17:04:51 #startmeeting openstack security group
17:04:52 Meeting started Thu Feb 12 17:04:51 2015 UTC and is due to finish in 60 minutes. The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:04:53 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:04:55 The meeting name has been set to 'openstack_security_group'
17:05:00 Rob will come soon
17:05:07 roll call!
17:05:09 o/
17:05:12 o/
17:05:12 o/
17:05:13 o/
17:05:14 o/
17:05:16 hi
17:05:23 o/
17:05:26 o/
17:05:27 yo/
17:05:45 awesome
17:05:50 topics for today?
17:06:00 Midcycle
17:06:10 security guide
17:06:22 \o
17:06:38 Hey :)
17:06:44 yo
17:06:51 we completed roll call and are collecting topics
17:06:54 Sorry I’m late all
17:06:55 Great
17:07:00 we have midcycle and guide so far
17:07:09 So I’d like to talk a little about the midcycle too
17:07:52 Anything else? tkelsey is just joining now
17:07:52 I'd like to talk about an issue with bandit that I want some feedback on before sending a change :)
17:07:58 great!
17:08:01 +1
17:08:12 o/ sorry I'm late!
17:08:33 shame on you tkelsey
17:08:35 =P
17:08:41 :)
17:08:52 #topic Midcycle
17:09:13 take it away maestro :)
17:09:23 So we’re going to lay on food (breakfast and lunch) at the midcycle
17:09:36 lay on?
17:09:46 It’s British for sit on your food
17:09:59 still not making sense ;-)
17:10:03 lol, yeah
17:10:19 You're expecting us to consume it through our buttocks?
17:10:22 perhaps there will be breakfast and lunch provided for free?
17:10:22 lol, so HP is going to pay for and provision breakfast and lunch at the midcycle
17:10:23 lol
17:10:25 (not that I'm attending)
17:10:29 sweet!
17:10:37 awesome
17:10:39 I like those HP guys, they're going places
17:10:39 breakfast at start time -- 9?
17:10:43 That makes more sense
17:10:47 * bdpayne thanks the overlords at HP
17:11:06 wonders where HP gets all this money -- probably selling stuff.
17:11:15 I’d still like some other organisation *cough* redhat, *cough* nebula to pony up some sort of social evening though
17:11:48 oh yeah, we also need to come to some consensus about when we're doing the social
17:12:01 if you haven't added your name to that section on the wiki, please do so
17:12:03 So yeah, 9am start time, food on-site. I don’t know the split of vegetarians we have but I’m thinking I’ll aim for about 30-50% veggie food
17:12:05 looks like Tues is winning so far
17:12:11 +1 for Tuesday
17:12:17 hyakuhei I'll take an action item to investigate, and I'll PM you after this meeting
17:12:22 Thank you
17:12:56 will eat extra meat if it helps.
17:12:59 oops, o/ (missed roll call)
17:13:11 HP is committed to keeping security folks well fed. I’ll be ordering from a bunch of places, various bits. We’ll also have stock of drinks/snacks for the week
17:13:22 +1
17:13:35 I’m guessing some of you more local to the event can find homes for the left over drinks etc
17:14:15 I don’t recall anyone from the last meetup having any major dietary issues, new people should let me know if any food I order is likely to kill them.
17:14:17 Tea for breakfast, Gin for lunch
17:14:26 lol
17:14:46 The agenda is shaping up nicely I think and that’s me done on the midcycle I think. I’m really looking forward to seeing everyone.
17:14:59 hyakuhei: +100
17:15:06 indeed
17:15:26 hyakuhei agenda link?
17:15:27 yeah big time
17:15:30 * redrobot needs to bookmark it
17:15:35 https://www.team-cymru.org/Services/ip-to-asn.html
17:15:39 dammit
17:15:42 #link etherpad.openstack.org/p/ossg-kilo-meetup
17:15:46 ^ that
17:17:33 I’ll put some contact info up on the wiki in case people need to reach out / have last minute problems etc
17:17:45 ok tmcpeak take us on to the next item
17:17:52 #topic Security Guide
17:17:58 (next slide)
17:17:59 elmiko bdpayne sicarie
17:18:02 hey
17:18:03 take it away
17:18:17 oh, yeah, that's us
17:18:21 elmiko has proposed a new chapter
17:18:28 #link https://review.openstack.org/#/c/155052
17:18:29 awesome
17:18:30 =)
17:18:31 reviews would be great since it is a lot of new content
17:18:47 and I'd like lots of eyeballs on it
17:19:00 beyond that, we have completed triaging the existing open tickets on the guide
17:19:00 bdpayne: will look
17:19:04 cool, will do
17:19:13 there's some good work that needs to be done
17:19:17 Great, I’ll try to take a look too
17:19:21 #link https://bugs.launchpad.net/openstack-manuals/+bugs?field.tag=sec-guide
17:19:32 and our primary goal for the meetup will be to plan for how we manage the book going forward
17:19:53 so anyone with inputs on that (release schedule, what content to include, how to maintain quality, etc) should join us next week!
17:20:12 sounds good
17:20:17 and that's all that I have on the book... sicarie elmiko anything to add?
17:20:27 I did ask someone who knows Neutron relatively well to take a look at the Networking chapter, it'd be nice to get someone familiar with Nova quirks to submit anything on the Compute chapter
17:20:34 nothing more from me
17:20:53 so any nova people here?
17:20:57 sicarie agreed, let's discuss that in more detail next week, but I like the idea
17:20:58 for sicarie's thing?
17:21:12 Sounds good to me
17:21:13 I have several bugs assigned to me and I plan on doing a good deal of work on them within the next few weeks
17:21:20 groovy
17:21:22 thanks!
17:21:23 cool
17:21:28 ok anything else for the guide?
17:21:33 I assume having a quick intro from all attending delegates is part of the agenda? I know for me at least it would be good to know who everyone else is, and what they do :)
17:21:35 I think that's all
17:21:49 ukbelch: yeah, we definitely will
17:21:51 ukbelch, yeah, that would make sense to me too
17:22:03 #topic Bandit Question
17:22:13 was this you elmiko?
17:22:28 not me
17:22:36 it was sigmavirus24
17:22:39 I think it was sigmavirus24
17:22:41 sigmavirus24
17:22:42 Yes
17:23:00 So I'm not sure how familiar everyone is with the ssl module but I take strong objection to https://github.com/stackforge/bandit/blob/24ba70179fbdcbc90e0e08637eb1ff35c5a9feb6/bandit.yaml#L93
17:23:01 cool, what's up?
17:23:24 PROTOCOL_SSLv23 negotiates the highest supported protocol automatically depending on what is supported by both client and server
17:23:33 yeah, actually you're right
17:23:33 That is not negotiating only SSLv2 or SSLv3
17:23:35 y, SSLv23 doesn't mean just 2 & 3.
17:23:41 good catch
17:23:43 correct
17:23:54 so you can submit a bug or make the change yourself
17:23:58 So that seems like a terrible false positive. I'm happy to fix it, but I wanted to make sure I wasn't missing another reason
17:24:00 either would be awesome
17:24:04 yeah, you can use it in conjunction with other flags to prohibit v2 or whatever and allow others
17:24:10 tkelsey: exactly
17:24:14 requests is working on adding that functionality
17:24:15 sigmavirus24: no, I don't think you're missing anything. Good catch
17:24:18 I've just been too busy lately
17:24:29 hello
17:24:35 That's the only reason I caught this
17:24:40 Anyway that's all
17:25:00 sigmavirus24: great, thanks for bringing it to attention
17:25:05 sigmavirus24: you propose we remove that check?
the reasoning seems valid
17:25:14 to remove it, that is
17:25:22 tkelsey: yes
17:25:30 just that one check, none of the others stood out to me
17:25:38 cool
17:25:42 ok, I can put up a patch to do that if no one objects
17:25:48 maybe a check could be added for a protocol use that allows SSLv2.
17:25:50 tkelsey: was already working on it
17:25:51 :)
17:25:52 tkelsey: awesome
17:26:08 that would be a more difficult check
17:26:08 ah ok sigmavirus24, I'll leave it with you then :)
17:26:25 an interesting tidbit for those going for PCI requirements for OpenStack, TLS will only be allowed, SSL will no longer be acceptable.
17:26:27 bknudson: yeah but also Python 2.6+ disables SSLv2 forcefully
17:26:40 I know it's off topic but the SSL thing reminded me
17:26:40 shelleea007: that is interesting and helpful to know :)
17:27:11 also for Bandit ljfisher has been bringing some great changes
17:27:36 any progress on gating on bandit?
17:27:36 :)
17:27:38 tmcpeak: +1 yeah ljfisher has added some good stuff
17:28:07 bknudson: nah, I haven't done anything. Next step is still getting Gerrit and PyPI talking
17:28:14 I'm mostly going to work Bandit all of next week
17:28:21 so I'm expecting to make some good progress
17:28:36 I think we will need a profile for bandit for gating to limit to the more accurate tests
17:28:46 ljfisher: +1
17:28:52 +1
17:29:10 whenever we get into global requirements we're basically frozen for 6 months
17:29:22 so let's make sure we're happy with the version that will be usable by other projects
17:29:41 sounds like a worthy goal for next week :)
17:30:01 yeah, looking forward to some nice focused Bandit work
17:30:01 Oh have y'all heard back about the "bandit" name yet?
17:30:09 yeah, bdpayne pulled strings and got it for us
17:30:15 nice
17:30:19 :D awesome!!
17:30:55 :-)
17:31:05 cool, so anything else for Bandit?
17:31:22 #topic Anchor
17:31:27 tkelsey: go!
17:31:42 so, lots of tests going in still, coverage rising slowly
17:32:11 awesome
17:32:21 a few bug fixes, nothing major really. As always, I encourage people to look over the code and patches if they are interested
17:32:35 I will be happy to answer questions and give more info at the meet up
17:32:37 cool, sounds good
17:32:48 yeah, you're still planning to give an intro?
17:32:57 yup
17:33:00 sweet
17:33:04 good
17:33:19 okies
17:33:22 #topic Other Business
17:33:25 that's all I got
17:33:45 last week there were a couple of side projects
17:33:49 bknudson had one and...
17:34:03 about rootwrap
17:34:13 and there was one about sharing security info
17:34:15 I haven't had time to look at it.
17:34:21 bknudson: fair enough :)
17:34:25 plenty of time next week
17:34:49 is there an agenda item for rootwrap next week?
17:35:10 oh yeah, bknudson: did you have time to put one up? / do you still want to do it?
17:35:18 it's on the agenda: Rootwrap rearchitecting
17:35:19 yes, I believe there is an agenda item for rootwrap
17:35:40 * sigmavirus24 sneaks https://review.openstack.org/#/c/155419/ in
17:36:00 awesome, we'll review this shortly
17:36:03 thanks sigmavirus24
17:36:31 thanks tmcpeak
17:36:48 cool, other business today all or we good?
17:36:51 wanted to mention I got a small security hardening default config into horizon: https://review.openstack.org/#/c/154943/
17:36:59 default config change
17:37:10 awesome! will take a look
17:37:16 fighting the good fight bknudson
17:37:19 bknudson: awesome!
17:37:20 we ran AppScan tool on horizon internally and it complained.
17:38:00 rather than just fix it internally with a config change, figured we'd fix it in community
17:38:39 +1
17:39:43 cool, any other stuff?
17:40:51 well looking forward to seeing a bunch of you next week
17:40:57 #endmeeting