17:00:43 <hyakuhei> #startmeeting Security
17:00:44 <openstack> Meeting started Thu Jun 25 17:00:43 2015 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:44 <mihgen> thanks everyone
17:00:45 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:45 <tmcpeak> o/
17:00:47 <tmcpeak> o\
17:00:48 <openstack> The meeting name has been set to 'security'
17:00:49 <hyakuhei> o/
17:00:50 <tkelsey> o/
17:00:51 <redrobot> o/
17:00:52 <browne> hi
17:00:53 <hyakuhei> Hey everyone
17:00:56 <Daviey> \o
17:01:00 <bknudson> hi
17:01:03 <dg_> hey
17:01:14 <sicarie> o/
17:01:33 <dave-mccowan> o/
17:01:54 <jian5397> hi, all
17:02:30 <hyakuhei> tmcpeak: I'm on call atm can you kick off please? The agenda is on the wiki
17:02:48 <tmcpeak> yep
17:02:56 <elmiko> o/
17:02:57 <hyakuhei> https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity#2015
17:03:03 <tmcpeak> lol, read my mind
17:03:24 <tmcpeak> ok, let's save midcycle for when hyakuhei gets back
17:03:31 <tmcpeak> #topic Anchor Update
17:03:36 <tmcpeak> oh crap, I can't :)
17:03:40 <hyakuhei> #topic Anchor Update
17:03:47 <tmcpeak> tkelsey, dg
17:03:50 <tmcpeak> take it away
17:03:51 <tkelsey> yo
17:04:09 <tkelsey> so this week and last we had a bunch of patches to bring us Py3 compat
17:04:23 <tkelsey> im not sure how far along we are but we are very close
17:04:33 <tmcpeak> saw that, that's awesome
17:04:38 <tkelsey> i'll be looking to add a py3 gate this coming week
17:04:43 <tmcpeak> we need to still viraptor for Bandit ;)
17:04:49 <tkelsey> and thats all I have on Anchor :)
17:04:51 <tmcpeak> *steal
17:04:57 <tmcpeak> ok sweet
17:04:59 <tmcpeak> emm
17:05:05 <tmcpeak> #topic Bandit
17:05:06 <tmcpeak> ?
17:05:10 <tmcpeak> hyakuhei: ^
17:05:19 <hyakuhei> #topic Bandit
17:05:22 <tmcpeak> cool
17:05:23 <tkelsey> plugins via stevedore
17:05:26 <tkelsey> :)
17:05:34 <tmcpeak> so sigmavirus24 has been working a ton of magic
17:05:49 <tmcpeak> we have proper plugins now, and are almost ready to push a new version to PyPI
17:05:50 <tmcpeak> but...
17:05:56 <tmcpeak> I noticed a new bug :(
17:06:04 <tmcpeak> not new, but I noticed it now
17:06:07 <tkelsey> oh?
17:06:18 <tmcpeak> #link https://bugs.launchpad.net/bandit/+bug/1467636
17:06:19 <openstack> Launchpad bug 1467636 in Bandit "Incorrect line number in results" [High,New]
17:06:38 <tkelsey> ah yeah
17:06:41 <tmcpeak> basically this is a function of how AST works for multiline statements that are included in ( )
17:06:49 <tmcpeak> it squashes them all onto the first line and reports them as one line
17:07:04 <tkelsey> something that the statement buffer work could fix?
17:07:16 <tkelsey> I have a bit of a plan for that, if I ever get time to work on it
17:07:19 <tmcpeak> so while our actual issue may occur on line x+3, it's reported as x, which means that the actual line containing the issue might be out of the display window
17:07:38 <Daviey> What about using the line that the command start on, seems an easy enough reference to assist debug?
17:08:00 <tmcpeak> tkelsey: statement buffer is going to have to be part of it because to fix it we need to know where the next statement begins and then walk backwards
17:08:15 <tkelsey> tmcpeak: yeah
17:08:23 <tmcpeak> Daviey: yeah, we currently have that, but it's not a great user experience to not actually see the issue in the output, it makes it look like we're detecting false positives
17:08:27 <tkelsey> that should be ok actually, with what i have in mind
17:09:06 <tmcpeak> so yeah, I'd like to fix that, but I'm open to input on whether it's worth waiting for that before we pin a new version
17:09:22 <Daviey> tmcpeak: can AST not allow rollback to the start of the command (before the () ) ?
17:09:31 <tmcpeak> we have so much good stuff that's been added, would nice to get that all in PyPI and usable by projects, but I have some strange thing in my mind about pushing a new numbered version with a known bug
17:10:18 <tkelsey> tmcpeak: yeah, feels wrong
17:10:28 <Daviey> Release Early.. Release Often
17:10:45 <tmcpeak> Daviey: it can, but for something like insecure tmp file usage (where I noticed this) we're looking for "/tmp" in a string, the string statement itself is what we're looking for, the preceding statement doesn't really have anything to do with it
17:10:57 <tmcpeak> and yeah, those two ^ philosophies are the internal head struggle I'm having
17:11:07 <tmcpeak> so I guess,…
17:11:12 <tmcpeak> chair6: thoughts?
17:11:15 <tmcpeak> tkelsey: thoughts
17:11:17 <tmcpeak> browne: thoughts
17:11:22 <tmcpeak> sigmavirus24: thoughts?
17:11:23 <redrobot> +1 release with known defects in release notes
17:11:35 <tmcpeak> oh, crap, that reminds me
17:11:39 <tmcpeak> we have two new Bandit cores!
17:11:42 <tkelsey> tmcpeak: I agree with redrobot
17:11:46 <tkelsey> so long as its documented
17:11:48 <tmcpeak> congratulations sigmavirus24 and browne!
17:11:58 <bknudson> congrats
17:12:00 <browne> yeah, i'd say release, and plan to release another one soon
17:12:11 <tmcpeak> ok cool, settled then
17:12:23 <tmcpeak> we'll post up a new version and put it as a known defect
17:12:27 <michaelxin> +1
17:12:37 <dg_> good work on the cores :)
17:12:40 <elmiko> congrats!
17:12:46 <tmcpeak> cool, I'll work on that, probably get that new version up this week
17:12:48 <tkelsey> :)
17:13:05 <tmcpeak> #topic OpenStack Secure Guide Update
17:13:10 <tmcpeak> hyakuhei: ^
17:13:49 <tmcpeak> :^/
17:14:02 <sicarie> haha
17:14:02 <tmcpeak> ok, let's go ahead anyway
17:14:06 <tmcpeak> sicarie: take it away
17:14:21 <sicarie> So the big thing is that we're going to convert from docbook to rst format
17:14:24 <sicarie> #link https://bugs.launchpad.net/openstack-manuals/+bug/1463111
17:14:25 <openstack> Launchpad bug 1463111 in openstack-manuals "OpenStack Security Guide - Convert to RST format" [High,Triaged]
17:14:45 <sicarie> pdesai is going to submit a bp in the sec-spec repo and we're going to move on that as quickly as possible
17:14:49 <tmcpeak> what's involved in this?
17:14:52 <sicarie> during which we are going to freeze changes
17:14:56 <sicarie> tmcpeak: it's in the bug
17:15:14 <sicarie> there are automated tools to convert, but then manual validation (and some touch-ups) are required
17:15:18 <tmcpeak> RTFM? :'(
17:15:29 <tmcpeak> ahh, cool
17:15:52 <sicarie> yep, the doc team is so far offering their support - hopefully nothing big drops on them while we're doing ours :)
17:16:07 <tmcpeak> that's cool, they're very helpful that doc team
17:16:27 <sicarie> Other than that we haven't frozen contributions yet, so please feel free to grab a bug
17:16:29 <sicarie> #link https://bugs.launchpad.net/openstack/+bugs?field.tag=sec-guide
17:16:37 <tmcpeak> sweet
17:16:50 <tmcpeak> fair amount to pick from :)
17:17:11 <tmcpeak> ok cool
17:17:15 <tmcpeak> anything else for the guide?
17:17:19 <sicarie> yep, we have some good reviewers and submitters that do good low-hanging-fruit
17:17:20 <sicarie> nope
17:17:23 <tmcpeak> cool
17:17:30 <tmcpeak> #topic OSSN
17:17:33 <tmcpeak> hyakuhei: ^
17:17:37 <Daviey> many of the tagged sec-bugs are pretty crappy tbh
17:17:56 <bknudson> all bugs are crappy
17:17:56 <tmcpeak> nkinder: ^
17:18:02 <sicarie> Daviey: sec-bugs or sec-guide bugs?
17:18:13 <michaelxin> confused here too
17:18:24 <Daviey> sicarie: sec-guide, sorry
17:18:33 <Daviey> ie, https://bugs.launchpad.net/openstack-manuals/+bug/1447759
17:18:34 <openstack> Launchpad bug 1447759 in openstack-manuals "Networking services in OpenStack Security Guide - Rewrite for clarity" [Medium,Triaged]
17:18:49 <sicarie> Daviey: do you have a few minutes after - I'd be very interested in getting some feedback on how to improve the existing bugs
17:18:57 <Daviey> lots of bugs tagged tred, but well.. not
17:19:16 <bknudson> if it's not a valid bug then close it
17:19:33 <bknudson> incomplete or invalid
17:19:41 <tmcpeak> +1
17:20:17 <bknudson> if was incomplete and then it was changed to triaged instead?
17:20:30 <bknudson> *it* was
17:20:41 <tmcpeak> so yeah, Daviey, elmiko, sicarie, bknudson - maybe you guys can synch after in #openstack-security ?
17:20:47 <sicarie> bknudson: it was, there was an update made to the intent
17:20:49 <Daviey> Triaged implies it is ready to be fixed, with a known direction
17:20:50 <sicarie> tmcpeak: sure
17:20:55 <elmiko> usually the triaged ones are discussed during the weekly sec-guide meeting. i'm curious what we could do better as well
17:21:05 <Daviey> tmcpeak: sure
17:21:09 <tmcpeak> awesome
17:21:28 <tmcpeak> seems like there's a good conversation to be had and don't want to rush you guys :)
17:21:46 <tmcpeak> ok, so nkinder isn't around for OSSN
17:21:47 <tmcpeak> but...
17:22:02 <elmiko> as for OSSN, i've got this one up #link https://review.openstack.org/#/c/194416/
17:22:03 <tmcpeak> #link https://launchpad.net/ossn
17:22:07 <elmiko> could use a few more eyes on it
17:22:15 <tmcpeak> #link https://bugs.launchpad.net/ossn
17:22:31 <tmcpeak> seems like we've got a few good ones in the New category we should look at
17:23:11 <tmcpeak> elmiko: cool, haven't looked at yours yet
17:23:21 <tmcpeak> I'll check it out after the meeting
17:23:30 <elmiko> tnx
17:23:44 <tmcpeak> seems like we're building a queue though
17:23:58 <tmcpeak> we should probably go through some of these and either decide to write or not write OSSNs
17:24:01 <elmiko> one outstanding question we had was whether ironic should be listed as affected in that ossn. seemed like no, but not entirely sure.
17:24:30 <tmcpeak> elmiko: hmm, ok cool, I'll check it out and throw in my .02
17:24:34 <elmiko> cool
17:24:58 <tmcpeak> lol dg: https://bugs.launchpad.net/ossn/+bug/1163569
17:24:59 <openstack> Launchpad bug 1163569 in OpenStack Security Notes "security groups don't work with vip and ovs plugin" [High,In progress] - Assigned to Steven Weston (steve.weston)
17:25:00 <tmcpeak> this one still
17:25:03 <tmcpeak> :P
17:25:19 <tmcpeak> I remember this
17:25:40 <sicarie> is that the one that has a -1 from docs on capitalization
17:26:00 <tmcpeak> no, this is the one that never gets written because Neutron confuses people
17:26:37 <tmcpeak> so yeah, we can pick this up again next week if nkinder is around
17:26:58 <tmcpeak> hmm, hyakuhei: you back yet?
17:27:17 <tmcpeak> seems like we should discuss the midcycle, but that's really his baby
17:27:30 <tmcpeak> well I can get it started
17:27:38 <tmcpeak> has everybody who is interested expressed their interest here?
17:27:43 <tmcpeak> we'll want to finalize dates today
17:27:55 <tmcpeak> #link https://etherpad.openstack.org/p/security-liberty-midcycle
17:28:23 <tmcpeak> if you want to come and think you might be able to, please write your name at the top and put your name next to all dates you can make it
17:29:47 <tmcpeak> so I think what we'll probably end up doing is majority rule on the dates, sounds fair?
17:30:01 <tmcpeak> I'll give a few minutes for everybody that wants to update the doc to do so
17:30:17 <Daviey> Interested, but no chance of funding.
17:30:30 <tmcpeak> Daviey: fair enough, you're over the pond, aren't you?
17:30:35 <elmiko> similar, interested but not sure about budget
17:30:38 <Daviey> yah.
17:30:48 <tmcpeak> elmiko: fair enough
17:30:55 * redrobot is also in the broke boat
17:31:00 <tmcpeak> lol
17:31:03 <hyakuhei> Sorry I went afk - just heard that Mrs. Hyakuhei has been in a small car accident. Seems to be ok though.
17:31:10 <tmcpeak> woah, crappy man
17:31:14 <tmcpeak> :\
17:31:15 <hyakuhei> Yarp
17:31:24 <hyakuhei> So talking about the mid-cycle ?
17:31:25 <elmiko> =
17:31:30 <redrobot> hyakuhei :-O  glad she's ok.
17:31:32 <tmcpeak> yeah, we blew through the rest of the topics
17:31:36 <hyakuhei> cool
17:31:38 <tmcpeak> saved this one for you
17:31:38 <hyakuhei> #topic midcycle
17:31:39 <dg_> eeep!
17:31:40 <elmiko> yea, glad to hear she's ok
17:31:40 <tmcpeak> take it away :)
17:31:53 <hyakuhei> So i'd like to get two dates/options lined up. One primary one secondary.
17:32:08 <hyakuhei> As both will require various approvals/sponsorship etc
17:32:14 <michaelxin> +1
17:32:17 <tmcpeak> from the etherpad it looks like we have a clear choice for those two
17:32:41 <browne> wait, how many times can you vote for a site?
17:32:44 <hyakuhei> Both the late august ones?
17:32:56 <hyakuhei> Just put your name by anything you can make it to
17:32:57 <tmcpeak> yeah
17:33:01 <hyakuhei> or would be prepared to get to
17:33:25 <hyakuhei> nkinder not here?
17:33:30 <tmcpeak> nopes
17:34:41 <hyakuhei> ok well we need to decide soon
17:34:48 <tmcpeak> let's decide now :)
17:35:07 <hyakuhei> +1
17:35:29 <tmcpeak> then we can firm down a location
17:35:36 <hyakuhei> So Seattle seems like the preferred location and actually isn't that weighted by HP
17:35:47 <tmcpeak> hyakuhei: can you make it August 24-28?
17:35:48 <hyakuhei> Well it is but half the HP folk on that list aren't from Seattle
17:36:03 <hyakuhei> tmcpeak: Mrs. Hyakuhei isn't going to like it but yes, probably
17:36:07 <tmcpeak> right, most of the HP people on the list are going to have to travel no matter what
17:36:12 <hyakuhei> yarp
17:36:28 <hyakuhei> Ok so locations: Seattle Primary, Rackspace Austin Backup ?
17:36:39 <bknudson> works for me
17:36:39 <tmcpeak> that sounds reasonable
17:36:41 <browne> sounds good
17:36:43 <michaelxin> +1
17:36:45 <redrobot> oooh.... I might be able to make Austin
17:36:48 <tkelsey> +1
17:36:57 <dg_> +1
17:37:10 <hyakuhei> Ok... dates.
17:37:33 <hyakuhei> Both august dates have 6 people by them
17:37:43 <hyakuhei> This number tends to swell a little before it happens
17:38:07 <tmcpeak> yeah, I'm going to try to convince sigmavirus to come also :)
17:38:40 <hyakuhei> cool
17:38:43 <tmcpeak> how to pick man ?
17:39:19 <browne> only diff between the 2 august dates are hyakuhei and I
17:39:25 <tmcpeak> and I
17:39:28 <hyakuhei> I'll send a mail out to openstack-dev this evening, see if anyone tips the scales for us.
17:39:38 <browne> that sounds good
17:39:48 <tmcpeak> ok, is there some way we can decide before next week though?
17:39:52 <hyakuhei> browne come a week earlier and it's all good. tmcpeak has no choice in the matter.
17:40:00 <tmcpeak> if it's going to be that earlier weekend I really should know sooner than later
17:40:04 <tmcpeak> hahahaha
17:40:05 <hyakuhei> tmcpeak: Yeah I'll make a command decision.
17:40:17 <tmcpeak> ok cool
17:40:41 <tmcpeak> hah, tkelsey tipped it ;)
17:40:55 <dg_> sorted
17:41:10 <tmcpeak> ok cool
17:41:23 <tmcpeak> so we'll look for that email tonight/tomorrow?
17:41:36 <hyakuhei> yeah
17:41:55 <hyakuhei> damn it tkelsey put your name somewhere useful.
17:42:01 <tmcpeak> hahaha
17:42:13 <tmcpeak> I've got a nice shiny beer for you if you do the needful
17:42:21 <hyakuhei> tkelsey: Put your name by everything you _could_ make
17:42:42 <tkelsey> i would, but the dates are not great for me, ill add a few options
17:42:47 <hyakuhei> There's a few missing like bknudson - can you make any dates ?
17:42:56 <bknudson> I can make all the dates
17:43:26 <tmcpeak> sicarie tipped it ;)
17:44:10 <sicarie> well, I think those may be dependent on travel budget, and I'm pretty sure I'm going to be the odd man out this time if it's not in SEA
17:44:38 <sicarie> but that's just a guess, not anything I've actually checked on
17:44:58 <tmcpeak> tkelsey:!!!
17:45:13 <tkelsey> sorry to be that guy, august is bad for me
17:45:24 <hyakuhei> For a lot of us I think
17:45:52 <hyakuhei> First week Sept could work, though it's getting a little late, we tend to use these as much of sprints as planning
17:45:54 <tmcpeak> alright hyakuhei - as riveting as this is, we'll wait for the final call from you ;)
17:46:06 <tmcpeak> I for sure couldn't do that week
17:46:11 <hyakuhei> As our planning stuff is around small contained projects.
17:46:53 <tmcpeak> and by for sure couldn't do, I mean it would suck but I'll make it :)
17:47:16 <hyakuhei> ok I threw another one there.
17:47:39 <hyakuhei> We do need to tie this off shortly, though I'm not going to rush it if we can make something work
17:47:47 <hyakuhei> tmcpeak: can you ping fletcher?
17:47:56 <tmcpeak> I'll try
17:48:11 <hyakuhei> michaelxin: We've added a date to the potential mid-cycle calendar
17:48:24 <hyakuhei> sicarie: thoughts on Sept 1st ?
17:48:25 <michaelxin> hyakuhei: Got it. Thanks.
17:48:28 <hyakuhei> cool
17:48:54 <michaelxin> it should work for me
17:48:59 <sicarie> me as well
17:49:02 <hyakuhei> looks good
17:49:10 <bknudson> Sept 1 works for me, too
17:49:18 <tmcpeak> alright, we can do that one
17:49:38 <michaelxin> Have to multitask today. Sorry.
17:49:55 <hyakuhei> no worries that's why I pinged you.
17:50:01 <hyakuhei> I'll talk to the apl guys
17:50:11 <hyakuhei> dg_: ^^
17:50:19 <michaelxin> hyakuhei: Thanks.
17:50:27 <dg_> yeah sept is probably doable atm
17:51:22 <hyakuhei> Looks like that's probably a winner. Does anyone object to that being too late?
17:51:27 <tmcpeak> it's fine
17:51:31 <hyakuhei> I think so
17:51:37 <tmcpeak> still 2 mos before the summit?
17:51:39 <bknudson> we're not planning blueprints so later is fine
17:51:42 <hyakuhei> Yeh
17:51:49 <hyakuhei> Excellent.
17:51:50 <browne> it works
17:52:04 <tmcpeak> ok cool, sorted then?
17:52:06 <hyakuhei> Ok, I'll still send a mail to -dev but that will be telling people about our proposed date.
17:52:08 <hyakuhei> Yarp
17:52:09 <tmcpeak> so how do we pick a place?
17:52:14 <hyakuhei> We already did
17:52:21 <tmcpeak> Seattle?
17:52:21 <hyakuhei> Seattle Primary, Austin Backup
17:52:28 <tmcpeak> that's what I mean
17:52:33 <tmcpeak> what's the backup for
17:52:38 <michaelxin> hah
17:52:45 <hyakuhei> In case something happens that means we have to change plans.
17:52:49 <redrobot> location HA?
17:52:54 <bknudson> I'll need to know which one since I'm not going to get tickets for both.
17:52:55 <dg_> +!
17:52:55 <tmcpeak> lol
17:52:56 <elmiko> lol
17:53:00 <browne> in case of Seattle natural disaster
17:53:07 <dg_> zombies
17:53:09 <michaelxin> do not scare us
17:53:11 <hyakuhei> bknudson: Sure so I can get the OK from HP in a day or so
17:53:14 <browne> lol
17:53:29 <bknudson> invasion from canada
17:53:36 <hyakuhei> :)
17:54:03 <hyakuhei> ok so I think that's sorted.
17:54:10 <tmcpeak> yep, sorted
17:54:34 <sicarie> For those interested, there's a container networking meeting in #openstack-meeting in 5 min
17:54:53 <hyakuhei> Is this about all that TLS stuff?
17:55:03 <hyakuhei> #topic any other business
17:55:15 <bknudson> I'll propose making bandit voting in keystone soon.
17:55:19 <sicarie> hyakuhei: as far as I know it's the magnum group looking at networking in general
17:55:21 <redrobot> Just a review request for https://review.openstack.org/#/c/186617/10
17:55:23 <bknudson> it was approved at the meeting on tuesday
17:55:36 <redrobot> seems reasonable to me, but I'd like to get some OSSG feedback
17:55:51 <shelleea007> sicarrie: Thanks!
17:56:04 * sicarie is a pirrrrate
17:56:05 <tmcpeak> bknudson: awesome!!!
17:56:15 <tmcpeak> first Bandit vote gate :)
17:56:25 <sicarie> +1 very cool
17:56:29 <tkelsey> w00t
17:56:33 <dg_> sweet!
17:56:35 <Daviey> for which project?
17:56:38 <browne> bknudson: before going to voting, should we have some infra to breaking new versions of bandit breaking you
17:56:40 <tmcpeak> Keystone
17:56:43 <Daviey> Nice
17:57:07 <bknudson> browne: what does that mean?
17:57:14 <Daviey> tmcpeak: Is it testing from bandit trunk or pypi?
17:57:20 <browne> … some infra so new versions of bandit don't break keystone…  bad typing
17:57:21 <bknudson> pypi
17:57:21 <tmcpeak> PyPI
17:57:39 <browne> does keystone use >= in requirements.txt?
17:57:41 <bknudson> you mean a test in bandit?
17:58:14 <bknudson> http://git.openstack.org/cgit/openstack/requirements/tree/global-requirements.txt#n221
17:58:19 <tmcpeak> I always run fairly extensive tests on Keystone before I push anything, but I'm not planning to do that for all projects, so something like that would be useful
17:58:20 <bknudson> bandit in global-requirements in >=
17:58:41 <bknudson> *is* >=
17:58:53 <Daviey> tmcpeak: Is keystone bandit 1.0 compliant ?
17:59:07 <bknudson> if you're planning to put out a breaking release then cap it
17:59:12 <Daviey> exactly.
17:59:23 <browne> ok
17:59:28 <browne> np, then
17:59:51 <tmcpeak> looks like we're out of time
17:59:53 <bknudson> also, don't put out breaking releases
17:59:54 <tmcpeak> we can go to #openstack-security though
18:00:02 <tmcpeak> yeah, breaking releases are bad
18:00:08 <Daviey> we need to put out breaking releases!
18:00:09 <tmcpeak> #endmeeting
18:00:14 <tmcpeak> hyakuhei: ^ :)
18:00:32 <SergeyLukjanov> hey sahara folks ;)
18:00:43 <openstack> SergeyLukjanov: Error: Can't start another meeting, one is in progress.  Use #endmeeting first.
18:00:59 <hyakuhei> #endmeeting