17:00:24 #startmeeting Openstack Security Group
17:00:25 Meeting started Thu Apr 9 17:00:24 2015 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:26 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:28 The meeting name has been set to 'openstack_security_group'
17:00:35 o/
17:00:37 o/
17:00:48 * fungi peeks out of his cave
17:00:51 o/
17:00:53 ooer!
17:00:55 fungi: welcome
17:01:01 o/
17:01:07 Hey fungi, how’s the weather in VMT land?
17:01:14 hi all
17:01:29 swell. i saw the security.openstack.org site on the agenda, so made sure not to miss the meeting
17:01:37 o/
17:01:38 Excellent!
17:01:39 hi
17:01:48 Also excellent that people read the agenda!
17:02:05 #link https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity#Agenda_for_next_meeting Agenda.
17:02:08 a fungus among us
17:02:18 o/
17:02:30 Hey elmiko thanks for joining us
17:02:53 * sicarie sneaks in late
17:03:37 Ok, so let's get going now sicarie has finally joined us!
17:03:42 #topic project status
17:03:59 So, it gives me great pleasure to announce that we are now a part of OpenStack proper!
17:04:03 #link https://review.openstack.org/#/c/170172/
17:04:11 woot
17:04:13 * sicarie applauds
17:04:16 woooohooo
17:04:21 huzzah!
17:04:25 This will be the last meeting of the OSSG, we’ll be “OpenStack Security” next week :D
17:04:33 {group hug}
17:04:35 :D
17:04:39 hehe
17:04:52 And of course a great welcome to our VMT ninjas!
17:05:01 hyakuhei: same bat time, same bat channel?
17:05:08 Yup
17:05:13 cool cool
17:05:37 Coming up is a round of rebranding/refactoring and updating of existing documentation, links etc
17:05:38 woohoo!
17:06:16 We’re currently on Launchpad as a stand-alone org, hopefully we can get moved to a subproject of OpenStack soon: https://launchpad.net/~openstack-ossg
17:06:34 lemme see if i can provide direction on that part
17:06:44 That would be helpful!
17:06:54 bdpayne will need to help with this
17:07:05 bdpayne is gonzo :\
17:07:26 yeah, which is why i pointed that out
17:07:31 ahhh
17:07:31 No problem, we still chat
17:07:36 Though the divorce was horrible
17:07:43 rob may be able to. he's set as an administrator on that group
17:07:58 we should steal the shield logo : https://launchpad.net/ossa
17:08:05 they're the only two administrators for the group in lp though
17:08:27 Ok, let's work out what needs to be done there
17:08:31 ooh, +1 for logo stealing ;)
17:08:34 but bdpayne is still set as the group owner
17:13:08 Yeah, I noticed that earlier, I’ll ping him an email later
17:13:08 o/
17:13:08 #action hyakuhei to talk to Bdpayne re LP group ownership
17:13:08 hey gmurphy
17:13:08 I agree the OSSA launchpad group has a nice logo, I’m not sure stealing it really sends the right message though :P
17:13:08 lol
17:13:08 Ok next up I’d like to talk about security.openstack.org
17:13:08 hyakuhei: yea, probably true...
17:13:08 #topic security.openstack.org
17:13:08 fungi: can you give a little background on how this site came to be ?
17:13:08 #link http://security.openstack.org/
17:13:08 hyakuhei: we needed somewhere to publish out security advisories, and still don't have control over www.openstack.org
17:13:08 er, publish our
17:13:08 that's more or less the extent of the story
17:13:53 It would be nice to look at how we might add more user resources, for people looking for general openstack security things. I’m thinking things like OSSNs, links to the security guide, developer best practices etc.
17:14:02 yeah, the expectation is that we can set up similar publication jobs for the ossn repo
17:14:11 fungi: +1
17:14:13 +1
17:14:29 and rearrange the site index a little so that they're sectioned appropriately and easy to find
17:14:37 +1
17:14:42 Makes sense.
17:15:02 So are you the maintainer for security.openstack.org fungi ?
17:15:08 That is to say, it’s your baby?
17:15:09 gmurphy basically wrote a sphinx plugin to autogenerate our advisories out of some structured yaml as part of the publication chain
17:15:25 We are working on something similar for OSSN
17:15:37 well, gmurphy, nkinder were I think ?
17:15:59 the vmt has been collectively managing the git ossa repository which is where that content is currently coming from, but being an infra root admin it was easiest for me to get the site added and the publication jobs going
17:16:01 Yeah, I did a bunch of work on a prototype
17:16:35 should be easy to crib whatever we've got to cover your dataset as well
17:16:54 where did you get to with the ossn -> yaml stuff?
17:17:05 I'm not really sure that YAML is the right way to go, but I have a python module written that is able to consume our existing notes and represent them in python
17:17:20 that works
17:17:21 That would be great, our data is too badly defined at the moment, we have a work item to turn the existing OSSN into something more machine readable
17:18:21 yeah, by comparison our advisories consist mostly of well-defined fields and sections
17:18:35 hyakuhei: I have it so it's machine readable
17:18:40 so ossn likely requires a little more wrangling
17:18:48 hyakuhei: the problem is the YAML is not very readable and loses formatting
17:19:39 yep, as long as you've got something you can use to turn it into restructuredtext, sphinx will be happy with that and we can run it as part of the publication pipeline
17:20:05 this is what I've come up with - http://paste.openstack.org/show/201422/
17:20:06 Cool, so I’m sure we can work that out. nkinder any preferred output?
17:20:30 hyakuhei: well, the question is what exactly do we want to do with that output?
17:20:56 hyakuhei: slurping the existing notes into Python, I can easily write tools to check if certain releases are affected, parse out recommendations, etc.
17:21:05 there's no need to output to another format for that
17:21:20 fungi: ok, so you want rst
17:21:30 fungi: I can do that pretty easily I think
17:21:49 I think we want something that’s parsable so we can push it into security.openstack.org easily. I want us to get to a point where it’s easy for some outsider looking at OpenStack to say “what OSSN/OSSA affect Folsom” for example
17:21:50 we could probably do something other than rst if you need, but sphinx is what most of us know how to deal with
17:22:07 hyakuhei: yes, but that is solved with my new class
17:22:36 hyakuhei: the YAML is pretty ugly to be honest, largely because we have so much formatting
17:22:56 Cool, so I have no strong feelings about how to get there. If you don’t think YAML is the way to go I’m happy that’s the right call
17:23:00 fungi: nah, rst is fine
17:23:32 I think we need to define what we want to do with the notes, not the format
17:23:39 the format should fall out of the use-cases
17:23:53 if rst is what fits in with publishing, that makes sense
17:24:11 for tools that can be used to see if a note affects a deployment, I think I have that solved already
17:24:14 Publish and search are the two things I care about most right now
17:24:32 Great!
17:24:46 hyakuhei: +1
17:24:56 ok, I'll work on adding to_rst() and load_from_rst() methods.
17:25:04 Sweet
17:25:05 that should get us what we need
17:25:23 the current site content is all being rendered from rst to html by sphinx, hence we generate rst from yaml as an intermediate format during publication, but really you don't necessarily have to store it in rst as long as there's some transformation we can perform during publication
17:25:37 we might eventually just decide to write them in rst in the first place
17:25:46 we can evaluate that later
17:25:54 fungi: Are you happy with the general proposal that we make security.openstack.org more of a landing page for OpenStack Security Things - of which OSSA would be a prominent part?
17:26:29 hyakuhei: yes, we were expecting to work with the ossg to make that happen even before the idea of merging governance came up
17:26:39 Wonderful!
17:26:52 just seemed like a logical thing to do regardless
17:26:59 +1
17:27:06 but one doesn’t like to just assume such things...
17:27:10 ok, anything else to discuss on this particular topic
17:27:36 sicarie: Are you free to talk about the security guide for a moment or two?
17:27:58 yes
17:28:17 So we have several open bugs: #link: https://bugs.launchpad.net/openstack-manuals/+bugs?field.tag=sec-guide
17:28:39 We're trying to get a new lulu (physical copy) out by the Liberty release, so I think the Identity chapter is being worked
17:28:50 #topic Security Guide
17:28:56 If anyone wants to take a look I think the Dashboard and Network chapters need some work
17:28:56 Sorry, slow to keep up...
17:29:21 I am still looking into both of those chapters
17:29:23 Ah yes, I saw nkinder had an action item regarding identity from a couple of weeks back…
17:29:27 and shelleea007 :P
17:29:31 And then I noticed the case studies are not consistent
17:29:33 and i'm still reading through the identity chapter
17:29:41 I filed some bugs this AM
17:29:49 Yep, we have some good work in-flight
17:30:03 i didn't forget :p
17:30:03 thanks nkinder, elmiko and shelleea007
17:30:18 And finally I started an etherpad to re-write the case studies
17:30:25 Wonderful ok, so a reminder for everyone that contributing to the guide is a great way to get involved
17:30:25 The new sections are going to be at the bottom
17:30:28 #link https://etherpad.openstack.org/p/sec-guide-case-studies
17:30:38 Great, I’ll look out for those when they land in review
17:31:02 sicarie: didn't you have a pull request for hyakuhei on the dev practices?
17:31:13 Yes I did
17:31:24 And I went through and updated the XSS last night, but did not push it yet
17:31:29 cool
17:31:54 pull request for developer guidelines #link: https://github.com/openstack-security/Developer-Guidance/pull/1
17:32:11 Cool, I didn’t get a notification about that for some reason, just logged in and found it now
17:32:46 Merged.
17:32:52 sweet
17:33:01 thanks hyakuhei, sicarie
17:33:07 Anything else around these docs?
17:33:08 sweet, I'll do another pull request on the xss one today/tomorrow
17:33:22 I’ll keep an eye out
17:33:28 so how about converting them to .rst and getting them up on security.o.o?
17:33:29 thanks
17:33:41 gmurphy: thanks for the reminder
17:33:49 The docs team is migrating to rst
17:33:55 thank the gods!
17:33:56 I put us in the queue after Liberty
17:34:06 oh sweet.
17:34:07 I want to focus on the content, then migrate
17:34:12 sicarie: won't we just migrate the current site to security.o.o?
17:34:41 elmiko: not sure how they're doing it - it looks like a largely manual process (or at least involved)
17:34:49 ah, ok
17:34:58 I think the move to security will be fine
17:35:07 the conversion to rst is a bit more involved (I think)
17:35:12 It's on my list to get more info on, though
17:35:18 yea, could be
17:35:34 Anne Gentle appears to be open to moving the security doc repo under Security now that we’re all official and whatnot.
17:35:54 Yes, that was mentioned, but the ticket is not submitted yet - there was discussion at the docs meeting on Wednesday
17:36:03 AJaeger is a bit more aware of what is going on
17:36:11 And btw Anne is not running for docs PTL again
17:36:41 Oh I thought I saw an email saying she was.
17:36:43 Ho hum.
17:36:56 I could be mistaken - I thought it was the opposite
17:37:27 https://wiki.openstack.org/wiki/PTL_Elections_April_2015
17:37:34 Yeah, monday at 9:47 PST she decided not to
17:37:53 Fair enough :)
17:38:00 s/9/8
17:38:05 it'll be Lana Brindley unless someone else steps up
17:38:06 yeah, lana is ptl by default i believe
17:38:14 here's your chance.
17:38:24 Heh.
17:38:32 no one else is stepping up unless lana steps down. the nomination period closed at 06:00 utc today
17:38:38 Ok, let's talk about the summit a little.
17:38:42 #topic Summit
17:38:57 Now we’re official we get time/space at the summit :D
17:39:10 No more hanging around the Barbican geeks - unless you want to of course....
17:39:32 So here’s the mail I had from Thierry this morning on this topic : #link https://etherpad.openstack.org/p/summit-choices
17:39:55 So we need to tell Thierry how many fishbowls and boardrooms we want.
17:40:36 i expect that the vulnerability management session(s) come out of your schedule budget now rather than out of release management's
17:40:44 If there’s a topic you care about and want to discuss at the summit, please append it to that etherpad
17:40:51 fungi: Makes sense
17:42:22 So please everyone, if you want time to talk about Anchor, Bandit, VMT, Metrics, Security Docs etc please add to that etherpad, I’ve got you started
17:43:26 Thierry wants feedback on this asap so I’ll be reaching out to him tomorrow morning with whatever seems most appropriate based on that etherpad :)
17:43:44 tristanC: ^ heads up
17:44:33 ok, anything else to discuss re summit shenanigans? I’ll try to find some funding for a security team meal/meetup but the agenda for the week looks pretty challenging so it might just be a case of breaking out when and where we can
17:45:23 #topic Elections
17:46:12 are these just for ossg dev work?
(for example, would it be appropriate to have a bandit session about how to take its output and turn it into actionable items)
17:46:22 Previously we’ve run elections in a semi ad-hoc manner, now we’ll be moving to work more like other more established OpenStack projects. On-list nominations, subsequent voting etc.
17:46:23 elmiko: +1
17:46:31 elmiko: I think that would be appropriate
17:46:35 k, cool
17:46:44 We can always ask :)
17:47:03 added to pad
17:47:31 Previously we’ve conducted elections like this: #link https://wiki.openstack.org/wiki/Security/OSSG_Lead_Election_Fall_2014
17:48:14 I need to look at if/how the electorate needs to change to be more in line with how OpenStack projects typically work.
17:48:18 worth noting that the ossg, because of having run its own ptl election so recently, doesn't need to do so again until september
17:48:35 at least that was what i got from ttx's e-mail earlier in the week
17:49:20 oh ok, so I think my mandate was basically “until the spring summit 2015” and I’d like to honor that
17:49:39 though if there's sufficient interest in an interim election because of having added new repos/subteams, we could probably do so
17:49:58 it’d be good to get some elections in before the summit and hopefully align more with more established Openstack projects.
17:50:01 I'm happy to leave it where it is FWIW
17:50:14 +1
17:50:50 I think we’d need a vote on that :P
17:51:02 fair enough
17:51:07 what's the voting criteria?
17:51:26 The previous criteria are listed here: #link https://wiki.openstack.org/wiki/Security/OSSG_Lead_Election_Fall_2014
17:51:38 I don't think it's worth it to have an election, and if we wait we can have a better idea of the new voting criteria
17:51:50 seems like the vmt should have a say, for example
17:51:55 i think that's part of what needs to be decided.
now that the security project has several git repos under its governance, we could in theory consider using more typical openstack election criteria
17:52:28 Yeah, though we need security-doc too (or some way to recognise contributions there)
17:52:31 e.g. qualified electors would be contributors to ossa, ossn, security guide, bandit, et cetera in the relevant time period
17:52:59 So any election we have, would have to be inclusive of the VMT and I think I agree with fungi re: qualifications
17:53:15 i don't recall whether the security guide was on the table for moving from docs to security oversight
17:53:25 but would make sense to consider it
17:53:29 Seems to be open for consideration
17:53:49 fungi: it was discussed at the docs meeting on Wednesday, but no determination was made
17:54:05 sicarie: what’s your opinion as the security-doc lead?
17:54:11 probably fine to mull that over. it's not an urgent decision
17:54:36 +1 I presume it’s easy enough to have contributions to security-doc included in the qualifications for any vote.
17:54:41 hyakuhei: I'd want to think about it a bit more - I do appreciate the doc team input on style conventions
17:54:59 but there are a few things I'd like to push through and then revise (vs making sure it's fully style adherent before merging)
17:55:01 given that i'm the one who generates the electoral rolls, yes i confirm that's extremely easy to do
17:55:13 Completely.
It started off as a useful place to put it and benefit from publishing and ended up being a very useful partnership
17:55:15 fungi: lol
17:55:42 agreed with sicarie the doc team has been great
17:55:59 Yeah, they've been extremely helpful
17:55:59 ok, so let's talk about elections on openstack-dev then as we’re almost out of time
17:56:23 though the doc team's big tent push is to focus more on providing the tools, guidelines and help to other teams to manage their own documentation, so this move could fit well with that
17:56:36 it would be good to make the electorate requirements public early enough that folks can get on the list if they want to
17:56:56 I don't think that "attend 3 or more IRC meetings" should cut it anymore.
17:57:00 +1
17:57:05 agree
17:57:22 hehe
17:57:28 This is part of maturing the group, it’s good that we need to discuss this
17:57:40 * hyakuhei eyes sneaky elmiko …. trying to get votes....
17:57:59 ok, so let's wrap with a reminder that we should discuss this further on -dev
17:58:07 tag [Security]
17:58:08 sounds good
17:58:28 what!?!
17:58:30 ;)
17:59:14 Thanks everyone! It’s been a long road to get to this point but I’m extremely happy that we integrated with the VMT and have project status before the next summit. Have a great rest of the day!
17:59:16 #endmeeting