17:00:14 #startmeeting openstack security group
17:00:15 Meeting started Thu Dec 4 17:00:14 2014 UTC and is due to finish in 60 minutes. The chair is tkelsey. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:16 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:18 The meeting name has been set to 'openstack_security_group'
17:00:34 Hello OSSG folks, I will be your host today (hyakuhei can't make it and sends his apologies).
17:00:59 #topic rollcall
17:01:16 o/
17:01:16 o/
17:01:30 o/
17:01:47 hey sweston elmiko sicarie, just give a few mins for folks to join
17:01:53 np
17:01:54 \o
17:01:58 o/
17:02:05 tkelsey: of course
17:02:31 o/
17:03:19 o/ I'm kind of around but pretty much afk
17:03:27 Thanks tkelsey for chairing this!
17:03:40 hyakuhei: np
17:03:41 go tkelsey!
17:04:17 dg_: heh :)
17:05:06 ok, i think that's long enough for folks to join
17:05:13 #topic agenda
17:05:22 so what do we want to talk about today then
17:05:44 I have a few things carried over from the last meeting (pre-Thanksgiving)
17:06:02 anyone else got topics to discuss?
17:06:45 i've got a question or two about documentation, but it's not huge
17:06:50 tkelsey someone mailed the list about change history for the security guide, when to update the changelog in the front, etc
17:07:35 elmiko, ok cool. Yeah dg_ security guide stuff is on the list
17:07:56 right, let's start with barbican
17:08:03 #topic barbican
17:08:51 so there is a patch to bump PyKMIP to 0.2.0 in the global reqs here, getting some traction
17:09:04 #link https://review.openstack.org/#/c/137016/
17:09:46 * bdpayne is here... sorry I'm a little late
17:10:14 any other Barbican related topics people want to mention? do we have redrobot
17:10:38 hey bdpayne, hyakuhei asked me to chair the meeting this time
17:10:48 cool, thanks for stepping up
17:11:05 bdpayne: my pleasure
17:11:58 ok so I guess that's it for Barbican stuff
17:12:08 #topic midterm
17:12:50 what is midterm ?
17:12:51 so I don't have much to input on the midterm discussions, but I gather redrobot was going to find out about geekdom availability
17:13:15 ANIsh_ the midcycle OSSG meetup
17:13:18 that's what I recall as well
17:13:19 ANIsh_: midterm meet up
17:13:21 tkelsey indeed... finally got a response from them last night, trying to work out the details now.
17:13:22 I guess we're waiting to hear on that before locking in dates?
17:13:34 ok does it happen in the US
17:13:37 redrobot: awesome thanks :)
17:13:58 ANIsh_: yes it's in the US
17:14:12 current discussion is san antonio or san fran
17:15:19 ok
17:16:21 yeah, I think SF got most of the votes last time we mentioned it
17:16:52 anyway, let's let redrobot look over the details from geekdom and then revisit it next time
17:16:58 unless anyone wants to add anything now?
17:17:45 wow, blew right through my meeting reminder :)
17:17:48 hi folks
17:17:54 so the meetup can be attended remotely ?
17:17:58 heh hi tmcpeak
17:18:14 ANIsh_: no idea, I have actually never been to one
17:18:22 anyone else know about that sort of thing?
17:18:33 it would probably be pretty difficult
17:19:24 Re remote attendance... someone tried that last time and it didn't work too well
17:19:37 I'm not against the idea, but I'd suggest that it has limited utility
17:20:23 bdpayne: that makes sense, though of course people will be in the IRC room from time to time I would think
17:20:50 indeed
17:21:19 ok then, all happy to move on?
17:22:18 sure!
17:22:20 ok, so next on my list is Anchor
17:22:27 #topic anchor
17:22:51 anchor is the name for the Ephemeral PKI now on stackforge
17:23:07 https://review.openstack.org/#/admin/projects/stackforge/anchor
17:23:17 #link https://review.openstack.org/#/admin/projects/stackforge/anchor
17:23:36 #link https://github.com/stackforge/anchor
17:23:59 this is the short-lived certificate system that hyakuhei talked about during the Paris summit
17:24:44 it now has a name and a home, so anyone with an interest is welcome to check it out and leave bugs for us in LP
17:24:46 nice, glad to see this posted
17:24:55 what are the plans for this going forward?
17:24:56 sounds cool
17:25:01 i will take a look
17:25:43 for those who did not get a chance to see the talk the vid can be found here ...
17:25:47 #link https://www.youtube.com/watch?v=jf_YOzW7I3s
17:26:03 exciting times :)
17:26:23 bdpayne make it work well, test it, document it, etc. We will be looking to deploy this in production systems, and hopefully get this adopted (if that is the correct term?)
17:26:54 if anyone wants to contribute, then feel free, it'd be really nice to have some non-HP effort working on this!
17:27:04 would be nice to see barbican integration (Anchor as a CA backend for Barbican)
17:27:24 I'll check it out, I've been curious about how you guys are approaching this
17:27:44 bdpayne: I think there was some discussion of integration with Barbican in their last meeting
17:27:54 I would have to have a think about that, I've been thinking about plugging Anchor into an HSM for key storage, but hadn't thought about plugging it into barbican.
17:28:11 bdpayne +1
17:29:42 in terms of helping out with anchor, is there a list of TODOs or something?
17:29:51 well we have a bunch of preliminary stuff to sort out to make the project more in line with openstack ways of doing stuff
17:30:21 elmiko: we will be updating with TODOs and documentation
17:30:30 tkelsey: awesome
17:30:47 #action tkelsey to add some TODOs for Anchor
17:31:18 yeah, no need to redo all of that hsm work that's already in barbican
17:32:14 bdpayne: +1 we don't want to duplicate effort
17:33:29 ok cool, so plenty of stuff will be happening with Anchor and it would be good to get input from people :)
17:33:33 moving on
17:33:47 #OSSA metrics calibration
17:33:50 nope
17:33:56 #topic OSSA metrics calibration
17:34:03 I tried running through one
17:34:09 DREAD is pretty subjective
17:34:18 so hyakuhei asked about this last meeting
17:34:18 it could be helpful to have more specific qualifications for each
17:34:34 tmcpeak: sure, i guess that's why we need some good calibration examples for reference
17:35:18 yeah, so for starters R and E could use some more distinction IMO
17:35:27 my take is that this stuff will always be subjective at some level
17:35:35 the idea is to try to reduce / minimize that
17:35:37 yeah, for sure
17:35:40 bdpayne: agreed
17:35:53 to be useful though, we should take away as much subjectivity as possible
17:35:56 I'd look for two things
17:36:18 1) if two people review the same bug do they come up with the same score (or similar)
17:36:25 2) do the scores that people come up with pass the "smell test"
17:36:31 that is... do they seem reasonable
17:36:38 sure
17:36:55 bdpayne: sounds like good advice
17:37:00 well to that extent then, I'd be curious on other passes on this: https://bugs.launchpad.net/horizon/+bug/1308727
17:37:03 Launchpad bug 1308727 in horizon/icehouse "[OSSA 2014-023] XSS in Horizon Heat template - resource name (CVE-2014-3473)" [High,Fix released]
17:37:09 I did a pass, and came up with a score
17:37:13 I'd be curious what others come up with
17:37:25 yeah, perhaps we should have several people take a pass over a collection of 5-10 bugs
17:37:32 and then share the scores when everyone is done
17:37:38 bdpayne: +1 sounds like a good plan
17:37:45 yeah, that sounds good
17:38:02 I'd be happy to participate
17:38:11 +1
17:38:16 perhaps someone else could put together the list of bugs to score?
17:38:18 bdpayne: thank you, anyone else like to take part
17:38:21 I'll play too, but I'm out for a couple of weeks
17:38:23 so might take me a while
17:38:30 pull up a set of bugs, send it out to the mailing list with a link to the dread info?
17:38:34 i'll join in the effort as well
17:38:44 dg_ good plan
17:38:48 yeah... I guess it could just be the last N OSSAs
17:38:50 arghh broken autoscroll
17:39:07 that's one thing bdpayne: I actually had a hard time finding the last N OSSAs
17:39:11 bdpayne yeh that would do the trick, no real need to cherry pick
17:39:13 is there a simple way to do it I'm missing?
17:40:18 normally I'd just search my inbox
17:40:34 dg_ ok, can you send out a message to the ML with links to the last 5 OSSAs and we can coordinate around that
17:40:50 bdpayne I don't think that approach would scale...
17:40:53 yeah, that's what I did. I guess there isn't anything better? Would be nice to just hit a page and get them
17:41:22 there may be a better way to do it, but for now a manual list should be fine right?
17:41:54 so I would hope that there is a page, they talked about this in the VMT design session in paris, talking about having security.openstack as the destination to get stuff like this
17:42:19 yeah, I'm thinking that's not done yet
17:42:49 fyi https://wiki.openstack.org/wiki/SecurityAdvisories/Icehouse
17:42:49 ok, as long as it wasn't me just being stupid :)
17:42:52 and so forth
17:43:01 heh, I guess have a dig around and find the last 5
17:43:05 ok, can we put the action to send out that list on someone who has the list of the most recent OSSAs, or someone mail them to me and I'll write something up
17:43:21 dg_ can you take an action to do that please ?
17:43:32 ahh there we go, thanks bdpayne
17:43:36 :-)
17:43:46 tkelsey sure
17:44:10 #action dg_ to send a list of the last 5 OSSAs to the ML for calibration efforts
17:44:25 ok, quick show of hands, who wants to take part in scoring ?
17:44:31 o/
17:44:36 o\
17:44:43 I mean o/
17:44:46 lol :)
17:44:54 o/
17:45:15 o/
17:45:43 thanks guys, appreciated :)
17:45:53 ok next
17:46:27 #topic security guide
17:46:38 elmiko: what did you want to bring up?
17:46:58 tkelsey: i'm working on a security guidelines document for the Sahara project
17:47:14 and i'm looking for the OSSG guide sources for inspiration
17:47:30 will this be coding guidelines or ?
17:47:30 not for content, but for a little guidance on the structure of our sources.
17:47:35 ahh, ok
17:47:38 configuration guides
17:47:48 elmiko, I'd be happy to help you out
17:48:17 i'm thinking we'd like to have something akin to what is currently produced, a PDF and online docs with the ability for the community to generate patches against the docs.
17:48:18 sources for the guide are here: https://github.com/openstack/security-doc/tree/master/security-guide
17:48:30 bdpayne: awesome, thanks!
17:48:44 hello
17:48:44 thanks bdpayne :)
17:48:46 so, that takes a while to achieve
17:48:48 you'd really want doc team support for that
17:49:00 although, any reason you wouldn't just want this as part of the security guide?
17:49:22 no specific reason, i think we were just considering starting small
17:49:34 it would be awesome to have it part of the main doc though =)
17:49:48 to be honest, it would be less work to join forces
17:49:51 otherwise you are reinventing lots of stuff
17:50:01 what is the status of the sahara project?
17:50:11 sahara is integrated as of Juno
17:50:21 ok cool
17:50:28 so we should be able to just make a chapter for it
17:50:47 that would be great
17:50:48 I'd suggest taking that approach
17:50:50 then you can also cross reference to other things in the book more easily
17:50:57 like... you want TLS... see Ch X
17:51:05 exactly
17:51:22 so yeah, perhaps ping me and I can help you get started
17:51:25 yes, I was going to ask about TLS next, but i'll let you guys finish up first
17:51:31 would be good to start by filing some bugs for the work you have in mind
17:51:44 so, i've started a blueprint in the sahara side of launchpad, would it be appropriate to continue with my spec and then attempt to bring things over to the OSSG doc?
17:52:03 either way
17:52:16 ok, 10mins folks
17:52:19 also on the security guide topic, i ran across some stale content the other day.. not sure if anyone else needs to know about it
17:52:20 when it comes time to do the actual writing / merging, I'd ask that you file bugs under https://bugs.launchpad.net/openstack-manuals
17:52:27 bdpayne have a minor TLS/security guide point to cover too
17:52:30 and then tag them as security guide bugs
17:52:46 #link https://bugs.launchpad.net/openstack-manuals/+bug/1395974
17:52:47 Launchpad bug 1395974 in openstack-manuals "OpenStack Security Guide Chapter number mismatch" [High,Triaged]
17:52:48 "sec-guide" is the correct tag
17:52:54 bdpayne: ok, i'll need time to study the doc/manuals stuff.
17:52:59 sure, np
17:53:16 poke me if you have questions... I'm usually in the openstack-security IRC channel
17:53:41 ok elmiko and bdpayne should talk more on this :)
17:53:41 bdpayne: also, i imagine we will have more content as time goes on, we are just starting to improve security in sahara
17:53:52 sounds like it =)
17:53:58 sure, sounds good
17:54:03 in the last 5mins do we have any pressing issues to raise ?
17:54:18 chair6 what's the question on that bug?
17:54:46 dg_ perhaps we could chat about your point in the security channel after this meeting?
17:55:05 looks like it's being actioned, but just wanted to make sure it's "known about"
17:55:18 ah, yes, it is
17:55:20 thanks
17:55:21 chair6: good stuff
17:55:23 thanks
17:55:28 bdpayne sounds good
17:55:53 ok so unless we have anything else pressing let's talk about OSSNs
17:56:01 #topic OSSNs
17:56:17 so who has outstanding OSSNs in review ?
17:56:47 please add links here so others can go review them :)
17:56:56 looks like there are 2
17:57:03 https://review.openstack.org/#/c/136203/
17:57:18 https://review.openstack.org/#/c/128636/
17:57:32 bdpayne: thank you, didn't know whether it needed more reviews or not
17:57:43 for the first one
17:57:48 sweston, looks like you need another OSSG core review
17:57:51 I can provide that
17:58:05 bdpayne: awesome, thank you :-)
17:58:18 also may need a review from the project core team? do we have that yet?
17:58:33 tkelsey for yours... are we waiting on a core project review?
17:58:46 bdpayne: yes that's right
17:58:56 ok, how do we get that to happen?
17:59:06 this has been sitting idle for a while
17:59:23 bdpayne: yes, I guess I'll go jump into an irc room and ask :)
17:59:37 ok thanks
17:59:50 looks like our time is up
17:59:55 indeed
18:00:01 thanks everyone
18:00:05 #endmeeting