17:01:21 <hyakuhei> #startmeeting OpenStack Security Group
17:01:22 <openstack> Meeting started Thu Mar 19 17:01:21 2015 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:23 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:25 <openstack> The meeting name has been set to 'openstack_security_group'
17:01:27 <hyakuhei> Hey ukbelch
17:01:27 <tkelsey> o/
17:01:30 <elmiko> o/
17:01:30 <ljfisher> o/
17:01:32 <tmcpeak> sup
17:01:35 <dwyde> \o
17:01:36 <singlethink> o/
17:01:39 <sicarie> hello
17:01:41 <bpb_> o/
17:01:42 <dave-mccowan> o/
17:01:42 <alazarev> o/
17:02:23 <bknudson> hi
17:02:56 <hyakuhei> So I have good news, bad news and governance news for you guys, what else should be on the agenda?
17:03:09 <ukbelch> bandit! :P
17:03:16 <tmcpeak> security dev practices
17:03:38 * sicarie runs off to do a pull request
17:03:44 <bdpayne> o/
17:03:44 <sicarie> sorry rob!
17:04:15 <hyakuhei> Cool
17:04:31 <hyakuhei> So I suppose we should start with the not so great news… bdpayne ?
17:04:40 <bdpayne> oh is that me?
17:04:53 <bknudson> turn in your badge and your gun on the way out.
17:04:58 <dg_> we've all been fired?
17:05:05 <bdpayne> lol
17:05:05 <hyakuhei> again?
17:05:11 <dg_> it was only a matter of time
17:05:14 <bdpayne> well, for those that haven't seen the news, I'm leaving Nebula at the end of the month
17:05:24 <bknudson> bdpayne: still attending the summit?
17:05:37 <bdpayne> my new job is not in the OpenStack space
17:05:38 <dg_> still doing awesome?
17:05:39 <bdpayne> so I'll be needing to bow out of this community
17:05:45 <bdpayne> I am currently planning to attend the summit
17:05:49 <ukbelch> ah... congrats to you, commiserations to us
17:06:01 <elmiko> ukbelch++
17:06:07 <bdpayne> and, of course, I'll be doing awesome (at Netflix)
17:06:08 <tkelsey> that's a shame bdpayne, you have done really awesome stuff
17:06:17 <bknudson> bdpayne will probably be tan and happy.
17:06:17 <bdpayne> thanks guys
17:06:18 <elmiko> ooh neat!
17:06:19 <tkelsey> but good luck for your next gig :)
17:06:20 <dg_> congratulations on the new job, but that's a real shame for the community!
17:06:28 <hyakuhei> +1
17:06:43 <bknudson> thanks for all you've done.
17:06:57 <hyakuhei> Yes indeed, thank you bdpayne - take a bow :)
17:06:58 <tmcpeak> it's been great working with you bdpayne, maybe again some day?
17:07:07 <bdpayne> you're welcome... it's been a great time and I'm so glad to see the OSSG where it is today
17:07:11 * bdpayne bows
17:07:15 <hyakuhei> :D
17:07:28 <hyakuhei> So I suppose that brings me onto some good news
17:07:35 <dg_> you're also leaving?
17:07:40 <elmiko> ouch...
17:07:41 <tkelsey> LOL
17:07:42 <bknudson> ouch
17:07:42 <tmcpeak> lol
17:07:49 <ukbelch> burn
17:07:53 <hyakuhei> Announcements etc will follow but the VMT and the OSSG are going to merge
17:08:08 <tmcpeak> (claps)
17:08:12 <dg_> good work
17:08:14 <bknudson> I guess that's good news too.
17:08:15 <hyakuhei> Which paves the way for the OSSG to apply to become the ‘Security’ project team, officially a part of OpenStack
17:08:22 <elmiko> cool
17:08:22 <tkelsey> nice!
17:08:27 <ukbelch> nice
17:08:37 <redrobot> woot!
17:08:39 <bknudson> there's still a vmt?
17:08:43 <hyakuhei> Which I’m sure won’t turn your frowns upside down after bdpayne’s bad news but it’s good progress.
17:08:47 <hyakuhei> bknudson: absolutely
17:09:13 <hyakuhei> They will be under security from an organisational point of view but will retain all of their independence
17:09:22 <bknudson> ah, makes sense.
17:09:29 <hyakuhei> it will stop the outward confusion that sometimes results in having the VMT and OSSG separately
17:09:29 * nkinder arrives late...
17:09:39 <dg_> :)
17:09:48 <hyakuhei> My intention is that security becomes a horizontal team just like the documentation team
17:09:53 <hyakuhei> welcome nkinder !
17:10:22 <bdpayne> this sounds like a great path
17:10:32 <hyakuhei> I hope so
17:11:03 <hyakuhei> there should be an announcement in a few days, followed by lots of shuffling around of various things, web pages, wiki stuff etc
17:11:47 <redrobot> hyakuhei will there be a OSSG PTL?
17:11:54 <hyakuhei> Yup
17:12:32 <hyakuhei> Which brings me nicely onto the next topic :) once this all shuffles around we’ll have to elect a PTL before the next summit.
17:13:07 <tmcpeak> how where when?
17:13:09 <hyakuhei> Currently our election process is more in line with how the TC does things than how I think I’ve seen some other projects manage themselves, so any input on good/bad ways to do this would be appreciated
17:13:09 * bdpayne will not be running ;-)
17:13:09 <bknudson> is there a special procedure for initial PTL?
17:13:31 <hyakuhei> bknudson: yeah, I put my name next to ‘initial PTL’ in the application :P
17:13:33 <ukbelch> names in a hat? :P
17:13:44 <tkelsey> last man standing :P
17:14:02 <ukbelch> through a medium of CoD?
17:14:10 <bknudson> hyakuhei: +1 from me.
17:14:20 <hyakuhei> heh, cheers
17:14:28 <dg_> ukbelch no, shots
17:14:29 <tkelsey> yeah hyakuhei +1 here as well
17:14:34 <ukbelch> done deal
17:14:38 * bknudson is surprised the application isn't in gerrit.
17:14:42 <hyakuhei> I’ve been super focused on this over the last week (lots of moving parts, email threads etc)
17:14:47 <hyakuhei> bknudson: It ends up there
17:15:03 <tmcpeak> well we already elected you to OSSG lead, why wouldn't you be PTL?
17:15:11 <hyakuhei> I’ve not submitted it yet because I needed to get things aligned with the VMT
17:15:14 <dg_> because vmt
17:15:16 <tmcpeak> oh
17:15:18 <bknudson> it's great to see this happen... getting where we belong.
17:15:43 <hyakuhei> So I'll be the initial PTL, grandfathered in I suppose but elections will come shortly after.
17:15:57 <dg_> i think it's a real positive step to merge vmt and ossg
17:16:06 <hyakuhei> So I can do all this work and some chancer like dg_ can try to steal the election :P
17:16:31 <dg_> hyakuhei it's a figurehead position, right ;)
17:16:33 <hyakuhei> ok, so that's enough fluffy stuff, tmcpeak want to talk about Bandit ?
17:16:35 <ukbelch> My vote costs a simple pint of ale, and a meat pie :)
17:16:40 <tmcpeak> sure
17:16:43 <hyakuhei> #topic bandit
17:16:55 <tmcpeak> we've been trying to make sure Bandit is stable ahead of version pin
17:17:04 <tmcpeak> browne and dwyde in particular have found some great bugs
17:17:06 <bknudson> https://pypi.python.org/pypi/bandit/ :(
17:17:08 <tmcpeak> which we are in the process of fixing
17:17:26 <bknudson> doesn't have to be perfect.
17:17:27 <tmcpeak> we want to have all bugs Medium+ fixed ahead of version pin
17:17:53 <tmcpeak> yeah, some of these are (IMO) important enough I wouldn't be comfortable having "the world" see Bandit initially with them
17:18:07 <tmcpeak> anyway, fixes are cruising along
17:18:25 <tmcpeak> ukbelch, chair6, tkelsey, and myself doing some fixes
17:18:34 <ukbelch> is ljfisher on? One of the fixes has modified the JSON output a tad
17:18:42 <tmcpeak> I'd expect to be probably back where I expected to be last Monday next Monday
17:18:43 <ukbelch> err, fletcher
17:18:44 <ukbelch> not fisher
17:18:49 <ljfisher> :)
17:18:51 <tmcpeak> which, considering all the stuff we are fixing is well worth it
17:19:09 <tmcpeak> so anybody that wants to help, assign a bug to yourself or run Bandit and try to break it
17:19:13 <tmcpeak> file bugs on Launchpad etc
17:19:26 <tmcpeak> otherwise, sit tight, we'll be pinning soon
17:19:33 <tmcpeak> anybody want to mention anything else on Bandit?
17:19:35 * bknudson sits
17:19:53 <tmcpeak> cool
17:19:59 <tmcpeak> :)
17:20:04 <hyakuhei> I get the feeling this might be a short meeting today :)
17:20:12 <hyakuhei> #topic General
17:20:22 <tmcpeak> security dev guidance :D :D
17:20:59 <hyakuhei> tmcpeak: You had an action last meeting to look at that I think? Or was that OSSN? I forget, you’re so helpful taking actions :)
17:21:10 <tmcpeak> it was sicarie
17:21:13 <sicarie> Yep
17:21:55 <sicarie> I did a first pass to standardize formatting, as well as (in anticipation they'd be merged into the security doc repo) changed filename formats
17:22:16 <hyakuhei> Yeah the filename formatting was pretty tidy
17:22:28 <sicarie> I promised hyakuhei a pull request so those changes could be compared a bit easier
17:22:44 <sicarie> and I had started reviewing in detail, but only got through 3 or 4
17:22:56 <sicarie> So still ongoing
17:23:05 <hyakuhei> cool thanks sicarie
17:23:13 <tmcpeak> thanks sicarie!
17:23:41 <hyakuhei> tmcpeak: I thought it was you that volunteered to help with the OSSN formatting? We wanted to munge them into Yaml iirc.
17:24:34 <tmcpeak> that was gmurphy
17:24:36 <tmcpeak> and nkinder
17:24:48 <hyakuhei> Ah right ok
17:25:02 <hyakuhei> nkinder: any progress there?
17:25:02 <nkinder> it was me
17:25:10 <nkinder> no, not yet
17:25:12 <hyakuhei> I’ve been using a lot of gmurphy’s time on other things this week
17:25:30 <hyakuhei> ok cool, let's make it an action for next week?
17:25:56 <tmcpeak> hyakuhei: sounds good
17:26:25 <hyakuhei> #action nkinder to report back on attempts to transform historical OSSNs into a more parsable format
17:26:46 <nkinder> Sure.  I'll likely convert just one and see what we all thing
17:26:47 <nkinder> think
17:26:57 <tmcpeak> sounds good
17:27:00 <hyakuhei> Yeah
17:27:11 <hyakuhei> Easiest to do something that will easily convert most of them
17:27:27 <hyakuhei> and just manually convert the few that break the conversion tool/code/script/thing
17:27:50 <tmcpeak> if somebody can get me the format we want, I can hack together a convert tool
17:28:42 <hyakuhei> tmcpeak: ping gmurphy for the yaml or check the logs from last week, there’s a link in there
17:28:58 <tmcpeak> hyakuhei: ok
17:29:11 <hyakuhei> redrobot: if you're still around could you maybe give us an update on what's going on with asymmetric crypto in Barbican? There's been a lot of questions flying around recently.
17:29:25 <redrobot> o/
17:29:41 <redrobot> so, we can currently store asymm keys via Containers
17:29:55 <redrobot> there's a patch in flight to add asymm key generation to one of the backends (KMIP)
17:30:23 <redrobot> #link https://review.openstack.org/#/c/163989/
17:31:12 <redrobot> Barbican does not currently verify that asymm keys submitted to the system are indeed keys...
17:31:16 <hyakuhei> Cool, so asym and sym both “work” at least for store,update,destroy and soon create too?
17:31:21 <hyakuhei> ah you just give it two blobs ?
17:31:41 <redrobot> yeah, we plan to tackle more in-depth validation in Liberty
17:32:24 <hyakuhei> Makes sense, shouldn’t be too hard to do either
17:33:07 <hyakuhei> Thanks for the info redrobot
17:33:18 <hyakuhei> Ok peoples, anything else to discuss today?
17:33:20 * redrobot nods
17:33:45 <bknudson> I like "   Package Index Owner:   tmcpeak, chair6, openstackci  " on https://pypi.python.org/pypi/bandit/
17:34:06 <hyakuhei> heh yeah I noticed that :)
17:34:12 <redrobot> bknudson woot!  now we can all get "bandit" tattoos
17:34:25 <tmcpeak> I already have one ;)
17:34:25 <tkelsey> lol
17:34:27 <sicarie> If anyone wants to drop some knowledge on the sec guide, any reviews or contributions of storage, networking, compute, identity, or dashboard sections are welcome
17:34:30 <dg_> :d
17:34:45 <bknudson> I got hotpants a little too quickly.
17:34:46 <hyakuhei> redrobot: when are you going to put Bandit in the Barbican gate!? You know there’s a queue right?
17:35:31 <redrobot> hyakuhei hehe...  I'll have to ping our contributor who did the review during the mid cycle
17:35:44 <hyakuhei> :D
17:35:54 <redrobot> hyakuhei I think there were a few bugs filed that we were waiting on fixes for before making a gate
17:36:25 <redrobot> buut... I wouldn't be opposed to adding a gate in the experimental pipeline
17:36:33 <dave-mccowan> redrobot bandit is looking good now.  the false positives it found in barbican have been fixed.
17:36:33 <hyakuhei> oooh :)
17:36:50 <redrobot> dave-mccowan ah there you are! :D
17:37:12 <redrobot> I can take an action item to get a bandit experimental gate set up
17:37:38 <redrobot> though I think we may need a bandit release in PyPI
17:37:49 <tmcpeak> redrobot: it's coming soon!
17:39:03 <redrobot> I wonder if Bandit would have caught this: https://review.openstack.org/#/c/165678/ ?
17:39:33 <hyakuhei> I think it’s pretty likely
17:39:35 <tmcpeak> if md5 was called it would have
17:41:18 <dwyde> unrelated question: are any of y’all going to be at PyCon?
17:43:19 <hyakuhei> I guess not :)
17:43:21 <bknudson> I know of a couple of keystone folks going to pycon.
17:43:38 <hyakuhei> Cool where is it this year?
17:43:45 <dwyde> Montreal
17:43:51 <hyakuhei> nice
17:43:55 <dg_> sign me up!
17:46:15 <hyakuhei> Ok, let's call it a day. Thank you everyone!
17:46:21 <tmcpeak> thanks!
17:46:35 <hyakuhei> and of course, thank you to bdpayne - will you be joining us next week?
17:46:39 <bknudson> #link https://us.pycon.org/2015/schedule/presentation/304/
17:47:05 <bdpayne> I will not
17:47:09 <bdpayne> this is likely my last meeting
17:47:15 <bknudson> look us up at the summit
17:47:21 <dg_> sadface
17:47:28 <bknudson> I think netflix uses amazon?
17:47:33 <dg_> all the best for the future Bryan, stay in touch
17:47:36 <bknudson> make them switch
17:47:37 <bdpayne> yes
17:47:39 <bdpayne> party at the summit :-)
17:47:46 <tkelsey> +1
17:47:48 <bdpayne> heh, I'll get right on that
17:48:01 <hyakuhei> well thanks for everything bdpayne - beers coming your way in Vancouver!
17:48:04 <hyakuhei> #endmeeting