17:01:21 #startmeeting OpenStack Security Group
17:01:22 Meeting started Thu Mar 19 17:01:21 2015 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:23 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:25 The meeting name has been set to 'openstack_security_group'
17:01:27 Hey ukbelch
17:01:27 o/
17:01:30 o/
17:01:30 o/
17:01:32 sup
17:01:35 \o
17:01:36 o/
17:01:39 hello
17:01:41 o/
17:01:42 o/
17:01:42 o/
17:02:23 hi
17:02:56 So I have good news, bad news and governance news for you guys, what else should be on the agenda?
17:03:09 bandit! :P
17:03:16 security dev practices
17:03:38 * sicarie runs off to do a pull request
17:03:44 o/
17:03:44 sorry rob!
17:04:15 Cool
17:04:31 So I suppose we should start with the not so great news… bdpayne ?
17:04:40 oh is that me?
17:04:53 turn in your badge and your gun on the way out.
17:04:58 we've all been fired?
17:05:05 lol
17:05:05 again?
17:05:11 it was only a matter of time
17:05:14 well, for those that haven't seen the news, I'm leaving Nebula at the end of the month
17:05:24 bdpayne: still attending the summit?
17:05:37 my new job is not in the OpenStack space
17:05:38 still doing awesome?
17:05:39 so I'll be needing to bow out of this community
17:05:45 I am currently planning to attend the summit
17:05:49 ah... congrats to you, commiserations to us
17:06:01 ukbelch++
17:06:07 and, of course, I'll be doing awesome (at Netflix)
17:06:08 that's a shame bdpayne, you have done really awesome stuff
17:06:17 bdpayne will probably be tan and happy.
17:06:17 thanks guys
17:06:18 ooh neat!
17:06:19 but good luck for your next gig :)
17:06:20 congratulations on the new job, but that's a real shame for the community!
17:06:28 +1
17:06:43 thanks for all you've done.
17:06:57 Yes indeed, thank you bdpayne - take a bow :)
17:06:58 it's been great working with you bdpayne, maybe again some day?
17:07:07 you're welcome... it's been a great time and I'm so glad to see the OSSG where it is today
17:07:11 * bdpayne bows
17:07:15 :D
17:07:28 So I suppose that brings me onto some good news
17:07:35 you're also leaving?
17:07:40 ouch...
17:07:41 LOL
17:07:42 ouch
17:07:42 lol
17:07:49 burn
17:07:53 Announcements etc will follow but the VMT and the OSSG are going to merge
17:08:08 (claps)
17:08:12 good work
17:08:14 I guess that's good news too.
17:08:15 Which paves the way for the OSSG to apply to become the ‘Security’ project team, officially a part of OpenStack
17:08:22 cool
17:08:22 nice!
17:08:27 nice
17:08:37 woot!
17:08:39 there's still a vmt?
17:08:43 Which I’m sure won’t turn your frowns upside down after bdpayne’s bad news but it’s good progress.
17:08:47 bknudson: absolutely
17:09:13 They will be under security from an organisational point of view but will retain all of their independence
17:09:22 ah, makes sense.
17:09:29 it will stop the outward confusion that sometimes results in having the VMT and OSSG separately
17:09:29 * nkinder arrives late...
17:09:39 :)
17:09:48 My intention is that security becomes a horizontal team just like the documentation team
17:09:53 welcome nkinder !
17:10:22 this sounds like a great path
17:10:32 I hope so
17:11:03 there should be an announcement in a few days, followed by lots of shuffling around of various things, web pages, wiki stuff etc
17:11:47 hyakuhei will there be an OSSG PTL?
17:11:54 Yup
17:12:32 Which brings me nicely onto the next topic :) once this all shuffles around we’ll have to elect a PTL before the next summit.
17:13:07 how where when?
17:13:09 Currently our election process is more in line with how the TC does things than how I think I’ve seen some other projects manage themselves, so any input on good/bad ways to do this would be appreciated
17:13:09 * bdpayne will not be running ;-)
17:13:09 is there a special procedure for initial PTL?
17:13:31 bknudson: yeah, I put my name next to ‘initial PTL’ in the application :P
17:13:33 names in a hat? :P
17:13:44 last man standing :P
17:14:02 through a medium of CoD?
17:14:10 hyakuhei: +1 from me.
17:14:20 heh, cheers
17:14:28 ukbelch no, shots
17:14:29 yeah hyakuhei +1 here as well
17:14:34 done deal
17:14:38 * bknudson is surprised the application isn't in gerrit.
17:14:42 I’ve been super focused on this over the last week (lots of moving parts, email threads etc)
17:14:47 bknudson: It ends up there
17:15:03 well we already elected you to OSSG lead, why wouldn't you be PTL?
17:15:11 I’ve not submitted it yet because I needed to get things aligned with the VMT
17:15:14 because vmt
17:15:16 oh
17:15:18 it's great to see this happen... getting where we belong.
17:15:43 So I’ll be the initial PTL, grandfathered in I suppose but elections will come shortly after.
17:15:57 I think it's a real positive step to merge vmt and ossg
17:16:06 So I can do all this work and some chancer like dg_ can try to steal the election :P
17:16:31 hyakuhei it's a figurehead position, right ;)
17:16:33 ok, so that's enough fluffy stuff, tmcpeak want to talk about Bandit ?
17:16:35 My vote costs a simple pint of ale, and a meat pie :)
17:16:40 sure
17:16:43 #topic bandit
17:16:55 we've been trying to make sure Bandit is stable ahead of version pin
17:17:04 browne and dwyde in particular have found some great bugs
17:17:06 https://pypi.python.org/pypi/bandit/ :(
17:17:08 which we are in the process of fixing
17:17:26 doesn't have to be perfect.
17:17:27 we want to have all bugs Medium+ fixed ahead of version pin
17:17:53 yeah, some of these are (IMO) important enough I wouldn't be comfortable having "the world" see Bandit initially with them
17:18:07 anyway, fixes are cruising along
17:18:25 ukbelch, chair6, tkelsey, and myself doing some fixes
17:18:34 is ljfisher on? One of the fixes has modified the JSON output a tad
17:18:42 I'd expect to be probably back where I expected to be last Monday next Monday
17:18:43 err, fletcher
17:18:44 not fisher
17:18:49 :)
17:18:51 which, considering all the stuff we are fixing is well worth it
17:19:09 so anybody that wants to help, assign a bug to yourself or run Bandit and try to break it
17:19:13 file bugs on Launchpad etc
17:19:26 otherwise, sit tight, we'll be pinning soon
17:19:33 anybody want to mention anything else on Bandit?
17:19:35 * bknudson sits
17:19:53 cool
17:19:59 :)
17:20:04 I get the feeling this might be a short meeting today :)
17:20:12 #topic General
17:20:22 security dev guidance :D :D
17:20:59 tmcpeak: You had an action last meeting to look at that I think? Or was that OSSN? I forget, you’re so helpful taking actions :)
17:21:10 it was sicarie
17:21:13 Yep
17:21:55 I did a first pass to standardize formatting, as well as (in anticipation they'd be merged into the security doc repo) changed filename formats
17:22:16 Yeah the filename formatting was pretty tidy
17:22:28 I promised hyakuhei a pull request so those changes could be compared a bit easier
17:22:44 and I had started reviewing in detail, but only got through 3 or 4
17:22:56 So still ongoing
17:23:05 cool thanks sicarie
17:23:13 thanks sicarie!
17:23:41 tmcpeak: I thought it was you that volunteered to help with the OSSN formatting? We wanted to munge them into Yaml iirc.
17:24:34 that was gmurphy
17:24:36 and nkinder
17:24:48 Ah right ok
17:25:02 nkinder: any progress there?
17:25:02 it was me
17:25:10 no, not yet
17:25:12 I’ve been using a lot of gmurphy’s time on other things this week
17:25:30 ok cool, let's make it an action for next week?
17:25:56 hyakuhei: sounds good
17:26:25 #action nkinder to report back on attempts to transform historical OSSNs into a more parsable format
17:26:46 Sure. I'll likely convert just one and see what we all thing
17:26:47 think
17:26:57 sounds good
17:27:00 Yeah
17:27:11 Easiest to do something that will easily convert most of them
17:27:27 and just manually convert the few that break the conversion tool/code/script/thing
17:27:50 if somebody can get me the format we want, I can hack together a convert tool
17:28:42 tmcpeak: ping gmurphy for the yaml or check the logs from last week, there’s a link in there
17:28:58 hyakuhei: ok
17:29:11 redrobot: if you’re still around could you maybe give us an update on what’s going on with asymmetric crypt in Barbican? There’s been a lot of questions flying around recently.
17:29:25 o/
17:29:41 so, we can currently store asymm keys via Containers
17:29:55 there's a patch in flight to add asymm key generation to one of the backends (KMIP)
17:30:23 #link https://review.openstack.org/#/c/163989/
17:31:12 Barbican does not currently verify that asymm keys submitted to the system are indeed keys...
17:31:16 Cool, so asym and sym both “work” at least for store, update, destroy and soon create too?
17:31:21 ah you just give it two blobs?
17:31:41 yeah, we plan to tackle more in-depth validation in Liberty
17:32:24 Makes sense, shouldn’t be too hard to do either
17:33:07 Thanks for the info redrobot
17:33:18 Ok peoples, anything else to discuss today?
17:33:20 * redrobot nods
17:33:45 I like "Package Index Owner: tmcpeak, chair6, openstackci" on https://pypi.python.org/pypi/bandit/
17:34:06 heh yeah I noticed that :)
17:34:12 bknudson woot! now we can all get "bandit" tattoos
17:34:25 I already have one ;)
17:34:25 lol
17:34:27 If anyone wants to drop some knowledge on the sec guide, any reviews or contributions of storage, networking, compute, identity, or dashboard sections are welcome
17:34:30 :D
17:34:45 I got hotpants a little too quickly.
17:34:46 redrobot: when are you going to put Bandit in the Barbican gate!? You know there’s a queue right?
17:35:31 hyakuhei hehe... I'll have to ping our contributor who did the review during the mid cycle
17:35:44 :D
17:35:54 hyakuhei I think there were a few bugs filed that we were waiting on fixes for before making a gate
17:36:25 buut... I wouldn't be opposed to adding a gate in the experimental pipeline
17:36:33 redrobot bandit is looking good now. the false positives it found in barbican have been fixed.
17:36:33 oooh :)
17:36:50 dave-mccowan ah there you are! :D
17:37:12 I can take an action item to get a bandit experimental gate set up
17:37:38 though I think we may need a bandit release in PyPI
17:37:49 redrobot: it's coming soon!
17:39:03 I wonder if Bandit would have caught this: https://review.openstack.org/#/c/165678/ ?
17:39:33 I think it’s pretty likely
17:39:35 if md5 was called it would have
17:41:18 unrelated question: are any of y’all going to be at PyCon?
17:43:19 I guess not :)
17:43:21 I know of a couple of keystone folks going to pycon.
17:43:38 Cool where is it this year?
17:43:45 Montreal
17:43:51 nice
17:43:55 sign me up!
17:46:15 Ok, let's call it a day. Thank you everyone!
17:46:21 thanks!
17:46:35 and of course, thank you to bdpayne - will you be joining us next week?
17:46:39 #link https://us.pycon.org/2015/schedule/presentation/304/
17:47:05 I will not
17:47:09 this is likely my last meeting
17:47:15 look us up at the summit
17:47:21 sadface
17:47:28 I think netflix uses amazon?
17:47:33 all the best for the future Bryan, stay in touch
17:47:36 make them switch
17:47:37 yes
17:47:39 party at the summit :-)
17:47:46 +1
17:47:48 heh, I'll get right on that
17:48:01 well thanks for everything bdpayne - beers coming your way in Vancouver!
17:48:04 #endmeeting