17:00:12 #startmeeting Security
17:00:13 Meeting started Thu Mar 31 17:00:12 2016 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:14 o/
17:00:15 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:16 o/
17:00:17 The meeting name has been set to 'security'
17:00:24 #chair tmcpeak
17:00:24 Current chairs: hyakuhei tmcpeak
17:00:50 My dog’s just had to go back to the vets for the second time today so it’s possible I’ll need to hand over to you tmcpeak
17:00:57 o/
17:00:58 Anyway, hopefully not.
17:01:02 Hey gmurphy
17:01:05 sup
17:01:09 #link https://etherpad.openstack.org/p/security-20160331-agenda
17:01:12 hyakuhei: =(
17:01:18 o/ ;)
17:01:18 hope the pup is ok
17:01:33 yep
17:01:36 me too :)
17:01:58 hope all is well for the dog
17:02:12 hi, all
17:02:22 hyakuhei: good luck
17:02:27 Cheers
17:02:34 i missed the first part of this convo. but i also hope the dog is ok.
17:02:43 Righto. One more minute and we’ll get started
17:02:48 o/
17:02:58 hey buddy!
17:03:02 i had a thought about a name if we ever get to run a Pwn2Own type competition, "Attack the Stack"
17:03:44 got some minor nits on your note Rob
17:03:46 looks good
17:03:58 elmiko: +1
17:04:20 Cool, yeah I just wrote it now, very much WIP but given how nasty that issue is I thought I’d put it up for review early
17:04:20 elmiko hehe, that's awesome
17:04:58 since we're talking about it, can we start with OSSN?
17:05:03 yeah
17:05:11 o/
17:05:40 this came up on dave-mccowan's review, the issue of service naming and capitalization...
17:06:05 what's this now?
17:06:05 #topic OSSN-0064
17:06:19 #link https://review.openstack.org/#/c/300091/
17:06:32 what about 0063... ;)
17:06:36 I know it’s scrappy, just read the bug today and got very yikes
17:06:49 lol yeah
17:06:50 http://docs.openstack.org/contributor-guide/writing-style/general-writing-guidelines.html
17:06:57 63 is taken per the wiki that or I missed it because I’m dumb
17:07:05 bknudson: right, for docs that's true
17:07:21 OSSNs have always been a bit more informal
17:07:28 i just wanted to make sure we stay consistent in the notes, i'm totally fine with following that convention but we already have bifurcation of opinions
17:07:49 sicarie: exactly, and those doc rules about caps are for official "docs"
17:08:17 and annoying as hell
17:08:43 IMO it's consistency through the note itself - though having a convention to point to for all notes may be useful
17:08:49 sicarie: +1
17:08:59 +1
17:09:16 I’m not sure which we’ve done historically
17:09:19 and i happened to notice that hyakuhei was using caps for his note (and stayed internally consistent mind you, hyakuhei++) ;)
17:09:23 but certainly we should stick with one
17:09:37 and whichever it is, add it to our OSSN guidance and template file.
17:09:39 i think we have historically stuck with the doc standard
17:09:52 hyakuhei: +1
17:09:53 I think I Will Have Used Caps Because I Always Do
17:10:00 haha!
17:10:05 Gee
17:10:08 Just generally that’s how I tend to write things
17:10:22 Ok, lets skip past caps for now. I’d appreciate reviews on that
17:10:23 shouty?
17:10:29 As long as it's not all Caps
17:10:44 ossn, now in all caps for extra emphasis
17:11:35 we're kind of a big deal so caps
17:11:44 :)
17:12:27 but also thank you for writing a note Rob
17:12:39 I don't think we've produced many lately
17:13:30 actually for that matter what's our plan for notes?
17:13:48 should we just accumulate a few and batch through them all at midcycle?
17:13:49 To write more?
17:14:00 I picked a few more bugs for note tasks yesterday
17:14:01 Midcycle is 3 months away or more
17:14:17 There’s only 3-4 at the moment I think but I know there’s at least that many in the pipeline too
17:14:42 might be interesting to see how many folks in openstack-operators ml actually refer to / use these notes.
17:14:44 seems like our pool of people that can and have the time to write notes is dwindling a bit
17:14:45 I can probably commit to starting one each week, at least progressing them to the stage something like this Keystone one today.
17:14:50 gmurphy: ++
17:14:55 +1
17:15:12 tmcpeak: is our backlog on notes growing?
17:15:13 +1
17:15:30 elmiko: a bit
17:15:44 https://bugs.launchpad.net/ossn
17:15:47 we've got 5 now
17:15:48 ok, i can try to pick one up too
17:16:18 2 in process, 3 new. not horrible, but needs to be addressed
17:16:23 elmiko: awesome
17:16:40 Thanks elmiko
17:16:57 Like I said, there’s 3-4 that will drop in the next week or so I think (currently embargoed)
17:17:13 yep yep
17:17:14 I will take one later this week.
17:17:26 michaelxin: awesome, thank you
17:18:01 I will ask my guys to take on some too since they are supposed to work full time on upstream projects.
17:18:05 I wonder what's the best way to find out if people are using them?
17:18:09 and if so how they are using them
17:18:11 and if not why not
17:18:22 tmcpeak: +1
17:18:24 Thanks michaelxin
17:18:27 send out survey?
17:18:41 Very hard to get anything definitive
17:18:44 good questions, i like the idea about hitting the operator ml, might also be worth it to have an ossp rep at the operator meetup for summit?
17:18:46 and whether they even know the notes exist...
17:18:54 lol
17:18:55 I’d certainly like to know from deployers what we could do to make them more accessible/usable.
17:19:00 gmurphy: a survey would be great if we have a forum to do so
17:19:02 +1 for ops meetup
17:19:17 I suspect a part of that may well be the parser/db thing we talked about before
17:19:49 hyakuhei: +1
17:19:58 is there an operators working group or something?
17:20:00 if there was a nice portal where you could select your versions and get the relevant notes
17:20:01 maybe we crash an ops session at the summit
17:20:08 tmcpeak: ooh, nice +1
17:20:19 tmcpeak: that’s the dream ;)
17:20:28 I think gmurphy and nkinder both did work in this area.
17:20:33 gmurphy: yea, would be cool if we could get a moderator to give us a few minutes on the agenda
17:20:38 * gmurphy hides
17:20:43 We could also have a blog about it
17:20:51 and I’ll write one about this keystone issue too
17:20:56 this is the kind of thing gmurphy smashes out in like 10 minutes with breakfast
17:21:30 (did I do a good job being motivational?)
17:21:36 heroic
17:21:46 lol
17:21:46 take the bait gmurphy? :)
17:22:17 nah.
17:22:33 bah, my game is weak
17:22:46 anyway how to make notes better seems like a great topic for the summit
17:22:56 +1
17:23:01 i did put on the agenda for the summit sessions about separating the ossa repo so we can have more control over the security.openstack.org content
17:23:15 so could also cover this
17:23:22 oh cool
17:23:26 as well
17:23:26 where is that agenda anyway?
17:23:33 the etherpad
17:23:43 #link https://etherpad.openstack.org/p/security-20160331-agenda
17:23:50 #link https://etherpad.openstack.org/p/security-newton-summit-brainstorm
17:23:53 oh sorry, I meant summit sessions
17:23:54 is where i put some stuff
17:24:18 yeah, that's the one
17:24:45 alright anything else for notes?
17:24:55 Nope
17:25:10 longest notes discussion evar...
17:25:14 lol, yeah
17:25:26 anybody talk to nkinder lately btw?
17:25:37 not me, sadly
17:25:41 :(
17:25:48 :(
17:25:52 I know he's pretty busy doing manager'y things
17:25:57 i heard from him on email a few days ago, but that's about it
17:26:19 alright
17:26:24 #topic Summit Sessions
17:26:28 probably not much to say here?
17:26:28 tmcpeak: yea, i think he's just up to his eyeballs with internal stuffs
17:26:34 we should have some! o/
17:26:42 \o/
17:26:58 Definitely should have some :D
17:27:02 I would like to propose a session on Threat Analysis and a session on PKI
17:27:07 BYOK would be interesting.
17:27:11 Do it dg____
17:27:20 dg____: yeah we're supposed to do that one with that one project
17:27:20 we have those both in the etherpad
17:27:26 as fishbowls no less
17:27:28 I suck with names
17:27:34 what was the project we were going to do TA for?
17:27:39 anchor?
17:27:40 kolla
17:27:40 I wonder if we're still on track to do that...
17:27:43 Kolla
17:27:47 yeah that's the one
17:27:47 ah, cool
17:27:53 sdake that's you, right?
17:27:54 yeh...no...
17:27:55 kolla has 14 slots at summit
17:27:59 TA is a way behind
17:28:01 and a full day contributor meetup
17:28:07 ooh very cool
17:28:08 sdake: woof, impressive
17:28:17 lets burn up one or two of our slots for TA
17:28:22 awesome!
17:28:25 assuming we want to do that at summit
17:28:27 I'm really looking forward to that
17:28:33 for sure we do
17:28:34 one or two slots needed?
17:28:40 how long is a slot?
17:28:44 40 minutes
17:28:46 sdake: that’d be cool
17:28:50 I'd say two then
17:28:52 nice
17:28:55 my guess is it could easily run 2 slots
17:28:55 another option is friday for the all day contributor meetup
17:29:04 ok lets do this, lets use 1 slot
17:29:06 that would be my vote
17:29:07 could easily run 5 but 2 should be useful.
17:29:08 Friday will not be good.
17:29:10 and then we can use more on friday
17:29:16 hyakuhei: yea, exactly
17:29:19 because we have a super packed agenda already
17:29:24 ok cool
17:29:29 sdake: +1
17:29:31 so the 1 slot will be an intro to threat analysis
17:29:33 sdake: you have any luck with architecture diagrams yet?
17:29:35 for our team
17:29:47 if so we can get an early start on them, would probably make the slot we have more effective
17:29:55 tmcpeak overloaded but i promise before summit they will be done to prep for this session
17:30:05 sdake: awesome, thank you
17:30:10 i almost feel it's more valuable to spend our time empowering the kolla team to run their own initial TA
17:30:16 please let us know in #openstack-security when they are so we can do our homework
17:30:29 elmiko the requirements require 3rd party ta
17:30:31 elmiko: it's useful to have security people involved I think
17:30:32 not self-ta
17:30:33 as a design pattern for how we can do this type of work with other teams
17:30:34 sdake: we can help, the earlier the better we can just ask dumb questions.
17:30:55 the tagging VMT requirements require third party
17:30:56 sdake: ah, missed that. is that for the tag?
17:31:00 i think we can meld that into third party + the project
17:31:03 right for the tag
17:31:11 if we have one slot maybe we should shoot for people having read the blog post on TA for background first
17:31:21 my feeling is that initial analysis should be done by the team, then handed off to a 3rd party for review
17:31:24 provide a link and i'll put it in the agenda
17:31:46 mainly to help overcome the domain knowledge gap
17:31:47 elmiko i can bounce that change off the governance repository
17:32:01 lol, I can't find any links
17:32:04 elmiko if the security team can come together and agree that is the best way to scale
17:32:05 one of you have the blog for that?
17:32:14 sdake: oh, i'm fine with the ultimate governor being a third party review, but does the whole thing need to be 3rd party?
17:32:26 elmiko as written yes
17:32:30 ah, gotcha
17:32:33 so lets fix that if thats what you want
17:32:37 governance repo can be changed
17:32:37 sdake: that policy is kind of BS ;)
17:32:40 well, i'm curious to hear others' thoughts on this too
17:32:45 tmcpeak lets fix it
17:32:52 sdake: makes sense
17:32:59 tmcpeak can you hold a vote or something to see if the security team wants that model
17:33:03 that being said I do like the nudge to actually do a TA before getting a VMT tag
17:33:18 where the projects do their own threat analysis and hand off to a third party for review
17:33:23 100%
17:33:41 i need irc logs to convince the tc ;-)
17:33:42 I don't think most (any?) of the projects have ever done a third party TA
17:33:44 right. but the question here is, do we as a group agree that the initial TA can be done by the team with a 3rd party review for the final tag, is that sufficient?
17:34:04 tmcpeak ya many have vmt tags with grandfathered status which is a bunch of bs imo
17:34:09 if you want that fixed, vote for me for tc ;)
17:34:10 sufficient for what though? I'm saying this requirement is pretty much pie in the sky
17:34:25 yeh i think so
17:34:25 oooh, grandfathered
17:34:30 i like the idea of the project teams starting the work, hopefully pointing to the areas *they* think are weak. then an external team reviewing the work and doing a further analysis.
17:34:48 elmiko: I don’t think that the TA process is well documented enough yet to expect teams to be able to do it hands-off
17:34:51 i'm a bit wary of fully handing off to project teams, given we haven't managed to successfully document a process for performing a TA
17:34:54 snap lol
17:34:57 hyakuhei: agreed
17:35:06 we'll need to help get the fire burning
17:35:32 i can possibly get a cross project TA session on tuesday
17:35:37 where we can discuss how to do that
17:35:38 if we're saying "from now on all projects that are new to VMT will have a TA done" sounds legit to me :)
17:35:41 cool
17:35:45 That would be good
17:35:49 yea, i agree that currently we can't just "hand this off", which is why i like the idea of these early reviews being an opportunity for the ossp to build educational materials about TA
17:35:49 no guarantees
17:36:01 elmiko +1
17:36:08 you tell me what you want, and i'll make it happen ;)
17:36:10 elmiko: +1
17:36:25 you're the security experts here
17:36:34 for me, the ultimate goal is empowering future teams to start this work on their own, possibly while they are developing their projects
17:37:01 sdake: step 1 - architecture diagram(s) step 2 - have a few security conscious people from your team try to do a TA and ask us for any help in the process step 3 - security team will review and give the "third party" stamp
17:37:02 ok so sounds like we have short term which is we work together to define a ta process
17:37:07 otherwise, i feel we will run into the issues that we've seen with scaling efforts that require a single team to help bless a process.
17:37:10 o/ sorry I'm late! needed to grab some lunch
17:37:17 elmiko: +1 - we don't have bandwidth to do reviews for all projects
17:37:22 right
17:37:36 We have a TA-light process to some extent
17:37:39 tmcpeak right scaling is a problem
17:37:45 It’s mainly documented in the Anchor blog at the moment
17:37:54 i really like the idea of doing a session at summit with kolla to help kick this process off, find out what we need to provide, what we will need from teams, etc...
17:37:58 +1
17:37:59 ok well i think the next step is to get that on docs.openstack.org
17:38:08 good point
17:38:12 cross project is all projects
17:38:31 Yeah it needs to be improved / iterated on first really, which means partnering with a project to develop it
17:38:36 title of session would be "VMT threat analysis generation"
17:38:46 this could definitely grow from an ossp skunkworks type thing into a cp spec
17:38:46 kolla can be that project
17:39:03 just don't ask me to write a cp spec ;)
17:39:04 ok so shall we do this as a security session or a Kolla session?
17:39:15 sdake: no, i think we would need to author it
17:39:17 i think you said you only have 3 or 4 sessions
17:39:25 so lets use a kolla session
17:39:31 and a cross project session
17:39:33 Kolla have more spare
17:39:36 +1 CP
17:39:37 ok cool
17:39:38 we don't have spare
17:39:42 but we have more capacity
17:39:46 s/spare//
17:39:49 we actually had 25 planned sessions
17:39:55 whoa!
17:39:55 wow
17:39:55 ;-)
17:40:01 so what steps are needed to make sure we can actually pull this off in an organized way at the summit?
17:40:04 well, containers are hot ;)
17:40:25 tmcpeak here is my recommendation
17:40:36 we add a cross project session tuesday on scaling the VMT threat analysis process
17:40:44 kolla sessions are wed/thur
17:40:48 I don’t think it’s fair to call it that
17:41:03 hyakuhei come up with a better title and i'll use it ;)
17:41:03 As the VMT has zero involvement and at the moment no agreement to recognise/leverage TA
17:41:13 they do agree to use ta
17:41:19 i got that change in the governance repo ;)
17:41:23 Whoop!
17:42:12 ok sdake this sounds reasonable
17:42:14 so is scaling the vmt threat analysis process a fair title then?
17:42:17 how do we schedule those sessions?
17:42:27 I like it
17:42:27 tmcpeak using the cross project wiki
17:42:36 tmcpeak i could use ptl help from the security team
17:42:44 forgive my ignorance but i'm not sure which one of you is the ptl :)
17:42:48 So long as the VMT don’t mind yeah. I mean VMT is part of Security anyway
17:42:51 hyakuhei is
17:42:52 o/
17:43:03 * elmiko points at hyakuhei
17:43:03 I'm just chatty :P
17:43:09 why not s/vmt/ossp/ ?
17:43:16 good question
17:43:19 +1
17:43:22 +1
17:43:30 gmurphy: +1
17:43:35 someone write a title down in irc since mine was shot down :)
17:43:40 vmt probably has more traction but is probably a little misleading.
17:43:46 and i'll work with hyakuhei to make it happen
17:43:54 "Scaling the OSSP Threat Analysis Process"
17:44:01 scaling the ossp threat analysis process?
17:44:02 lol
17:44:05 jinx!
17:44:09 ;)
17:44:14 All The Caps!
17:44:18 wfm
17:44:36 do we need changes to the governance repo to streamline things
17:44:49 ok so we do that Tuesday and then have a session with Kolla Weds or Thurs and then possible extended work Friday?
17:44:55 or is that a subject for later
17:44:58 i think we should discuss it out at summit first, before making gov. changes
17:44:59 Sounds good. So I can probably throw some real time at this on Monday/Tuesday
17:45:02 tmcpeak sounds good
17:45:15 ok cool
17:45:15 elmiko ok sounds good
17:45:25 (Refining the process a little as it stands, finishing the anchor documentation)
17:45:33 ok cool
17:45:38 i would like to make as many of these sessions as possible, but i have a feeling i will spread thin, yet again....
17:45:39 should we put an action item?
17:45:45 for sdake and hyakuhei?
17:45:51 yup
17:45:55 tuesday is ONLY cross project
17:45:59 so we don't have to worry about conflicts then
17:46:02 cool
17:46:06 #action sdake and hyakuhei to schedule TA sessions at summit
17:46:17 i just saw that sahara and ossp sessions are crossed again =(
17:46:28 :(
17:46:52 too many projects syndrome i suppose
17:47:04 alright
17:47:10 this is going to be good
17:47:14 let's run through the rest of the things
17:47:16 #topic Anchor
17:47:21 dg____: hyakuhei whatup
17:47:24 can we get docs on security.openstack.org documenting the ta process
17:47:32 sdake: Sure can
17:47:32 oops sorry to disrupt
17:47:35 sdake: yes for sure
17:47:50 if that can happen prior to summit that would help out the cp thing and kolla ta
17:47:50 hyakuhei: you OK to take that as well?
17:47:52 We need to refine it a little more combine what I’ve written with the docs dg____ has put up in the repo already
17:47:56 tmcpeak: sure
17:47:59 and our ultimate goal of making governance changes
17:48:00 cool
17:48:09 #action hyakuhei to get TA process on docs.openstack
17:48:23 I’d like TA to eventually become a project maturity tag
17:48:37 hyakuhei i think that is what VMT is :)
17:48:45 hyakuhei: that makes sound sense
17:49:03 maybe vmt should depend on a ta tag
17:49:14 I don't think that's the purpose of VMT but probably a decent side effect ;)
17:49:16 these are probably discussions for the cross project session
17:49:17 something to consider, #link https://review.openstack.org/#/c/220712/
17:49:49 oh for the sec guide?
17:49:58 any help there is welcomed
17:50:17 that's what is up now, but maybe it should live somewhere else eventually. i think we just decided that sec-guide was a good place to start
17:50:28 plus, now that it's all rst, we can link from anywhere
17:51:08 sec guide is mostly for deployers though yeah?
17:51:16 although, maybe that TA is more user facing and less developer facing, should we have 2 sets of TA stuff? (sounds like a lot)
17:51:27 tmcpeak: yea, exactly
17:51:41 i think there is some overlap
17:51:50 yeah TA should definitely be done by both
17:52:00 right, but the process will be similar?
17:52:00 but the guidance should be different
17:52:07 in some ways
17:52:09 ok, i can get that
17:52:17 process is the same but the kind of things you're looking at are different I think
17:52:24 we probably need to hash this out more
17:52:28 yeah
17:52:32 maybe something on ml?
17:52:43 sure
17:52:49 (since we're chewing through valuable meeting time)
17:53:09 ok, i'll put together an email to get the ball rolling
17:53:10 ok
17:53:14 thanks elmiko
17:53:17 ok, not much time so
17:53:18 #topic AOB
17:53:19 thanks elmiko
17:53:24 Bandit is really creeping on 1.0
17:53:29 :)
17:53:32 I think tkelsey is thinking about this week
17:53:58 exciting times!
17:54:02 looks like we just need to resolve the sahara issue in the integration
17:54:06 mdong and ccneil are working hard on Syntribos
17:54:15 and rahulunair!
17:54:16 you guys want to do a Syntribos update?
17:54:20 yup, just waiting on our testing then i'm gonna workflow it
17:54:22 I've seen lots of activity in #openstack-security
17:54:50 Sure, yeah as you can see from all our spam in #openstack-security we’ve been busy on Syntribos
17:54:55 We are also talking about adding a broken API with security defects for testing purposes.
17:55:14 we’ve gone through our blueprints page
17:55:15 We have something started
17:55:30 and prioritized everything so the community can have a better idea of what we’re working on
17:56:00 michaelxin: oh very cool
17:56:04 like a Syntribos test bed?
17:56:15 yes
17:56:22 that's a great idea
17:56:36 It can also be used to educate developers about security coding.
17:56:42 we originally wrote it for a workshop here at Rackspace
17:56:43 nice, great idea
17:56:44 https://github.com/mattvaldes/vulnerable-api/
17:56:46 Good point
17:57:13 cool!
17:57:17 Matthew Valdes started this project.
17:57:24 We want to add more to this.
17:57:37 Just want to get you guys's opinion
17:57:56 that vuln list is awesome
17:58:17 Thanks.
17:58:20 Need to run.
17:58:28 LGTM!
17:58:55 Ping me at security channel if you want to talk more about this.
17:59:02 bye
17:59:08 awesome
17:59:10 later michaelxin
17:59:11 I think that's a wrap
17:59:15 kk
17:59:17 #endmeeting