17:05:09 #startmeeting OpenStack Security Group
17:05:10 Meeting started Thu Sep 11 17:05:09 2014 UTC and is due to finish in 60 minutes. The chair is nkinder_. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:05:11 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:05:14 The meeting name has been set to 'openstack_security_group'
17:05:29 With that, let's jump into it
17:05:32 #topic ossn
17:05:55 So, there are still a good number of OSSNs out there. I've been making my way through reviewing them.
17:06:00 Can ppl make sure they update LP when they pick up an OSSN pls?
17:06:07 hyakuhei: +1
17:06:43 I think 0020 is close
17:06:46 #link https://review.openstack.org/#/c/113422
17:07:06 I pushed up a new patch for Priti to help move it along
17:07:19 cool
17:07:26 what does it need? more review?
17:07:55 Yes, more review. It has none since I updated it this morning
17:08:15 It's a pretty simple one, as we backed off of trying to provide an intricate workaround to identify and terminate NAT connections
17:08:47 I don't think it's possible to reliably kill connections made via floating IP based on my testing
17:08:56 So, that should make this easy to review. :)
17:09:03 cool
17:09:19 hyakuhei: a review by you would be great. I'm ok to +2 it given that Priti really wrote it (and I just tweaked it)
17:09:29 tmcpeak: I'll wait for a +1 from you before that too though
17:09:38 nkinder_: ok, sounds good
17:09:41 so on the topic of managing LP, I got used to nova actually marking stuff as in progress after a review is opened, but when I wrote 0023 it neither moved to in-progress, nor closed even though closes-bug is in the message - does anyone know if it's hard to automate?
17:09:43 and I'll see about getting a Neutron core to review it again
17:09:55 #action nkinder to ask Neutron devs to review OSSN-0020
17:10:05 #action tmcpeak to review OSSN-0020
17:10:15 #action hyakuhei to review OSSN-0020
17:10:18 :)
17:10:40 Ok, so OSSN-0024 is also a fairly easy one from a technical standpoint
17:11:14 tmcpeak and I have both reviewed it, and it's really just wording issues at this point
17:12:02 yeah, not much changes left on that
17:12:09 Shohel will update that one, and we can hopefully take care of it pretty quickly
17:12:21 sicarie: has 25
17:12:28 I have to make the rounds through the other pending notes today
17:12:45 tkelsey has 27
17:12:52 Yup
17:13:06 Are there any technical details on the pending notes that we need to discuss?
17:13:09 Review welcome
17:13:18 tkelsey: will do
17:13:22 Ty
17:13:28 nkinder - there is a pending fix on 25
17:13:47 Should I hold off until it's merged, or make a note that there is a 'pending' fix?
17:14:01 tkelsey: which LP is your note associated with?
17:14:16 sicarie: same question for you ^^^
17:15:32 ah, tkelsey has https://bugs.launchpad.net/ossn/+bug/1274034
17:15:33 Launchpad bug 1274034 in neutron "Neutron firewall anti-spoofing does not prevent ARP poisoning" [High,In progress]
17:15:49 Bah, the OSSN draft isn't showing up, but here's the bug
17:15:50 https://bugs.launchpad.net/ossn/+bug/1354512
17:15:51 Launchpad bug 1354512 in ossn "Anonymous user can download public image through Swift" [Undecided,New]
17:16:00 Yeah sorry was finding link
17:16:41 would it be useful for us to have a table where we list LP bug, review link, status?
17:16:50 and who is working it
17:16:56 for each OSSN number
17:17:01 +1 - I'm always forgetting the gerrit link
17:17:13 same, I've had that trouble many times
17:17:14 sicarie: set the ossn LP to "in progress" and assign it to yourself please
17:17:21 I usually have to go through my browser history
17:17:30 nkinder - apologies, thought I had, will do shortly
17:17:43 If you add "Closes-bug" in your patch commit message, it will add a link into the LP
17:17:48 though a table would be nice
17:18:39 I use this list to see what is being worked on:
17:18:42 #link https://bugs.launchpad.net/ossn/
17:18:49 +1
17:18:55 Ah, my non-familiarity with git - I didn't want to do closes-bug in case that submitted as a patch
17:19:11 maybe an etherpad with OSSN#, who has it, what's the status, LP bug, review link
17:19:12 sicarie: it knows what git repo is tied to which project in LP
17:19:24 tmcpeak: yeah, though it needs to be maintained...
17:19:31 sometimes I have a few mins to kill and would do reviews but laziness associated with finding them is a barrier to entry
17:19:55 tmcpeak: so a gerrit view of all open security-doc reviews is ideal for that
17:19:59 nkinder: true
17:20:25 #link https://review.openstack.org/#/q/status:open+project:openstack/security-doc,n,z
17:20:57 Useful titles in your commit message would really help here
17:21:17 good point
17:21:38 I think we should have something consistent like "OSSN-xxxx - "
17:21:48 as you can see, there are some generic ones right now
17:22:48 ok, so everyone pitch in on reviews and let's get some published before next week. I think we knocked 2 out last week.
17:23:11 let's try to at least do the same in the next week (should be easy with 0020 and 0024)
17:23:15 +1
17:23:23 cool
17:23:40 One other item related to notes is that it's going to be a good time to make a pass through the existing notes to see if things are changing in Juno
17:23:54 For some existing notes, we might need to add Juno to the list of affected releases
17:24:11 ...for others, we might be able to add something saying "this issue is fixed in Juno"
17:24:30 I think we should do that once we start getting Juno RCs
17:24:43 nkinder_: +1
17:25:05 I'll re-raise this in a future meeting as we get closer, because I'd like for us all to split this task up.
17:25:15 cool
17:25:25 ok, I think that's it on notes
17:25:41 tmcpeak: anything on bandit/gate you want to discuss?
17:25:46 sure
17:25:53 #topic bandit/gate tests
17:26:00 chair6 has a review in to get Bandit in Gerrit
17:26:08 stackforge?
17:26:12 #link https://review.openstack.org/#/c/119865/
17:26:15 yeah, sorry, stackforge
17:26:15 yup, stackforge
17:26:23 chair6: cool!
17:26:25 chair6: didn't know you're here
17:26:30 can you fill in a bit on the process?
17:26:38 lurking.. :)
17:26:51 you? never...
17:27:02 yeah, sure
17:27:05 #link http://ci.openstack.org/stackforge.html
17:27:10 ^ that's the process we're following
17:27:31 new repos are created on fridays, so hopefully this will be approved and created tomorrow
17:27:39 make a few edits to various config files, submit a review .. my muscle memory slipped and i'd type 'sourceforge' instead of 'stackforge', fixed that so we should be good
17:28:05 excellent
17:28:11 tomorrow would be good
17:28:27 chair6: does that need any support?
17:28:32 we need more tests, they're easy to write
17:28:42 if you think of any and want to write one and want help, let me know
17:28:47 hyakuhei: you mean to get approved?
17:28:53 yeah
17:29:04 hyakuhei: I just looked over the changes, and they all look correct for repo creation. I'll +1 it.
17:29:17 erg, sorry everyone
17:29:31 hyakuhei: in my experience, the acks all come in on friday
17:30:03 ok, any other bandit/gate test discussion at this point?
17:30:06 tmcpeak made a few more useful framework improvements over the week, i wrote a basic sqli check.. time to keep on building the set of tests out
17:30:26 also testing would be useful
17:30:40 I've run it against all OpenStack projects and it doesn't die, but more testing is always good
17:30:43 how is the list of issues that we discovered going? Have any of those gotten merged?
17:31:03 My swift changes to avoid insecure mktemp were merged last week
17:31:14 I found and fixed the Glance one a while back
17:31:16 but I didn't go update the google doc we created at the midcycle
17:31:25 anyone have a link to that google doc?
17:31:36 I'll get it
17:31:50 https://docs.google.com/spreadsheets/d/1HkKYaUI0fL1wKGq7KrFQkUuxSnRXhr8O6ZO3E5_eyuA/edit?usp=sharing
17:31:53 #link https://docs.google.com/spreadsheets/d/1HkKYaUI0fL1wKGq7KrFQkUuxSnRXhr8O6ZO3E5_eyuA/edit?usp=sharing
17:33:04 ok, so I'll update my item on that. If anyone else has filed bugs that are referenced there, please check them to see if anything has been done to address them and update the doc appropriately.
17:33:21 btw, if anybody still wants to take one, Trove has a ton
17:34:06 as in, run the latest Bandit against Trove, and happy hunting
17:34:23 ok, any other topics from anyone?
17:34:44 nope
17:34:46 no bdpayne today, so I don't know if anyone else can cover the doc update
17:35:02 seems to be slowing down
17:35:03 I also haven't heard anything on the threat modeling side of things
17:35:19 Does anyone have any news there, or has that effort stagnated?
17:35:58 I guess shohel would be the one to say
17:36:37 Shohel and priti were doing some hands on stuff
17:38:50 ok, any other topics from anyone?
17:39:32 if nothing else, then I'm going to suggest we end early
17:39:41 sounds good
17:39:43 nothing from me
17:39:48 ...then we can all use the extra time for OSSN reviews. :)
17:39:50 I had a topic
17:39:57 bknudson: sure
17:40:02 So here's my concern...
17:40:10 I can propose a bunch of security hardening
17:40:25 but at this point they're going to be considered Wishlist / nice to have rather than actual bugs
17:40:47 bknudson: +1
17:40:52 so, maybe it would be useful if we had something that documented when some crypto use was inadequate
17:40:58 and was actually a bug and not a nice-to-have
17:41:14 great idea
17:41:22 bknudson: +1
17:41:52 I have learned what is considered to be a bug and not, but that knowledge dies with me. Could save somebody else some effort
17:42:09 probably not something we'll have for juno, but for K should be something we can aim for
17:42:30 blueprint?
17:42:30 I think we'll still have to pile onto the bugs to stress that they are important
17:42:32 maybe this would be a good topic for the summit
17:42:50 bknudson: +1
17:43:56 bknudson: I'm not sure where that is going to fit from a design session standpoint given the restructuring of how that portion of the summit works
17:44:52 ok, just wanted to bring it up here since I was thinking about it and maybe there were other thoughts / agreement.
17:44:57 I'll try to come up with some next steps.
17:45:04 sounds good
17:45:06 maybe something to the mailing list
17:45:10 bknudson: perhaps we should be bringing the issues to the affected project's IRC meeting to get buy in at the PTL level
17:45:23 yeah, mailing list would be a good place to start too
17:45:30 ok, any other topics?
17:46:48 going once...
17:47:27 ok then
17:47:29 #endmeeting