17:00:28 #startmeeting OpenStack Security Group
17:00:28 Meeting started Thu Mar 26 17:00:28 2015 UTC and is due to finish in 60 minutes. The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:30 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:33 The meeting name has been set to 'openstack_security_group'
17:00:35 #topic Roll Call
17:00:39 hi
17:00:41 hi
17:00:44 o/
17:00:48 o/
17:00:51 o/
17:00:51 o/
17:01:26 we'll give a couple minutes for stragglers like tkelsey and then start collecting agenda items
17:01:45 o/
17:01:52 guess Roll Call is probably Role Call anyway :P
17:02:27 alright, maybe small group today, agenda items?
17:02:29 Bandit
17:03:11 nkinder: you got anything on OSSNs?
17:03:12 OSSN YAML format
17:03:17 yep, thought so :)
17:03:23 o/
17:03:25 o/
17:03:26 sicarie, elmiko: sec guide?
17:03:31 sure
17:03:56 o/
17:04:00 sweet
17:04:03 any other agenda items?
17:04:38 alright, maybe a short one today
17:04:42 #topic Bandit
17:04:54 we pinned a version, we're live on PyPI :)
17:05:01 bknudson: update on your side of the house?
17:05:04 omg! good work guys
17:05:05 very cool!
17:05:06 bknudson has been doing the good stuff
17:05:10 d-9, sicarie: thanks!
17:05:13 nice, grats!
17:05:15 lots of hard work from lots of folks
17:05:19 :)
17:05:24 woot!
17:06:04 so.. bknudson is really the person to discuss next steps, because he's been driving it
17:06:38 in short he has a few jobs going to get what we need to run Bandit in Keystone
17:06:48 we may be blocked on adding Bandit into requirements now
17:06:51 due to requirements freeze
17:06:55 does anybody know when that ends?
17:07:38 tmcpeak: https://wiki.openstack.org/wiki/Kilo_Release_Schedule would suggest Apr 30
17:07:38 tmcpeak I would guess after the Kilo summit
17:07:48 * tmcpeak impatient…
17:07:50 thanks sigmavirus24
17:07:57 d-9: or after the summit
17:07:59 Either
17:08:03 * sigmavirus24 isn't certain
17:08:07 sigmavirus24, d-9: thanks guys
17:08:39 I guess that's a month ish.. not the end of the world
17:08:48 would have been nice to have it running before summit
17:09:05 I don't know if that's possible or not without having it in requirements, I'll probably go ping CI guys at some point
17:09:17 anywho stay tuned :) good things to follow
17:09:25 #topic OSSN YAML format
17:09:29 nkinder: ^
17:09:39 take it away :)
17:09:56 So tmcpeak created a rough script to do basic conversion of the existing OSSN format to YAML
17:10:16 when he says rough, he means it :D
17:10:28 An example of what it does now is here - http://paste.openstack.org/show/196912/
17:10:46 It's got some bugs, as you can see by the duplicated portion in the 'summary' section, but it's a start
17:10:54 tmcpeak: ping me after the meeting about the depfreeze
17:11:02 sigmavirus24: awesome, will do
17:11:15 I'm more interested in looking at how to make the structure useful first
17:11:18 nkinder: everything I looked at (all 3 of them) worked perfectly :P
17:11:47 So the affected releases and versions should be broken out instead of just being a CSV lits
17:11:49 list
17:12:03 nkinder: ok cool
17:12:06 how do you intend to do that?
17:12:08 Here's what I was thinking - http://paste.openstack.org/show/196913/
17:12:25 o/
17:12:31 hey hyakuhei
17:12:36 Mr. Rob - wassup
17:12:41 Sorry I’m late, thanks for running things tmcpeak
17:12:45 nkinder: this looks good
17:12:53 what about in the case of our oddball OSSNs where they don't fit into nice format
17:12:57 so I'm playing with some code that can identify known services and releases to do the conversion from OSSN->YAML and split these out
17:12:58 sure
17:13:01 tmcpeak: I’m in and out so please carry on :)
17:13:08 k, cool
17:13:10 well, there has to be some "other" category
17:13:25 affected_other or something with a better name
17:13:52 sounds reasonable
17:13:53 With the releases and versions split out, it's easy to write a tool to parse it to see if a particular deployment is affected
17:14:13 so that's what I'm working on now, plus general script cleanup
17:14:17 nkinder: one idea: yaml allows you not to have to use super long strings like that. If you want you should be able to use some YAML features to write those as real paragraphs
17:14:22 nkinder: cool, sounds good
17:14:30 I forget if it's like discussion: >
17:14:33 sigmavirus24: yeah, tmcpeak and I talked about that some
17:14:40 * sigmavirus24 missed it
17:14:42 sorry
17:15:05 We will need to have some logic to do line-wrapping at the appropriate width when we do YAML->e-mail conversion
17:15:26 we don't want to force the e-mail width on the YAML file. We want flexibility there if possible.
17:15:34 yeah, it's very difficult to automatically tell which line breaks should be preserved and which shouldn't
17:15:46 s/difficult/impossible
17:15:51 yeah
17:16:05 I'm waving my hands on that issue for now :)
17:16:14 if we can get a script to do 80% we can clean manually later
17:16:34 nkinder: cool, do you need any help from OSSG or you got it for now?
17:17:11 I have it for now. I might have something to play with here next week.
17:17:22 nkinder: awesome, sounds good. Thanks for taking this
17:17:34 sure, thanks for your first pass at the script!
17:17:47 I <3 hack-jobbing things
17:17:51 ;)
17:17:54 cool
17:17:59 #topic Sec Guide
17:18:06 sicarie, elmiko - take it away
17:18:15 Yeah, so we have our current bugs list here: #link https://bugs.launchpad.net/openstack-manuals/+bugs?field.tag=sec-guide
17:18:29 that's a pretty solid list
17:18:30 Still mostly structural changes going on
17:18:39 I am trying to review the case studies to ensure they're sane
17:18:59 For example, one of the recurring examples is a federal customer who is supposed to be fedramp certified, and the controls don't match
17:19:00 lol, sane case studies are good
17:19:15 sounds like a heap of work
17:19:27 So there's an etherpad outlining the current case studies and discussing changes in the bug: #link https://bugs.launchpad.net/openstack-manuals/+bug/1349540
17:19:28 Launchpad bug 1349540 in openstack-manuals "Ensure one case study per chapter in security guide" [Medium,In progress] - Assigned to N Dillon (sicarie)
17:19:30 Any input is appreciated
17:19:50 Yep, it keeps me busy
17:19:52 yea, we could probably use one more reviewer/committer who has time
17:19:58 +1
17:19:59 any takers?
17:20:15 Even the general list - most of them should be smaller bugs
17:20:33 Also, anyone who wanted to review some of the chapters we know have issues
17:20:43 Identity, Dashboard, Network, Storage
17:20:49 filing bugs against those would be awesome
17:21:11 But yeah, that's about it
17:21:21 i should be filing some bugs on Identity in the next few days
17:21:27 we should do one of these events soon where nkinder comes to your place of employment and rounds up some new OSSG troops
17:21:33 i can do any one of those
17:21:40 shelleea007: awesome!
17:21:43 tmcpeak: lol, nice!
17:21:53 And Priti also said she'd review Identity, so Dashboard, Network, Storage are open
17:21:58 :)
17:22:03 ill take network
17:22:11 thanks
17:22:15 I can take a look at Identity too
17:22:16 awesome, thanks!
17:22:27 #action shelleea007 to review sec guide network section
17:22:27 +1 nkinder: always helps to have eyes on it
17:22:37 ok cool
17:22:42 sicarie: what am I going to ask about? :P
17:22:55 no idea
17:23:04 secure development guidelines
17:23:06 hahaa
17:23:10 what's the latest on those?
17:23:32 I put in the pull request against the git repo this morning
17:23:33 #action nkinder to review sec guide identity section
17:23:45 nkinder, shelleea007: thank ou!
17:23:47 you
17:23:51 So if I get an initial +1 on how I'm approaching it I'll continue
17:23:53 sicarie: sweet
17:24:09 ok, I'll take a look at those
17:24:21 requirements freeze will be lifted once the rc is cut, I think. I don't think I have to wait for requirements update to get the change in keystone or infra.
17:24:22 And there are a few of those that need some attention as well - xss, cert validation
17:24:22 lgtm i had a quick look just before.
17:24:57 bknudson: awesome, let's circle back around in one min
17:24:59 I'm curious to hear update
17:25:13 gmurphy: thanks for looking at them
17:25:28 anybody that has cycles, please look at sicarie's secure guidelines change
17:25:30 sicarie: link?
17:25:43 we should probably try to add more to those too.
17:26:14 gmurphy: +1 , I think once we get them out there it will seem like lower barrier to entry to publish new ones
17:26:15 hyakuhei's is: #link: https://github.com/openstack-security/Developer-Guidance
17:26:19 Not sure how to show the pull request
17:26:24 or the diff from the pull request
17:26:34 https://github.com/openstack-security/Developer-Guidance/pulls
17:26:43 That would be it
17:26:58 #link - https://github.com/openstack-security/Developer-Guidance/pull/1
17:27:08 awesome
17:27:13 will take a look
17:27:21 sicarie: thanks for all your hard work on all of this
17:27:36 no problem
17:27:49 #topic Bandit Circle Back
17:27:54 bknudson: take it away :)
17:28:17 there's changes proposed for an infra job and for keystone tox env
17:28:37 https://review.openstack.org/#/c/157595/
17:28:49 #link https://review.openstack.org/#/c/157930/
17:29:06 so once the infra job is in there I should be able to recheck experimental
17:29:07 this looks great
17:29:16 and see the bandit results in gerrit
17:29:32 I think the changes can go in in any order.
17:29:38 anyway, that's all I'm waiting on
17:29:47 eventually will change the experimental job to a non-voting
17:29:49 great work bknudson!
17:29:57 and if that goes well then hopefully to voting.
17:30:21 super excited, we're getting very close to having working Bandit gate in Keystone
17:30:25 thanks for driving this forward
17:30:28 nice
17:30:31 the rest of the project can do something similar
17:30:44 not sure if anyone is signed up for that
17:30:51 but might as well see it working on keystone first
17:30:57 Barbican expressed interest, Anchor is in the bag :D
17:31:04 i have a tangential bandit question
17:31:09 sicarie the random sample of your changes that I've just looked at seem pretty good :)
17:31:11 elmiko: what's up?
17:31:24 so, let's say we use bandit to expose potential errors in our code base
17:31:33 and we create bugs from those
17:31:40 should we mark those bugs as security related?
17:31:48 or should they be private at first?
17:31:58 elmiko: I have been marking them as private security
17:32:01 i think judgement is the better thing to rely on
17:32:03 I'll take a look at the Keystone job, and maybe add an experimental gate to Barbican as well.
17:32:11 some things might not need private security
17:32:22 redrobot_mobile: awesome!
17:32:27 yea, that's kinda my question. what is the cut line for a private bug?
17:32:34 yeah, it really depends how exploitable you think it is
17:32:38 yeah
17:32:39 ok
17:32:39 if you aren't sure mark it private
17:32:44 yeah
17:32:44 I assume security brings it to vmt attention
17:32:45 ?
17:32:56 bknudson: not sure. it mails the ossg mailing list though
17:33:05 all activity on that bug will then be sent to the mailing list
17:33:09 hopefully private security don't email ossg
17:33:13 nope
17:33:18 they don't
17:33:18 if you mark a bug a private security the vmt get notified
17:33:24 public security = ossg
17:33:24 gmurphy: right
17:33:28 notifications etc
17:33:31 on openstack-security
17:33:42 i think
17:33:50 (Same with SecurityImpact on reviews)
17:33:53 or if you tag the patch #security or whatever
17:33:54 yeah
17:34:06 ok, thanks. that helps.
17:34:07 Oh that's the other thing, if you report a bug as private security DO NOT SUBMIT A REVIEW FIXING
17:34:18 *IT
17:34:24 Work on the bug itself uploading patches
17:34:33 yes. otherwise the vmt will find you and kick you.
17:34:36 Yep
17:34:36 good to know
17:34:37 lol
17:34:46 VMT is good at finding you
17:34:52 tmcpeak: they work for the NSA, right?
17:34:53 =P
17:34:57 that's what I heard
17:35:04 * sigmavirus24 googles
17:35:06 #topic Other Business
17:35:12 No Such Agency with that acronym
17:35:22 anything else anybody wants to discuss before we call it?
17:35:30 there has been discussion about a private gerrit for private security reviews
17:35:53 I have a bug that y'all might want to weigh in on but it's not really OSSG business
17:35:56 yeah. that has been going on.. forever..
17:36:04 tmcpeak: is there an etherpad up for OSSG break out sessions at summit?
17:36:06 sigmavirus24: what's up?
17:36:12 elmiko: good question
17:36:12 https://bugs.launchpad.net/glance-store/+bug/1100220
17:36:14 Launchpad bug 1100220 in glance_store "Swift+Glance stops working after changing service password" [High,Confirmed] - Assigned to Ian Cordasco (icordasc)
17:36:27 elmiko: we’ll have one up early next week
17:36:32 I actually don't know anything about the summit.. nkinder - hyakuhei ?
17:36:36 Friday is dedicated to me sorting OSSG things
17:36:42 sweet
17:36:45 hyakuhei: cool, thanks
17:36:48 no worries
17:36:55 * sigmavirus24 will participate if he doesn't leave before the session happens
17:37:26 cool, anything else?
17:37:54 opinions on the best way to handle https://bugs.launchpad.net/glance-store/+bug/1100220 would be cool
17:37:55 Launchpad bug 1100220 in glance_store "Swift+Glance stops working after changing service password" [High,Confirmed] - Assigned to Ian Cordasco (icordasc)
17:38:17 oh, meant to check this out
17:38:18 Also, perhaps we need a guideline to make sure no one ever stores credentials in plain-text anywhere when used in a URI (if we don't have one)
17:38:28 Yeah it's not pressing. Just, feedback appreciated. :D
17:38:57 yeah, password in URIs is bad
17:39:03 YEP
17:39:15 sigmavirus24: that’s horrible
17:39:35 Nah, it's perfectly fine. ;)
17:40:16 why can I see this if OSSA is New
17:40:28 because it is public
17:40:35 he opened it up?
17:40:44 tmcpeak: it wasn't reported as private
17:40:56 and the VMT does not care once it's been publicly reported
17:41:04 ahh ok
17:41:07 going public -> private security just gets it re-opened again
17:41:19 yeah, once it's public it's public
17:41:55 Also this is two years in the open like this
17:41:58 well this is good times :)
17:42:03 yep
17:42:30 anything else for today?
17:43:47 cool
17:43:49 thanks everybody!
17:43:51 #endmeeting