17:00:43 #startmeeting Security
17:00:44 Meeting started Thu Jun 25 17:00:43 2015 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:44 thanks everyone
17:00:45 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:45 o/
17:00:47 o\
17:00:48 The meeting name has been set to 'security'
17:00:49 o/
17:00:50 o/
17:00:51 o/
17:00:52 hi
17:00:53 Hey everyone
17:00:56 \o
17:01:00 hi
17:01:03 hey
17:01:14 o/
17:01:33 o/
17:01:54 hi, all
17:02:30 tmcpeak: I'm on call atm, can you kick off please? The agenda is on the wiki
17:02:48 yep
17:02:56 o/
17:02:57 https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity#2015
17:03:03 lol, read my mind
17:03:24 ok, let's save midcycle for when hyakuhei gets back
17:03:31 #topic Anchor Update
17:03:36 oh crap, I can't :)
17:03:40 #topic Anchor Update
17:03:47 tkelsey, dg
17:03:50 take it away
17:03:51 yo
17:04:09 so this week and last we had a bunch of patches to bring us Py3 compat
17:04:23 im not sure how far along we are but we are very close
17:04:33 saw that, that's awesome
17:04:38 i'll be looking to add a py3 gate this coming week
17:04:43 we need to still viraptor for Bandit ;)
17:04:49 and that's all I have on Anchor :)
17:04:51 *steal
17:04:57 ok sweet
17:04:59 emm
17:05:05 #topic Bandit
17:05:06 ?
17:05:10 hyakuhei: ^
17:05:19 #topic Bandit
17:05:22 cool
17:05:23 plugins via stevedore
17:05:26 :)
17:05:34 so sigmavirus24 has been working a ton of magic
17:05:49 we have proper plugins now, and are almost ready to push a new version to PyPI
17:05:50 but...
17:05:56 I noticed a new bug :(
17:06:04 not new, but I noticed it now
17:06:07 oh?
17:06:18 #link https://bugs.launchpad.net/bandit/+bug/1467636
17:06:19 Launchpad bug 1467636 in Bandit "Incorrect line number in results" [High,New]
17:06:38 ah yeah
17:06:41 basically this is a function of how AST works for multiline statements that are included in ( )
17:06:49 it squashes them all onto the first line and reports them as one line
17:07:04 something that the statement buffer work could fix?
17:07:16 I have a bit of a plan for that, if I ever get time to work on it
17:07:19 so while our actual issue may occur on line x+3, it's reported as x, which means that the actual line containing the issue might be out of the display window
17:07:38 What about using the line that the command starts on, seems an easy enough reference to assist debug?
17:08:00 tkelsey: statement buffer is going to have to be part of it because to fix it we need to know where the next statement begins and then walk backwards
17:08:15 tmcpeak: yeah
17:08:23 Daviey: yeah, we currently have that, but it's not a great user experience to not actually see the issue in the output, it makes it look like we're detecting false positives
17:08:27 that should be ok actually, with what i have in mind
17:09:06 so yeah, I'd like to fix that, but I'm open to input on whether it's worth waiting for that before we pin a new version
17:09:22 tmcpeak: can AST not allow rollback to the start of the command (before the () ) ?
17:09:31 we have so much good stuff that's been added, would be nice to get that all in PyPI and usable by projects, but I have some strange thing in my mind about pushing a new numbered version with a known bug
17:10:18 tmcpeak: yeah, feels wrong
17:10:28 Release Early..
Release Often
17:10:45 Daviey: it can, but for something like insecure tmp file usage (where I noticed this) we're looking for "/tmp" in a string, the string statement itself is what we're looking for, the preceding statement doesn't really have anything to do with it
17:10:57 and yeah, those two ^ philosophies are the internal head struggle I'm having
17:11:07 so I guess,…
17:11:12 chair6: thoughts?
17:11:15 tkelsey: thoughts
17:11:17 browne: thoughts
17:11:22 sigmavirus24: thoughts?
17:11:23 +1 release with known defects in release notes
17:11:35 oh, crap, that reminds me
17:11:39 we have two new Bandit cores!
17:11:42 tmcpeak: I agree with redrobot
17:11:46 so long as it's documented
17:11:48 congratulations sigmavirus24 and browne!
17:11:58 congrats
17:12:00 yeah, i'd say release, and plan to release another one soon
17:12:11 ok cool, settled then
17:12:23 we'll post up a new version and put it as a known defect
17:12:27 +1
17:12:37 good work on the cores :)
17:12:40 congrats!
17:12:46 cool, I'll work on that, probably get that new version up this week
17:12:48 :)
17:13:05 #topic OpenStack Secure Guide Update
17:13:10 hyakuhei: ^
17:13:49 :^/
17:14:02 haha
17:14:02 ok, let's go ahead anyway
17:14:06 sicarie: take it away
17:14:21 So the big thing is that we're going to convert from docbook to rst format
17:14:24 #link https://bugs.launchpad.net/openstack-manuals/+bug/1463111
17:14:25 Launchpad bug 1463111 in openstack-manuals "OpenStack Security Guide - Convert to RST format" [High,Triaged]
17:14:45 pdesai is going to submit a bp in the sec-spec repo and we're going to move on that as quickly as possible
17:14:49 what's involved in this?
17:14:52 during which we are going to freeze changes
17:14:56 tmcpeak: it's in the bug
17:15:14 there are automated tools to convert, but then manual validation (and some touch-ups) are required
17:15:18 RTFM?
:'(
17:15:29 ahh, cool
17:15:52 yep, the doc team is so far offering their support - hopefully nothing big drops on them while we're doing ours :)
17:16:07 that's cool, they're very helpful that doc team
17:16:27 Other than that we haven't frozen contributions yet, so please feel free to grab a bug
17:16:29 #link https://bugs.launchpad.net/openstack/+bugs?field.tag=sec-guide
17:16:37 sweet
17:16:50 fair amount to pick from :)
17:17:11 ok cool
17:17:15 anything else for the guide?
17:17:19 yep, we have some good reviewers and submitters that do good low-hanging-fruit
17:17:20 nope
17:17:23 cool
17:17:30 #topic OSSN
17:17:33 hyakuhei: ^
17:17:37 many of the tagged sec-bugs are pretty crappy tbh
17:17:56 all bugs are crappy
17:17:56 nkinder: ^
17:18:02 Daviey: sec-bugs or sec-guide bugs?
17:18:13 confused here too
17:18:24 sicarie: sec-guide, sorry
17:18:33 ie, https://bugs.launchpad.net/openstack-manuals/+bug/1447759
17:18:34 Launchpad bug 1447759 in openstack-manuals "Networking services in OpenStack Security Guide - Rewrite for clarity" [Medium,Triaged]
17:18:49 Daviey: do you have a few minutes after - I'd be very interested in getting some feedback on how to improve the existing bugs
17:18:57 lots of bugs tagged triaged, but well.. not
17:19:16 if it's not a valid bug then close it
17:19:33 incomplete or invalid
17:19:41 +1
17:20:17 if was incomplete and then it was changed to triaged instead?
17:20:30 *it* was
17:20:41 so yeah, Daviey, elmiko, sicarie, bknudson - maybe you guys can sync after in #openstack-security ?
17:20:47 bknudson: it was, there was an update made to the intent
17:20:49 Triaged implies it is ready to be fixed, with a known direction
17:20:50 tmcpeak: sure
17:20:55 usually the triaged ones are discussed during the weekly sec-guide meeting.
i'm curious what we could do better as well
17:21:05 tmcpeak: sure
17:21:09 awesome
17:21:28 seems like there's a good conversation to be had and don't want to rush you guys :)
17:21:46 ok, so nkinder isn't around for OSSN
17:21:47 but...
17:22:02 as for OSSN, i've got this one up #link https://review.openstack.org/#/c/194416/
17:22:03 #link https://launchpad.net/ossn
17:22:07 could use a few more eyes on it
17:22:15 #link https://bugs.launchpad.net/ossn
17:22:31 seems like we've got a few good ones in the New category we should look at
17:23:11 elmiko: cool, haven't looked at yours yet
17:23:21 I'll check it out after the meeting
17:23:30 tnx
17:23:44 seems like we're building a queue though
17:23:58 we should probably go through some of these and either decide to write or not write OSSNs
17:24:01 one outstanding question we had was whether ironic should be listed as affected in that ossn. seemed like no, but not entirely sure.
17:24:30 elmiko: hmm, ok cool, I'll check it out and throw in my .02
17:24:34 cool
17:24:58 lol dg: https://bugs.launchpad.net/ossn/+bug/1163569
17:24:59 Launchpad bug 1163569 in OpenStack Security Notes "security groups don't work with vip and ovs plugin" [High,In progress] - Assigned to Steven Weston (steve.weston)
17:25:00 this one still
17:25:03 :P
17:25:19 I remember this
17:25:40 is that the one that has a -1 from docs on capitalization
17:26:00 no, this is the one that never gets written because Neutron confuses people
17:26:37 so yeah, we can pick this up again next week if nkinder is around
17:26:58 hmm, hyakuhei: you back yet?
17:27:17 seems like we should discuss the midcycle, but that's really his baby
17:27:30 well I can get it started
17:27:38 has everybody who is interested expressed their interest here?
17:27:43 we'll want to finalize dates today
17:27:55 #link https://etherpad.openstack.org/p/security-liberty-midcycle
17:28:23 if you want to come and think you might be able to, please write your name at the top and put your name next to all dates you can make it
17:29:47 so I think what we'll probably end up doing is majority rule on the dates, sounds fair?
17:30:01 I'll give a few minutes for everybody that wants to update the doc to do so
17:30:17 Interested, but no chance of funding.
17:30:30 Daviey: fair enough, you're over the pond, aren't you?
17:30:35 similar, interested but not sure about budget
17:30:38 yah.
17:30:48 elmiko: fair enough
17:30:55 * redrobot is also in the broke boat
17:31:00 lol
17:31:03 Sorry I went afk - just heard that Mrs. Hyakuhei has been in a small car accident. Seems to be ok though.
17:31:10 woah, crappy man
17:31:14 :\
17:31:15 Yarp
17:31:24 So talking about the mid-cycle ?
17:31:25 =
17:31:30 hyakuhei :-O glad she's ok.
17:31:32 yeah, we blew through the rest of the topics
17:31:36 cool
17:31:38 saved this one for you
17:31:38 #topic midcycle
17:31:39 eeep!
17:31:40 yea, glad to hear she's ok
17:31:40 take it away :)
17:31:53 So i'd like to get two dates/options lined up. One primary, one secondary.
17:32:08 As both will require various approvals/sponsorship etc
17:32:14 +1
17:32:17 from the etherpad it looks like we have a clear choice for those two
17:32:41 wait, how many times can you vote for a site?
17:32:44 Both the late august ones?
17:32:56 Just put your name by anything you can make it to
17:32:57 yeah
17:33:01 or would be prepared to get to
17:33:25 nkinder not here?
17:33:30 nopes
17:34:41 ok well we need to decide soon
17:34:48 let's decide now :)
17:35:07 +1
17:35:29 then we can firm down a location
17:35:36 So Seattle seems like the preferred location and actually isn't that weighted by HP
17:35:47 hyakuhei: can you make it August 24-28?
17:35:48 Well it is but half the HP folk on that list aren't from Seattle
17:36:03 tmcpeak: Mrs. Hyakuhei isn't going to like it but yes, probably
17:36:07 right, most of the HP people on the list are going to have to travel no matter what
17:36:12 yarp
17:36:28 Ok so locations: Seattle Primary, Rackspace Austin Backup ?
17:36:39 works for me
17:36:39 that sounds reasonable
17:36:41 sounds good
17:36:43 +1
17:36:45 oooh.... I might be able to make Austin
17:36:48 +1
17:36:57 +1
17:37:10 Ok... dates.
17:37:33 Both august dates have 6 people by them
17:37:43 This number tends to swell a little before it happens
17:38:07 yeah, I'm going to try to convince sigmavirus to come also :)
17:38:40 cool
17:38:43 how to pick man ?
17:39:19 only diff between the 2 august dates are hyakuhei and I
17:39:25 and I
17:39:28 I'll send a mail out to openstack-dev this evening, see if anyone tips the scales for us.
17:39:38 that sounds good
17:39:48 ok, is there some way we can decide before next week though?
17:39:52 browne come a week earlier and it's all good. tmcpeak has no choice in the matter.
17:40:00 if it's going to be that earlier weekend I really should know sooner than later
17:40:04 hahahaha
17:40:05 tmcpeak: Yeah I'll make a command decision.
17:40:17 ok cool
17:40:41 hah, tkelsey tipped it ;)
17:40:55 sorted
17:41:10 ok cool
17:41:23 so we'll look for that email tonight/tomorrow?
17:41:36 yeah
17:41:55 damn it tkelsey put your name somewhere useful.
17:42:01 hahaha
17:42:13 I've got a nice shiny beer for you if you do the needful
17:42:21 tkelsey: Put your name by everything you _could_ make
17:42:42 i would, but the dates are not great for me, i'll add a few options
17:42:47 There's a few missing like bknudson - can you make any dates ?
17:42:56 I can make all the dates
17:43:26 sicarie tipped it ;)
17:44:10 well, I think those may be dependent on travel budget, and I'm pretty sure I'm going to be the odd man out this time if it's not in SEA
17:44:38 but that's just a guess, not anything I've actually checked on
17:44:58 tkelsey:!!!
17:45:13 sorry to be that guy, august is bad for me
17:45:24 For a lot of us I think
17:45:52 First week Sept could work, though it's getting a little late, we tend to use these as much as sprints as planning
17:45:54 alright hyakuhei - as riveting as this is, we'll wait for the final call from you ;)
17:46:06 I for sure couldn't do that week
17:46:11 As our planning stuff is around small contained projects.
17:46:53 and by for sure couldn't do, I mean it would suck but I'll make it :)
17:47:16 ok I threw another one there.
17:47:39 We do need to tie this off shortly, though I'm not going to rush it if we can make something work
17:47:47 tmcpeak: can you ping fletcher?
17:47:56 I'll try
17:48:11 michaelxin: We've added a date to the potential mid-cycle calendar
17:48:24 sicarie: thoughts on Sept 1st ?
17:48:25 hyakuhei: Got it. Thanks.
17:48:28 cool
17:48:54 it should work for me
17:48:59 me as well
17:49:02 looks good
17:49:10 Sept 1 works for me, too
17:49:18 alright, we can do that one
17:49:38 Have to multitask today. Sorry.
17:49:55 no worries, that's why I pinged you.
17:50:01 I'll talk to the apl guys
17:50:11 dg_: ^^
17:50:19 hyakuhei: Thanks.
17:50:27 yeah sept is probably doable atm
17:51:22 Looks like that's probably a winner. Does anyone object to that being too late?
17:51:27 it's fine
17:51:31 I think so
17:51:37 still 2 mos before the summit?
17:51:39 we're not planning blueprints so later is fine
17:51:42 Yeh
17:51:49 Excellent.
17:51:50 it works
17:52:04 ok cool, sorted then?
17:52:06 Ok, I'll still send a mail to -dev but that will be telling people about our proposed date.
17:52:08 Yarp
17:52:09 so how do we pick a place?
17:52:14 We already did
17:52:21 Seattle?
17:52:21 Seattle Primary, Austin Backup
17:52:28 that's what I mean
17:52:33 what's the backup for
17:52:38 hah
17:52:45 In case something happens that means we have to change plans.
17:52:49 location HA?
17:52:54 I'll need to know which one since I'm not going to get tickets for both.
17:52:55 +1
17:52:55 lol
17:52:56 lol
17:53:00 in case of Seattle natural disaster
17:53:07 zombies
17:53:09 do not scare us
17:53:11 bknudson: Sure so I can get the OK from HP in a day or so
17:53:14 lol
17:53:29 invasion from canada
17:53:36 :)
17:54:03 ok so I think that's sorted.
17:54:10 yep, sorted
17:54:34 For those interested, there's a container networking meeting in #openstack-meeting in 5 min
17:54:53 Is this about all that TLS stuff?
17:55:03 #topic any other business
17:55:15 I'll propose making bandit voting in keystone soon.
17:55:19 hyakuhei: as far as I know it's the magnum group looking at networking in general
17:55:21 Just a review request for https://review.openstack.org/#/c/186617/10
17:55:23 it was approved at the meeting on tuesday
17:55:36 seems reasonable to me, but I'd like to get some OSSG feedback
17:55:51 sicarrie: Thanks!
17:56:04 * sicarie is a pirrrrate
17:56:05 bknudson: awesome!!!
17:56:15 first Bandit vote gate :)
17:56:25 +1 very cool
17:56:29 w00t
17:56:33 sweet!
17:56:35 for which project?
17:56:38 bknudson: before going to voting, should we have some infra to breaking new versions of bandit breaking you
17:56:40 Keystone
17:56:43 Nice
17:57:07 browne: what does that mean?
17:57:14 tmcpeak: Is it testing from bandit trunk or pypi?
17:57:20 … some infra so new versions of bandit don't break keystone… bad typing
17:57:21 pypi
17:57:21 PyPI
17:57:39 does keystone use >= in requirements.txt?
17:57:41 you mean a test in bandit?
17:58:14 http://git.openstack.org/cgit/openstack/requirements/tree/global-requirements.txt#n221
17:58:19 I always run fairly extensive tests on Keystone before I push anything, but I'm not planning to do that for all projects, so something like that would be useful
17:58:20 bandit in global-requirements in >=
17:58:41 *is* >=
17:58:53 tmcpeak: Is keystone bandit 1.0 compliant ?
17:59:07 if you're planning to put out a breaking release then cap it
17:59:12 exactly.
17:59:23 ok
17:59:28 np, then
17:59:51 looks like we're out of time
17:59:53 also, don't put out breaking releases
17:59:54 we can go to #openstack-security though
18:00:02 yeah, breaking releases are bad
18:00:08 we need to put out breaking releases!
18:00:09 #endmeeting
18:00:14 hyakuhei: ^ :)
18:00:32 hey sahara folks ;)
18:00:43 SergeyLukjanov: Error: Can't start another meeting, one is in progress. Use #endmeeting first.
18:00:59 #endmeeting