25 <bdpayne> +1 for the bug report :-)
17:18:34 <shohel02___> those can easily be borrowed from RFCs, in most cases... we can use existing sources
17:18:47 <bdpayne> perhaps send me a link to the bug after it is created... I'll make sure it is tagged properly and such
17:18:52 <hyakuhei> shohel02___: sure, it's more agreeing about whose definitions you wish to use
17:19:19 <hyakuhei> shohel02___: as you're here - maybe we can talk a little about the threat modelling stuff, how the sessions should play out?
17:19:27 <hyakuhei> objectives etc
17:19:46 <shohel02___> it will be a team session , but i need to plan it
17:19:54 <hyakuhei> Sure
17:19:59 <shohel02___> also want feedback from people here
17:20:22 <shohel02___> usually run it with developers and security guys in one room
17:20:25 <hyakuhei> Ok, how about just bullet-pointing something in the etherpad?
17:20:27 <nkinder> shohel02___: feedback on what specifically?  The overall approach, or things around the keystone work that you've done?
17:20:58 <shohel02___> overall process is good, but more important now to complete the Keystone and possibly to extend Nova
17:21:54 <hyakuhei> I know dg_ wanted to contribute lots to the Threat stuff
17:22:17 <dg_> hyakuhei unfortunately it's looking like I won't make it, but I'm very interested to see how it goes
17:22:22 <hyakuhei> I'm concerned that it's a bit disconnected. shohel02___ are your weekly meetings still happening? I've missed a few
17:22:37 <shohel02___> great, then I would like to discuss with him
17:22:39 <hyakuhei> dg_: maybe you can work with shohel02___ on the process/ideas ?
17:22:46 <shohel02___> no, weekly meetings are happening...
17:23:06 <shohel02___> the work is in a slow phase
17:23:09 <hyakuhei> Ok that's good. I'll make a note in my calendar. dg_ I'll add you
17:23:34 <hyakuhei> shohel02___: lets see if we can speed it up :) I think the work you're doing has a lot of potential
17:24:03 <hyakuhei> #topic OSSNs
17:24:14 <hyakuhei> nkinder: We need moar OSSN!
17:24:22 <tmcpeak> moar!
17:24:23 <hyakuhei> The board is pretty much clean.
17:24:35 <nkinder> hyakuhei: we've been up to about 3/month, which is nice to see
17:24:41 <hyakuhei> Many thanks to tkelsey tmcpeak dg_ viraptor1
17:24:43 <nkinder> but agreed, we need more
17:24:51 <nkinder> +1.  All of the new writers have been doing great
17:25:09 <hyakuhei> It's a good problem to have, quality and quantity have gone up, that's superb. Moving to gerrit was completely the right way to go
17:25:17 <tkelsey> thanks all, OSSN are interesting to write
17:25:28 <tmcpeak> writing them is a good experience, I'll take on another soon
17:25:34 <hyakuhei> tkelsey: I think yours is just waiting on agreement from Cinder-Core
17:25:49 <hyakuhei> nkinder: It's still a manual process to publish?
17:26:01 <nkinder> hyakuhei: yes, which I've been handling
17:26:20 <nkinder> hyakuhei: but that's something I want to work on at the mid-cycle
17:26:40 <nkinder> hyakuhei: we need to move towards the combined repo that bdpayne was setting up
17:26:57 <bdpayne> yes, this is on my near term list
17:27:07 <tmcpeak> what's the repo?
17:27:11 <bdpayne> I need to work with the other doc core people to ensure that I don't break the build when I move the book over
17:27:14 <nkinder> hyakuhei: that will make it possible to publish to the appendix of the security guide
17:27:26 <tmcpeak> I mean what's it for?
17:27:28 <nkinder> tmcpeak: we're combining the security guide and OSSN repos into one
17:27:36 <tmcpeak> nkinder: oh cool
17:27:37 <bdpayne> https://github.com/openstack/security-doc
17:27:50 <bdpayne> coming soon!
17:27:51 <viraptor1> so are OSSNs coming only from someone mentioning security on some bug, or should be we doing some kind of active, quick review of incoming bugs?
17:28:06 <nkinder> bdpayne: is it possible to work on that together at the mid-cycle?
17:28:07 <hyakuhei> nkinder: So I like it being in the appendix
17:28:14 <bdpayne> perhaps
17:28:18 <nkinder> viraptor1: we need to do both
17:28:25 <bdpayne> my goals for pre-meetup are to get the repo running and to file a lot of bugs
17:28:32 <bdpayne> so hopefully, we don't need to work on it there
17:28:32 <nkinder> viraptor1: thus far, it's been the former though
17:28:34 <bdpayne> but, we shall see
17:28:36 <hyakuhei> but I think there should be a bug raised each time an OSSN is approved, saying "Find a good place to reference this in the security guide"
17:28:50 <hyakuhei> ^ just an idea
17:29:21 <tmcpeak> hyakuhei: +1
17:29:28 <nkinder> hyakuhei: or "how can this be prevented with a gate test?"
17:29:55 <tmcpeak> nkinder: +1
17:29:56 <hyakuhei> oooh +1
17:30:07 <hyakuhei> See, now we're thinking joined-up :D
17:30:31 <nkinder> I'd like to brainstorm some of the OSSN follow-up ideas at the mid-cycle
17:30:31 <hyakuhei> Excellent. So, at the moment nkinder basically does all the heavy lifting for this stuff on his own
17:31:03 <hyakuhei> nkinder: Good idea, should we perhaps have an etherpad/wiki page for ideas we have between now and then, like the two just above?
17:31:19 <tmcpeak> yeah, sounds good
17:31:20 <nkinder> hyakuhei: yeah
17:31:57 <chair6> one last thing on the mid-cycle - could attendees please update the etherpad to confirm they're coming?
17:31:58 <nkinder> #action nkinder to create an OSSN etherpad collecting ideas
17:32:04 <hyakuhei> Next question, nkinder do you need/want help at the organisational level with OSSNs ? like implementing the above? or should we just wait for the mid-cycle
17:32:06 <nkinder> chair6: good call
17:32:12 <hyakuhei> chair6: +1
17:32:18 <nkinder> hyakuhei: probably just wait for the mid-cycle
17:32:18 <tmcpeak> chair6: +1
17:32:26 <hyakuhei> nkinder: k
17:33:36 <hyakuhei> tmcpeak: You had a topic you wanted to discuss today?
17:33:48 <tmcpeak> hyakuhei: yep, wanted to do a little follow up on the gate testing
17:34:06 <tmcpeak> so we were considering three options: hacking, pylint, and homegrown
17:34:28 <tmcpeak> first I asked openstack-dev ML what they thought would be the best, and I think I got one answer that said hacking
17:34:36 <hyakuhei> #topic hacking / gate testing
17:34:53 <tmcpeak> I looked into how to implement a basic security check in hacking and came up with this
17:35:48 <tmcpeak> http://pastebin.com/b9LUJUwX
17:36:08 <tmcpeak> this could obviously be done with a regex, but as you can see it's really easy to write simple tests
17:36:41 <hyakuhei> Yeah tbh I'm +1 for anything not regex
17:36:45 <tmcpeak> to run you just 'flake8 directory'
17:36:53 <hyakuhei> Very nice
17:36:55 <tmcpeak> yeah, I don't like to read them, or write them really
17:37:05 <viraptor1> (note: you don't have to kill the whitespace - pep8 guarantees consistent spacing already)
17:37:07 <tmcpeak> but in some cases (like the file permissions) they'd be more practical
17:37:08 <hyakuhei> and what's the process for getting flake8 changes merged ?
17:37:16 <tmcpeak> viraptor1: oh cool, I didn't know that
17:37:20 <hyakuhei> viraptor1: good point
17:37:36 <tmcpeak> hyakuhei: so I checked with jogo
17:37:43 <tmcpeak> the PTL for hacking
17:37:47 <hyakuhei> but for all it's going to cost us process wise to nullify whitespace, I'd rather it was there and then we're not relying on pep8 for assurance.
17:38:06 <tmcpeak> and he said that the best way to go forward would be to implement local checks first
17:38:20 <tmcpeak> then once the community as a whole embraces our additions, we can get them merged in
17:38:24 <tmcpeak> he/she
17:38:27 <tmcpeak> not assuming :)
17:38:31 <viraptor1> kind of like nova does it already in that case...
17:38:52 <tmcpeak> I did also look at pylint, and I have to say I don't like it as much
17:39:09 <tmcpeak> people always seem to complain that it is very noisy
17:39:16 <tmcpeak> and it seems a bit more complicated to implement a check
17:39:29 <paulmo> Pylint is pretty decent at finding logical errors and such in my experience
17:39:35 <tmcpeak> here's a slightly more complicated example in case anybody is curious: http://lists.logilab.org/pipermail/python-projects/2009-November/002091.html
17:40:01 <hyakuhei> So projects can have their own flake8 ? I guess I don't follow what you mean by 'local' checks
17:40:11 <tmcpeak> ok, so basically in the tox.ini
17:40:34 <tmcpeak> you have this: [hacking]
17:40:34 <tmcpeak> local-check-factory = glance.hacking.checks.factory
17:40:42 <hyakuhei> I know Adam Young is keen to adopt anything smart we come up with into keystone
17:41:24 <tmcpeak> which points to this python file checks.py where you can implement a "factory" or set of tests
17:41:26 <viraptor1> nova uses local hacking rules too https://github.com/openstack/nova/blob/master/tox.ini#L67
17:41:30 <nkinder> yeah, we should have an easy time getting keystone to adopt our gate tests
17:42:12 <tmcpeak> factory is just a set of register(function_name)
17:42:28 <tmcpeak> so to add new checks we can just add some functions in checks.py, then register them in the factory
17:42:31 <tmcpeak> and voila
17:42:37 <hyakuhei> Ok cool, so local hacking rules seem useful, would we have our own module/suite of changes that teams wanting to use can import into their tox.ini? I can see it getting messy re:changes/updates
17:42:56 <tmcpeak> yeah, I think you can comma separate them
17:43:05 <tmcpeak> so we'll just have our own factory file
17:43:16 <tmcpeak> and all you need to do is add it in the [hacking] section of tox.ini
17:43:31 <hyakuhei> Great, sorry for all the questions, I've not looked into it before.
17:43:41 <tmcpeak> hyakuhei: I'm glad you asked
17:43:50 <tmcpeak> this was all the information I found that I wanted to convey to you all
17:44:12 <tmcpeak> so that's pretty much it
17:44:17 <hyakuhei> You're doing great work
17:44:17 <tmcpeak> and btw, this is useful
17:44:22 <tmcpeak> hyakuhei: thank you
17:44:28 <tmcpeak> I ran it against a project yesterday
17:44:39 <tmcpeak> and found a shell=True in subprocess that I believe may be exploitable
17:44:45 <tmcpeak> I'm talking to nkinder privately about it
17:44:50 <hyakuhei> Sounds like, we'll be in a position to just start hacking up tests at the OSSG meetup
17:44:55 <hyakuhei> tmcpeak: Great!
17:45:06 <tmcpeak> hyakuhei: yeah, and it should be pretty easy to come up with some good tests :)
17:45:16 <tmcpeak> hacking is perfect for this
17:45:41 <tmcpeak> so that's pretty much all I had
17:45:52 <viraptor1> if the addition is done this way, I believe nothing much needs to be done to gerrit anymore
17:46:11 <viraptor1> as long as project already uses flake8 for gating, they will run the additional tests by default
17:46:18 <hyakuhei> #winning.
17:46:28 <tmcpeak> viraptor1: cool, even better :)
17:46:33 <hyakuhei> superb work tmcpeak thank you.
17:46:37 <tmcpeak> thank you
17:46:40 <viraptor1> the bad part is that we wouldn't be able to make them not-enforcing unless they are separated :(
17:47:05 <tmcpeak> viraptor1: separated how?
17:47:06 <hyakuhei> Yeah, we do ideally want non-voting rules
17:47:09 <bdpayne> so we just make sure they are good out of the box :-)
17:47:26 <hyakuhei> bdpayne: Ah yes, and static analysis will save us all
17:47:34 <bdpayne> clearly
17:47:38 <hyakuhei> :-)
17:47:50 <tmcpeak> lol
17:48:19 <viraptor1> I mean, if flake8 run calls the new rules by default, they will need to pass; they could be likely separated into a different environment, so it's 'tox -e pep8' and 'tox -e security' for example
17:48:33 <viraptor1> (not sure about the implementation of that, but it should be doable)
17:49:16 <tmcpeak> oh cool, I can ask jogo the best way to separate them
17:49:21 <nkinder> yes, we want non-voting for this for sure
17:50:15 <hyakuhei> Agreed.
17:50:28 <hyakuhei> #topic Any Other Business
17:50:44 <hyakuhei> Any last things to talk about?
17:51:19 <tmcpeak> think we're good
17:51:24 <tkelsey> so nkinder I would like to talk about oslo-messaging security policy plugin, as mentioned in your blog post, we can caht outside of the meeting though since time is nearly up
17:51:37 <hyakuhei> We've got time
17:51:38 <tkelsey> s/caht/chat/
17:51:43 <hyakuhei> and I'm interested, nkinder ?
17:51:50 <tkelsey> cool :)
17:52:03 <tmcpeak> what's this about?
17:52:10 <nkinder> sure, so there are changes needed in oslo.messaging to be able to leverage kite
17:52:48 <nkinder> there are some old patches that simo initially proposed that jamielennox is reworking
17:53:11 <tkelsey> I would like to help out on this, working from the oslo-messaging side
17:53:19 <nkinder> tkelsey: the ugly details are here - https://blueprints.launchpad.net/oslo.messaging/+spec/trusted-messaging
17:53:35 <tkelsey> nkinder: yeah I have had a read over that :-)
17:53:46 <nkinder> tkelsey: your best bet would be to sync up with Jamie
17:54:03 <nkinder> I don't believe he has started in on the oslo.messaging part in earnest
17:54:03 <hyakuhei> Jamie is super busy and difficult to catch up with
17:54:11 <nkinder> well, he's in AUS
17:54:24 <nkinder> so I'd expect it's hard for hyakuhei to sync up with him
17:54:35 <tkelsey> sure, I have reached out to Jamie, but I'm sure he has a lot on so I'm hoping I can push stuff from the oslo side without risking duplicating any work
17:54:59 <nkinder> tkelsey: ok, but I know he had planned to talk with you to coordinate
17:55:13 <tkelsey> nkinder: ah thats good to know
17:55:36 <hyakuhei> Seems like there's just a small disconnect in comms then. Which is understandable given the geo.
17:55:44 <nkinder> tkelsey: are you going to be at the mid-cycle?
17:56:05 <tkelsey> unfortunately not, timing is an issue for me
17:56:12 <tmcpeak> gotta run, catch you all later
17:56:24 <nkinder> ok, well I'll talk to Jamie later this afternoon and let him know your plans
17:56:44 <tkelsey> nkinder: ok thanks very much
17:57:01 <nkinder> tkelsey: it's pretty easy to get a hold of him on #openstack-keystone after about 2pm PST
17:57:15 <tkelsey> nkinder: noted, thanks
17:57:29 <hyakuhei> So that's 10pm for us over here I think,
17:57:36 <hyakuhei> (uk)
17:57:43 <nkinder> great, thanks everyone
17:58:13 <tkelsey> yeah something like that, well may have to burn some late night oil but I'm sure it will be worth it :-)
17:58:21 <tkelsey> ok thanks nkinder hyakuhei
17:59:21 <hyakuhei> Thanks everyone, very useful meeting yet again.
17:59:36 <hyakuhei> Don't forget to update the etherpad and confirm your attendance!
17:59:41 <hyakuhei> #endmeeting