17:00:24 <hyakuhei> #startmeeting Openstack Security Group
17:00:25 <openstack> Meeting started Thu Apr  9 17:00:24 2015 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:26 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:28 <openstack> The meeting name has been set to 'openstack_security_group'
17:00:35 <tkelsey> o/
17:00:37 <tmcpeak> o/
17:00:48 * fungi peeks out of his cave
17:00:51 <hyakuhei> o/
17:00:53 <hyakuhei> ooer!
17:00:55 <tmcpeak> fungi: welcome
17:01:01 <bpb> o/
17:01:07 <hyakuhei> Hey fungi, how’s the weather in VMT land?
17:01:14 <nkinder> hi all
17:01:29 <fungi> swell. i saw the security.openstack.org site on the agenda, so made sure not to miss the meeting
17:01:37 <dave-mccowan> o/
17:01:38 <hyakuhei> Excellent!
17:01:39 <bknudson> hi
17:01:48 <hyakuhei> Also excellent that people read the agenda!
17:02:05 <hyakuhei> #link https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity#Agenda_for_next_meeting Agenda.
17:02:08 <bknudson> a fungus among us
17:02:18 <elmiko> o/
17:02:30 <hyakuhei> Hey elmiko thanks for joining us
17:02:53 * sicarie sneaks in late
17:03:37 <hyakuhei> Ok, so let's get going now that sicarie has finally joined us!
17:03:42 <hyakuhei> #topic project status
17:03:59 <hyakuhei> So, it gives me great pleasure to announce that we are now a part of OpenStack proper!
17:04:03 <hyakuhei> #link https://review.openstack.org/#/c/170172/
17:04:11 <tkelsey> woot
17:04:13 * sicarie applauds
17:04:16 <tmcpeak> woooohooo
17:04:21 <elmiko> huzzah!
17:04:25 <hyakuhei> This will be the last meeting of the OSSG, we’ll be “OpenStack Security” next week :D
17:04:33 <fungi> {group hug}
17:04:35 <hyakuhei> :D
17:04:39 <elmiko> hehe
17:04:52 <hyakuhei> And of course a great welcome to our VMT ninjas!
17:05:01 <tkelsey> hyakuhei: same bat time, same bat channel?
17:05:08 <hyakuhei> Yup
17:05:13 <tkelsey> cool cool
17:05:37 <hyakuhei> Coming up is a round of rebranding/refactoring and updating of existing documentation, links etc
17:05:38 <nkinder> woohoo!
17:06:16 <hyakuhei> We’re currently on Launchpad as a stand-alone org, hopefully we can get moved to a subproject of OpenStack soon: https://launchpad.net/~openstack-ossg
17:06:34 <fungi> lemme see if i can provide direction on that part
17:06:44 <hyakuhei> That would be helpful!
17:06:54 <fungi> bdpayne will need to help with this
17:07:05 <tmcpeak> bdpayne is gonzo :\
17:07:26 <fungi> yeah, which is why i pointed that out
17:07:31 <tmcpeak> ahhh
17:07:31 <hyakuhei> No problem, we still chat
17:07:36 <hyakuhei> Though the divorce was horrible
17:07:43 <fungi> rob may be able to. he's set as an administrator on that group
17:07:58 <bknudson> we should steal the shield logo : https://launchpad.net/ossa
17:08:05 <fungi> they're the only two administrators for the group in lp though
17:08:27 <hyakuhei> Ok, let's work out what needs to be done there
17:08:31 <elmiko> ooh, +1 for logo stealing ;)
17:08:34 <fungi> but bdpayne is still set as the group owner
17:13:08 <hyakuhei> Yeah, I noticed that earlier, I’ll ping him an email later
17:13:08 <gmurphy> o/
17:13:08 <hyakuhei> #action hyakuhei to talk to Bdpayne re LP group ownership
17:13:08 <hyakuhei> hey gmurphy
17:13:08 <hyakuhei> I agree the OSSA launchpad group has a nice logo, I’m not sure stealing it really sends the right message though :P
17:13:08 <tkelsey> lol
17:13:08 <hyakuhei> Ok next up I’d like to talk about security.openstack.org
17:13:08 <elmiko> hyakuhei: yea, probably true...
17:13:08 <hyakuhei> #topic security.openstack.org
17:13:08 <hyakuhei> fungi: can you give a little background on how this site came to be ?
17:13:08 <bknudson> #link http://security.openstack.org/
17:13:08 <fungi> hyakuhei: we needed somewhere to publish out security advisories, and still don't have control over www.openstack.org
17:13:08 <fungi> er, publish our
17:13:08 <fungi> that's more or less the extent of the story
17:13:53 <hyakuhei> It would be nice to look at how we might add more user resources, for people looking for general openstack security things. I’m thinking things like OSSNs, links to the security guide, developer best practices etc.
17:14:02 <fungi> yeah, the expectation is that we can set up similar publication jobs for the ossn repo
17:14:11 <nkinder> fungi: +1
17:14:13 <hyakuhei> +1
17:14:29 <fungi> and rearrange the site index a little so that they're sectioned appropriately and easy to find
17:14:37 <tmcpeak> +1
17:14:42 <hyakuhei> Makes sense.
17:15:02 <hyakuhei> So are you the maintainer for security.openstack.org fungi ?
17:15:08 <hyakuhei> That is to say, it’s your baby?
17:15:09 <fungi> gmurphy basically wrote a sphinx plugin to autogenerate our advisories out of some structured yaml as part of the publication chain
17:15:25 <hyakuhei> We are working on something similar for OSSN
17:15:37 <hyakuhei> well, gmurphy and nkinder were, I think?
17:15:59 <fungi> the vmt has been collectively managing the git ossa repository which is where that content is currently coming from, but being an infra root admin it was easiest for me to get the site added and the publication jobs going
17:16:01 <nkinder> Yeah, I did a bunch of work on a prototype
17:16:35 <fungi> should be easy to crib whatever we've got to cover your dataset as well
17:16:54 <gmurphy> where did you get to with the ossn -> yaml stuff?
17:17:05 <nkinder> I'm not really sure that YAML is the right way to go, but I have a python module written that is able to consume our existing notes and represent them in python
17:17:20 <gmurphy> that works
17:17:21 <hyakuhei> That would be great, our data is too badly defined at the moment, we have a work item to turn the existing OSSN into something more machine-readable
17:18:21 <fungi> yeah, by comparison our advisories consist mostly of well-defined fields and sections
17:18:35 <nkinder> hyakuhei: I have it so it's machine-readable
17:18:40 <fungi> so ossn likely requires a little more wrangling
17:18:48 <nkinder> hyakuhei: the problem is the YAML is not very readable and loses formatting
17:19:39 <fungi> yep, as long as you've got something you can use to turn it into restructuredtext, sphinx will be happy with that and we can run it as part of the publication pipeline
17:20:05 <nkinder> this is what I've come up with - http://paste.openstack.org/show/201422/
17:20:06 <hyakuhei> Cool, so I’m sure we can work that out. nkinder any preferred output?
17:20:30 <nkinder> hyakuhei: well, the question is what exactly do we want to do with that output?
17:20:56 <nkinder> hyakuhei: slurping the existing notes into Python, I can easily write tools to check if certain releases are affected, parse out recommendations, etc.
17:21:05 <nkinder> there's no need to output to another format for that
17:21:20 <nkinder> fungi: ok, so you want rst
17:21:30 <nkinder> fungi: I can do that pretty easily I think
17:21:49 <hyakuhei> I think we want something that’s parsable so we can push it into security.openstack.org easily. I want us to get to a point where it’s easy for some outsider looking at OpenStack to say “what OSSN/OSSA affect Folsom” for example
17:21:50 <fungi> we could probably do something other than rst if you need, but sphinx is what most of us know how to deal with
17:22:07 <nkinder> hyakuhei: yes, but that is solved with my new class
17:22:36 <nkinder> hyakuhei: the YAML is pretty ugly to be honest, largely because we have so much formatting
17:22:56 <hyakuhei> Cool, so I have no strong feelings about how to get there. If you don’t think YAML is the way to go I’m happy that’s the right call
17:23:00 <nkinder> fungi: nah, rst is fine
17:23:32 <nkinder> I think we need to define what we want to do with the notes, not the format
17:23:39 <nkinder> the format should fall out of the use-cases
17:23:53 <nkinder> if rst is what fits in with publishing, that makes sense
17:24:11 <nkinder> for tools that can be used to see if a note affects a deployment, I think I have that solved already
17:24:14 <hyakuhei> Publish and search are the two things I care about most right now
17:24:32 <hyakuhei> Great!
17:24:46 <tkelsey> hyakuhei: +1
17:24:56 <nkinder> ok, I'll work on adding to_rst() and load_from_rst() methods.
17:25:04 <hyakuhei> Sweet
17:25:05 <nkinder> that should get us what we need
17:25:23 <fungi> the current site content is all being rendered from rst to html by sphinx, hence we generate rst from yaml as an intermediate format during publication, but really you don't necessarily have to store it in rst as long as there's some transformation we can perform during publication
17:25:37 <nkinder> we might eventually just decide to write them in rst in the first place
17:25:46 <nkinder> we can evaluate that later
17:25:54 <hyakuhei> fungi: Are you happy with the general proposal that we make security.openstack.org more of a landing page for OpenStack Security Things - of which OSSA would be a prominent part?
17:26:29 <fungi> hyakuhei: yes, we were expecting to work with the ossg to make that happen even before the idea of merging governance came up
17:26:39 <hyakuhei> Wonderful!
17:26:52 <fungi> just seemed like a logical thing to do regardless
17:26:59 <hyakuhei> +1
17:27:06 <hyakuhei> but one doesn’t like to just assume such things...
17:27:10 <hyakuhei> ok, anything else to discuss on this particular topic?
17:27:36 <hyakuhei> sicarie: Are you free to talk about the security guide for a moment or two?
17:27:58 <sicarie> yes
17:28:17 <sicarie> So we have several open bugs: #link: https://bugs.launchpad.net/openstack-manuals/+bugs?field.tag=sec-guide
17:28:39 <sicarie> We're trying to get a new lulu (physical copy) out by the Liberty release, so I think the Identity chapter is being worked
17:28:50 <hyakuhei> #topic Security Guide
17:28:56 <sicarie> If anyone wants to take a look I think the Dashboard and Network chapters need some work
17:28:56 <hyakuhei> Sorry, slow to keep up...
17:29:21 <shelleea007> I am still looking into both of those chapters
17:29:23 <hyakuhei> Ah yes, I saw nkinder had an action item regarding identity from a couple of weeks back…
17:29:27 <hyakuhei> and shelleea007  :P
17:29:31 <sicarie> And then I noticed the case studies are not consistent
17:29:33 <elmiko> and i'm still reading through the identity chapter
17:29:41 <shelleea007> I filed some bugs this AM
17:29:49 <sicarie> Yep, we have some good work in-flight
17:30:03 <shelleea007> i didn't forget :p
17:30:03 <sicarie> thanks nkinder, elmiko and shelleea007
17:30:18 <sicarie> And finally I started an etherpad to re-write the case studies
17:30:25 <hyakuhei> Wonderful ok, so a reminder for everyone that contributing to the guide is a great way to get involved
17:30:25 <sicarie> The new sections are going to be at the bottom
17:30:28 <sicarie> #link https://etherpad.openstack.org/p/sec-guide-case-studies
17:30:38 <hyakuhei> Great, I’ll look out for those when they land in review
17:31:02 <tmcpeak> sicarie: didn't you have a pull request for hyakuhei on the dev practices?
17:31:13 <sicarie> Yes I did
17:31:24 <sicarie> And I went through and updated the XSS last night, but did not push it yet
17:31:29 <tmcpeak> cool
17:31:54 <sicarie> pull request for developer guidelines #link: https://github.com/openstack-security/Developer-Guidance/pull/1
17:32:11 <hyakuhei> Cool, I didn’t get a notification about that for some reason, just logged in and found it now
17:32:46 <hyakuhei> Merged.
17:32:52 <tmcpeak> sweet
17:33:01 <tmcpeak> thanks hyakuhei, sicarie
17:33:07 <hyakuhei> Anything else around these docs?
17:33:08 <sicarie> sweet, I'll do another pull request on the xss one today/tomorrow
17:33:22 <hyakuhei> I’ll keep an eye out
17:33:28 <gmurphy> so how about converting them to .rst and getting them up on security.o.o?
17:33:29 <sicarie> thanks
17:33:41 <sicarie> gmurphy: thanks for the reminder
17:33:49 <sicarie> The docs team is migrating to rst
17:33:55 <hyakuhei> thank the gods!
17:33:56 <sicarie> I put us in the queue after Liberty
17:34:06 <gmurphy> oh sweet.
17:34:07 <sicarie> I want to focus on the content, then migrate
17:34:12 <elmiko> sicarie: won't we just migrate the current site to security.o.o?
17:34:41 <sicarie> elmiko: not sure how they're doing it - it looks like a largely manual process (or at least involved)
17:34:49 <elmiko> ah, ok
17:34:58 <sicarie> I think the move to security will be fine
17:35:07 <sicarie> the conversion to rst is a bit more involved (I think)
17:35:12 <sicarie> It's on my list to get more info on, though
17:35:18 <elmiko> yea, could be
17:35:34 <hyakuhei> Anne Gentle appears to be open to moving the security doc repo under Security now that we’re all official and whatnot.
17:35:54 <sicarie> Yes, that was mentioned, but the ticket is not submitted yet - there was discussion at the docs meeting on Wednesday
17:36:03 <sicarie> AJaeger is a bit more aware of what is going on
17:36:11 <sicarie> And btw Anne is not running for docs PTL again
17:36:41 <hyakuhei> Oh I thought I saw an email saying she was.
17:36:43 <hyakuhei> Ho hum.
17:36:56 <sicarie> I could be mistaken - I thought it was the opposite
17:37:27 <bknudson> https://wiki.openstack.org/wiki/PTL_Elections_April_2015
17:37:34 <sicarie> Yeah, Monday at 9:47 PST she decided not to
17:37:53 <hyakuhei> Fair enough :)
17:38:00 <sicarie> s/9/8
17:38:05 <bknudson> it'll be Lana Brindley unless someone else steps up
17:38:06 <fungi> yeah, lana is ptl by default i believe
17:38:14 <bknudson> here's your chance.
17:38:24 <hyakuhei> Heh.
17:38:32 <fungi> no one else is stepping up unless lana steps down. the nomination period closed at 06:00 utc today
17:38:38 <hyakuhei> Ok, let's talk about the summit a little.
17:38:42 <hyakuhei> #topic Summit
17:38:57 <hyakuhei> Now we’re official we get time/space at the summit :D
17:39:10 <hyakuhei> No more hanging around the Barbican geeks - unless you want to of course....
17:39:32 <hyakuhei> So here’s the mail I had from Thierry this morning on this topic: #link https://etherpad.openstack.org/p/summit-choices
17:39:55 <hyakuhei> So we need to tell Thierry how many fishbowls and boardrooms we want.
17:40:36 <fungi> i expect that the vulnerability management session(s) come out of your schedule budget now rather than out of release management's
17:40:44 <hyakuhei> If there’s a topic you care about and want to discuss at the summit, please append it to that etherpad
17:40:51 <hyakuhei> fungi: Makes sense
17:42:22 <hyakuhei> So please everyone, if you want time to talk about Anchor, Bandit, VMT, Metrics, Security Docs etc please add to that etherpad, I’ve got you started
17:43:26 <hyakuhei> Thierry wants feedback on this asap so I’ll be reaching out to him tomorrow morning with whatever seems most appropriate based on that etherpad :)
17:43:44 <fungi> tristanC: ^ heads up
17:44:33 <hyakuhei> ok, anything else to discuss re summit shenanigans? I’ll try to find some funding for a security team meal/meetup but the agenda for the week looks pretty challenging so it might just be a case of breaking out when and where we can
17:45:23 <hyakuhei> #topic Elections
17:46:12 <elmiko> are these just for ossg dev work? (for example, would it be appropriate to have a bandit session about how to take its output and turn it into actionable items)
17:46:22 <hyakuhei> Previously we’ve run elections in a semi ad-hoc manner, now we’ll be moving to work more like other more established OpenStack projects. On-list nominations, subsequent voting etc.
17:46:23 <tmcpeak> elmiko: +1
17:46:31 <hyakuhei> elmiko: I think that would be appropriate
17:46:35 <elmiko> k, cool
17:46:44 <hyakuhei> We can always ask :)
17:47:03 <elmiko> added to pad
17:47:31 <hyakuhei> Previously we’ve conducted elections like this: #link https://wiki.openstack.org/wiki/Security/OSSG_Lead_Election_Fall_2014
17:48:14 <hyakuhei> I need to look at if/how the electorate needs to change to be more in line with how OpenStack projects typically work.
17:48:18 <fungi> worth noting that the ossg, because of having run its own ptl election so recently, doesn't need to do so again until september
17:48:35 <fungi> at least that was what i got from ttx's e-mail earlier in the week
17:49:20 <hyakuhei> oh ok, so I think my mandate was basically “until the spring summit 2015” and I’d like to honor that
17:49:39 <fungi> though if there's sufficient interest in an interim election because of having added new repos/subteams, we could probably do so
17:49:58 <hyakuhei> it’d be good to get some elections in before the summit and hopefully align more with more established OpenStack projects.
17:50:01 <tmcpeak> I'm happy to leave it where it is FWIW
17:50:14 <tkelsey> +1
17:50:50 <hyakuhei> I think we’d need a vote on that :P
17:51:02 <tmcpeak> fair enough
17:51:07 <bknudson> what's the voting criteria?
17:51:26 <hyakuhei> The previous criteria are listed here: #link https://wiki.openstack.org/wiki/Security/OSSG_Lead_Election_Fall_2014
17:51:38 <bknudson> I don't think it's worth it to have an election, and if we wait we can have a better idea of the new voting criteria
17:51:50 <bknudson> seems like the vmt should have a say, for example
17:51:55 <fungi> i think that's part of what needs to be decided. now that the security project has several git repos under its governance, we could in theory consider using more typical openstack election criteria
17:52:28 <hyakuhei> Yeah, though we need security-doc too (or some way to recognise contributions there)
17:52:31 <fungi> e.g. qualified electors would be contributors to ossa, ossn, security guide, bandit, et cetera in the relevant time period
17:52:59 <hyakuhei> So any election we have, would have to be inclusive of the VMT and I think I agree with fungi re: qualifications
17:53:15 <fungi> i don't recall whether the security guide was on the table for moving from docs to security oversight
17:53:25 <fungi> but would make sense to consider it
17:53:29 <hyakuhei> Seems to be open for consideration
17:53:49 <sicarie> fungi: it was discussed at the docs meeting on Wednesday, but no determination was made
17:54:05 <hyakuhei> sicarie: what’s your opinion as the security-doc lead?
17:54:11 <fungi> probably fine to mull that over. it's not an urgent decision
17:54:36 <hyakuhei> +1 I presume it’s easy enough to have contributions to security-doc included in the qualifications for any vote.
17:54:41 <sicarie> hyakuhei: I'd want to think about it a bit more - I do appreciate the doc team input on style conventions
17:54:59 <sicarie> but there are a few things I'd like to push through and then revise (vs making sure it's fully style adherent before merging)
17:55:01 <fungi> given that i'm the one who generates the electoral rolls, yes i confirm that's extremely easy to do
17:55:13 <hyakuhei> Completely. It started off as a useful place to put it and benefit from publishing and ended up being a very useful partnership
17:55:15 <hyakuhei> fungi: lol
17:55:42 <elmiko> agreed with sicarie the doc team has been great
17:55:59 <sicarie> Yeah, they've been extremely helpful
17:55:59 <hyakuhei> ok, so let's talk about elections on openstack-dev then as we’re almost out of time
17:56:23 <fungi> though the doc team's big tent push is to focus more on providing the tools, guidelines and help to other teams to manage their own documentation, so this move could fit well with that
17:56:36 <bknudson> it would be good to make the electorate requirements public early enough that folks can get on the list if they want to
17:56:56 <bknudson> I don't think that "attend 3 or more IRC meetings" should cut it anymore.
17:57:00 <hyakuhei> +1
17:57:05 <tmcpeak> agree
17:57:22 <elmiko> hehe
17:57:28 <hyakuhei> This is part of maturing the group, it’s good that we need to discuss this
17:57:40 * hyakuhei eyes sneaky elmiko …. trying to get votes....
17:57:59 <hyakuhei> ok, so let's wrap with a reminder that we should discuss this further on -dev
17:58:07 <hyakuhei> tag [Security]
17:58:08 <fungi> sounds good
17:58:28 <elmiko> what!?!
17:58:30 <elmiko> ;)
17:59:14 <hyakuhei> Thanks everyone! It’s been a long road to get to this point but I’m extremely happy that we integrated with the VMT and have project status before the next summit. Have a great rest of the day!
17:59:16 <hyakuhei> #endmeeting