17:01:38 #startmeeting OpenStack Security Group
17:01:39 Meeting started Thu Jul 3 17:01:38 2014 UTC and is due to finish in 60 minutes. The chair is nkinder_. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:40 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:42 The meeting name has been set to 'openstack_security_group'
17:01:58 #topic Roll Call
17:02:01 o/
17:02:02 Hi all
17:02:04 :D
17:02:06 ello
17:02:23 hi
17:03:03 small crowd today
17:03:12 lots of 4 day weekends most likely
17:03:14 I guess US folks are starting the long weekend early ;)
17:03:27 I'm here recreationally today
17:03:29 ok, well let's get started
17:03:34 #topic OSSG Meetup
17:03:56 Has everyone confirmed if they are going on the etherpad?
17:04:20 #link https://etherpad.openstack.org/p/ossg-juno-meetup
17:04:42 bknudson: are you able to attend the mid-cycle?
17:04:51 bknudson: I see you on the list, but you're not confirmed
17:05:26 nkinder_: I wasn't able to get approval
17:05:31 bknudson: bummer :(
17:06:03 hotels are filling up according to some traffic on the mailing list, so anyone that hasn't booked should jump on it
17:06:17 yeah, even SpringHill is up to like $320 a night
17:07:03 shohel: I see that you filled in a bunch of stuff about threat modeling
17:07:11 yes
17:07:18 some ideas
17:07:33 planning the stuff beforehand :P
17:07:35 nkinder_: I'll try to do the same for Gate Testing sometime next week
17:07:57 yeah, I need to do the same for my topics, though I'll be in the woods with no computer next week...
17:08:02 might make that tough
17:08:14 nice!
17:08:20 Woods sounds nice
17:08:35 ok, any other mid-cycle discussion?
17:08:47 i was looking for some keystone core dev during the session
17:09:01 bknudson seems unable to join now :(
17:09:02 I've been told that chair6 is the man for any Seattle info that people may have
17:09:21 shohel: the keystone mid-cycle is next week, so back to back travel could be tough
17:09:53 shohel: I manage two of the core Keystone developers though, so I can be sure to engage with them after the mid-cycle
17:10:13 sounds good
17:10:16 shohel: I also contribute to Keystone and have a fairly good understanding of its internals
17:10:55 excellent
17:11:19 #topic Threat Analysis
17:11:30 might as well switch the topic since we're discussing it already
17:11:43 yes... just doing some cleaning of the repo
17:12:03 planned to add it to the security guide
17:12:04 hyakuhei mentioned that Doug (dg_) is interested in getting more involved with the effort
17:12:09 what's the context?
17:12:30 yes....
17:13:06 shohel: which repo is it in now?
17:13:15 shohel: the "old" doc repo?
17:13:17 still in my own repo
17:13:28 so moving to security doc repo
17:13:31 shohel: ok, so the cleanup is in preparation for moving it to the new repo
17:13:39 I need to do the same for OSSNs
17:13:48 https://github.com/openstack/security-doc
17:14:17 yep, so I'm going to make an ossn subdir in there
17:14:47 we're moving the ossn reviews?
17:15:01 bknudson: yes, we will be (more in a minute about that)
17:15:22 shohel: do you have an eta for when you will be moving the threat analysis stuff into the new repo?
17:15:23 nkinder: there is no more update from my side
17:15:44 nop.... thinking should we do it before or after the meetup
17:16:01 shohel: +1. We should get that all in shape at the meetup
17:16:06 another thing is about md to docbook format
17:16:14 anyone look at that
17:16:15 ?
17:16:25 shohel: pandoc is supposed to help with that
17:16:37 shohel: we should discuss/hack at the mid-cycle
17:16:44 yes, definitely
17:16:47 I need to do the same thing for publishing OSSNs
17:16:54 on that note...
17:16:56 #topic OSSNs
17:17:17 bknudson: We will be moving the notes to a new combined OSSG doc repo
17:17:42 we want to consolidate all OSSG produced documentation in a single repo to make publishing easier
17:17:45 ok. that should make it a little easier to follow
17:17:55 This includes the security guide, OSSNs, and threat modeling
17:18:21 +1
17:18:27 nkinder_: oh cool, that's a good idea
17:18:30 bdpayne created the initial repo, so now it's up to me to migrate the OSSNs and shohel to migrate the threat analysis stuff
17:18:54 threat analysis was already in the ossn repo?
17:18:58 Yeah, we can then leverage the doc build scripts to publish OSSNs as an appendix in the security guide
17:19:03 bknudson: no
17:19:12 bknudson: it's in shohel's github
17:19:23 the ossns were reviewed in gerrit, the threat analysis wasn't
17:19:33 bknudson: correct
17:19:44 seems like unreviewed things should go through review to get in the repo
17:20:00 but it's easy enough to change anything anyways
17:20:13 gerrit has been working really well with OSSNs IMHO, and I think it will be very valuable for the threat analysis stuff too
17:20:29 definitely same line thinking
17:20:31 other than it's been slower!
17:20:51 bknudson: not really though
17:21:01 Our OSSN/month rate has been going up
17:21:13 they take longer to write/review, but our output is higher
17:21:18 we have 4 OSSNs in June
17:21:47 nkinder_: probably due to increased participation in OSSG mostly
17:21:49 We've had new authors as well
17:22:03 yep! That's been great
17:22:10 What we need is more notes
17:22:34 we need fewer problems
17:22:37 We need to identify issues that are worthy of OSSNs and log them as bugs to keep the queue full
17:22:42 bknudson: that goes without saying :)
17:23:00 nkinder_: what's a good process to feeding security bugs into OSSN requests?
17:23:09 *for
17:23:29 tmcpeak: great question
17:23:51 first would be monitoring the discussions on the mailing list, security-impact bugs, etc.
17:23:55 nkinder_: right now they trickle down mostly from OSSA, right?
17:24:04 if you see something that warrants a note, file an OSSN bug in launchpad
17:24:16 tmcpeak: probably 60-70% come from VMT
17:24:20 nkinder_: +1
17:24:38 tmcpeak: but https://bugs.launchpad.net/ossn/+bug/1334926 came from a mailing list discussion
17:24:40 Launchpad bug 1334926 in neutron "floatingip still working once connected even after it is disociated" [High,In progress]
17:25:05 there is no harm in filing an LP and then deciding it
17:25:09 it's not note-worthyu
17:25:21 sigh... fingers are starting the weekend early
17:25:30 cool, sounds good
17:25:43 probably some good ones will come from the dev ML too
17:25:48 Ideally, we would have a list to triage through in this meeting each week
17:26:14 We can discuss this more at the mid-cycle to brainstorm other ideas, but don't hesitate to file LPs in the meantime
17:26:22 nkinder_: sounds good
17:26:26 There is the one outstanding OSSN bug that I linked to above
17:26:30 #link https://bugs.launchpad.net/ossn/+bug/1334926
17:26:31 +1
17:26:32 Launchpad bug 1334926 in neutron "floatingip still working once connected even after it is disociated" [High,In progress]
17:26:47 tmcpeak: Priti grabbed that one. Is she working on it?
17:26:47 nkinder_: maybe an etherpad for possible OSSN bugs
17:27:06 nkinder_: she is, but as I know it the problem is that neutron is actually working on a fix
17:27:07 tmcpeak: eh, just file them in LP and we can use that instead of maintaining another list
17:27:20 tmcpeak: that is fine though. We can simply advise people of the issue
17:27:26 I was wondering if we should even write an OSSN if it will be fixed
17:27:33 tmcpeak: not knowing how it behaves and thinking you're safe is no good
17:27:59 nkinder_: I mean I think they're going to fix it so that is does disconnect sessions
17:28:05 *it
17:28:11 my fingers are gone for the weekend as well
17:28:11 tmcpeak: agreed, but we don't need to wait on that for a note
17:28:28 nkinder_: ok cool, yeah I touched base with her yesterday and she said she's on it
17:28:48 nkinder_: can we remove notes that are no longer valid?
17:29:08 tmcpeak: That gets into some interesting publishing areas
17:29:20 nkinder_: yeah, that's what I was wondering about
17:29:30 nkinder_: then maybe we have to reclaim OSSN numbers or something
17:29:31 Right now, it's just a big list. People might be running on something old (essex, etc.), so removing them is not a good idea
17:29:52 Having a list of OSSNs that apply to a particular release would be ideal
17:29:59 nkinder_: ahh, ok, then just amend the versions
17:30:21 What I'm thinking for that is to publish the pertinent OSSNs into the appendix of the security guide for a particular release
17:30:42 nkinder_: oh, that's a cool idea. We could even automatically generate the OSSNs based on tags
17:30:45 This gets into the auto-publishing scripting
17:30:50 not generate, but automatically pull them in
17:31:04 this info should be available in launchpad
17:31:07 We would have it parse the CSV of affected releases to decide where to publish
17:31:13 by constructing the right query
17:31:48 also, some projects don't have normal icehouse, havana releases (the clients)
17:32:02 and I think swift also releases on its own sched
17:32:08 these are all great topics of discussion for the mid-cycle
17:32:13 bknudson: yes, there are outliers
17:32:35 yeah we could probably get some cool stuff working with a little mid-cycle hackathon
17:32:59 ok, any more OSSN discussion?
17:33:22 #topic Gate Tests
17:33:26 take it away tmcpeak
17:33:31 cool
17:33:39 not much update here unfortunately
17:33:51 viraptor has some good knowledge of the mechanics of getting them set up in non-blocking gate tests
17:33:53 so he's helping me
17:34:16 I have the PoC done for the shell injection test, which actually found something in Glance
17:34:39 I spoke with nkinder_, probably not a big deal security-wise, but we could probably get some good bang for our buck with writing a few other tests in the hacking framework at the meetup
17:34:48 glance just had a fix for shell injection
17:34:53 and then running them against current code and submitting LP bugs
17:35:10 bknudson: unless it was this week, this one may be different
17:35:47 it wasn't this week
17:35:58 bknudson: I saw that one, it's a different one
17:36:10 :(
17:36:21 before we actually run these in gate tests though, we should make sure that the relevant projects don't have these problems from the start
17:36:27 otherwise they'll just be very noisy
17:36:45 tmcpeak: let's also assume that there might be a valid usage of shell=True
17:36:48 so first thing we should probably do is run them against OpenStack projects and file bugs to get the low hanging fruit problems cleared up
17:36:52 btw - how does this test work?
17:37:04 nkinder_: totally, there are some times when shell=True is fine
17:37:07 tmcpeak: perhaps the input is static for example
17:37:10 we just want these gate tests to flag for review
17:37:31 tmcpeak: so we need to think of ways to tell the test to ignore if we ever decide to do voting jobs
17:37:32 bknudson: how does the shell=True test work or how does the hacking test work?
17:37:55 nkinder_: solid point, viraptor was mentioning that we can have categories or tests
17:37:58 oh, I thought you had found the new bug by going through the api.
17:37:58 tmcpeak: do you have a link to your hacking test
17:38:17 bknudson: he has a hacking test that was written that looks for patterns
17:38:44 you can # noqa to disable the hacking check on a line
17:38:58 so if you know it's a valid use of shell=True, # noqa it
17:39:04 bknudson: +1
17:39:07 that's awesome!
17:39:11 I didn't know about that :)
17:39:21 ah, great
17:39:53 also if it's valid it should probably contain a comment nearby, just to show that it has a valid reason to be used and it has been looked at and isn't a security risk
17:40:04 so that people that come after don't see it and freak out
17:40:10 y
17:40:28 ok, well we should identify other tests that we want to add at the hackfest. I'd suggest folks brainstorm in the meantime
17:40:48 yeah, if people want to add some gate test candidates to the etherpad that would be awesome
17:40:54 +1
17:40:57 I'll sit down for a few hours next week and try to come up with some myself
17:41:24 tmcpeak: any more gate testing discussion?
17:41:33 cool, that's pretty much all I have for the gate tests
17:41:38 nope
17:41:41 :)
17:41:48 #topic Open Discussion
17:42:12 anyone have any other topics?
17:42:51 what hours are we thinking for the meetup?
17:43:24 we should schedule some team building session :) possibly at night
17:43:32 tmcpeak: good question. I'm guessing 9am-5pm? I don't know what hours others are used to
17:43:32 9a - 6p ?
17:43:43 sounds good
17:43:52 I'm used to 6:30am onwards... :)
17:43:57 I won't propose that though
17:44:12 * bdpayne is grateful
17:44:20 lol
17:44:36 do we just show up at HP
17:44:46 I think 9a and a plentiful supply of coffee would be good
17:44:52 tell them we're here for the security and the lolz
17:44:58 lolz come first
17:45:11 yeah, show up .. address is in the etherpad
17:45:13 :)
17:45:16 9am
17:45:22 cool
17:45:25 we'll have coffee and breakfast, i believe
17:45:40 we can name-drop hyakuhei I suppose
17:45:40 nice!
17:45:50 that's a given
17:46:26 bdpayne: did you have anything to discuss on the book?
17:47:52 ok, well I guess that's it for today then
17:48:05 cool
17:48:09 have a good weekend everyone!
17:48:15 keep all your fingers
17:48:22 ;)
17:48:27 I'll be out next week, but looking forward to getting together in WA in a week and a half!
17:48:35 yeah, it's going to be awesome
17:48:37 sure
17:48:41 Thanks everyone
17:48:42 have fun in the woods
17:48:48 #endmeeting