17:00:58 #startmeeting openstack security group
17:00:59 Meeting started Thu Oct 2 17:00:58 2014 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:01 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:03 The meeting name has been set to 'openstack_security_group'
17:01:08 We'll just let people filter in for a minute or two
17:01:14 howdy
17:01:15 Hi all
17:01:19 hi
17:01:21 hi
17:01:23 Good morning chaps!
17:01:27 hello all
17:01:31 hello
17:01:34 Evening tkelsey :)
17:02:07 hyakuhei: evening
17:02:35 Ok great, we've probably got enough people to start building an agenda :)
17:02:48 * Things that need reviews
17:02:53 * Elections
17:03:00 * Threat Analysis
17:03:06 Others ?
17:04:03 that's probably a good start (lots of things fall into "things that need reviews")
17:04:15 Ok cool, let's start there.
17:04:24 #topic things that need review
17:04:35 nkinder: any outstanding OSSNs ?
17:04:48 25 - https://review.openstack.org/#/c/117928/
17:04:49 OSSN-0028 is really close - https://review.openstack.org/#/c/124213/1
17:05:00 and 25 is the only other one out for review AFAIK
17:05:22 hyakuhei: 28 just had the "hypervisor host" -> "compute host" title change you mentioned
17:05:27 Great, can a few people take actions to review ?
17:05:31 hyakuhei: I think it's good to go otherwise
17:05:35 nkinder: I know thanks, it's got +2 from me :)
17:05:44 +1 from me
17:05:51 I'll take a review of the latest version of 25 today
17:06:17 There are some other ones in the backlog that need to be picked up
17:07:02 There is also this, which is totally awesome - https://review.openstack.org/118139
17:07:09 gate tests for OSSNs
17:07:21 ooo
17:07:29 That _IS_ exciting!
17:07:31 yeah, it will catch some of the stupid stuff
17:07:37 +1
17:08:03 Very nice, thanks nkinder
17:08:13 hyakuhei: if you're able to provide one more +2 there, I think we can get it approved
17:08:16 awesome
17:08:26 Will review before I finish work today nkinder
17:08:36 great, thanks hyakuhei
17:08:51 As already said, 25 needs a review #link https://review.openstack.org/#/c/117928/ volunteers?
17:08:52 I know there are some bandit changes out for review
17:08:57 hyakuhei: I'll review it
17:09:10 let me look at 25
17:09:20 yeah, I did a bit of work on bandit, I'll find links
17:09:50 tkelsey: I've skimmed over them, but need to take more time to play with the changes to feel comfortable voting on them
17:10:20 bandit link 1: https://review.openstack.org/#/c/124039/ link 2: https://review.openstack.org/#/c/124058/
17:10:25 ah thanks nkinder
17:10:53 those updates should be much cleaner than the last version tbh
17:10:59 i'll take a look at them too
17:11:13 cool thanks chair6
17:12:01 Any other things here that people want reviewing?
17:12:18 I reviewed the Threat Modelling docs from shohel02, did you want more reviews?
17:12:27 definitely
17:12:36 #link https://review.openstack.org/#/c/121034/
17:12:39 uploaded a new patch
17:12:49 based on reviews from anne and you
17:13:53 should we include some people other than security folks... what they think ..
17:14:00 shohel02: I'll review it in the next few days
17:14:00 is it a workable approach
17:14:23 ok cool, I think it is but it remains very resource intensive.
17:15:12 hmm.. currently i am doing historical security bugs published in Launchpad
17:15:45 and try to find a correlation for future possibilities
17:16:19 but that's a side track
17:16:32 shohel02: OSSA bugs, or anything with SecurityImpact?
17:16:42 anything with security impact
17:17:02 that's a big list :)
17:17:14 yes... i am searching with security tag
17:17:42 but i see other bugs which has not mention security tag... sometimes has security impact
17:17:55 shohel02: yes, it's not used consistently
17:19:16 Coverage could certainly be better that's for sure.
17:19:19 shohel02: how are you searching for SecurityImpact?
17:19:29 launchpad tag
17:19:36 ah ok
17:21:26 Ok, anything else need/want reviewing?
17:22:11 I've put something in the 'other projects' summit proposals for OSSG
17:22:14 https://etherpad.openstack.org/p/kilo-other-projects
17:22:24 Bandit could well be there
17:22:36 or possibly in 'Cross-project' workshops
17:22:52 https://etherpad.openstack.org/p/kilo-crossproject-summit-topics
17:24:05 design summit discussions are most successful when there's a problem to discuss and get agreement on
17:24:19 so one example I would give is -- how do we want to handle bandit?
17:24:34 Makes sense.
17:24:49 you've got the other projects there so you can get some buy in as to whether they want to submit to failing gate because of bandit checks
17:25:05 Yes, I'd like to take the "goals" approach we talked about on the keystone meeting this week
17:25:34 So it might be good to cover security gate testing in general, with a few goals...
17:25:55 1) static analysis checking in the gate with bandit
17:26:06 Makes sense, chair6 - nkinder want me to look into that or would you like to throw something on the wiki?
17:26:07 2) ssl gate testing
17:26:15 hyakuhei: I can update it
17:26:27 Cool
17:26:51 someone on my team is working on proposing ssl gate testing now that the support for it merged in devstack
17:27:05 we could combine those two items into a single session I think
17:28:17 That sounds good
17:28:36 Great, next topic then ?
17:29:38 #topic Elections
17:30:08 #link https://wiki.openstack.org/wiki/Security/OSSG_Lead_Election_Fall_2014
17:30:40 ^ We're going to have elections, to do that we need an election official - someone who isn't going to run for leadership
17:31:14 I've decided to open the candidacy today so we've got reasonable time to get everything done
17:31:54 Any volunteers to be officials ? Basically you check that when people announce for candidacy they meet the requirements and everything is above board
17:31:55 hyakuhei: maybe worth giving info on what's involved with being an official
17:32:00 ^
17:32:11 Please.
17:32:38 One official will be responsible for administering the vote, bdpayne did it last time
17:33:09 We don't have to get volunteers here, it can go out to email
17:33:33 I'll add some content to the wiki page re: the roles of officials
17:34:29 So everyone have a think about if you'd like to take a shot at leading the group, think about what you'd focus on, how you'd shape the community etc and when ready announce your candidacy as described on the wiki :)
17:34:44 hyakuhei: we basically need at least one official soon, as candidates might start announcing their intent to run
17:34:53 An official will reply-all confirming your eligibility or contact you directly to work out any issues
17:35:28 nkinder: Yes, but as the vote isn't for two weeks we can accept some latency between candidacy emails and confirmation
17:35:59 Though it's unlikely that anyone not meeting the candidacy rules would just pop in and nominate themselves anyway
17:37:54 ok, so I guess that covers it for now, I'll reach out to bdpayne who invented the process and ask him if there's anything else he'd like to see from officials before I send around an email covering the detail.
17:38:57 Great. shohel02 was there anything else to run through regarding Threat Modelling today?
17:39:15 No
17:39:33 i think we covered most important aspects
17:39:57 ok great
17:40:03 #topic any other business
17:40:13 As above guy, anything else you'd like to talk about or discuss?
17:40:37 Nothing more from me today
17:41:06 ok well I guess we can wrap early then :)
17:41:24 Have a good week guys, I'll email around re: Elections soon.
17:41:26 :)
17:41:30 efficient meeting :)
17:41:30 thanks!
17:41:34 we all going to the summit?
17:41:38 I'll be attending
17:41:40 I'll be there
17:41:47 Of course :)
17:41:49 y
17:42:05 It'd be my pleasure to take you guys out for food again.
17:42:23 Not sure the food in paris will be up to the quality of atlanta but we can try...
17:42:34 oh hai bdpayne
17:42:40 we should try to set up a lunch to get everyone together for some "off" time
17:42:41 I'm worried about the uncooked hamburgers...
17:42:49 nkinder: definitely
17:42:59 bknudson: you mean uncremated - you'll be fine :)
17:43:22 I was hoping bdpayne had swooped in to tell us all about being an election official but alas, he's afk
17:43:38 hey guys
17:43:40 am I late? ;-)
17:43:44 ?
17:43:47 right on time
17:43:51 * bdpayne must have missed something
17:43:52 congratulations
17:44:05 whooop
17:44:50 So I was just asking about potential election officials re: https://wiki.openstack.org/wiki/Security/OSSG_Lead_Election_Fall_2014 bdpayne
17:45:17 ahh
17:45:27 I'm happy to do that
17:45:37 Well that sorted itself out nicely :)
17:45:49 I'd also be happy to have a deputy :-)
17:45:57 Do you think you could put one-two sentences on the wiki page regarding the role and responsibilities?
17:46:03 sure
17:46:07 ty :D
17:46:21 wait
17:46:28 role and resp for the OSSG lead or ?
17:46:37 No just for the election officials
17:46:41 ah, ok
17:46:42 sure
17:47:01 Awesome thanks!
17:47:19 We were just about to wrap when you joined bdpayne - is there anything you'd like to cover?
17:47:24 bdpayne: i can volunteer as a deputy
17:47:48 shohel02 ok thanks, I'll be in touch
17:47:54 I don't have anything to cover
17:48:02 carry on :-)
17:48:15 cool, well then I guess that's a wrap - thanks all!
17:48:24 thanks everyone
17:48:31 #endmeeting