17:00:43 <hyakuhei> #startmeeting OpenStack Security Group
17:00:44 <openstack> Meeting started Thu Jan 29 17:00:43 2015 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:45 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:48 <openstack> The meeting name has been set to 'openstack_security_group'
17:00:52 <hyakuhei> zomg bdpayne !
17:01:00 <barthalion> lol
17:01:08 <elmiko> hi
17:01:12 <tmcpeak> bdpayne: btw, jursey is back in the chan
17:01:16 <tkelsey> o/
17:01:23 <tmcpeak> spamming the peeplez
17:01:30 <bknudson> lol (not laughing, arms up)
17:01:34 <bdpayne> hey guys
17:01:42 <redrobot> o/
17:01:44 <ljfisher> o/
17:01:49 <gmurphy> o/
17:01:54 <bdpayne> I'll see what I can do with my amazing powers :-)
17:01:57 <sigmavirus24> o/
17:02:10 <tmcpeak> \o\     dancing it out
17:02:34 <hyakuhei> lol everyone is excitable today
17:02:41 <sigmavirus24> /o/
17:02:47 <hyakuhei> Must be anticipation of the meetup of awesomeness
17:02:49 <chair6> ello
17:03:13 <tmcpeak> too much fun with ghost busting
17:03:23 <hyakuhei> lol yes
17:03:29 <hyakuhei> So agenda for today?
17:03:34 <tmcpeak> bandit
17:03:38 <hyakuhei> * Anchor
17:03:46 <hyakuhei> * Meetup
17:03:51 <hyakuhei> * Bugs
17:04:02 <hyakuhei> * GLIBC Spectres
17:04:22 <hyakuhei> Anything else ?
17:04:36 <tmcpeak> looks like a good start
17:04:56 <hyakuhei> Ok lets roll
17:04:59 <hyakuhei> #topic Bandit
17:05:12 <tmcpeak> ok - regretfully we have a PyPI collision on the Bandit name
17:05:26 <hyakuhei> Grrr.
17:05:33 <bknudson> https://pypi.python.org/pypi/bandit/0.0.1
17:05:34 <redrobot> boooo
17:05:34 <hyakuhei> BANdit?
17:05:34 <tmcpeak> I've asked the owner if he wants to give it up, but I'm not holding my breath
17:05:35 <hyakuhei> heh
17:05:36 <bdpayne> clearly we shall call it bandit2
17:05:42 <redrobot> bandido?
17:05:51 <tkelsey> redrobot: +1 lol
17:06:02 <sigmavirus24> might be able to take it over
17:06:09 <tmcpeak> yeah, so a few options, slightly different name, totally different name, same name with something appended
17:06:21 <tmcpeak> wanted to see what the folks favor
17:06:29 <tmcpeak> particularly chair6 since it's his baby
17:06:39 <tkelsey> tmcpeak: +1
17:06:52 <hyakuhei> +1
17:07:12 <bpb_> Bandicoot?
17:07:13 <elmiko> redrobot: +1
17:07:33 <tmcpeak> I'm somewhat hesitant to put oslo.bandit, openstack.bandit, etc because I don't want to discourage non-openstack projects from using it
17:07:43 <tmcpeak> I could see sec.bandit or something
17:07:53 <hyakuhei> +1 tmcpeak
17:07:54 <bdpayne> I'd suggest a full name change
17:07:57 <tmcpeak> or we can just go full on rebrand
17:07:59 <hyakuhei> Yeah
17:08:09 <hyakuhei> So I don’t think making it openstack specific is sensible
17:08:16 <tkelsey> hyakuhei: +1
17:08:26 <sigmavirus24> Did we consider contacting the package owner?
17:08:26 <hyakuhei> chair6: !
17:08:35 <hyakuhei> sigmavirus24: Yes but no reply yet afaik
17:08:36 <tmcpeak> sigmavirus24: I did yesterday
17:08:55 <tmcpeak> it seems like it has a fair amount of downloads, so I doubt he'd relinquish
17:08:56 <hyakuhei> It’s a pretty stale package by the looks of things
17:09:08 <chair6> i say we wait on a reply for a few days
17:09:08 <sigmavirus24> tmcpeak: that's likely mirrors
17:09:15 <sigmavirus24> chair6: I'd say give it a week or more honestly
17:09:18 <tmcpeak> sigmavirus24: ahh yeah, good point
17:09:18 <gmurphy> cl:q
17:09:23 <chair6> yep, then talk about other options from there
17:09:28 <sigmavirus24> If not, we can contact the PyPI administrators to see if we can reclaim the name
17:09:33 <tkelsey> that seems like a good plan
17:09:44 <sigmavirus24> (bandicoot may be trademarked fwiw)
17:09:45 <tmcpeak> ok, only downside is we really are completely blocked for moving ahead with our gate test in the meantime
17:10:09 <tmcpeak> I have a global requirements change ready to go, just pending a version number pin
17:10:15 <bknudson> seems easier to pick a new name.
17:10:17 <tmcpeak> openstack-infra folks really want that
17:10:25 <tmcpeak> the pinned version I mean
17:10:31 <hyakuhei> Yeah
17:10:32 <chair6> renaming will take effort too though
17:10:49 <tmcpeak> it will also reset whatever name building we've already done
17:10:50 <chair6> hold off, see if we get a response, blocked for a week is okay.. imho
17:11:10 <tmcpeak> ok, I'm fine with that
17:11:17 <tmcpeak> backup plan?
17:11:23 <tmcpeak> new name or append?
17:11:47 <hyakuhei> Might as well agree a new name in the meantime...
17:11:47 <chair6> new name
17:11:53 <tkelsey> chair6: +1 i think that seems like the best way to do it, backup should be contacting PyPI admins as sigmavirus24 suggested, after that look at rename I guess. Thoughts?
17:11:53 <bdpayne> +1 for new name
17:12:10 <tmcpeak> ok
17:12:13 <sigmavirus24> If we can't get bandit, +1 for a new name
17:12:55 <tmcpeak> bandido and bandito are both free in PyPI
17:12:58 <tkelsey> let the name voting commence lol (this normally takes a while)
17:13:00 <hyakuhei> ok cool, that all seems sensible
17:13:05 <hyakuhei> I love bandito :P
17:13:16 <tmcpeak> bknudson suggested it might be culturally insensitive
17:13:23 <tkelsey> yeah +1 bandito here :)
17:13:30 <tkelsey> ahh right
17:13:36 <bdpayne> -1 on bandito ... it has... other meanings
17:13:40 <hyakuhei> Also, more generally OSSG / Bandit - there’s a few reviews outstanding and it would be good to have other OSSG people looking at Bandit https://review.openstack.org/#/q/project:stackforge/bandit+status:open,n,z
17:13:41 <bpb_> bandicoot
17:14:01 <bpb_> http://en.wikipedia.org/wiki/Bandicoot
17:14:09 <tmcpeak> checking bad requirement is bogus… I did that for a test
17:14:12 <tmcpeak> I'll abandon soon
17:14:14 <hyakuhei> rofl @ urban dictionary / Bandito
17:14:22 <tmcpeak> actually both the bottom two are bogus
17:14:26 <tmcpeak> Lucas' is in flight
17:14:30 <bknudson> I think everything has an entry in urban dictionary by now.
17:14:31 <bdpayne> -1 on bandicoot... it's taken: http://bandilab.org/
17:14:32 <hyakuhei> great
17:14:33 <tmcpeak> we're pretty good with the reviews
17:14:50 <bknudson> if not we can make something up.
17:14:53 <bpb_> bdpayne: oh well
17:14:56 <hyakuhei> Anything else on the project we know as Bandit?
17:14:57 <chair6> i'm actually quite annoying about this name thing .. it's completely breaking my name-all-the-tools-after-smokey-and-the-bandit-characters rule i have with this current employer
17:15:02 <tkelsey> bpb_: bandicoot :D http://en.wikipedia.org/wiki/Crash_Bandicoot_%28video_game%29
17:15:12 <elmiko> chair6: LOL
17:15:16 <bknudson> there must be other characters.
17:15:38 <bknudson> http://www.imdb.com/title/tt0076729/fullcredits/
17:15:56 <chair6> i'm already using smokey, and burdette, and cledus, and.. :)
17:16:06 <chair6> we'll sort it out, and i'll survive
17:16:08 <bknudson> sugarbear?
17:16:15 <tkelsey> lol
17:16:17 <nkinder> hotpants?  Hmm... not sure
17:16:17 <bknudson> hotpants?
17:16:21 <elmiko> lol
17:16:23 <tmcpeak> sugarbear!
17:16:26 <ljfisher> redbandit? my history tells me to always put two words together
17:16:26 <chair6> using sugarbear already :)
17:16:56 <bdpayne> so it's either hotpants or cledus then ;-)
17:16:57 <hyakuhei> Hehe.
17:17:10 <nkinder> trucker?
17:17:12 * ukbelch feels like he arrived at the wrong time
17:17:18 <tmcpeak> chair6 has cledus already
17:17:21 <hyakuhei> tkelsey: Is there much to report on Anchor ?
17:17:24 <sigmavirus24> cledus +1
17:17:36 <nkinder> hotpants may be taken already for the next big CVE marketing name...
17:17:38 <bknudson> I'm afraid to lookup hotpants in urban dictionary.
17:17:45 <tkelsey> hyakuhei: tests rolling in, stuff in review, thats about i t
17:17:47 <tkelsey> *it
17:17:48 <tmcpeak> chair6: maybe you can swap your project names to one that doesn't require PyPI
17:17:50 <bpb_> Bandura?
17:18:29 <sigmavirus24> what about tidnab?
17:18:35 <ljfisher> codebandit, but taken a couple places
17:18:41 <tmcpeak> or secbandit
17:18:42 <bdpayne> hot pants + urban dictionary = what's wrong with UK?
17:18:51 <tkelsey> bdpayne: lol
17:18:52 <tmcpeak> it's very rainy there
17:19:03 <hyakuhei> roflcopter
17:19:17 <sigmavirus24> bandicurity?
17:19:19 <hyakuhei> ok kids, lets talk about the meetup
17:19:23 <elmiko> pantsbandit
17:19:36 <ljfisher> control is lost
17:19:41 <elmiko> sry
17:19:44 <sigmavirus24> elmiko: we don't want people to think we're stealing pants now =P
17:19:47 <hyakuhei> #topic Security Meetup
17:19:51 <ukbelch> Racoon
17:20:06 <elmiko> sigmavirus24: we dont?
17:20:20 <sigmavirus24> elmiko: I'll explain later
17:20:36 <bknudson> I got approval to attend the meetup so am planning to be there.
17:20:43 <hyakuhei> Fantastic!
17:20:53 <nkinder> great!
17:20:53 <hyakuhei> The etherpad is here: #link https://etherpad.openstack.org/p/ossg-kilo-meetup
17:20:54 <tmcpeak> awesome!
17:21:04 <hyakuhei> The agenda could still be stronger, I want to make the most of it
17:21:21 <hyakuhei> redrobot: Our plans need to be aligned too
17:21:30 <hyakuhei> At least where we want to do similar things...
17:21:32 <redrobot> hyakuhei agreed.
17:21:35 <bknudson> is barbican going to be there?
17:21:42 <redrobot> we can definitely talk about the Anchor->Barbican integration
17:21:45 <hyakuhei> Running in parallel in texas
17:21:50 <hyakuhei> Yeah
17:21:59 <redrobot> yes, we're scheduled for Feb 16-18
17:22:02 <hyakuhei> We’ll work out the best way
17:22:04 <bknudson> there was some confusion at the keystone meetup about where barbican was.
17:22:14 <hyakuhei> Hangouts?
17:22:37 <redrobot> bknudson sorry about that... I had originally planned to go, but some personal stuff came up that prevented me from going... :-\
17:23:07 <redrobot> hyakuhei hangouts is pretty good, other than the 10 ppl cap... but I don't think that'll be an issue
17:23:27 <hyakuhei> cool, we’ll probably have a roomfull at the OSSG end anyway :)
17:23:29 <bdpayne> I wonder if we could setup a room with hangouts on a big screen
17:23:41 <hyakuhei> Any meetup related questions or queries
17:23:43 <hyakuhei> ?
17:24:00 <tkelsey> +1 for Anchor <-> Barbican stuff
17:24:02 <redrobot> bdpayne we did that for the meetup last cycle for a remote contributor and it worked out well.
17:24:05 <bdpayne> when you say that you want a strong agenda... what are you looking for?
17:24:06 <sigmavirus24> (also hangouts can be livestreamed to twitter for people wishing to observe but not participate)
17:24:08 <bdpayne> more?
17:24:10 <bdpayne> more detail?
17:24:21 <ukbelch> twitter? not youtube? :)
17:24:24 <tmcpeak> bdpayne: +1
17:24:35 <redrobot> I also want to run bandit on the barbican code base, but I've been slacking on it... gotta make some time for it soon.
17:24:51 <tkelsey> redrobot: that would be very interesting
17:25:55 <hyakuhei> bdpayne: both really.
17:26:06 <hyakuhei> We are sending quite a few people :)
17:26:09 <bdpayne> kk
17:26:22 <hyakuhei> #topic Summit
17:26:31 <hyakuhei> Who’s putting presentations in for the summit?
17:26:39 <ljfisher> o/
17:26:45 <nkinder> I'm working on one
17:27:01 <ljfisher> need to touch base with nkinder on that
17:27:18 <hyakuhei> I’ll likely put in an abstract for the security group though I don’t know 100% if there’s a Security track atm.
17:27:39 <bdpayne> I might... still tbd
17:27:41 <tmcpeak> there really should be a security track...
17:27:54 <bdpayne> no security track again?  that's a shame
17:28:16 <bknudson> security must be a solved problem.
17:28:17 <hyakuhei> All I’m saying is I’ve not had it confirmed
17:28:39 <hyakuhei> It doesn’t sound like there’s many of us writing abstracts!?
17:28:57 <hyakuhei> I’ll put in a talk for Anchor too
17:29:00 <sigmavirus24> bknudson: it is a solved problem. Rub some crypto on it. Done.
17:29:11 <nkinder> I know there are a number of barbican talks in the works
17:29:21 <nkinder> ...so those would all line up with a security track
17:29:35 <bdpayne> there's a potential 3rd one coming from Nebula, too
17:29:42 <bdpayne> I won't steal his thunder
17:29:52 <bdpayne> but we will have 2 or 3 total
17:29:57 <hyakuhei> “Cloud Security” is at least a Topic listed on the CFP
17:31:03 <hyakuhei> #topic Ghosts (GLIBC)
17:31:15 <hyakuhei> Sooo, it’s been a fun few days...
17:31:30 <hyakuhei> tkelsey was looking at an OSSN
17:31:38 <tmcpeak> dg was I think
17:31:47 <hyakuhei> In the same way that we’ve produced OSSNs for other big news-grabbing vulns
17:31:55 <tkelsey> yeah dg wanted to do it, so I punted to him :)
17:31:59 <hyakuhei> tmcpeak: they both were but dg is late to the meeting so doesn’t get credit!
17:32:04 <hyakuhei> hah
17:32:06 <tmcpeak> haha ok, fair enough
17:32:12 <tkelsey> lol, i'll take that :P
17:32:31 <hyakuhei> Ok, nkinder bdpayne thoughts on an OSSN for GLIBC/GHOST ?
17:32:57 <nkinder> Seems like it'd be pretty basic, but sure.
17:32:57 <bdpayne> I'm kind of meh on it, tbh
17:33:07 <nkinder> Upgrade glibc
17:33:08 <hyakuhei> Also more widely has anyone identified any strong OpenStack vectors to get user controlled domain names into an OpenStack cloud?
17:33:24 <bdpayne> I feel like Ghost has been a touch overhyped
17:33:42 <nkinder> designate possibly?
17:34:02 <hyakuhei> bdpayne: I share some of the sentiment
17:34:21 <hyakuhei> but I also think there’ll be other processes (than exim) shown to be exploitable over the coming weeks
17:34:46 <hyakuhei> and it’s a big coordinated release with a logo etc so it’s good for us to have something documented
17:34:57 <hyakuhei> I think otherwise it looks like an obvious gap in the OSSNs
17:35:02 <bdpayne> sure, I'm not against it if someone wants to do it
17:35:07 <tkelsey> hyakuhei: +1
17:35:16 <hyakuhei> Which, seem to have slowed down recently? nkinder is that the case?
17:35:51 <tmcpeak> they do seem less frequent
17:36:09 <nkinder> I'm not against it, but I do see us setting a precedent for releasing an OSSN for any CVE with a big splash
17:36:28 <nkinder> I don't really want to feel obligated to issue an OSSN just because of hype
17:36:54 <bdpayne> speaking of OSSNs... I have a private security bug that may be an OSSN candidate
17:36:55 <hyakuhei> nkinder: No but these happen rarely, once or twice per year… ?
17:36:56 <tmcpeak> I guess more to the point, are we still issuing notes for OpenStack bugs which would have traditionally gotten them?
17:37:06 <hyakuhei> bdpayne: That’s exciting
17:37:22 <bdpayne> well, sort of
17:37:24 <bdpayne> it means that the VMT doesn't want it
17:37:31 <nkinder> tmcpeak: we should be
17:37:33 * bdpayne tries to find it
17:38:05 <dg_> I did start drafting an OSSN in a spare moment yesterday, I'll try and get it finished and push it up, happy if we decide we don't need it though.
17:38:23 <nkinder> tmcpeak: there's not much new in the queue that has been identified though (there are some old ones though)
17:38:50 <tmcpeak> it looks like from here https://wiki.openstack.org/wiki/Security_Notes  some have been WIP for quite a while
17:38:54 <nkinder> tmcpeak: they just need to be picked up by anyone who has the spare cycles
17:39:23 <hyakuhei> So we could have a sprint on that at the Meetup?
17:39:25 <bdpayne> nkinder and hyakuhei have a look at https://bugs.launchpad.net/oslo.config/+bug/1395575 (for others, this is still private for now, sorry)
17:40:04 <tmcpeak> this vswitch one is a nightmare: https://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0040&action=edit&redlink=1 - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch (work in progress)
17:40:10 <tmcpeak> this might be what derailed the notes :)
17:40:26 <nkinder> bdpayne: interesting
17:40:41 <hyakuhei> Yeah interesting, VMT will punt that to OSSN I think
17:40:46 <nkinder> yeah
17:40:50 <hyakuhei> (without looking through the discussion)
17:41:16 <hyakuhei> VMT really manages very-nasty-exploits more than security flaws and design issues
17:41:20 <hyakuhei> That’s what we’re for :)
17:41:27 <nkinder> tmcpeak: the IdP one has some code going in which sort of resolves it, which I would like in the note
17:41:47 <tmcpeak> nkinder: ahh
17:41:50 <nkinder> I need to circle back and see if that has landed yet
17:42:24 <bknudson> idp one?
17:42:56 <nkinder> bknudson: https://bugs.launchpad.net/ossn/+bug/1390124
17:43:09 <nkinder> bknudson: this is one I discussed with Marek back in Paris
17:43:19 <bknudson> an ossn for that makes sense.
17:43:31 <nkinder> Yeah
17:43:34 <bknudson> the doc change in keystone is fix released already
17:43:47 <nkinder> ok, but there's a code change too IIRC
17:44:02 <bknudson> there was a spec discussed at the meetup...
17:44:11 <nkinder> where you can map an IdP identifier from the assertion and ensure it matches a particular IdP
17:44:17 <bknudson> it's actually a nastier problem than I thought.
17:44:32 <bknudson> yes, that was it.
17:44:54 <nkinder> SO right now, we could recommend a separate URL per IdP in the httpd.conf
17:45:16 <nkinder> ...and you tie the IdP specific metadata and cert checking to that URL
17:45:33 <nkinder> mod_shib or mod_auth_mellon will then protect that URL appropriately
17:46:13 <nkinder> So we can do an OSSN with what we recommend now and then mention that future changes in Keystone to do an additional check are being developed
17:46:37 <bknudson> that sounds good.
17:46:46 <hyakuhei> #topic Any Other Business
17:47:09 <elmiko> hyakuhei: i'd still like to do a hangout sometime, maybe we could look towards next week?
17:47:18 <elmiko> mainly for talking about hadoop sec issues
17:48:18 <hyakuhei> Yeah, we didn’t really get beyond trying to set a time…
17:49:11 <elmiko> no worries, we can just try again =)
17:49:16 <hyakuhei> :D
17:49:35 <hyakuhei> Is there any thing else to discuss with you fine people?
17:50:28 <tkelsey> list of Anchor stuff in progress #link https://review.openstack.org/#/q/project:stackforge/anchor+status:open,n,z
17:50:41 <tkelsey> reviewers welcome :D
17:51:13 <hyakuhei> ok, I think that’s a wrap for today people :)
17:51:14 <hyakuhei> TY!
17:51:22 <bknudson> thanks
17:51:23 <tkelsey> thanks hyakuhei
17:51:24 <tmcpeak> cool, see ya
17:51:25 <nkinder> thanks
17:51:27 <hyakuhei> #endmeeting