17:00:34 #startmeeting Security
17:00:38 Meeting started Thu Dec 10 17:00:34 2015 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:39 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:42 The meeting name has been set to 'security'
17:00:51 Hey everybody!
17:00:55 hi
17:00:57 howdy o/
17:01:03 hello!
17:01:05 hi
17:01:05 o/
17:01:12 o/
17:01:15 o/
17:01:19 o/
17:01:41 Oh man, I didn't realize you guys had a meeting right after Fuel - lots of familiar names! Hi michaelxin_! Hi ccneill!
17:01:48 hi there SheenaG!
17:01:53 long time no see
17:01:55 hi
17:02:12 ccneill: no kidding. Time for me to duck out, you guys have a good meeting!
17:02:16 SheenaG: How are you?
17:02:29 heh
17:02:45 michaelxin_ I'm good! I miss you guys! Looking forward to seeing everyone up at the Austin summit
17:02:53 SheenaG: sure
17:03:02 o/
17:03:11 time ran away with me ;)
17:03:18 pffft!
17:03:23 hehe
17:03:24 o/ all
17:03:30 debugging my crappy gate failure
17:03:33 Right so I don’t have a locked in agenda for today (my bad)
17:03:39 greetings!
17:03:40 pffft
17:03:44 Did anyone pick up any of the OSSNs this week?
17:03:48 Hey tristanC
17:03:52 tmcpeak: lol
17:04:03 hyakuhei: not me
17:04:07 how many do we have?
17:04:15 I'm just back from vacation
17:04:24 neither did i :/
17:04:27 I was supposed to check out the OSSA's but I got stuck on something and forgot :(
17:04:34 hyakuhei: no new ones picked up. Still finishing the embargoed one
17:04:34 3-4 I think, I’ve got one in review
17:04:45 #link https://review.openstack.org/#/c/254427/
17:04:56 hyakuhei: ah, I'll take a look at your draft
17:05:14 Cheers
17:05:20 hyakuhei: +1
17:05:32 will check it later.
17:05:41 Thanks
17:06:38 It was an easy one because the initial writeup was good
17:07:14 That always helps :)
17:07:35 ok, here’s a copy-pasted agenda whoop!
17:07:39 hyakuhei: looks legit
17:07:41 #link https://etherpad.openstack.org/p/security-20151210-agenda
17:07:48 #topic Publicity
17:07:57 #link https://etherpad.openstack.org/p/security-raising-profile
17:08:07 Anyone managed to pick up any sessions?
17:08:20 By that I mean - drop in and say hello...
17:08:27 I think we decided to be ready with the Bandit baseline job first?
17:08:31 I'm working on that as we speak
17:08:35 Ah yeah that’s right
17:08:35 or was prior to the meeting
17:08:44 In the meantime the boilerplate needs working on
17:08:53 +1
17:08:58 I picked up two
17:09:04 hyakuhei: had not seen this pad, but i'll look into taking a session
17:09:06 and I will go to one of them today.
17:09:21 michaelxin: hold off until we have the Bandit stuff ready so we can demo it during the meeting?
17:09:24 I missed one early this morning due to some other duty
17:09:38 tmcpeak: ok
17:09:46 i'll definitely follow up with the api-wg
17:09:57 that way they can play with it, see (hopefully) it's good, and then we can get next steps to put it in their tox
17:09:57 elmiko: sahara? right
17:10:04 michaelxin_: yes
17:10:09 oh yeah, I have an update on that I can wait until bandit slot
17:10:13 elmiko: +1
17:10:24 Well, you can take any meeting you want, whenever you want :) If you want to wait for Bandit so that there’s a nice way to demo / leverage it then that’s absolutely fine
17:10:27 ahh ok, if you're already set up go ahead
17:10:49 maybe, we can start to say hi
17:10:55 and learn what other people are doing.
17:11:03 seems reasonable
17:11:09 Whatever works for you as individuals, it’d be nice to drop in on the same group more than once
17:11:13 There are some emails about a security issue for Fuel
17:11:15 with Sahara I'm sure elmiko can push Bandit anyway ;)
17:11:18 Maybe even being more of a security rep…
17:11:28 but that gets time intensive
17:11:31 Maybe, we can leverage opportunities like that
17:11:31 tmcpeak: hehe, yea. we are working towards a voting bandit gate
17:11:36 yep
17:11:46 elmiko: ok, with the baseline I think it will be easier for you ;)
17:11:52 cool
17:11:56 yes
17:12:21 we might have to spend time on projects to learn what people are doing
17:12:30 the challenges they face
17:12:34 seems like we already have good engagement with some of the projects on this list. should we just note that in the etherpad?
17:12:34 and help them
17:12:40 (for example, barbican)
17:12:51 elmiko: +1
17:13:16 ccneill: is working on lots of barbican security testing.
17:13:23 nice
17:13:36 <_< something like that
17:13:42 and designate
17:13:44 I at least know what's going on I think ;)
17:13:55 gotta start somewhere
17:14:03 mdong: too.
17:14:13 I've been able to poke at the code manually a bit, and mcdong and I have written some functional security tests
17:14:24 That's excellent news
17:14:25 still have to figure out what we want to do with the tempest-lib CR I have open..
17:14:45 ccneill: you writing them for tempest?
17:14:58 https://review.openstack.org/#/c/216303/ + https://review.openstack.org/#/c/237263/
17:15:00 or just unit tests in Barbican?
17:15:33 so I originally started with barbican, then Designate was added to my plate, and I realized that maintaining a one-off file for every product I test would be tedious
17:15:45 and someone from designate recommended putting it in tempest-lib
17:15:46 yeah, good to reuse
17:16:01 barbican + designate both use tempest-lib, so I figured it was the lowest barrier to entry
17:16:13 this also happened before syntribos, so there's some confusion of how/if they fit together
17:16:26 I think the stuff I've written makes sense mostly as a data generator; the validators I have are very simplistic
17:16:33 yeah, looks like there is some overlap
17:16:41 but still, cool stuff
17:17:02 sorry for that tangent, but figured it kind of fits in with our outreach
17:17:11 definitely
17:17:15 no it’s very useful
17:17:23 since we'll want to figure out what tools we recommend/use ourselves/etc.
17:17:45 ccneill: +1
17:17:51 I think maybe in Q1 I can work on integrating Syntribos and my stuff a little more
17:17:59 at least feeding the stuff I've done into Syntribos or something
17:18:01 maybe we can spend some time reconciling this at the midcycle
17:18:12 + planning out where we want to do our fuzzing and drawing the lines
17:18:19 yeah
17:18:41 this was built purely to serve my needs for the tests I wanted to write for those 2 products; there is definitely room for improvement haha
17:19:27 it seems to make sense to have this in tempest
17:19:34 since those are already being run in the gate
17:19:48 would have less barrier to entry than introducing a separate tool
17:19:51 yeah, and it's super trivial to write your own functional tests and just plug in my data generators
17:19:56 agree
17:20:11 I saw a Mirantis blog on security highlighting Syntribos
17:20:22 but completely missing the Security project as a whole
17:20:23 oh sweet, link?
17:20:28 :P
17:20:32 which made me both sad with mirantis and sad generally
17:20:52 well yeah, you'd think we'd at least have one participant from there
17:21:04 #link https://www.mirantis.com/blog/openstack-security-issues-self-defense-without-weapons/
17:21:08 You’d think right? hehe.
17:21:52 Anyway, do you guys have specific bandit things to talk about?
17:22:15 yeah
17:22:27 #topic Bandit
17:22:55 ok cool
17:23:07 so we were going to make it easy to do a Bandit gate
17:23:14 with the baseline stuff
17:23:29 and I was just going to make a gate job template like I did for the HP stuff
17:23:49 but the project-config guys had the idea that we should just make a command line tool, and then projects can add it to their tox.ini and run it as part of flake8 checks
17:23:50 good idea
17:24:07 then a project doesn't have to do anything with config changes, they can change it themselves with their tox.ini
17:24:12 and it's also easy for developers to check locally
17:24:14 yeah
17:24:31 Ok that makes sense
17:24:33 +1 for easy peasy
17:24:36 so I've got this tool I've been working on: https://review.openstack.org/254455
17:24:49 the unit tests are broken (I'm debugging them)
17:24:51 but the tool works
17:24:55 if you guys want to play with it
17:25:20 basically it checks out the parent commit, runs Bandit, checks out the current commit, runs Bandit baseline, and compares
17:25:38 so even if your project has a bunch of problems, you'll only get results that are introduced as part of your code change
17:25:50 you basically run 'bandit-baseline ' and away you go
17:25:55 it can do HTML report, txt output, etc
17:26:06 nice
17:26:07 tmcpeak: very cool
17:26:09 and most importantly we can just add it to the tox target
17:26:10 That sounds useful
17:26:27 so a project that wants to use a bandit gate but has existing issues should still be able to use it
17:26:33 it will just make sure new issues aren't introduced
17:27:09 so yeah, as soon as this unit test gets fixed we should be able to merge it, push a new Bandit that includes it, and then start socializing it
17:27:27 sounds awesome
17:27:34 cool, thanks guys
17:27:46 some of the feedback I got presenting the OSSP deck at the OS Austin meetup was one guy was VERY interested in seeing every product gate on bandit
17:27:51 tmcpeak: great job
17:27:53 tmcpeak: +1
17:27:55 :D
17:28:03 so this is great stuff
17:28:15 cool, so next week it should be merged and everybody can go play around with it
17:28:36 that's all I had, tkelsey I assume you were busy?
17:28:47 nope I'm here
17:28:48 #topic Anchor
17:29:04 So not a lot has happened but viraptor has been working on integrating CMC messaging
17:29:04 I mean with the changes you're working on (config stuff)
17:29:10 tmcpeak: I'll look it over, I have been a bit snowed under :)
17:29:16 heh, yeah, figured
17:29:28 because we want to leverage that (possibly) for attestation in Leeson too (certificate things)
17:29:38 tkelsey: I don’t think there’s any other Anchor things?
17:29:53 what's CMC messaging?
17:30:03 s/messaging/requests
17:30:08 (brainfart)
17:30:14 what's CMC requests?
17:30:19 It’s like google
17:30:35 CMC is a way of packaging up certificate requests
17:30:43 It comes in two variants, simple and … not
17:30:57 Barbican has a simple implementation, we want to try and implement it too
17:31:05 ahh
17:31:14 #link https://tools.ietf.org/html/rfc5272
17:31:38 I take it we've rushed right out and started integration with the complicated one? :P
17:31:44 my IRC client is being lame, BRB while i relaunch it sorry!
17:32:00 We also need to put something together to better explain why ephemeral certificates are a good thing (revocation not working etc)
17:32:16 because I basically have to do a coffee talk every time someone new hears about it…
17:32:38 haha
17:32:42 heh, i'll bet
17:32:55 “You don't revoke certificates!” INSECURE!
17:33:07 Well, you don’t really revoke them either, you just think you do....
17:33:12 yeah, from presenting at OSSP, it was definitely clear that at least I am unable to articulate all the benefits of Anchor...
17:33:14 I would be interested in helping with that, but there will be a learning curve for me, making for a slower timeline. Is that OK?
17:33:19 …. let's grab a coffee and maybe a white board.
17:33:19 er *at Austin OpenStack
17:33:34 hyakuhei: you love doing coffee talks tho? :)
17:33:43 I’d be happy to try and get some design summit space to talk about Anchor
17:33:55 Of course there’s some content on youtube already
17:33:56 ok back
17:34:00 wb tkelsey
17:34:00 apologies
17:34:04 ty hyakuhei
17:34:11 I don’t have much to add really
17:35:15 Doug doesn’t appear to be here so nothing to add on the Killick things.
17:35:25 sicarie: What’s up with security docs?
17:35:32 (if he’s here….)
17:35:41 haven't had time to mess with it much the last few weeks
17:35:45 very little going on
17:35:58 Is it all shiny RST now?
17:36:03 yep
17:36:05 all RST
17:36:11 still working on getting sphinx to build the pdf
17:36:11 and very shiny ;)
17:36:13 that's a huge pain
17:36:16 Well that makes the bar for contribution significantly lower
17:36:21 congratulations
17:36:26 +1
17:36:27 massive bit of work to complete
17:36:56 #topic Last meeting
17:37:09 #Vote should we hold a meeting on Thursday the 17th?
17:37:15 last meeting?
17:37:29 last meeting of this year?
17:37:32 #sure
17:37:32 of the year i'm guessing?
17:37:48 i have no objection to that
17:37:54 +1
17:37:54 +1 I can be there then
17:37:54 #startvote Last meeting of the year on the 17th?
17:37:55 Begin voting on: Last meeting of the year on the 17th? Valid vote options are Yes, No.
17:37:56 Vote using '#vote OPTION'. Only your last vote counts.
17:38:00 +1
17:38:08 #vote Yes
17:38:08 ^ Yay bot votey thing works :P
17:38:09 #vote Yes
17:38:09 #vote yes
17:38:09 #vote Yes
17:38:10 #yes
17:38:13 I will be here. +vote Yes
17:38:16 #vote yes
17:38:17 #vote yes
17:38:17 #vote yes
17:38:22 #vote Yes
17:38:24 #vote yes
17:38:28 #vote No - just to be different
17:38:32 Ok well I guess that was easy enough, I’m presuming we’ll skip the meeting on christmas eve
17:38:35 gmurphy: nice ;)
17:38:39 gmurphy: you were already way different enough!
17:38:46 #vote no Xmas eve meeting
17:38:47 lol
17:38:53 lol +1
17:39:04 #showvote
17:39:10 wait, i thought we were doing ossp santa tracker on xmas eve?
17:39:19 elmiko: +1
17:39:23 hehe
17:39:27 #endvote
17:39:29 Voted on "Last meeting of the year on the 17th?" Results are
17:39:31 ossp santa modding?
17:39:42 wow the openstack bot is having a bad day....
17:39:54 naughty/nice list injection exploits, ftw
17:39:55 thinking… thinking
17:40:02 #santaglitches
17:40:05 42
17:40:15 it's going to tell us we have to meet on xmas eve...
17:40:19 haha
17:40:20 lol
17:40:20 haha
17:40:34 rofl
17:40:38 this voting has worked wonderfully
17:40:42 ok that’s more-or-less all I had
17:40:46 midcycle?
17:40:47 #topic Any other business
17:40:58 Yes, so afaik we’re just waiting for people to confirm numbers
17:41:02 mdong: can you update Syntribos?
17:41:14 cool, fair enough
17:41:16 we good on topics?
17:41:18 #link https://etherpad.openstack.org/p/security-mitaka-midcycle
17:41:20 mdong has been working on Syntribos recently.
17:41:23 I can talk a little bit on it
17:41:37 festivus is dec 23 so I'll be busy
17:41:44 We need to build the topics out more, add some structure, leaders for each bit as we’ve done with previous summits
17:41:50 s/summits/mid-cycles/
17:41:58 so I’ve been working on making Syntribos more usable, namely working on its reporting
17:42:11 bknudson: +1
17:42:31 mdong: insteresting
17:42:36 *interesting
17:42:46 trying to make it output like bandit instead of what it’s doing right now, which is writing stack traces to logs
17:42:47 +1
17:43:10 mdong: feel free to steal :)
17:43:22 that's what open source is all about
17:44:05 tmcpeak: +1
17:44:12 already on it ;)
17:44:38 https://review.openstack.org/255357
17:44:56 I should have a few more CRs up for it shortly
17:45:19 nice
17:45:26 looks like it's coming along
17:45:44 mdong: nice
17:46:14 I’m really excited to see where this project goes
17:46:29 hyakuhei: +1
17:46:32 and aligning outputs of bandit and syntribos is very classy
17:46:43 +1
17:47:04 really the problem is that Syntribos, being based on OpenCafe, behaves very differently from Bandit
17:47:10 hyakuhei: +1
17:47:16 I get that, they’re different tools doing different things
17:47:20 as far as the way its tests are written and run
17:47:38 but as far as aligning the output it’s not too hard
17:47:45 cool
17:47:45 but if the outputs, although different, can potentially be consumed in similar ways with similar look and feel that’s going to play very nicely with developers
17:48:38 yep ye
17:48:40 p
17:49:26 Excellent. Right what else to discuss people?
17:49:42 dg_: anything on Killick?
17:50:06 https://media1.giphy.com/media/4PvmF62Tl3KLe/200_s.gif
17:50:19 lol
17:50:21 lol, ouch
17:50:25 lol
17:50:25 :P
17:50:30 please sign up for the mid-cycle meeting if you have not done it yet.
17:50:35 :-)
17:50:36 +1
17:50:40 #endmeeting