17:00:29 #startmeeting security
17:00:36 Meeting started Thu Aug 13 17:00:29 2015 UTC and is due to finish in 60 minutes. The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:37 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:40 The meeting name has been set to 'security'
17:00:40 \o
17:00:42 #charit hyakuhei
17:00:45 #chair hyakuhei
17:00:46 Warning: Nick not in channel: hyakuhei
17:00:47 hello
17:00:47 Current chairs: hyakuhei tmcpeak
17:00:54 hey everybody
17:01:01 hi
17:01:02 hiyo/
17:01:10 hello
17:01:13 hyakuhei is out doing sales stuff, but he said he'll try to make it, subject to availability of n3tz on the road
17:01:17 #topic Roll Call
17:01:25 o/
17:01:27 hi
17:01:28 o/
17:01:33 o/
17:01:53 sweet
17:02:24 so just a reminder, we have an agenda for each meeting here: https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity which bknudson has showed us how to use with his agenda item
17:02:42 very nice
17:02:43 o/
17:02:48 hey sigma
17:02:55 so let's get right on into it
17:02:57 nice
17:02:58 #topic Anchor
17:03:03 tkelsey, dg_, Daviey
17:03:20 anchor is awesome, you should have it in your cloud
17:03:30 lol, nice
17:03:30 You should also have it in your devstack!
17:03:31 excellent, next topic :D
17:03:36 haha
17:03:38 haha
17:03:43 will try for sure
17:03:56 dg_: Have you any more comments on the devstack branch?
17:04:00 anything you guys want to mention this week?
17:04:06 hopefully coming soon to Octavia as the default pki, I've been working with some of the cores trying to get it integrated
17:04:23 daviey I've not looked at it further, it's on my list to play with further
17:04:32 very cool
17:04:40 #link https://wiki.openstack.org/wiki/Octavia
17:04:55 ty Daviey (saved me the Googles)
17:04:57 dg_: Ok, reach out to me if/when you do pls.
17:05:02 o/
17:05:04 tkelsey and I have spent the last couple of days playing with devstack for something else, so we are getting more familiar with it, probably take a look at it next week
17:05:12 hello Mr. redrobot
17:05:19 dg_: Yeah, i saw the barbican interest
17:05:24 daviey for sure
17:05:31 EOF
17:05:45 cool
17:05:55 #topic Bandit
17:06:09 we've got a new Bandit (0.13.1) in response to the good point that we weren't handling missing config very well
17:06:16 specifically we were spamming exceptions
17:06:34 Daviey got it fixed up last week and yesterday we pushed the new version to PyPI
17:06:57 browne also wrote a cool new plugin for short keysizes in cryptos
17:07:08 tmcpeak: Does there need to be a release announcement ?
17:07:12 that will wait for 0.14.0 as sigmavirus24 points out, we shouldn't be dropping new plugins in point releases
17:07:22 Daviey: probs not, it just fixes crap behavior, would rather not call it out :)
17:07:27 heh
17:07:43 I dunno, I'm open to suggestions
17:08:12 tmcpeak: Are we seeing any more adoption at gates?
17:08:28 bah, sorry I'm late!
17:08:38 what i miss?
17:08:38 a few non-voting jobs thanks to browne and.. somebody else, can't remember ATM
17:08:59 tkelsey: we've got a handle on this security thing
17:09:02 we can all go home
17:09:07 lol
17:09:13 tmcpeak: sounds good to me, same time next week then
17:09:17 yep yep
17:09:18 not openstack related, but i am giving a tech talk on bandit at red hat next week =)
17:09:25 elmiko: sweet!
17:09:25 here's the output in keystone with latest bandit: http://logs.openstack.org/20/208620/10/check/gate-keystone-tox-bandit/d7698f9/console.html#_2015-08-13_13_14_16_081
17:09:34 elmiko: I'm giving one on it tonight at the local UG
17:09:35 elmiko: awesome
17:09:42 sigmavirus24: ^5
17:09:43 although the talk is about code quality tools in general
17:09:46 ^5
17:09:53 sigmavirus24: elmiko +1
17:10:05 yeah sweet guys!
17:10:09 spread the word :)
17:10:24 trying =)
17:10:34 bknudson: looks good, anything out of place from your perspective?
17:10:38 sigmavirus24: Hopefully this won't be an example of bad code!
17:10:42 nope, looks good.
17:10:49 bknudson: awesome :)
17:10:54 lol
17:10:56 no it won't
17:10:58 bknudson: I always give preferential testing to the Keystone properties before release
17:11:03 Daviey: it'll be used to improve code-q
17:11:07 since you guys have voting gates
17:11:07 it says when the run started but doesn't say when the run ended
17:11:20 but it's top of my list to get automation for all the gate projects
17:11:22 (not sure why either one is all that interesting to log)
17:11:59 bknudson: not particularly unless you're super concerned with performance
17:12:13 cool, so that's probs good for Bandit this week, keep on keeping on
17:12:19 #topic Sec Guide
17:12:27 sicarie, elmiko, Daviey, pdesai
17:12:29 So the migration to RST is complete
17:12:33 \o/
17:12:39 mwahahahahaha
17:12:41 whoop whoop
17:12:45 Awesome work from everyone
17:12:47 I mean, awesome! :)
17:12:50 #link http://docs.openstack.org/security-guide/
17:12:50 http://docs.openstack.org/security-guide/
17:13:03 the 'Warning' there is getting removed as soon as we get a doc core +2
17:13:10 the commit to delete the xml files was actually delicious
17:13:15 +1
17:13:18 it's… it's.. beautiful
17:13:23 hehe
17:13:26 +1
17:13:30 sigmavirus24: Anne questioned if we should be advertising liberty coverage in docs yet?
17:13:34 err sicarie ^
17:13:43 hah
17:13:51 tab complete is not your friend
17:13:57 Inflippindeed
17:14:03 oh, and we have yet to address the current LuLu print and future pdf plans, unless sicarie addressed it already
17:14:17 Daviey: if it's not released, I'm not a fan of promoting it
17:14:46 I think we should keep an eye on it and open bugs for coverage, but I also don't know anything liberty specific we'd need to include at this point
17:14:56 elmiko: yes, I've been chatting with Anne and Lana about that
17:15:06 sicarie: awesome =)
17:15:15 We learned that LuLu was not insignificant sales.. which surprised me
17:15:17 I need to validate the tooling - it might take docbook, in which case our leaf version will be the current XML :(
17:15:23 how much?
17:15:24 Daviey: +1
17:15:29 (might ONLY take docbook)
17:15:42 tmcpeak: Numbers TBC, i'll dig out the comment
17:16:04 sicarie: ouch..
17:16:12 does that just cover printing cost or does it go to the openstack foundation in some way?
17:16:13 elmiko: agreed
17:16:34 just when i thought i had escaped xml, it drags me back in....
17:16:46 tmcpeak: there is a charge to update content, and then I'd imagine that some of the profits go towards cost of printing, but that is all foundation stuff
17:17:08 elmiko: at this point, I'm in favor of updating it, and then adding a disclaimer and opening a ticket against the docs team :)
17:17:12 ahh cool
17:17:20 (tmcpeak: In May 2015, 20 were sold.)
17:17:22 sicarie: that sounds fair
17:17:28 that's pretty solid
17:17:39 So that's my action for the week
17:17:45 cool
17:17:47 As long as I don't forget - I'm still digging out from my inbox
17:17:51 though I'm almost done
17:17:54 #topic Security Notes
17:18:08 nkinder: you around today?
17:18:14 i think we need an OSSN triage day or something
17:18:14 looks like not
17:18:17 I've made no progress with my inflight OSSN this week. I suck.
17:18:26 yeah, so elmiko was pointing out we have some murky OSSN's
17:18:53 i looked through several of the open ones to find a new target, and there is no clear winner. i think we need to make sure they are all viable for notes
17:19:19 we should definitely triage some of these
17:19:29 elmiko: Wait, the open OSSN's might not all need docs?
17:19:33 this one (for example) has been going on forever
17:19:47 Daviey: imo no, for some of them there is no clear path for an OSSN
17:19:57 or at the least they should be marked as incomplete
17:20:10 elmiko: Does that need nkinder to prune them?
17:20:55 Daviey: i think we should probably do an OSSN triage day where we have nkinder and others take a look over them to make sure they are relevant
17:21:03 elmiko: +1
17:21:04 elmiko: sprint topic?
17:21:07 if we make it a group effort we can probably bust through the lot of them
17:21:24 Daviey: yeah probably a good sprint effor
17:21:25 Daviey: that would be great
17:21:25 t
17:22:01 sadly, i'm thinking i won't be able to attend the mid-cycle, but i would certainly pitch in for a sprint to read them and raise questions
17:22:14 bah, elmiko not making it?
17:22:35 :(
17:22:36 tmcpeak: i want to, i just haven't heard back on my requests to attend =(
17:22:50 we should get a subsprint going with those that can't make it
17:22:58 to do things like OSSN cleanup, unit tests for Bandit, etc
17:23:03 there's still hope, but i'm not sure
17:23:11 tmcpeak: +1
17:23:33 cool, ok
17:23:37 #topic Midcycle
17:23:38 elmiko: good luck
17:23:48 not much to say here, I think we're all up to date
17:23:58 hopefully those that are planning on attending have been able to book their hotel/flights by now
17:24:13 we'll do a self-paid social day at some point, but not sure yet when that will be
17:24:17 we can sync up in person
17:24:42 we'll also get some directions ready to explain what to do on the first day for those that haven't been to HP Seattle yet
17:25:06 what's the address of HP seattle?
17:25:17 also if you have anything you'd like to propose for an agenda item please add it to the etherpad: https://etherpad.openstack.org/p/security-liberty-midcycle
17:25:33 701 Pike St, Seattle, WA
17:25:38 michaelxin hp seattle is in the seattle convention center
17:25:39 I think 9th floor?
17:25:45 sicarie: ^
17:25:46 (Suite 900 and zip of 98101)
17:25:50 tmcpeak yeah
17:25:51 perfect
17:25:51 thanks
17:26:14 we have some good items already on the etherpad
17:26:14 worry about the details closer to the time, but basically 'convention center'
17:26:23 looks like plenty to keep us busy
17:26:37 will check with boss today.
17:26:37 but if you have something else you think would be good for the midcycle, please add it to the topics section
17:26:52 along with your name (if you want to lead it), a brief synopsis, and how much effort you think it will take
17:27:27 michaelxin: great
17:27:32 #topic API Testing
17:27:35 michaelxin: any update here?
17:27:54 I'll take the monorail.
17:28:02 sorry, I just got back from China yesterday and Matt is out of office this week.
17:28:22 ok cool no worries, we'll do an update next week
17:28:30 sure.
17:28:34 #topic oslo proposal for privsep daemon library - https://review.openstack.org/#/c/204073
17:28:40 bknudson: ^
17:28:53 I just wanted to mention it in case security people wanted to look at it.
17:29:16 this looks promising
17:29:17 we talked about this at the last ossg meetup
17:29:30 oh
17:29:32 we did?
17:29:37 as a better implementation of rootwrap
17:29:48 I should go get my head checked I think
17:30:13 This is really interesting! I've never really been happy with rootwrap
17:30:22 bknudson: if we could get that in before glance starts using os-brick... that'd be greaaattt =P
17:30:30 yea, this spec looks pretty intense
17:30:33 very cool
17:30:45 all I needed to hear was "better implementation of rootwrap"
17:30:51 lol
17:31:03 picking up rootwrap would be a mistake IMO
17:31:03 +1 intense
17:31:18 At least the current one is better than the Eucalyptus C one that was rushed in.
17:32:06 I'll have to read this properly after the meeting
17:32:41 cool, ok - so this looks interesting, I encourage everybody to read it :)
17:32:46 #topic AOB
17:32:48 open floor
17:33:24 sicarie: DC + BH overview?
17:33:40 anything of note for OpenStack pplz?
17:33:57 Sure, I think my highlight was the "cloud instructor" who was talking about different paradigms and was all excited that "in the cloud, production can change as much as five times a day!"
17:34:24 haha
17:34:27 I didn't see anything openstack-related
17:34:42 And I did try to hit all the cloud talks, even after it was apparent they were a hot mess
17:34:46 I suppose that's good
17:35:07 sicarie: hot mess in terms of not being that focused, or ...?
17:35:36 elmiko: they were either all theoretical or they were focused on very fringe firmware versions that did not go across many devices
17:35:39 Oh
17:35:57 There was one note - apparently flooding the CAN in OVS breaks all vlans and will allow arbitrary sniffing
17:36:10 I think that was the most useful bit
17:36:20 cool
17:36:34 sicarie: +1
17:36:37 the real question though, did DefCon continue the badge hacking contest?
17:36:54 elmiko: yes, but in this case you just added your own stuff on top of the record
17:37:02 DC badges looked strange this year
17:37:06 ahh
17:37:16 I didn't go to the closing ceremonies - I was off at the last technical talk
17:37:35 sicarie: Heard car hacking is hot this year.
17:37:44 michaelxin: there were 3 talks, all SRO
17:37:47 and a car-hacking village
17:37:54 I didn't get in there in time to get a badge, though :(
17:38:14 wished I were there.
17:38:17 if anybody hasn't read the whitepaper Charlie Miller and Chris Valasek did on their car hacking you should
17:38:20 Obviously Valasek's talk was huge, the Tesla one was actually better - they went through what was done right, and all the stuff they had to rip through to get in
17:38:20 it's really good
17:38:38 ooh car hacking village, very cool
17:38:50 +1 I sat in with a few people, it was fun
17:38:53 what's next?
17:39:00 plane hacking village?
17:39:25 Oh, and the I Will Kill You talk was hysterical
17:39:54 michaelxin: lol
17:40:18 liability requirements for software haven't kept up with how it's used
17:40:21 yeah that one was great
17:40:37 hysterical and terrifying in one
17:40:50 And PenTesting a City
17:41:01 Though the slides for that one weren't as descriptive as the talk
17:41:19 was the ring -1 stuff overrated, or was it just me?
17:41:29 Daviey: ring -1?
17:43:45 sorry, OTP
17:43:51 nvm
17:44:19 cool, anything else before we wrap?
17:44:54 let's go home!
17:45:28 cool
17:45:30 #endmeeting