17:01:04 <tmcpeak> #startmeeting security
17:01:05 <openstack> Meeting started Thu Feb 25 17:01:04 2016 UTC and is due to finish in 60 minutes.  The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:07 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:08 <wayward710> Hi
17:01:09 <openstack> The meeting name has been set to 'security'
17:01:11 <elmiko> heyo/
17:01:11 <cjschaef> hi
17:01:14 <tmcpeak> #chair hyakuhei
17:01:15 <openstack> Warning: Nick not in channel: hyakuhei
17:01:16 <openstack> Current chairs: hyakuhei tmcpeak
17:01:20 <bknudson> hi
17:01:27 <michaelxin> hi, all
17:02:03 <tmcpeak> o/
17:02:03 <tmcpeak> yo, what's up everybody
17:02:03 <tmcpeak> we'll give a couple minutes to get people in
17:02:11 * hyakuhei is here but still in previous meeting - you see the agenda?
17:02:23 <tmcpeak> no, where's that?
17:02:33 <elmiko> tmcpeak, hyakuhei, approve my pull request! =D
17:02:47 <tmcpeak> #link https://etherpad.openstack.org/p/security-20160225-agenda
17:03:03 <tmcpeak> ok I'll run this until hyakuhei finishes other meeting
17:03:18 <tmcpeak> so I think we had BYOK follow up
17:03:20 <tmcpeak> we'll defer
17:03:26 <tmcpeak> all the way to… Anchor
17:03:40 <tmcpeak> although we have none of the Anchor's around either
17:03:48 <elmiko> added blog XD
17:03:52 <tmcpeak> #topic Bandit
17:04:01 <tmcpeak> ok we've got a lot of good changes coming
17:04:04 <tmcpeak> still working toward 1.0
17:04:33 <tmcpeak> browne, cjschaef, myself, tkelsey and others have been pushing some good work
17:04:40 <elmiko> +1
17:04:43 <tmcpeak> we're still on track there
17:04:45 <bknudson> +1
17:04:53 <tmcpeak> one thing we could use is some testing
17:05:06 <tmcpeak> so if anybody has some time to play with Bandit and find (and report) bugs, that would be awesome
17:05:33 <LHinds> I can do that
17:05:42 <tmcpeak> LHinds: awesome, thank you!
17:05:57 <tmcpeak> ok cool
17:05:58 <cjschaef> I will play with it some too, now that my test coverage work is winding down
17:05:59 <LHinds> I ran it against some of my own code, and it found a lot, so owe it back ;-]
17:06:00 <michaelxin> +1
17:06:07 <tmcpeak> cjschaef: great, thank you!
17:06:19 <tmcpeak> ok cool, probably not much else to say on Bandit this week
17:06:25 <tmcpeak> #topic Sec Guide
17:06:31 <tmcpeak> elmiko: sicarie
17:06:33 <tmcpeak> take it away
17:06:51 <elmiko> i don't think there is much to report here
17:06:54 <sicarie> +1
17:06:59 <michaelxin> -1
17:07:01 <sicarie> Not much progress this week
17:07:02 <michaelxin> :-)
17:07:04 <elmiko> we are still working towards the pdf re-release, and closing some bugs
17:07:06 <tmcpeak> alright, might have a quicker meeting then ;)
17:07:13 <tmcpeak> #topic Syntribos
17:07:35 <tmcpeak> michaelxin and co
17:07:37 <michaelxin> We added some blueprints about what we want to do
17:07:37 <tmcpeak> how's this coming?
17:07:50 <michaelxin> Michael Dong has been working on some features.
17:08:08 <michaelxin> We are also updating the docs
17:08:12 <tmcpeak> sweet, summary?
17:08:30 <michaelxin> We will use it testing Solum next week
17:08:43 <elmiko> nice
17:08:47 <michaelxin> summary: We are working on it.
17:08:59 <tmcpeak> fair enough
17:09:14 <tmcpeak> ok then..
17:09:27 <tmcpeak> hmm, trying to think what we should talk about without Rob
17:09:34 <michaelxin> summit?
17:09:45 <elmiko> blog?
17:09:57 <tmcpeak> he'll probably want to discuss that too ;)
17:09:57 <tmcpeak> sure blog
17:09:57 <tmcpeak> #topic Blog
17:10:07 <michaelxin> When will they announce talks accepted for the summit?
17:10:13 <tmcpeak> ok anybody have any cool stuff they want to write about?
17:10:15 <elmiko> i put a post up for the blog, please accept it =D
17:10:23 <michaelxin> elmiko: +1
17:10:29 <elmiko> (i refrained from just pushing it myself)
17:10:37 <tmcpeak> oh yeah?
17:10:37 <tmcpeak> you don't have mergy juice elmiko?
17:10:54 <elmiko> oh, i do. just wanted to be more democratic about it
17:11:09 <browne> link?
17:11:13 <elmiko> #link https://github.com/openstack-security/openstack-security.github.io/pull/13
17:11:14 <ysm> ylinux01
17:11:44 <tmcpeak> elmiko: just push when you think it's ready
17:11:44 <elmiko> tmcpeak: i wanted to make sure that you and hyakuhei were good with it first
17:11:55 * tmcpeak reads
17:12:14 <elmiko> ok, i'll give folks sometime to check it out and merge later if there are no comments
17:12:23 <michaelxin> good job
17:12:28 <elmiko> \o/
17:13:02 <tmcpeak> elmiko: this is awesome!
17:13:16 <elmiko> =D
17:13:23 <tmcpeak> mergies!
17:13:23 <LHinds> +1
17:13:35 <LHinds> looks good
17:13:43 <elmiko> ok, i'll just merge now then
17:13:53 <tmcpeak> this is awesome elmiko
17:14:01 <elmiko> thanks tmcpeak
17:14:32 <tmcpeak> ok cool, up next…
17:14:40 <tmcpeak> oh let's do CORS
17:14:41 <tmcpeak> #topic CORS
17:14:57 <tmcpeak> did anybody get a chance to look at this?
17:14:58 <tmcpeak> I did
17:15:00 <singlethink> I did
17:15:08 <singlethink> (spec, docs, not code)
17:15:11 <tmcpeak> ok cool, what's your thoughts singlethink
17:15:16 <tmcpeak> I only looked at the spec
17:15:23 <singlethink> First blush: it sounds like a reasonable solution
17:15:34 <michaelxin> link?
17:15:37 <singlethink> basically... centralizing access to APIs from web browser
17:15:38 <elmiko> i looked as well
17:15:45 <singlethink> #link http://specs.openstack.org/openstack/openstack-specs/specs/cors-support.html
17:15:47 <tmcpeak> I understand the use however it really seems like the kind of thing that needs to be well thought out
17:15:50 <michaelxin> Thanks.
17:15:52 <singlethink> instead of each project maintaining their own api proxy
17:16:01 <tmcpeak> this would probably be a good use of a OSSP threat model
17:16:01 <singlethink> also #link http://docs.openstack.org/developer/oslo.middleware/cors.html
17:16:22 <singlethink> Yes... I agree it's security critical
17:16:38 <tmcpeak> yeah and they keep mentioning that it has to be done carefully and projects need to be aware of security implications
17:16:44 <elmiko> i think a common location for cors middleware would be great, it would also save krotscheck the time of updating all the paste deploy scripts ;)
17:16:46 <tmcpeak> that's the kind of thing we can help with
17:16:48 <singlethink> I also think that it deserves some coverage in the security guide (and maybe Bandit)
17:17:07 <tmcpeak> yeah we should definitely produce some guidance about this
17:17:12 <krotscheck> Eh?
17:17:19 <singlethink> discussing CORS middleware
17:17:24 <elmiko> krotscheck: we're talking about http://specs.openstack.org/openstack/openstack-specs/specs/cors-support.html
17:17:27 <tmcpeak> I'm wondering if this should be a design session at the summit
17:17:32 <hyakuhei> Sup, sorry - ran a little long
17:17:36 <hyakuhei> Please continue :)
17:17:50 <krotscheck> Righto
17:17:53 <tmcpeak> hey hyakuhei, saved the parts I thought you'd want to be on for you
17:18:01 <michaelxin> a threat model is cool idea
17:18:02 <hyakuhei> Cheers
17:18:09 <tmcpeak> hyakuhei: did you read the CORS thing?
17:18:33 <tmcpeak> you'll want to check this out: http://specs.openstack.org/openstack/openstack-specs/specs/cors-support.html
17:18:39 <tmcpeak> curious for your take
17:18:53 <hyakuhei> Just reading up on it now
17:18:54 <tmcpeak> gmurphy also agrees this should be done with care
17:19:17 <tmcpeak> (pasted link in my team channel last week)
17:19:27 <hyakuhei> well, that’s scary.
17:19:42 <tmcpeak> heh yeah
17:19:45 <tmcpeak> that was my gut thought too
17:19:46 <hyakuhei> I don’t fully understand how it applies to middleware as opposed to the more typical browser example.
17:19:57 * krotscheck would like to note that he doesn't have the context-relevant vocabulary, so as he says things that sound weird, please ask for him to define what his brain thinks those words mean.
17:20:06 <tmcpeak> hyakuhei: I'd like to do a threat model for this in a design session
17:20:20 <hyakuhei> Seems fair
17:20:33 <tmcpeak> two birds with one stone, etc
17:20:39 <hyakuhei> sure
17:20:53 <tmcpeak> ok cool
17:20:59 <tmcpeak> #topic Summit room request
17:21:03 <tmcpeak> hyakuhei:
17:21:14 <elmiko> it would be a good example to illustrate how the flow of traffic works, imo (re:CORS)
17:21:33 <krotscheck> I'd be happy to act as SME for that and explain it.
17:21:35 <tmcpeak> elmiko: yeah, one of the things I'd like to put together in TA
17:21:47 <tmcpeak> good diagrams, data flows, etc
17:21:47 <hyakuhei> Sounds good to me, fishbowl or working room?
17:21:47 <elmiko> +1, krotscheck, tmcpeak ;)
17:21:57 <tmcpeak> krotscheck: ahh cool
17:22:00 <elmiko> i'd vote working room
17:22:00 <tmcpeak> are you involved with this?
17:22:07 <elmiko> tmcpeak: he wrote that spec
17:22:10 <tmcpeak> oooh
17:22:11 <tmcpeak> perfect
17:22:14 <elmiko> hehe
17:22:16 <hyakuhei> exciting times.
17:22:20 <krotscheck> tmcpeak: I wrote the spec. And all the patches. That are currently already in Mitaka
17:22:31 <tmcpeak> ok perfect
17:22:35 <tmcpeak> yeah we'll need you then
17:22:38 <krotscheck> tmcpeak: That are under discussion AGAIN.
17:22:43 <elmiko> he's also been updating all the api-paste.ini files for projects that use them to include the necessary options for CORS support
17:22:47 * krotscheck didn't realize the horse was still alive.
17:23:07 <krotscheck> elmiko: And it looks like I get to revert all those.
17:23:23 <elmiko> /sadpanda
17:23:43 <krotscheck> elmiko: No biggie. The application default options really should be pregenerated in the config file.
17:24:04 <elmiko> that makes sense
17:24:23 <krotscheck> Anyway: Yes, assuming I'm going to the summit (95% likely, unless daycare falls through) I'll be more than happy to describe CORS to you.
17:24:47 <tmcpeak> ok cool
17:24:55 <elmiko> but the real issue here is not horizon talking to the services, but new browser based apps that will need to make requests directly against api servers, right?
17:25:08 <elmiko> or, indirectly, i suppose
17:25:29 <hyakuhei> A lot of what horizon does actually falls away with CORS in favor of browser-side operation
17:25:33 <hyakuhei> which is kinda interesting
17:25:40 <elmiko> yea
17:26:17 <krotscheck> Yep
17:26:30 <elmiko> it seems to me we are enabling more growth of applications that can talk to the api servers with improved CORS support
17:26:40 <elmiko> just a good thing to do
17:27:04 <elmiko> anyways, sorry for the derail
17:27:21 <tmcpeak> it's a good discussion, but we should also have it face to face to be effective I think
17:27:32 <elmiko> +1
17:27:54 <nsun> +1
17:27:56 <tmcpeak> ok cool
17:28:03 <tmcpeak> so summit rooms for real
17:28:07 <tmcpeak> hyakuhei: what'd you have in mind?
17:28:22 <hyakuhei> Ok, so we get to request rooms
17:28:31 <hyakuhei> Last summit we had 2 fishbowl, 2 working
17:28:34 <hyakuhei> and used all of them
17:28:56 <tmcpeak> what do we have in mind?
17:29:01 <tmcpeak> Bandit again?
17:29:06 <hyakuhei> TA
17:29:21 <elmiko> imo, TA should be a fishbowl
17:29:25 <hyakuhei> +1
17:29:29 <elmiko> maybe bandit too, we had a full house last time
17:29:35 <elmiko> i dunno
17:29:39 <hyakuhei> Though we could also have a working room for TA:Cors
17:29:45 <hyakuhei> I’d be happy to do both
17:29:46 <elmiko> +1
17:29:58 <tmcpeak> ok so those two, what else?
17:30:00 <elmiko> a working room for CORS.* seems appropriate
17:30:06 <hyakuhei> So yeah, if you want a fishbowl or a working room for your pet project put it on the etherpad
17:30:28 <tmcpeak> hyakuhei: did Doug do any talks, and/or do you think he'll be at summit?
17:30:33 * elmiko adding distributed scale attacks to list....
17:30:35 <tmcpeak> if we're doing Killick things could be worth one
17:30:36 <elmiko> j/k
17:30:45 <hyakuhei> tmcpeak: Doug did, no idea if it’ll be included
17:30:59 <hyakuhei> (I actually have an idea as a track chair, but my lips are sealed, muwhahaha)
17:30:59 <tmcpeak> ok, maybe we'll need to circle back on this a couple of times
17:31:06 <tmcpeak> hyakuhei: when do you need to know by?
17:31:11 <elmiko> hyakuhei: oooh, nice
17:31:34 <hyakuhei> I’ve put in a provisional request for 3x3
17:31:45 <elmiko> i wonder if we could expand the Anchor, Killick stuff to a more broad topic on PKI in general?
17:31:47 <tmcpeak> cool
17:31:56 <tmcpeak> elmiko: yeah, that's probably a good way to slice it
17:32:04 <hyakuhei> Yeah that would be interesting
17:32:24 <michaelxin> which etherpad?
17:32:41 <elmiko> i know Anchor is an OSSP baby, but i would be lax on my duties if i didn't at least advocate for a discussion of all options *cough*dogtag/ipa*cough*
17:32:49 <tmcpeak> :D
17:32:53 <elmiko> ;)
17:32:54 <tmcpeak> holy war, holy war
17:32:58 <elmiko> haha
17:33:08 <hyakuhei> Good point
17:33:17 <tmcpeak> maybe we can just have bare knuckle boxing and sort this out for once
17:33:26 <michaelxin> +1
17:33:27 <hyakuhei> Though I have thoughts on pushing Anchor up as a general service ala AWS ACM
17:33:40 <elmiko> +1, imo Anchor is cool
17:33:52 <hyakuhei> which would be very different (and require more adherence to OpenStack idiomatic API etc)
17:33:59 <elmiko> i just think we should avoid becoming a one-solution-fits-all organ
17:34:21 <elmiko> hyakuhei: yea... about that ;)
17:34:29 <hyakuhei> elmiko: I agree
17:35:03 <tmcpeak> ok cool
17:35:09 <tmcpeak> onward?
17:35:24 <hyakuhei> please
17:35:42 <elmiko> was there a different link for the summit etherpad?
17:35:57 <michaelxin> a link?
17:36:07 <tmcpeak> #topic PTL Elections
17:36:16 <tmcpeak> hyakuhei: what'd you want to do here?
17:36:25 <tmcpeak> I'm happy with "Rob 4 prez" as we've done in the past
17:36:31 <hyakuhei> Make sure people know there’s an election cycle coming up in about a month
17:36:37 <elmiko> michaelxin: re: "[12:30] < hyakuhei> So yeah, if you want a fishbowl or a working room for your pet project put it on the etherpad"
17:36:40 <hyakuhei> Work out who I need to kneecap/pay off etc.
17:36:44 <tmcpeak> but they probably want us to do the whole process
17:36:46 <elmiko> haha
17:36:52 <hyakuhei> elmiko: michaelxin: Just the agenda one for now
17:36:56 * tmcpeak <— pay
17:36:59 <elmiko> hyakuhei: ack, thanks
17:37:00 <michaelxin> Thanks.
17:37:12 * elmiko <- no kneecap, please
17:37:14 <hyakuhei> It’s not a big discussion, helps me with numbers, I’ll petition Thierry and we’ll see what we get
17:37:27 <hyakuhei> Remove both kneecaps, roger that!
17:37:48 <hyakuhei> Anyway yeah, last time around the PTL elections slipped us by. I wanted to make sure everyone knows this time
17:38:08 <tmcpeak> ok, anything we have to do?
17:38:14 <tmcpeak> or just hyakuhei actions?
17:38:33 <michaelxin> Do we need to vote?
17:38:34 <elmiko> i think just hyakuhei, and any rivals, need to make posts to the ML right?
17:38:53 <hyakuhei> We need to add ourselves to a yml file these days I think
17:39:00 <elmiko> also, added room requests to the agenda
17:39:03 <hyakuhei> Process doesn’t open for a while.
17:39:06 <hyakuhei> elmiko: TY
17:39:44 <tmcpeak> does anybody want to run?
17:40:22 <elmiko> i'm happy to continue with our BDFL
17:40:24 <browne> not really, but are there multiple PTLs for the OSSP projects?
17:40:30 <browne> like bandit vs achor?
17:40:33 <elmiko> browne: good point
17:40:33 <browne> anchor
17:40:39 <hyakuhei> Not really just code leads / cores
17:40:57 <tmcpeak> I think subprojects don't get cores generally in OS
17:40:58 <tmcpeak> is that right?
17:40:59 <hyakuhei> We can spin projects out into full blown “openstack things” if required
17:41:03 <tmcpeak> sorry PTL's
17:41:08 <hyakuhei> tmcpeak: correct
17:41:20 <browne> oh, but i think of bandit as a project (at least that way in Gerrit).
17:41:38 <tmcpeak> yeah Bandit potentially should be separate
17:41:59 <elmiko> yea, bandit is really growing to the point it should have full project status, imo
17:42:02 <hyakuhei> PTL is mainly here to do things like arrange the summit, make sure meetings happen, push agenda upstream etc. Maybe a discussion we should have at the summit is spinning out Bandit
17:42:27 <michaelxin> lots of work :)
17:42:33 <browne> i was more curious about the organization. not suggesting anything. it's been working as is
17:42:35 <elmiko> hmm, to that extent, then the other projects may not make sense to spin off
17:42:38 <hyakuhei> “Status” is a relative term now that we have a big tent model, it’s not the rubber stamp that it used to be but it’s certainly something I’d be open to
17:42:46 <browne> but if someone wanted to be a PTL of Bandit or whatever
17:42:56 <hyakuhei> In the words of my former boss
17:43:07 <hyakuhei> “You can call yourself whatever the hell you want so long as you don’t want any more money"
17:43:14 <elmiko> hyakuhei: yea, and bandit as an openstack project i don't means as much. but in the wider F/OSS community i think bandit definitely has legs.
17:43:17 <michaelxin> haha
17:43:38 <elmiko> s/don't means/don't think means/
17:43:50 <michaelxin> elmiko: +1
17:43:57 <hyakuhei> Sounds like a good discussion to have f2f
17:44:01 <elmiko> +1
17:44:04 <hyakuhei> possibly including beer
17:44:08 <elmiko> +2
17:44:15 <LHinds> does bandit have its own channel?  (sorry if off-topic)
17:44:20 <elmiko> no
17:44:31 <tmcpeak> ++
17:44:36 <elmiko> maybe it's time is coming though ;)
17:44:44 <tmcpeak> LHinds: #openstack-security works I think
17:44:47 <tmcpeak> not too crowded in there
17:44:59 <LHinds> k, thanks tmcpeak
17:45:06 <elmiko> aside from the random bot ;)
17:45:20 <tmcpeak> the bot adds character
17:45:29 <elmiko> true
17:45:32 <tmcpeak> ok, let's see
17:45:37 <tmcpeak> anything else we want to cover?
17:45:45 <tmcpeak> maybe AOB now?
17:45:47 <tmcpeak> #topic AOB
17:46:23 <michaelxin> when will they announce talk schedule?
17:46:34 <tmcpeak> hyakuhei: you know?
17:46:47 <hyakuhei> Oh not for a few weeks at least
17:46:58 <hyakuhei> Don’t have to close out our chair discussions until next week
17:47:07 <hyakuhei> There’s normally a 2 week tail on that before they’re announced
17:47:12 <hyakuhei> but I don’t know the details
17:47:21 <michaelxin> thanks.
17:47:24 <hyakuhei> #action hyakuhei to check when the sched is announced
17:48:28 <tmcpeak> alright, anything else?
17:48:31 <tmcpeak> might wrap early today
17:49:09 <michaelxin> cool. Thanks.
17:49:16 <hyakuhei> https://review.openstack.org/#/c/271517/
17:49:24 <tmcpeak> oh yeah
17:49:29 <tmcpeak> Rob had a follow up from last time
17:49:37 <hyakuhei> ^ thats all
17:50:15 <tmcpeak> cool
17:50:35 <tmcpeak> alright, time to wrap?
17:50:46 <tmcpeak> #endmeeting