17:05:23 <dg__> #startmeeting OSSG
17:05:24 <openstack> Meeting started Thu Sep  4 17:05:23 2014 UTC and is due to finish in 60 minutes.  The chair is dg__. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:05:25 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:05:27 <openstack> The meeting name has been set to 'ossg'
17:05:40 <dg__> #topic OSSN
17:06:22 <dg__> We don't have much of an agenda this week, so let's start off with the current OSSNs, then jump through topics as people propose them?
17:06:28 <tmcpeak> cool
17:06:38 <dg__> tmcpeak how is the OSSN queue looking atm?
17:06:54 <nkinder> hi all, lost track of time.
17:06:57 <tmcpeak> nkinder: just the man to answer
17:07:02 <tmcpeak> dg__
17:07:02 <tmcpeak> 10:06
17:07:02 <tmcpeak> tmcpeak how is the OSSN queue looking atm?
17:07:13 <nkinder> large
17:07:30 <nkinder> we have 11, and 6 are in progress
17:07:52 <bdpayne> is there a bottle neck or are things progressing smoothly?
17:08:07 <tmcpeak> here's 0026 in case anybody has time to take a look: https://review.openstack.org/118910
17:08:37 <nkinder> bdpayne: some are hitting a bottleneck
17:08:39 <dg__> tmcpeak I'll take a look after this meeting
17:08:50 <nkinder> so we need to get through reviews and wrap the ones we have
17:08:54 <tmcpeak> shohel had one too that wasn't formatted very well if I remember, has that one made progress?
17:08:55 <nkinder> This one is very close - https://review.openstack.org/114971
17:08:59 <tmcpeak> dg__: thanks!
17:09:16 <sicarie> I'd also like some input on 0025 if possible: https://review.openstack.org/#/c/117928/1
17:09:23 <nkinder> bdpayne: ^^^ that one just needs one more +2 from OSSG
17:09:38 <bdpayne> ok, I can review
17:09:40 <tmcpeak> sicarie: I'll check it out after the meeting
17:09:43 <sicarie> Thanks!
17:09:44 <nkinder> 0020 is stalled out.
17:09:45 <bdpayne> I have a review queue to go through after this meeting
17:10:25 <tmcpeak> nkinder: I'm asking Priti to come over to share some status on that
17:10:26 <dg__> nkinder I will take a review of 0020 too after this meeting
17:10:34 <bdpayne> nkinder should I approve the workflow for 20 if I'm ok with it?
17:10:45 <nkinder> bdpayne: you mean 0023?
17:10:51 <dg__> who else can +2? rob is afk this week
17:10:55 <nkinder> bdpayne: yes, you can +A it if you approve
17:11:04 <nkinder> dg__: myself, rob, and bdpayne
17:11:06 <bdpayne> 23, got it
17:11:24 <bdpayne> just making sure that it has a keystone core on it
17:11:30 <nkinder> dg__: 0020 needs to have some updates made to it, so it's waiting on the author
17:11:55 * bdpayne reviews 23 now
17:11:56 <nkinder> bdpayne: yes, gyee is core
17:12:13 <tmcpeak> where's 24?
17:12:55 * sicarie looks to see if he has trouble counting past 23
17:13:20 <nkinder> tmcpeak: 24 is here - https://review.openstack.org/114460
17:13:33 <tmcpeak> nkinder: yeah this one
17:13:39 <tmcpeak> looks super stalled
17:13:50 <nkinder> so notes that are stalled out on authors should just be taken over after a week IMHO
17:14:06 <tkelsey> +1
17:14:15 <tmcpeak> yeah, how to do that? unassign it and put it back in the queue?
17:14:20 <dg__> +1
17:14:34 <bdpayne> 23 lgtm, but makes me sad
17:14:42 <nkinder> tmcpeak: or just change it over to yourself and upload a new patch revision
17:14:55 <nkinder> bdpayne: well, it's the old API (but sad)
17:14:58 <dg__> bdpayne +1 : (
17:15:12 <tmcpeak> bdpayne: I cry e'rytim
17:15:26 <nkinder> tmcpeak: if you want to fix up the formatting for 24, that would be great
17:15:40 <tmcpeak> yeah I could probably do that
17:15:59 <dg__> thanks tmcpeak
17:16:13 <tmcpeak> nkinder: I'm not very familiar with the content on 24 though
17:16:20 <tmcpeak> can I fix the formatting and then throw it back ;)
17:16:23 <nkinder> I grabbed an OSSN today and I'll get a draft up for review.  I plan to cycle through the pending ones
17:16:35 <nkinder> tmcpeak: absolutely.  Don't assign it to yourself, just fix up the easy stuff
17:16:41 <tmcpeak> nkinder: cool
17:16:59 <tmcpeak> I'll pick your brain later on how to do the git stuff involved in that :)
17:17:07 <nkinder> Priti: Do you plan to get 0020 updated soon?
17:17:24 <nkinder> Priti: if you don't have time, someone can take it over
17:17:26 <Priti> Hi Guys, here is the status for 20, wrapping up OSSN-20, finishing writeup on how to detect active connections, thanks to Randy for Pointers
17:17:34 <nkinder> Priti: ok, great
17:17:42 <Priti> :)
17:18:04 <Priti> sorry Nathan for taking so long :(
17:18:23 <nkinder> no problem Priti
17:19:14 <nkinder> ok, well that's probably it on OSSNs.  It would be nice to get the 6 pending ones published by next week's meeting
17:19:34 <tmcpeak> 26 shouldn't need too much work (famous last words)
17:19:38 <tmcpeak> 16 patches later
17:19:48 <tkelsey> Lol :-)
17:20:09 <tmcpeak> :P
17:20:36 <bdpayne> other topics?
17:20:54 <tmcpeak> could give a Bandit update
17:21:10 <bknudson> another topic -- a "security" tempest job
17:21:18 <tmcpeak> bknudson: +1
17:21:20 <bdpayne> sure... perhaps the chair could change the topic?
17:21:26 <rlpple> +1
17:21:29 <bdpayne> dg__
17:21:38 <dg__> #topic Bandit
17:21:54 <tmcpeak> so I've been doing a pretty good amount of work on Bandit in the last week
17:22:07 <tmcpeak> latest as always is here: https://github.com/chair6/bandit
17:22:11 <tmcpeak> take a look if you get a chance
17:22:21 <tmcpeak> notable improvements: tests are each defined in their own separate file
17:22:26 <bknudson> we really need to get this in gerrit
17:22:29 <tmcpeak> tests are automatically discovered from the plugin directory
17:22:43 <tmcpeak> profiles can be defined to include or exclude certain tests
17:23:03 <tmcpeak> people don't need to know anything about AST to write tests
17:23:15 <tmcpeak> config is now in yaml
17:23:19 <tmcpeak> and there must be a few more I've forgotten
17:23:28 <tmcpeak> bknudson: getting this in Gerrit is coming
17:23:35 <tmcpeak> bknudson: I just want to clean up a bit more code first
17:23:40 <tmcpeak> then it should be ready for primetime
17:24:01 <tmcpeak> I ran it against all OpenStack projects yesterday and found… a crap-ton of issues
17:24:25 <tmcpeak> so we'll need to either get those fixed or marked with nosec, or define profiles which will focus on the essentials and not be too noisy
17:24:42 <tmcpeak> if you get a chance to play with it though, do so and let me know what you think :)
17:24:45 <nkinder> tmcpeak: or start with one project as a testbed
17:25:07 <tmcpeak> nkinder: yeah, that's probably a nice low impact way of getting going
17:25:43 <tmcpeak> so yeah, dev still going on, but if anybody wants to play with it, please do :)
17:25:48 <tmcpeak> that's about it
17:26:02 <bdpayne> tmcpeak how would you describe the issues it found: minor, false positives, serious, etc?
17:26:26 <tmcpeak> mostly minor
17:26:41 <tmcpeak> along the same lines as the ones we found in Seattle
17:26:47 <tmcpeak> but I haven't looked into them in depth
17:26:57 <tmcpeak> it takes a while to investigate each one to know for sure
17:27:10 <tmcpeak> one of the ones we found in Trove ended up being really really bad
17:27:11 <bdpayne> sure, makes sense
17:27:18 <bdpayne> interesting
17:27:36 <bdpayne> it could be useful to take those experiences (the hand tracing) and try to codify that to the extent possible
17:27:38 <tmcpeak> that's this guy in case anyone is interested: https://bugs.launchpad.net/trove/+bug/1349939
17:27:39 <uvirtbot> Launchpad bug 1349939 in trove "Multiple vulnerabilities in Couchbase implementation of restore strategy" [Critical,In progress]
17:27:46 <bdpayne> I know that largely isn't possible
17:27:49 <bdpayne> but something to think about
17:28:08 <tmcpeak> bdpayne: yeah, that would be great.  Going through by hand is a ton of work
17:28:24 <bdpayne> ok great, anything else for today?
17:28:32 <bdpayne> any updates on threat modeling or the book?
17:28:32 <bknudson> why no advisory?
17:28:33 <tmcpeak> bknudson
17:28:41 <tmcpeak> bknudson: because it wasn't released yet
17:28:47 <bknudson> oh, nice!
17:28:49 <tmcpeak> bknudson: was a new feature for Juno
17:28:59 <bdpayne> yeah, looks like our timing is perfect
17:29:30 <tmcpeak> yeah for sure
17:29:35 <tmcpeak> although secretly I wanted an advisory
17:29:38 <tmcpeak> it's on my bucket list
17:29:48 <bknudson> spend some time looking at keystone code
17:30:50 <dg__> ok anything on threat modelling or the book? or other topics?
17:31:05 <bdpayne> one quick thing on the book
17:31:06 <tmcpeak> bknudson: what's up with the keystone code?
17:31:27 <bknudson> tmcpeak: it's ripe for security vulnerabilities... that's how I've gotten some ossa's.
17:31:28 <dg__> #topic The Book
17:31:30 <bdpayne> I'll just say that anyone that is interested in planning the long term vision for the book who hasn't already contacted me... please let me know!
17:31:38 <tmcpeak> bknudson: +1
17:32:23 <dg__> thanks bdpayne anything else to add?
17:32:31 <bdpayne> that's all
17:32:33 <bdpayne> :-)
17:32:58 <dg__> great
17:33:00 <dg__> next...
17:33:11 <tmcpeak> somebody had security testing in tempest
17:33:41 <dg__> #topic Security Testing in Tempest
17:34:00 <bknudson> There's a change in devstack to use https: https://review.openstack.org/#/c/98854/
17:34:26 <bknudson> and I've made some changes and also proposed some that will hopefully use more secure hash algorithms, etc.
17:34:34 <bknudson> but these aren't the default
17:34:52 <bknudson> so maybe it would be good to have a tempest job that uses https, uses the more secure hash algorithms, etc.
17:35:08 <tmcpeak> bknudson: yeah, sounds good
17:35:11 <tmcpeak> how would that work?
17:35:40 <bknudson> tmcpeak: good question... I believe we can work with infra to get the job implemented.
17:35:57 <tmcpeak> bknudson: what's needed from our side?
17:36:26 <bknudson> I just wanted to float it by the ossg since they might know of other things that we'd want in a security job
17:36:47 <tmcpeak> I've always wondered why there aren't specific security tests in Tempest
17:37:22 <bknudson> y, this was more proposing a tempest run against our more secure configuration
17:37:26 <bknudson> to make sure that we don't break it.
17:37:27 <nkinder> bknudson: I really want that to be run through tempest too
17:37:50 <nkinder> bknudson: while rob c. was developing that, glance broke their https support
17:37:51 <tmcpeak> bknudson: oh, I see
17:38:21 <bknudson> having tests specific to security would be good for tempest too... I think there was a fuzz testing effort at some point.
17:38:30 <nkinder> bknudson: which rob noticed manually running tempest.  That shows that the tests would have definite value
17:38:47 <bknudson> nkinder: yes, we don't want that to break!
17:39:01 <nkinder> that https patch has been slow to get through reviews
17:39:39 <nkinder> welcome to OpenStack I guess, but it'd be nice to see it finally make it in...
17:39:43 <bknudson> I've got that one on my list to review but haven't been able to make the time
17:39:59 <bknudson> feature freeze makes for other priorities
17:40:03 <nkinder> yep
17:40:41 <nkinder> bknudson: if you get time once things slow down, I know Rob would appreciate it
17:40:52 <bknudson> I will definitely try it out
17:43:08 <bknudson> I guess that's it. I'll try to make time to work with infra on a security config job.
17:43:21 <bknudson> and maybe nkinder will beat me to it to get an https job
17:43:26 <tmcpeak> cool
17:43:56 <bknudson> if anyone has ideas for how they'd like to see a more secure config I'd be interested
17:44:14 <bknudson> we've been looking at the code for FIPS and NIST violations
17:44:45 <bknudson> so this is where we're checking to see if we can configure openstack to potentially comply with FIPS 140-2 or NIST 800-??
17:45:17 <bknudson> and of course we'd like for testing of a secure deployment upstream.
17:46:23 <nkinder> bknudson: I think the https part is the first step, then improving the defaults for hashing and such to fall in line (which I know you've been going through)
17:48:52 <nkinder> are there any other topics?
17:49:48 <dg__> nothing from me
17:50:18 <dg__> anyone else?
17:50:23 <nkinder> nothing here
17:50:38 <tmcpeak> should be it
17:50:51 <dg__> ok cool, thanks everybody
17:50:55 <tmcpeak> thanks guys!
17:50:57 <dg__> #endmeeting