17:03:05 <hyakuhei> #startmeeting openstack security group
17:03:05 <openstack> Meeting started Thu Nov 20 17:03:05 2014 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:03:05 <tmcpeak> yo!
17:03:06 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:03:09 <openstack> The meeting name has been set to 'openstack_security_group'
17:03:12 <hyakuhei> sigh.
17:03:14 <tkelsey> o/
17:03:18 <sweston> o/
17:03:22 <sicarie> o/
17:03:23 <hyakuhei> That's the third time I've started this meeting in the last 2 minutes
17:03:25 <tmcpeak> o/
17:03:30 <hyakuhei> started it _twice_ in the Barbican room
17:03:33 <bdpayne> o/
17:03:36 <dave-mccowan> o/
17:03:43 <bdpayne> ha
17:03:45 <tkelsey> lol
17:03:51 <chair6> \o
17:04:29 <hyakuhei> so welcome everyone to Rob finally losing it, live on IRC.
17:04:42 <tmcpeak> yayy :D
17:04:50 * sicarie gets popcorn
17:04:55 <hyakuhei> ok, agenda peeps?
17:04:59 * tkelsey grabs popcorn
17:05:10 <hyakuhei> OSSG mid-cycle
17:05:23 <redrobot> o/
17:05:41 <hyakuhei> redrobot: feel free to start your Barbican meeting now :P
17:05:50 <redrobot> hyakuhei haha
17:05:57 <tkelsey> shout out about PyKMIP 0.2.0 landing + PyKMIP 0.1.0 getting into global reqs
17:06:09 <ereynolds> too early for popcorn
17:06:17 <hyakuhei> Hey ereynolds !
17:06:22 <tkelsey> ereynolds: not here, it's 17:00
17:06:37 <hyakuhei> #topic OSSG Mid-Cycle
17:06:37 <ereynolds> 11am in texas
17:06:52 <hyakuhei> So I spoke to a few people about this already and there was a thread on the ML last week
17:07:07 <hyakuhei> There's a lot of overlap between OSSG/Barbican/Keystone
17:07:28 <hyakuhei> I'd like to attend all three as do a bunch of other people
17:07:35 <tkelsey> hyakuhei: +1
17:07:41 <hyakuhei> Trying to work out the best way to arrange it
17:08:21 <hyakuhei> Time/Travel costs wise it makes sense to host them in the same place at the same time
17:08:42 <hyakuhei> I had a notion that maybe we could run something from Tuesday of one week to the Thursday of the next
17:08:48 <hyakuhei> Monday and Friday as travel days.
17:08:55 <redrobot> I spoke to the Keystone PTL the other day and they're committed to meeting in San Antonio, TX on Jan 21-23
17:09:01 <hyakuhei> 8 Working days to cover all three
17:09:10 <hyakuhei> ok, that's actually pretty soon
17:09:18 <hyakuhei> how does that influence your plans redrobot ?
17:09:49 <redrobot> hyakuhei I think there's more overlap in OSSG/Barbican than Keystone/Barbican, so I'm waiting to see what you guys want to do..
17:10:23 <hyakuhei> Ok anyone here object to that?
17:10:33 <bdpayne> object to?
17:10:49 <bdpayne> I agree that there's probably more overlap with Barbican than Keystone
17:11:06 <hyakuhei> Object to running the midcycle alongside Barbican
17:11:14 <hyakuhei> Last time we filled 4-5 days all on our own
17:11:42 <bdpayne> Do we know anything about where/when the Barbican guys are planning theirs?
17:11:55 <hyakuhei> redrobot: is king Barbican
17:12:01 <tmcpeak> yeah 8 days for three meetups doesn't leave much time for any individual meetup
17:12:01 <redrobot> lol, I like that
17:12:06 <bdpayne> I do agree that OSSG could fill a week by itself... so it seems more of a question of trying to make travel easier for folks
17:12:08 <hyakuhei> We've knocked around a few ideas
17:12:35 <hyakuhei> I think Tuesday->2nd Thursday might still be a good plan?
17:12:59 <hyakuhei> We only lose one weekend, get some good work done on both projects..?
17:13:01 <bdpayne> just doing ossg and barbican at a similar location / time?
17:13:03 <bdpayne> I think that's very reasonable
17:13:11 <tmcpeak> yeah sounds good
17:13:46 <tkelsey> hyakuhei:  Tuesday->2nd Thursday ?
17:14:25 <hyakuhei> Yeah. Tue-Wed-Thur-Fri-Sat-Sun-Mon-Tue-Wed-Thur
17:14:40 <hyakuhei> work/play/whatever on the sat/sun potentially optional
17:14:46 <bdpayne> can you be more... specific? ;-)
17:15:04 <hyakuhei> Hehe I don't have dates in mind yet
17:15:05 <tkelsey> I'm fine with the weekend, just wondering on the dates
17:15:14 <redrobot> We had tentatively talked about Feb 3 - 12
17:15:15 <hyakuhei> redrobot: said there might be a space we could use
17:15:23 <hyakuhei> That's right
17:15:35 <ereynolds> <tkelsey> I'm fine with the weekend,  +1
17:15:38 <redrobot> Geekdom SA or Geekdom SF should be fairly easy for us to get.
17:16:01 <redrobot> Not sure what the Geekdom SF space is like, but the SA one worked well for Keystone/Barbican last cycle
17:16:23 <hyakuhei> I'd be happy with either I guess, knowing nothing of them
17:16:33 <bdpayne> at one time there was talk of Nebula helping out... not sure if that's still of interest
17:16:56 <hyakuhei> #link http://geekdomsf.com/
17:17:20 <hyakuhei> Open to options, sounds like we might get a space for free via Rackspace/Geekdom
17:17:48 <redrobot> yeah.  Geekdom SA was free last cycle.  I _think_ Geekdom SF would be free as well.
17:18:19 <hyakuhei> HP happy to cover costs but I don't want to create the appearance that HP's trying to own this so others are welcome to contribute/foot the bill :P
17:18:48 <redrobot> we'd still have to provide food/snacks
17:19:04 <hyakuhei> Yeah so I think that's what we are talking about really
17:19:26 <hyakuhei> Breakfast/Lunch etc each day some events in the evening perhaps
17:19:33 <bdpayne> ok gotcha... I had more been working the space side of things
17:20:35 <hyakuhei> Appreciate that bdpayne and I don't think we have confirmation that Geekdom will give us space for free
17:21:00 <hyakuhei> but it would be good for OSSG and Barbican to both be in the same place as well as back to back
17:21:48 <bdpayne> sure, makes sense
17:21:51 <redrobot> understood.  I can work with the Geekdom folks once we decide on a city.
17:21:52 <bdpayne> whatever works
17:22:21 <hyakuhei> What should guide the decision here?
17:22:28 <hyakuhei> SF vs SA I mean
17:22:39 <redrobot> SA would allow for Keystone/Barbican/OSSG to run back to back.
17:22:43 <hyakuhei> I think you US folks might be better qualified to comment
17:22:49 <redrobot> SF would mean just Barbican/OSSG
17:23:16 <hyakuhei> ok I think all three might be ambitious, especially if they're taking a whole week already
17:23:34 <ereynolds> generally warmer in SA (if that matters)
17:23:42 <tkelsey> hyakuhei: humm yeah +1
17:24:03 <bdpayne> the thinking should go like this ... SF >>>> SA
17:24:11 * bdpayne provides his humble opinion
17:24:21 <tmcpeak> lol
17:24:33 <bdpayne> and, to be honest, this has nothing to do with where I live
17:24:35 <redrobot> we do have awesome tacos down here
17:24:35 <bdpayne> I just happen to think that SA is kind of sleepy
17:24:49 <bdpayne> well, that is true
17:24:55 <hyakuhei> Personally I really like SF
17:24:59 <hyakuhei> but I've never been to SA
17:25:01 <bdpayne> and a nice little riverwalk ;-O
17:25:03 <reaperhulk> I live in Austin and I'd prefer SF ;)
17:25:10 <hyakuhei> bdpayne: can we go biking?
17:25:15 <bdpayne> clearly
17:25:27 <redrobot> in SA yes, there's a ton of greenways, and a pretty good bikeshare program.
17:25:48 <hyakuhei> ok so, let's make the presumption that GeekdomSF isn't terrible.
17:26:10 <hyakuhei> All other things being equal, we could just vote it here?
17:26:19 <hyakuhei> Well that's not fair to the Barbican folks
17:26:25 <hyakuhei> but we could measure what OSSG thought
17:26:31 <bdpayne> SF also has more / larger airports and better public transit
17:26:36 <hyakuhei> +1
17:26:42 <reaperhulk> SF geekdom space is reasonably large. I was there just a few weeks ago
17:26:46 <hyakuhei> That makes a difference to us puddle jumpers
17:26:56 <reaperhulk> I don't know about their scheduling of course
17:27:20 <hyakuhei> Ok, so my vote is SF on the condition that tmcpeak and bdpayne take us to awesome places during social hours
17:27:26 <tmcpeak> will do
17:27:27 <dg__> +1
17:27:31 <tkelsey> +1
17:27:31 <sicarie> +1
17:27:37 <tmcpeak> +1
17:27:37 <dg__> SF gets my vote
17:27:49 <bdpayne> I can work with this plan
17:27:55 <hyakuhei> redrobot: reaperhulk thoughts?
17:28:40 <hyakuhei> ok so I guess we need to find out about availability
17:28:59 <redrobot> I would be ok with SF.  The only question would be on dates?  There may be some Keystone folks that would maybe try to make SF after their mid-cycle.
17:29:16 <reaperhulk> Ha, I'm good on that ;)
17:30:33 * bdpayne votes for sometime in Feb
17:30:38 <hyakuhei> +1
17:30:40 <tkelsey> +1
17:30:48 <tmcpeak> yeah Feb
17:30:50 <tmcpeak> +1
17:31:43 * redrobot votes for late Feb.
17:32:33 <hyakuhei> ok, redrobot can you find out about availability at GeekdomSF for late Feb?
17:32:43 <redrobot> hyakuhei will do
17:33:36 <hyakuhei> Thank you!
17:33:57 <redrobot> hyakuhei I'll ping you as soon as I hear back from them.
17:34:08 <hyakuhei> Sweet, thank you
17:35:47 * bdpayne runs to another meeting... I'll be in the security channel later if anyone needs something from me
17:36:17 <hyakuhei> thanks bdpayne
17:36:36 <hyakuhei> ok. Next agenda item.
17:36:41 <hyakuhei> tmcpeak: did you have something?
17:36:53 <tmcpeak> hyakuhei: just a quick thing on Bandit
17:36:53 <bknudson> I had no problem in san antonio... the geekdom was right next to the river walk. Was too busy to go anywhere except the valencia hotel and geekdom
17:37:31 <tmcpeak> since we'll be using dev ML for OSSG stuff, it would probably be good to introduce Bandit to the wider audience
17:37:39 <hyakuhei> #topic bandit
17:37:42 <tmcpeak> I will draft something this week and send it out
17:37:47 <tkelsey> tmcpeak: +1 for mailing out
17:38:00 <bknudson> does bandit run on any code now? (keystone?)
17:38:14 <hyakuhei> It's not in any gates
17:38:21 <tmcpeak> yeah not in gates
17:38:27 <hyakuhei> but it can be run on the code tree and finds plenty
17:38:30 <tmcpeak> I'd love to start getting wider use and feedback
17:38:38 <tkelsey> +1
17:38:38 <hyakuhei> just check out all of tmcpeak's launchpad bugs :P
17:38:52 <bknudson> is there config for rules like flake8/pep8?
17:39:05 <tmcpeak> bknudson: yep
17:39:06 <bknudson> you can turn on the rules 1 by 1
17:39:14 <bknudson> and fix them
17:39:22 <tmcpeak> you can whitelist tests or blacklist tests
17:39:54 <bknudson> great
17:40:06 <tmcpeak> we'll be starting more dev soon
17:40:11 <tmcpeak> but feedback first would be really helpful
17:40:12 <bknudson> projects should be ok with it if it works like pep8
17:40:14 <tkelsey> yup yup :)
17:40:32 <hyakuhei> Almost like it was planned that way...
17:40:46 <tmcpeak> bknudson: the mechanism for enabling/disabling tests is probably different than pep8
17:40:48 <tmcpeak> but should be pretty self-explanatory
17:40:54 <tkelsey> we need to get into the global req's list to be allowed into test-requirements of course
17:41:04 <hyakuhei> More so than pep8 imho
17:41:14 <hyakuhei> ^ ease of use
17:41:24 <tmcpeak> yeah, we like to think so
17:41:56 <bknudson> with pep8 they pin at a version because it'd break everything when new rules are added.
17:42:30 <tmcpeak> with a simple profile tweak that wouldn't be an issue with Bandit
17:43:27 <tkelsey> tmcpeak: yeah the profile stuff is very nice
17:43:33 <tmcpeak> that's probably it on Bandit for now
17:43:40 <tmcpeak> stay tuned for ML introduction for it
17:43:48 <tkelsey> other than to invite anyone who fancies it to come contribute :)
17:44:06 <tmcpeak> +1
17:44:20 <hyakuhei> cool
17:44:28 <bknudson> I for one am looking forward to it
17:44:29 <hyakuhei> #topic KMIP
17:44:34 <hyakuhei> tkelsey:
17:44:38 <tmcpeak> bknudson: awesome!
17:44:39 <hyakuhei> What did you want to say?
17:44:56 <tkelsey> hyakuhei: about PyKMIP?
17:45:06 <hyakuhei> ja
17:45:25 <tkelsey> so I was just going to give a shout out, since I'm sure there are people in here who are interested
17:45:49 <bknudson> my understanding is that barbican can talk to KMIP
17:45:57 <tkelsey> PyKMIP 0.2.0 dropped a day or so ago, and PyKMIP 0.1.0 got into the global reqs list.
17:46:19 <tkelsey> bknudson: yeah Barbican is using it via KMIPSecretStore to talk to HSMs
17:46:46 <hyakuhei> So without that kmip could only perform user/password based authentication
17:47:00 <tkelsey> so it would be awesome to get 0.2.0 into the global req's, I'll probably make a patch to do that soon
17:47:03 <hyakuhei> This adds certificates, which a lot of HSMs demand - that right tkelsey ?
17:47:16 <tkelsey> hyakuhei: yes that's right
17:47:21 <bknudson> pykmip>=0.1.0  # Apache 2.0 License
17:47:21 <tkelsey> client cert
17:47:28 <bknudson> so if you install now you'd get 0.2.0.
17:47:38 <bknudson> shouldn't use the new APIs until the requirements is updated to 0.2.0
17:48:32 <tkelsey> yeah, true, but I had an engineering need to use the new stuff. But since KMIPSecretStore was in before PyKMIP at any version I figured it would be ok
17:49:00 <hyakuhei> What are the requirements for bumping the version in global reqs?
17:49:09 <tkelsey> as I say, I'll put a patch up to bump to 0.2.0 once the dust settles on 0.1.0
17:49:13 <bknudson> usually it's just an indication that some new feature needs it.
17:49:22 <tkelsey> bknudson: +1 yeah
17:49:32 <hyakuhei> Ok, that should be fine
17:49:35 <bknudson> i.e. "for the xxx feature we need 0.2.0"
17:49:56 <tkelsey> seems sensible
17:50:08 <tkelsey> thanks bknudson
17:50:17 <tkelsey> ok that's it from me.
17:50:30 <hyakuhei> #topic any other business
17:50:45 <sicarie> yeah
17:50:49 <hyakuhei> I'm really looking forward to get the mid-cycle locked in
17:50:56 <sicarie> I may have missed it - I'm not great with poking around launchpad
17:51:08 <sicarie> But is there any type of push to move off SSL?
17:51:12 <sicarie> bugs/etc...?
17:51:24 <hyakuhei> I'd like for someone to do some calibration of the OSSA metrics I wrote: https://wiki.openstack.org/wiki/Security/OSSA-Metrics
17:51:41 <hyakuhei> sicarie: yeah just file a bug
17:51:51 <hyakuhei> Oh I did that for the guide already
17:52:04 <sicarie> For example I was looking through Neutron's bugs
17:52:07 <hyakuhei> tmcpeak: tkelsey didn't one of you write a bandit test for this ?
17:52:07 <sicarie> didn't see anything
17:52:15 <tmcpeak> hyakuhei: what did you have in mind for calibration?
17:52:19 <tmcpeak> tkelsey did
17:52:33 <tkelsey> hyakuhei: yup I did
17:52:35 <hyakuhei> tmcpeak: take an OSSA, run it through the modified version of DREAD in the link
17:52:35 <dg__> sicarie bdpayne was/is updating the Security Guide to move off SSL, I don't believe there has been any talk of opening tickets to address individual cases
17:52:42 <hyakuhei> Document the result and we'll compare notes
17:53:12 <tmcpeak> cool,  will do
17:53:20 <sicarie> dg__ I was just wondering if there was an over-arching approach to move to it (certain projects first, etc...)
17:53:26 <hyakuhei> We want to make sure that show stopping OSSAs score highly while less important ones don't. I expect everything to be medium or over because they don't really go in for OSSA on mild issues
17:53:41 <hyakuhei> sicarie: There's no oversight like that
17:53:42 <tmcpeak> right
17:53:46 <hyakuhei> OSSG could provide guidance
17:53:56 <sicarie> hyakuhei exactly what I was thinking
17:54:01 <hyakuhei> 1st step, clone all the projects, run them through bandit for SSL checks I guess
17:54:08 <tkelsey> hyakuhei: +1
17:54:15 <bknudson> crappy eventlet servers on old python don't even allow configuring for no SSLv3.
17:55:07 <sicarie> bknudson exactly the type of thing I was looking to start trying to find and approach now
17:55:54 <clarkb> bknudson: are you sure? python2 ssl seems to support setting the version
17:56:22 <hyakuhei> ok who wants to take an action to investigate?
17:56:27 <hyakuhei> sweston: how is your OSSN coming?
17:56:34 * sicarie volunteers
17:56:55 <bdpayne> I would argue that what we want is to make sure that every project can be configured to run without SSLv3... and that this is the default.  If people want to enable SSLv3 for some reason, that is their own choice.
17:57:07 <sweston> hyakuhei: it's going well, just got instructions from Tim this morning, will push an update to gerrit soon
17:57:09 <hyakuhei> #action sicarie to provide a summary of projects that still support SSL by default
17:57:14 <sicarie> bdpayne +1
17:57:16 <hyakuhei> great thanks sweston
17:57:18 <bknudson> clarkb: see https://docs.python.org/2/library/ssl.html#ssl.OP_NO_SSLv2
17:57:25 <tkelsey> sweston: +1
17:57:30 <sweston> hyakuhei: sure thing
17:57:40 <sweston> tkelsey: thanks :-)
17:57:41 <bknudson> clarkb: you have to do PROTOCOL_SSLv23 | OP_NO_SSLv2 | OP_NO_SSLv3
17:57:43 <clarkb> bknudson: that is only applicable when using the 23 version...
17:57:56 <clarkb> you can still say TLS1 | TLS1.1 | TLS1.2 ya?
17:58:23 <bknudson> clarkb: I guess, but then what happens when TLS1.3? Also, there's no config option (in keystone.conf for example)
17:58:45 <hyakuhei> 1 minute guys
17:58:58 <bknudson> there's no config option in keystone.conf that allows you to set TLS1 | TLS1.1 | TLS1.2
17:59:13 <hyakuhei> ok, maybe take this over to the security room?
17:59:23 <hyakuhei> Thanks everyone for attending, looking forward to SFO!
17:59:29 <tmcpeak> later!
17:59:29 <tkelsey> :) thanks all!
17:59:30 <alazarev> meeting at #openstack-meeting-alt in 1 minute
17:59:31 <hyakuhei> #endmeeting