17:00:53 <tmcpeak> #startmeeting security
17:00:54 <openstack> Meeting started Thu Dec  3 17:00:53 2015 UTC and is due to finish in 60 minutes.  The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:56 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:56 <tmcpeak> #chair hyakuhei
17:00:58 <openstack> The meeting name has been set to 'security'
17:00:59 <openstack> Current chairs: hyakuhei tmcpeak
17:01:00 <openstack> hyakuhei: Error: Can't start another meeting, one is in progress.  Use #endmeeting first.
17:01:01 <hyakuhei> heh
17:01:07 <hyakuhei> Thanks tmcpeak
17:01:08 <tmcpeak> :P
17:01:10 <nkinder> Hi all
17:01:11 <tmcpeak> take it away sir
17:01:14 <ysm> o/
17:01:21 <tmcpeak> hey nkinder
17:01:24 <nkinder> fyi - I'm only half here (in another meeting)
17:01:27 <hyakuhei> hey nkinder !
17:01:29 <tmcpeak> fair enough
17:01:32 <browne> hi
17:01:33 <nkinder> Push OSSN stuff to the end please
17:01:42 <tmcpeak> cool
17:01:43 <hyakuhei> righto!
17:02:10 <hyakuhei> Okiedokie I guess we can get started
17:02:17 <hyakuhei> #link https://etherpad.openstack.org/p/security-20151203-agenda
17:02:20 <hyakuhei> Agenda ^
17:02:39 <tmcpeak> nice
17:02:50 <tmcpeak> I like this etherpad approach
17:03:02 <hyakuhei> Normally I like to share them earlier
17:03:07 <hyakuhei> bumped OSSN to the bottom of the list
17:03:19 <hyakuhei> As per nkinder :)
17:03:28 <hyakuhei> Hmmm, no redrobot here.
17:03:42 <hyakuhei> ok, so I also knocked this together
17:03:46 <tmcpeak> no michaelxin either
17:03:48 <hyakuhei> #topic Publicity
17:03:55 <hyakuhei> #link https://etherpad.openstack.org/p/security-raising-profile
17:04:12 <hyakuhei> Etherpad for ideas on how to raise awareness as well as tracking which teams we’ve spammed :)
17:04:12 <michaelxin> here
17:04:18 <tmcpeak> oh nice
17:04:21 <michaelxin> sorry that I am late
17:04:30 <michaelxin> half here too.
17:04:45 <hyakuhei> General idea is that you look through, pick a few in your timezone and drop in on their meetings, add something to the teams agenda if you can
17:05:19 <hyakuhei> The boilerplate part is there for us to work on some messaging, make it easier to be consistent in meetings
17:05:34 <tmcpeak> cool, shall we prioritize in some way?
17:05:38 <michaelxin> that's a huge list
17:05:47 <tmcpeak> +1 - huge list
17:05:49 <hyakuhei> That’s almost every team
17:05:53 <hyakuhei> I’m happy to cut
17:05:55 <michaelxin> we need some security champs
17:06:07 <michaelxin> +1 for prioritizing
17:06:17 <hyakuhei> michaelxin: While I agree, for the most part we need champs to come to us
17:06:32 <hyakuhei> That is to say, people like bknudson who work on another project but also want to dip into security
17:06:56 <tmcpeak> +1 - too many groups for us to be involved with each
17:07:08 <tmcpeak> seems easier and more effective to get people interested in security within a project
17:07:10 <sicarie> hyakuhei: I was noticing this week that the neutron api folk put out a request to -dev for liaisons
17:07:11 <hyakuhei> I think the best we can do is increase our visibility and accessibility - if we build it, they <might> come
17:07:34 <bknudson> the bandit work should help
17:07:35 <hyakuhei> sicarie: We’ve tried that (years ago) - lets see if they get traction with that.
17:07:45 <tmcpeak> bknudson: agreed
17:07:48 <bknudson> maybe we need to make it clearer that bandit is an ossg project?
17:08:21 <hyakuhei> bknudson: I’d like to bask in the Bandit glory :D
17:08:29 <tmcpeak> hehe
17:08:42 <tmcpeak> I assume we'll be needing a big push again once we get the baseline gate working
17:09:00 <tmcpeak> at that point I'd imagine most projects should be ready to do at least a non-voting gate to start
17:09:28 <tmcpeak> so how should we go forward on this?
17:09:43 <michaelxin> we can brainstorm for some ideas
17:09:52 <tmcpeak> maybe get a few of us interested
17:09:56 <michaelxin> it might be a good topic for mid-cycle
17:09:58 <tmcpeak> then each sign up for 2 meetings to start?
17:10:12 <hyakuhei> Well, start with some more boilerplate on that etherpad. It’d be good if everyone just picked a couple of meetings.
17:10:29 <tmcpeak> 1) drop something on the meeting agenda, 2) introduce ourselves and our mission, 3) ask if anybody is interested in security?
17:10:35 <hyakuhei> Prioritising is great but to start with just picking those meetings that fit most easily with your schedule is fine
17:10:40 <hyakuhei> tmcpeak: Pretty much
17:10:42 <tmcpeak> ok, I'll pick a couple now
17:10:56 <hyakuhei> It would be nice to have the Boilerplate really become more of an FAQ.
17:11:36 <michaelxin> I will sign up two
17:12:02 <tmcpeak> ok I'll take OSLO and Heat to begin
17:12:15 <hyakuhei> Great, put your name by them
17:12:37 <tmcpeak> good work hyakuhei
17:12:43 <michaelxin> +1
17:12:47 <hyakuhei> and then just strike them out (line through) when done?
17:13:10 <tmcpeak> will do
17:13:12 <hyakuhei> I’ll prune the list a little later, grokking the meeting info has resulted in entries for _everything_
17:13:15 <bknudson> we should make sure that people are clear that ossg isn't keystone
17:13:30 <tmcpeak> hehe
17:13:32 <tmcpeak> wut?
17:13:34 <bknudson> since I would think most people think that keystone handles security for their project
17:13:43 <tmcpeak> oh.. like that
17:13:44 <bknudson> most developers
17:13:50 <tmcpeak> well then we've got some work to do
17:14:08 <michaelxin> bknudson: Thanks for letting us know
17:14:38 <hyakuhei> Absolutely, that’s why I figured having some boilerplate text might be useful
17:15:08 <hyakuhei> I’ll also push to have a security-project presentation at each of the summits moving forward.
17:15:13 <tmcpeak> yeah true
17:15:17 <tmcpeak> how should we approach that?
17:15:24 <tmcpeak> we can point to the deck too
17:15:48 <hyakuhei> tbh, I’m not sure it’s that important, not many devs go to the conference talks.
17:16:32 <hyakuhei> But yeah, we need to think of other things to raise profile too
17:16:40 <michaelxin> We tried one for Tokyo
17:16:44 <tmcpeak> I just mean we can pull the boiler plate from the deck
17:16:45 <michaelxin> only two showed up
17:17:00 <bknudson> I think the best way to raise the profile in other projects is to get involved
17:17:10 <michaelxin> bknudson: +1
17:17:15 <bknudson> for example, push changes to enable bandit
17:17:17 <tmcpeak> definitely - I'm just not sure we have the resources
17:17:20 <tmcpeak> we need more bknudson's
17:17:54 <bknudson> we have to prioritize... maybe it's more important to get bandit in the projects rather than adding new features
17:17:59 <hyakuhei> I’ll be able to put some more effort from my team into pushing bandit out to other projects.
17:18:10 <hyakuhei> bknudson, possibility for parallel tracks
17:18:22 <bknudson> It doesn't hurt to go to the meetings and ask for volunteers
17:18:27 <hyakuhei> It’s also possible that integrating with other projects might be more approachable than creating new features
17:18:33 <bknudson> sometimes devs are looking for interesting work
17:18:43 <tmcpeak> yeah - if we just double down on getting a bandit gate in most of these, then they'll have had a (hopefully good) introduction to the security team
17:18:56 <tmcpeak> and ideally be more comfortable reaching out for design decisions and the other stuff we do
17:19:29 <bknudson> getting reminders from bandit that they don't know security should help.
17:19:29 <hyakuhei> Demonstrating value is always a good way to get buy-in
17:19:40 <tmcpeak> bknudson: :D
17:20:35 <hyakuhei> lol yes that too
17:21:15 <bknudson> how about an action plan to get a project using bandit with the new baseline feature, write up how it's done, and post a message to the mailing list
17:21:18 <hyakuhei> Anything to discuss re: Bandit specifically ?
17:21:31 <bknudson> then when you attend the meeting ask for help with this.
17:21:34 <tmcpeak> bknudson: that sounds like a great approach
17:21:38 <hyakuhei> Agree
17:21:48 <tmcpeak> ok cool, tkelsey or I can take that action
17:22:16 <tmcpeak> I'm guiding one of our internal teams through setting up the baseline gates currently :)
17:22:30 <tmcpeak> that should be it for Bandit
17:23:14 <hyakuhei> I’d be interested in helping out
17:23:17 <tmcpeak> awesome
17:23:28 <tmcpeak> let's shoot for that as the next step then
17:23:38 <hyakuhei> Throw it in the etherpad.
17:23:45 <tmcpeak> shouldn't be too bad, I've already got the requisite jenkins job manager magic
17:23:51 <tmcpeak> ok
17:23:59 <hyakuhei> Thanks tmcpeak !
17:24:34 <tmcpeak> cool, np
17:25:26 <hyakuhei> Ok, lets roll on. We don’t have dg_ or tkelsey as they’re at HPE Discover
17:25:28 <bknudson> we don't need baseline for keystone since we've got it deployed
17:25:30 <hyakuhei> #topic Bandit
17:25:40 <hyakuhei> Anything else going on here that you’d like to discuss?
17:25:53 <tmcpeak> so we have a proposal to fix config
17:26:12 <tmcpeak> https://review.openstack.org/249128
17:26:37 <tmcpeak> basically config has been one of the major pain points
17:26:48 <tmcpeak> the file is huge, if you update Bandit a lot of times your old config doesn't work as expected, etc
17:27:16 <tmcpeak> so basically the idea is to break it up.  Some stuff can be flat out removed, other stuff will be moved to dedicated profile files, and the config generator will be adapted to build profiles easily
17:27:27 <tmcpeak> I encourage you all to read it if you haven't yet
17:27:32 <bknudson> the proposal looks like it'll be a nice improvement
17:27:48 <browne> nice, i missed that spec
17:27:50 <bknudson> the bandit upgrade changes have been difficult to review
17:27:50 <tmcpeak> bknudson: awesome, was hoping you'd think so
17:27:55 <tmcpeak> (our most loyal customer)
17:28:13 <tmcpeak> bknudson: upgrade changes?
17:28:27 <bknudson> yes, when we're supporting new versions of bandit
17:28:31 <bknudson> and the config file changes
17:28:32 <tmcpeak> oh yeah..
17:28:38 <tmcpeak> so this should obviate the need to do that
17:28:41 <bknudson> it's difficult for reviewers to know if it's correct or not
17:29:02 <tmcpeak> basically what you'll do from a keystone perspective is run "bandit --include 101-150" or something
17:29:07 <tmcpeak> and then it will just run the right tests
17:29:12 <browne> yea
17:29:23 <tmcpeak> similar to how PEP8 works
17:29:27 <bknudson> no config file?
17:29:29 <tmcpeak> nope
17:29:34 <tmcpeak> you can have a profile file
17:29:38 <tmcpeak> that specifies which tests and settings
17:29:45 <tmcpeak> and if you have that profile it'll work from one version to the next
17:30:08 <tmcpeak> bc each plugin has default values for what it needs built in
17:30:08 <bknudson> that works as long as it doesn't put too many lines in the tox.ini
17:30:19 <tmcpeak> bknudson: it'll be really small tox.ini
17:31:32 <tmcpeak> we'd like to get these done before midcycle but who knows
17:31:40 <tmcpeak> that special not working time of the year is rolling on up
17:31:47 <browne> tmcpeak: when is  midcycle?
17:31:52 <hyakuhei> speaking of the midcycle, we don’t have a whole lot of signups
17:31:53 <tmcpeak> Jan 11-15 I think
17:31:59 <hyakuhei> #link https://etherpad.openstack.org/p/security-mitaka-midcycle
17:32:12 <hyakuhei> Has Rackspace confirmed the space now?
17:32:18 <michaelxin> hyakuhei: yes
17:32:26 <michaelxin> We booked the conferences for both
17:32:28 <michaelxin> teams
17:32:48 <tmcpeak> yeah we don't… time to scare up more participants!
17:32:54 <hyakuhei> Wonderful, I thought that was the case but thank you for the confirmation.
17:32:59 <michaelxin> We also booked some small conference rooms if we want to break into small groups
17:33:01 <tmcpeak> #topic Midcycle
17:33:04 <hyakuhei> Perfect
17:33:05 <tmcpeak> :)
17:33:07 <bknudson> I might be able to get another couple to go. I have to advertise it.
17:33:25 <bknudson> I wasn't sure if the dates were confirmed.
17:34:06 <bknudson> #link https://wiki.openstack.org/wiki/Sprints
17:34:11 <michaelxin> The dates should be 01/12-01/15
17:34:16 <michaelxin> Tuesday to Friday
17:34:21 <tmcpeak> so.. who wants to go to midcycle and hasn't signed up?
17:34:26 <hyakuhei> I’ll add ours now
17:34:39 <bknudson> thanks!
17:34:40 <browne> i want to, but need to confirm with mgmt
17:35:06 <michaelxin> Barbican team's mid-cycle is from Monday to Wednesday
17:35:08 <tmcpeak> sigmavirus24: it's in your backyard, you should come
17:35:14 <michaelxin> So we have two days overlapping.
17:35:26 <sigmavirus24> oh?
17:35:26 <sigmavirus24> where?
17:35:54 <michaelxin> It should give us some time to work together.
17:35:55 <sigmavirus24> hm
17:35:59 <michaelxin> sigmavirus24: in the castle
17:36:26 <sigmavirus24> I will talk to my manager
17:36:29 <tmcpeak> sweet
17:38:32 <sigmavirus24> and approved
17:38:37 <tmcpeak> haha damn
17:38:38 <tmcpeak> nice
17:39:25 <michaelxin> sigmavirus24: +1
17:39:29 <tmcpeak> alright so, in conclusion - sign up if you haven't and you'd like to come to midcycle
17:40:02 <hyakuhei> +1
17:40:08 <tmcpeak> recruiting?
17:40:12 <tmcpeak> or nkinder..
17:40:19 <hyakuhei> #topic Recruiting
17:40:25 <tmcpeak> sweet
17:40:32 <hyakuhei> Which kind of overlaps with the publicity stuff
17:40:33 <tmcpeak> I've got a slot at the OpenStack meetup in the bay
17:40:37 <hyakuhei> Excellent!
17:40:39 <tmcpeak> Jan 21st I think
17:40:43 <tmcpeak> browne said he'll come too
17:40:46 <michaelxin> ccneil delivered a talk for Austin Openstack meetup
17:40:51 <tmcpeak> nkinder would but he's actually pretty far in the boonies now
17:41:01 <tmcpeak> michaelxin: legit!
17:41:05 <tmcpeak> anything come from it?
17:41:08 <nkinder> Yeah, I'm not sure if I'll be down there at that time
17:41:08 <michaelxin> A couple of people showed interest in Bandit
17:41:13 <tmcpeak> and how was it received? I think he's the first
17:41:25 <michaelxin> no one is interested in OSSP. :-(
17:41:46 <tmcpeak> how many people turned up?
17:41:53 <michaelxin> 30+
17:42:08 <michaelxin> Visa gave a talk before our talk.
17:42:15 <tmcpeak> any feel for demographics?
17:42:28 <michaelxin> I do not know.
17:42:30 <michaelxin> I was not there.
17:42:46 <michaelxin> We will host an OWASP San Antonio in two weeks.
17:43:01 <michaelxin> We will hand out flyers.
17:43:03 <tmcpeak> nice!
17:43:10 <hyakuhei> Superb!
17:43:15 <elmiko> o/
17:43:21 <michaelxin> And talk with people about OSSP
17:43:46 <tmcpeak> elmiko: you made it after all :)
17:44:07 <elmiko> tmcpeak: my talk ended a little early =)
17:44:24 <tmcpeak> awesome
17:44:38 <hyakuhei> welcome elmiko
17:44:47 <hyakuhei> nkinder: you around to talk OSSNs now ?
17:44:53 <nkinder> Sure
17:44:58 <hyakuhei> #topic OSSN
17:45:17 <nkinder> So there's an embargoed one that I'm working on that's quite close to being opened up
17:45:34 <tmcpeak> yep, that one's looking good
17:45:40 <nkinder> The way the issue is being handled has changed since I drafted the note, so there are some minor changes needed.
17:46:05 <nkinder> There was another issue that was embargoed that tmcpeak and hyakuhei worked on
17:46:11 <bknudson> maybe we can get some other folks to look at the proposals, maybe they have a different opinion
17:46:29 <hyakuhei> nkinder: Does that need another look?
17:46:30 <nkinder> I believe the issue is public now, but the note was never proposed as a review
17:46:49 <tmcpeak> wait, which one is this?
17:47:04 <nkinder> hyakuhei: OSSN-0060, which is in the embargoed repo we use
17:47:20 <tmcpeak> is that the one we distributed through the OSSA channel?
17:47:29 <hyakuhei> I think so yeah
17:47:35 <hyakuhei> it never got the final release?
17:48:27 <tmcpeak> I thought it did..
17:48:33 <nkinder> so are we dropping the OSSN?  If so, we should close the OSSN bug for it and free up the OSSN number
17:48:57 <tmcpeak> no it should just be released as a public OSSN now
17:49:27 <nkinder> tmcpeak: ok, do you want to propose the review since you worked on writing it?
17:49:30 <hyakuhei> Yeah, I think it just goes out as normal
17:49:33 <nkinder> then I can review it
17:49:35 <hyakuhei> I can help with that.
17:49:47 <nkinder> ok, great.
17:49:54 <tmcpeak> nkinder: sorry I missed your comments about 0060
17:49:58 <tmcpeak> I don't read gud
17:50:04 <nkinder> The queue of OSSNs is looking pretty good
17:50:13 <nkinder> There are 3 to be picked up
17:50:25 <nkinder> one new one came in last week that should be easy - https://bugs.launchpad.net/ossn/+bug/1516031
17:50:25 <openstack> Launchpad bug 1516031 in Glance "Use of MD5 in OpenStack Glance image signature (CVE-2015-8234)" [Undecided,Triaged]
17:50:54 <hyakuhei> lol - I can knock that out tomorrow morning unless someone else wants it
17:51:01 <hyakuhei> been a while since I authored an OSSN
17:51:35 <tmcpeak> hmm
17:51:41 <nkinder> hyakuhei: cool.  I'll try to get to one of the other ones once the embargoed one I'm working is wrapped up.
17:51:48 <hyakuhei> Cool
17:52:14 <tmcpeak> looks like a fun one
17:52:20 <tmcpeak> that's actually a cool bug
17:52:22 <tmcpeak> signature = rsa(sha256(md5(disk-image-content)))
17:52:22 <tmcpeak> This degrades the security of the system to that of the weakest hash, which is obviously MD5 here.
17:52:23 <hyakuhei> #action hyakuhei to pick up bug 1516031
17:52:23 <openstack> bug 1516031 in Glance "Use of MD5 in OpenStack Glance image signature (CVE-2015-8234)" [Undecided,Triaged] https://launchpad.net/bugs/1516031
17:52:32 <tmcpeak> not super obvious from the code but it's true
17:52:37 <nkinder> That's about it on the OSSN side of things.  Anyone interested can pick one of them up. :)
17:52:54 <hyakuhei> Thanks nkinder
17:53:47 <elmiko> tmcpeak: a collision on the md5 would ripple up through the sha and rsa?
17:54:10 <tmcpeak> you can just brute the md5 and then calculate sha256 of it
17:54:20 <elmiko> right
17:54:21 <nkinder> yeah, hash the same input and you get the same output
17:54:24 <tmcpeak> I'm not sure how the rsa fits in
17:54:27 <hyakuhei> *sigh*
17:54:30 <elmiko> lol
17:54:33 <hyakuhei> Righto, Any other business.
17:54:41 <hyakuhei> #topic Any Other Business
17:55:13 <tristanC> oh hi folks, if I may share another list of things to do... This is the list of public OSSA issues (confirmed and incomplete): https://bugs.launchpad.net/ossa/+bugs?field.information_type%3Alist=PUBLICSECURITY&orderby=-status&start=0
17:56:06 <hyakuhei> Are these where you need opinions from us?
17:56:26 <tristanC> well the first two need a patch
17:57:27 <tristanC> the swift one needs opinion, investigation...
17:58:04 <tristanC> and the last one also requires some more investigation
17:58:10 <hyakuhei> Excellent, anyone want to take actions on these?
17:58:34 <tmcpeak> if they haven't been done by next week I should have some time to spend
17:58:50 <hyakuhei> I’ll try to do some on Monday.
17:59:02 <tristanC> to be honest, we figured those public ossa issue would be better discussed with OSSP
17:59:21 <tmcpeak> ok cool, I'll put it on my queue for Monday too
17:59:52 <tristanC> but time is now running out, so yes if they could get reviewed next time, that would be very helpful
18:00:07 <tmcpeak> ok cool, will do
18:00:23 <tmcpeak> time is up!
18:00:28 <hyakuhei> #endmeeting