17:00:11 <tmcpeak> #startmeeting security
17:00:12 <openstack> Meeting started Thu Apr  7 17:00:11 2016 UTC and is due to finish in 60 minutes.  The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:12 <tmcpeak> o/
17:00:13 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:16 <openstack> The meeting name has been set to 'security'
17:00:19 <ccneill> o/
17:00:23 <michaelxin> o/
17:00:44 <singlethink> o/
17:00:45 <ccneill> I feel like I need a new greeting just to be different
17:00:51 <ccneill> ﾟ･✿ヾ╲(｡◕‿◕｡)╱✿･ﾟ
17:00:54 <ccneill> :D
17:00:57 <tmcpeak> ~o\
17:01:11 <mdong> \o/
17:01:24 <elmiko> o/
17:01:34 <elmiko> ccneill: very nice /me tips fedora
17:01:36 <tmcpeak> no hyakuhei today, he passes his hello's
17:01:37 <ccneill> \m/(>_<)\m/
17:02:17 <tkelsey> o/
17:02:40 <tmcpeak> #link https://etherpad.openstack.org/p/security-20160407-agenda
17:03:02 <tmcpeak> allright, let's roll it
17:03:07 <tmcpeak> #topic Anchor
17:03:10 <tmcpeak> tkelsey: anything new here?
17:03:19 <elmiko> imo, we really need to just use a single etherpad for all these agendas
17:03:26 <ccneill> +1
17:03:39 <ccneill> I end up bookmarking the new one every week lol
17:03:45 <elmiko> right... me too
17:03:52 <tkelsey> tmcpeak: nope, nothing on my radar
17:03:59 <elmiko> we could just have a long list (i've seen other projects do this)
17:04:15 <ccneill> would be easier to search
17:04:25 <ccneill> but you can still quickly see just the most recent stuff
17:04:33 <michaelxin> good point
17:04:38 <tmcpeak> allright
17:04:54 <tmcpeak> elmiko: like a wiki?
17:05:14 <elmiko> nah, we can keep it on etherpad. just a suggestion to make it more convenient
17:05:20 <tmcpeak> ahh cool
17:05:24 <michaelxin> it is easier to copy and paste
17:05:28 <ccneill> we can do it in reverse order so newest is still at the top
17:05:31 <elmiko> although, other projects do use the openstack wiki for their agendas
17:05:31 <michaelxin> :-)
17:05:37 <tmcpeak> https://etherpad.openstack.org/p/security-agenda
17:05:43 <elmiko> \o/
17:05:45 <ccneill> boom
17:05:46 <tmcpeak> we'll put new meetings at the top
17:05:47 <ccneill> making moves
17:05:48 <elmiko> progress!
17:05:58 <tmcpeak> :D
17:05:58 <michaelxin> +1
17:06:01 <tmcpeak> that's it, I can go back to bed
17:06:07 <elmiko> finally, an etherpad worth bookmarking ;)
17:06:11 <elmiko> hahaha!
17:06:20 <ccneill> lol DONE!
17:06:27 <tmcpeak> this is why they pay me the big bucks, I steal elmiko's good ideas for profit
17:06:38 <elmiko> i'm happy to share =)
17:06:46 <michaelxin> haha
17:06:48 <tmcpeak> allright
17:06:50 <tmcpeak> #topic Bandit
17:06:54 <tmcpeak> 1.0, 1.0, 1.0
17:06:55 <tmcpeak> woot
17:06:58 <elmiko> \o/
17:07:10 <michaelxin> +2
17:07:13 <tkelsey> well 1.0.1 :P
17:07:19 <elmiko> hehe
17:07:20 <tmcpeak> bknudson: it working allright for you guys?
17:07:25 <tmcpeak> I assume I would have heard about it if it didn't
17:07:28 <tmcpeak> elmiko: you as well?
17:07:32 <bknudson> haven't seen any problems.
17:07:40 <elmiko> tkelsey: did you ever sort out the 1.0 tag to pypi?
17:07:41 <tmcpeak> have you gotten rid of the old config?
17:07:46 <elmiko> tmcpeak: yup, working on our end
17:07:53 <bknudson> someone should raise the requirement in global requirements.
17:08:05 <tmcpeak> browne proposed a change for that
17:08:10 <bknudson> so we can forget about support for the old bandit
17:08:10 <tkelsey> elmiko: nope, it seems jenkins/zuul whatever died
17:08:17 <elmiko> we still have the old bandit.yaml
17:08:21 <tkelsey> but the tag was taken then so i had to go with 1.0.1
17:08:23 <elmiko> tkelsey: that stinks =(
17:08:30 <tkelsey> elmiko: i know!!
17:08:32 <tkelsey> :(
17:08:37 <tmcpeak> well we could have manually pushed to PyPI but that sucks
17:08:46 <elmiko> ack
17:09:02 <tmcpeak> I'd like to help projects start getting rid of their config
17:09:20 <tmcpeak> for those that use it
17:09:23 <tkelsey> tmcpeak: I tried that, but it didnt like the manifest
17:09:31 <tmcpeak> ahh
17:09:35 <tkelsey> tmcpeak: yeah tis https://review.openstack.org/#/c/302234/
17:09:39 <tkelsey> *this
17:09:52 <elmiko> tmcpeak: i'll take a look at removing ours, expect questions =D
17:10:01 <tkelsey> elmiko: :D
17:10:17 <tmcpeak> why are they using a config at all?
17:10:37 <tkelsey> in that path?
17:11:03 <tmcpeak> yeah, can just remove the bandit.yaml from that check in yeah?
17:11:04 <tkelsey> well the had pre 1.0 stuff, same as everyone else. Now thay can move to a bold new config free future :D
17:11:24 <ccneill> (ﾉ^_^)ﾉ
17:11:27 <tmcpeak> ahh
17:11:29 <tmcpeak> sick
17:11:56 <tmcpeak> allright what else for Bandit?
17:11:58 <tmcpeak> anything?
17:12:06 <tkelsey> so yeah, lets start helping people move over
17:12:15 <tmcpeak> cool, plan
17:12:19 <tkelsey> thats about it for bandit :) good work team
17:12:31 <tmcpeak> thanks for all the release guiding work tkelsey
17:12:37 <elmiko> +1
17:12:57 <tmcpeak> I will buy you beer$ at our next communal shindig
17:13:09 <michaelxin> excellent work
17:13:13 <ccneill> +1.0.1
17:13:15 <ccneill> ;)
17:13:16 <tkelsey> tmcpeak: sounds like a plan :)
17:13:18 <elmiko> haha
17:13:21 <tmcpeak> lol
17:13:25 <tmcpeak> allright
17:13:27 <tmcpeak> #topic Docs
17:13:34 <tmcpeak> elmiko sicarie
17:13:39 <elmiko> don't think there is much new to report here
17:13:50 <elmiko> we've had a few more patches coming in, and some minor updates
17:13:58 <tmcpeak> where da pdf at
17:14:00 <elmiko> but the big issue is still producing the new leaf version
17:14:02 <elmiko> yea...
17:14:02 <tmcpeak> ;)
17:14:09 <elmiko> we have top minds looking into it
17:14:33 <sicarie> it's true, elmiko is the brains of the outfit
17:14:44 <elmiko> haha, i meant you and pdesai!
17:15:05 <tmcpeak> I'm a man of the people and the people demand sec guide PDF
17:15:05 <sicarie> it's a huge pita and we were going to all get in a room at the summit and try to figure something out
17:15:06 <michaelxin> +1
17:15:35 <tmcpeak> what's wrong with it?
17:15:46 <sicarie> all the automated tools don't deal with mutliple files
17:15:51 <sicarie> they want to convert rst from a single file
17:15:52 <elmiko> yea, the rst move was awesome for making new content. but it makes generating a pdf really difficult
17:16:09 <tmcpeak> ahh
17:16:27 <elmiko> not to shed too much, but maybe we can developer a single-page html solution from the rst?
17:16:45 <tmcpeak> that or squash all the RST into one flat file and PDF that ;)
17:16:54 <elmiko> right
17:17:16 <tmcpeak> allright anyways
17:17:18 <tmcpeak> top minds and all that
17:17:19 <tmcpeak> onward
17:17:22 <tmcpeak> #topic Syntribos
17:17:26 <tmcpeak> lots going on here
17:17:32 <ccneill> yep :)
17:17:44 <tmcpeak> what it do?
17:17:56 <mdong> so ccneill has been working on documentation
17:18:06 <mdong> which is something we sorely needed
17:18:07 <ccneill> (thanks, elmiko, for getting us started!)
17:18:14 <tmcpeak> nice, docs are good
17:18:14 <mdong> +1
17:18:23 <ccneill> started doing code documentation with RST docstrings
17:18:39 <tmcpeak> it getting any love at the summit btw?
17:18:48 <ccneill> it's merged in master now, so if you wanna see what I've been playing with, do a tox -e docs
17:18:53 <ccneill> tmcpeak: mdong and I won't be there unfortunately :\
17:19:02 <mdong> michaelxin is the only one of us going to summit
17:19:06 <tmcpeak> it's like 3 blocks away from the castle :P
17:19:15 <tmcpeak> (yes I know they are different cities)
17:19:16 <ccneill> sigh.. yeah
17:19:22 <mdong> it’s like 30 blocks from my apartment
17:19:25 <michaelxin> we do have austin office
17:19:36 <tmcpeak> you guys at least going to crash the party?
17:19:47 <ccneill> which partY?
17:19:54 <tmcpeak> summit party
17:20:01 <tmcpeak> Oo there's other partys?
17:20:09 <michaelxin> The summit party
17:20:18 * amrith wonders, the topic is "security" and they're talking about crashing a party ...
17:20:26 <ccneill> yeah I think someone mentioned there were a few evening parties, but I haven't done a summit before so I don't know much about it
17:20:35 <tmcpeak> amrith: it's how we roll :D
17:20:37 <elmiko> amrith: shhh
17:20:38 <ccneill> amrith: we'll bring hacked HID cards and all ;)
17:20:39 <elmiko> ;)
17:20:42 <mdong> i’ll bring my ski mask
17:20:53 <elmiko> mdong rolls serious!
17:20:54 <michaelxin> let's get back to Syntribos
17:20:58 <tmcpeak> lol
17:21:04 <tmcpeak> yep, back on topic
17:21:07 <mdong> go hard or go home
17:21:07 <mdong> anyway
17:21:13 <elmiko> haha
17:21:21 <michaelxin> rahul pushed code change for payloads of keystone
17:21:24 * amrith wanders away, I heard party and came here. no party and I'm off
17:21:32 <elmiko> amrith: +1
17:21:40 <michaelxin> ccneill and mcdong are working on improving reporting features.
17:21:40 <mdong> or rather, “request templates”, as we are calling them now
17:22:12 <mdong> we’ve also started the process of removing OpenCAFE dependencies
17:22:12 <ccneill> I think we've mostly got the finding/issue/defect/whatever schema figured out at this point
17:22:27 <tmcpeak> sweet
17:22:28 <ccneill> https://github.com/cneill/syntribos-schema
17:22:36 <ccneill> for anyone who's curious
17:22:38 <ccneill> sorry
17:22:40 <ccneill> #link https://github.com/cneill/syntribos-schema
17:23:10 <tmcpeak> yea looks reasonable
17:23:18 <michaelxin> That should cover what we are working on.
17:23:33 <ccneill> yep, we'll be rejoined by Rahul in a few weeks after training
17:23:36 <ccneill> so just mdong and I for the moment
17:23:56 <tmcpeak> still seems like you guys are flying through the work
17:24:00 <mdong> there’s a few places where it’s low hanging fruit to remove OpenCAFE, ccneill and rahulunair have ben working on that
17:24:22 <michaelxin> I want to talk a little more about the broken API that we talked last week
17:24:27 <ccneill> yep, removed OpenCAFE's custom TestSuite class, but it looks like other deps may take a little more work
17:24:47 <michaelxin> We want to use the broken API as a test bed for Syntribos
17:25:01 <michaelxin> What's your take on this?
17:25:08 <tmcpeak> makes perfect sense
17:25:34 <tmcpeak> are you planning to build up broken API as you go or write a lot of it and then build of Syntribos to detect?
17:25:52 <michaelxin> We already have one
17:26:01 <tmcpeak> no I know
17:26:06 <ccneill> we'll probably focus on Syntribos first
17:26:07 <tmcpeak> I assume you'll keep adding to it?
17:26:17 <michaelxin> We are thinking about adding defects while we are moving along
17:26:23 <elmiko> i would love to see an overlap of broken api and machine learning to predict bad behaviors
17:26:29 <ccneill> we need to robustify some of our tests before it'll be ready to reliably detect weird edge cases and stuff
17:26:31 <tmcpeak> ideally you'd have different developers work on the broken API and Syntribos so you aren't fitting Syntribos to the broken API
17:26:34 <tmcpeak> but that might not be practical
17:26:36 <ccneill> but it'll probably be some back-and-forth
17:26:44 <elmiko> tmcpeak: +1 to different devs
17:26:53 <ccneill> tmcpeak: true
17:27:01 <ccneill> so far mvaldes is our lead on the broken API
17:27:25 <michaelxin> https://github.com/mattvaldes/vulnerable-api/
17:27:25 <ccneill> so not exactly a huge barrier between the two projects, but at least we're not literally copying/pasting or anything haha
17:27:54 <elmiko> nice
17:28:16 <michaelxin> Will OpenStack accept it as a project in the future?
17:28:26 <tmcpeak> it should
17:28:30 <michaelxin> Or does it make sense to make it a OWASP project?
17:28:39 <tmcpeak> don't mature security projects automatically get brought in?
17:28:58 <michaelxin> We have talked with OWASP and they showed strong interest.
17:28:59 <elmiko> not sure, i think we still need to propose their addition to the openstack tent
17:29:04 <ccneill> michaelxin: just thought of something. vulnerable API could be used for BOTH syntribos + bandit
17:29:10 <tmcpeak> michaelxin: up to you guys really
17:29:24 <michaelxin> The problem is that it is not mature enough yet.
17:29:30 <tmcpeak> ccneill: it would make a good demo
17:29:32 <michaelxin> ccneill: That's a good point.
17:29:34 <tmcpeak> for Bandit that is
17:29:47 <ccneill> <3 dat synergy
17:29:49 <michaelxin> Thanks all.
17:29:56 <tmcpeak> lol
17:30:11 <michaelxin> That's all for Syntribos and broken API
17:30:15 <tmcpeak> cool
17:30:21 <tmcpeak> thanks RAXers
17:30:22 <michaelxin> Time to think a cool name again
17:30:25 <tmcpeak> looking to be a cool tool
17:30:34 <tmcpeak> #topic Summit Planning
17:30:42 <tmcpeak> sdake: you around?
17:31:46 <tmcpeak> seems not :D
17:32:15 <tmcpeak> so I wanted to see how we're coming on the threat analysis sessions but given that sdake and hyakuhei are both not here let's punt
17:32:24 <elmiko> fair
17:32:27 <tmcpeak> anything else anybody wants to say for summit planning?
17:32:28 <sdake> tmcpeak yo
17:32:32 <tmcpeak> ahh there he is
17:32:35 <tmcpeak> he? she?
17:32:39 <tmcpeak> there it is
17:32:40 <sdake> tmcpeak he :)
17:32:46 <tmcpeak> haha ok cool
17:32:47 <tmcpeak> there he is
17:32:55 <sdake> tmcpeak so ta - our plan is still in place to have cross project and 1 koll asummit session on ta
17:33:05 <sdake> kolla deadline pushed to 15th, after that i work on diagrams for  ta
17:33:11 <tmcpeak> ok cool, we get anywhere with setting up those sessions?
17:33:17 <tmcpeak> sdake: fair enough
17:33:31 <sdake> tmcpeak kolla's session is set, i submitted the cp session for review by the tc
17:33:35 <sdake> i am certain it will be accepted
17:33:41 <sdake> but its possible it may not be
17:33:43 <tmcpeak> awesome
17:33:58 <sdake> that will be on tuesday
17:33:58 <sdake> hui* will lead it
17:34:02 <tmcpeak> allright finger crossies
17:34:03 <sdake> i am just a facilitator ;)
17:34:12 <tmcpeak> cool seems reasonable
17:34:14 <michaelxin> +1
17:34:27 <tmcpeak> cool, that's all I wanted to check on summit
17:34:38 <sdake> thanks and o/ sorry i'm late ;)
17:34:42 <tmcpeak> I'm skipping publicity for now since I don't think anybody has done or is doing anything
17:34:42 <michaelxin> which project will we do TM?
17:34:44 <sdake> completely skipped my mind
17:34:45 <tmcpeak> thanks sdake
17:34:48 <tmcpeak> michaelxin: kolla
17:34:56 <michaelxin> tmcpeak: Thanks.
17:35:02 <tmcpeak> #topic OSSN
17:35:13 <elmiko> i started researching the mongo one
17:35:19 <tmcpeak> hyakuhei is working on an embargoed one
17:35:21 <tmcpeak> elmiko: sweet
17:35:33 <elmiko> but, some internal stuff started heating up and i wasn't able to start writing it yet :/
17:35:55 <tmcpeak> looks like michaelxin is assigned on that one
17:35:56 <michaelxin> elmiko: you already started?
17:36:04 <michaelxin> I just signed up today.
17:36:12 <elmiko> michaelxin: just research, if you have a good handle on it, go for it
17:36:13 <michaelxin> I will not fight elmiko for this.
17:36:21 <elmiko> no no, it's fine
17:36:36 <tmcpeak> lol
17:36:36 <elmiko> i'm out next week anyways, so probably best if someone can work on it
17:36:36 <michaelxin> elmiko: Cool, I will take on this one.
17:36:41 <tmcpeak> sweet
17:36:44 <elmiko> great, thanks michaelxin !
17:36:55 <michaelxin> elmiko: anytime
17:37:34 <michaelxin> The only remaining issue is that we do not know whether it impacted other versions.
17:37:46 <elmiko> yea
17:37:47 <michaelxin> Rob asked them did not get answer.
17:37:51 <michaelxin> I asked them again.
17:37:53 <elmiko> and other dbs too
17:38:17 <michaelxin> Once we have all infos, I can start working on it.
17:38:25 <michaelxin> elmiko: good point
17:38:41 <tmcpeak> cool
17:38:45 <elmiko> it seemed like they tried to limit the issue to mongo production stuff, the other dbs seemed like experimental
17:38:58 <tmcpeak> dave-mccowan: you working on this one still? https://bugs.launchpad.net/ossn/+bug/1523646
17:38:59 <openstack> Launchpad bug 1523646 in OpenStack Security Notes "Nova/Cinder Key Manager for Barbican Uses Stale Cache" [Medium,Confirmed] - Assigned to Dave McCowan (dave-mccowan)
17:40:09 <tmcpeak> allright we can follow up more next week
17:40:11 <tmcpeak> thanks for the work on those
17:40:15 <tmcpeak> #topic Blog
17:40:21 <tmcpeak> sicarie: you've been working on stuff, yeah
17:40:22 <tmcpeak> ?
17:40:53 <dave-mccowan> tmcpeak https://review.openstack.org/#/c/267800/
17:41:21 <tmcpeak> elmiko dave-mccowan: ok, what do we need to unblock here?
17:41:27 <dave-mccowan> i'll update the patch description to mention the bug id, that's why it's not linked.
17:41:38 <tmcpeak> looks like cosmetic changes
17:41:49 <elmiko> i think we just need to figure out how we will handle project names
17:41:52 <tmcpeak> so it's in good shape
17:41:58 <sicarie> sorry, was multitasking
17:42:06 <elmiko> since rob went with capitalized for his, i'm ok with doing that on 0063
17:42:06 <sicarie> yes, I have two blog posts pending
17:42:15 <sicarie> one is a blurb about image signing
17:42:20 <elmiko> i'll take another look at that
17:42:26 <tmcpeak> lol, everybody woke up at once
17:42:33 <sicarie> the other will probably take quite a bit more work - i just threw up a rough draft
17:42:34 <tmcpeak> ok so first note
17:42:35 <sicarie> https://github.com/openstack-security/openstack-security.github.io/pulls
17:42:39 <tmcpeak> small changes and then this  is done
17:43:11 <elmiko> dave-mccowan: minor spelling/grammer stuff aside, let's just go with capitalized project names
17:43:16 <elmiko> i'll add a comment to the reivew
17:43:20 <tmcpeak> sicarie: this looks good
17:43:50 <sicarie> Yeah, the shorter one should be pretty ready
17:44:01 <michaelxin> +1
17:44:08 <michaelxin> good job
17:44:13 <sicarie> the other one i was actually thinking about refactoring and looking at "traditional" vs something like an embedded team model
17:44:28 <sicarie> but yeah, please comment/nit/anything
17:45:11 <tmcpeak> sweet
17:45:29 <tmcpeak> so please have a look at sicarie's blog post if you get a chance
17:45:33 <tmcpeak> posts
17:45:36 <tmcpeak> #topic AOB
17:45:41 <tmcpeak> anything else? might wrap early today
17:45:49 <elmiko> those posts are pull requests in github currently?
17:46:00 <sicarie> yes
17:46:07 <elmiko> thanks!
17:47:05 <tmcpeak> allright well if nothing else let's roll it
17:47:09 <tmcpeak> #endmeeting