17:00:06 #startmeeting security
17:00:07 Meeting started Thu May 26 17:00:06 2016 UTC and is due to finish in 60 minutes. The chair is elmiko. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:09 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:12 hi
17:00:12 The meeting name has been set to 'security'
17:00:15 o/
17:00:20 #link https://etherpad.openstack.org/p/security-agenda
17:00:26 hows it going elmiko
17:00:27 o/
17:00:32 o/
17:00:33 not bad, how you been tkelsey ?
17:00:45 yeah not too bad thanks
17:00:50 cheers =)
17:00:54 hello
17:01:11 o/
17:01:23 hello rhallisey
17:01:28 hi *
17:01:31 i'll give folks a minute or two to filter in
17:02:12 ok, let's roll!
17:02:16 #topic Anchor
17:02:18 #link https://review.openstack.org/#/q/anchor+status:open,n,z
17:02:31 o/
17:02:35 tkelsey, anything here?
17:02:38 o/
17:02:43 * elmiko doesn't see dg_
17:02:57 link should be https://review.openstack.org/#/q/openstack/anchor+status:open,n,z I think
17:03:13 thanks, i'll update
17:03:16 #undo
17:03:17 Removing item from minutes:
17:03:20 elmiko: nothing on my radar. I'll poke dg_
17:03:21 #link https://review.openstack.org/#/q/openstack/anchor+status:open,n,z
17:03:57 thanks
17:04:05 lol I like that the openstack bot returns the memory address for the link
17:04:13 ohh python
17:04:16 heh, yea, pretty cute
17:04:17 ROFL
17:04:27 o/
17:04:30 someone needs to add a str() :P
17:04:36 ;)
17:04:50 gee
17:05:03 we'll circle back to anchor when dg is available
17:05:06 #Bandit
17:05:07 cool
17:05:14 #link https://review.openstack.org/#/q/bandit+status:open,n,z
17:05:23 so, same again here really, kinda quiet
17:05:26 tkelsey, tmcpeak what's up?
17:05:28 hehe
17:05:32 easy week ;)
17:05:42 also link is https://review.openstack.org/#/q/openstack/bandit+status:open,n,z :P
17:05:52 man... wtf is with these links...
17:05:55 #undo
17:05:56 Removing item from minutes:
17:06:02 #link https://review.openstack.org/#/q/openstack/bandit+status:open,n,z
17:06:03 before long weekend
17:06:03 at least in my browser lol
17:06:25 heh michaelxin yeah :) guess so
17:06:28 i'm just pulling these from the agenda page
17:06:29 sorry alls, away
17:06:44 later tmcpeak
17:06:45 no worries
17:06:51 #topic Syntribos
17:06:58 #link https://review.openstack.org/#/q/status:open+project:openstack/syntribos,n,z
17:06:59 tmcpeak: bye
17:07:05 mdong, michaelxin, ccneill what's up?
17:07:22 still testing against mvaldes' vulnerable API
17:07:24 (and hopefully that link is correct)
17:07:35 ccneill: mdong: rahul vinay
17:07:40 link LGTM ;)
17:07:53 we've made a first pass taking a deep dive on each of our existing tests
17:08:06 in general, they're a lot less noisy now
17:08:15 we have a design meeting tomorrow where we're planning to discuss 1) our lessons learned from testing the vulnerable API, and 2) our plan for removing OpenCAFE
17:08:27 https://etherpad.openstack.org/p/syntribos-design
17:08:29 er
17:08:31 #link https://etherpad.openstack.org/p/syntribos-design
17:08:33 :P
17:08:41 if anyone wants to keep up with topics that we're thinking about
17:09:18 we're basically trying to get a baseline to see if our most basic tests are useful, and we'll try to collect some good data to get an idea of how effective we are at this point
17:09:39 cool, sounds good
17:09:44 and then we have some ideas for how to get fewer false positives, make test writing easier, etc. so that we can come up with some more exotic tests
17:09:51 and we'll compare
17:09:53 ccneill: Would you please share the link for our weekly meeting?
17:10:07 sure, sec
17:10:14 #link https://etherpad.openstack.org/p/syntribos-planning
17:10:25 boom, mdong beat me to it
17:10:59 does syntribos have separate meetings?
17:11:10 one other thing, I wrote a little script yesterday to generate weekly "status reports" from OpenStack projects
17:11:12 https://github.com/cneill/OS-PPP
17:11:14 :D
17:11:25 nice
17:11:40 we have our own internal meetings, but Charles updates the minutes from those on that etherpad
17:11:56 yeah, since we're working with the Intel folks in OSIC, we need a public place to put our docs
17:11:58 ccneill: your beard is much less epic in your github profile pic ;)
17:12:00 browne: Yes.
17:12:07 so pretty much everything is in the open
17:12:22 haha elmiko I definitely need a better picture in my Github profile..
17:12:34 you look so.... respectable ;P
17:12:46 haha
17:12:51 elmiko: +1
17:12:52 wouldn't want anyone getting THAT idea, now would we
17:12:56 haha
17:13:02 definitely not
17:13:18 ok, sorry for the diversion
17:13:19 I think that's it for syntribos. hopefully we'll have some stats for the next OSSP meeting
17:13:25 great!
17:13:36 #topic OSSN
17:13:39 #link https://review.openstack.org/#/q/status:open+project:openstack/security-doc,n,z
17:13:49 hmm, no nkinder around
17:14:00 anyone have comments on the OSSN status?
17:14:07 i know we have one in flight (0065?)
17:14:18 need moar reviews :)
17:14:19 er 0063 sorry
17:14:27 I will send code review for mine this week.
17:14:30 Sorry for the delay.
17:14:33 #link https://review.openstack.org/#/c/267800/
17:14:38 #info needs more reviews
17:14:45 #undo
17:14:46 Removing item from minutes:
17:14:50 seriously, if someone take a peek at rate-limiting (0068) would be nice
17:14:57 #info OSSN-0063 needs more reviews
17:15:06 #info OSSN-0068 needs more reviews
17:15:10 thanks lhinds
17:15:44 lhinds: got a link for that review, i'm not seeing it in my gerrit folder
17:16:00 just a sec..
17:16:47 #link https://review.openstack.org/#/c/313896/
17:16:53 awesome, thanks!
17:17:06 ok back
17:17:10 you guys get this security stuff sorted out?
17:17:10 wb =)
17:17:16 we're working on it ;)
17:17:29 awesome, Rob would be so proud
17:17:33 \o/
17:17:43 anything else for OSSN?
17:18:13 #topic Midcycle
17:18:26 #link https://etherpad.openstack.org/p/barbican-security-midcycle-N
17:18:39 this topic may be kinda light with hyakuhei around
17:18:49 well our attendance looks light
17:18:58 any comments about the dual barbican-ossp midcycle?
17:18:59 where's the cool security people at?
17:19:02 elmiko, still working on getting rooms IBM@Austin. seems unlikely
17:19:04 we have a grand total of 6
17:19:13 diazjf: unlikely?
17:19:17 diazjf: that's a bummer =(
17:19:19 diazjf: oh, why?
17:19:35 tmcpeak: sadly, it's very unlikely i can attend
17:19:48 elmiko: nooooooooooooo
17:19:49 unacceptable
17:19:55 tmcpeak, Yeah my team doesn't have a good budget :(. I'm still trying to figure some things out, maybe we can host it at Rackspace@Austin
17:19:55 i know, i know...
17:20:18 i think i won't be able to make this one. had a vacay planned for that week
17:20:40 noooo
17:20:42 we're falling apart
17:20:49 bknudson is probably out too :(
17:20:57 :(
17:21:01 Rackspace @Austin might be challenging
17:21:03 the band is breaking up :(
17:21:14 soon we'll all be releasing solo albums
17:21:14 ouch
17:21:16 :P
17:21:17 lol
17:21:24 due to limit of conference rooms
17:21:44 michaelxin: we might be able to get the rally room
17:21:45 if we want to do it together with Barbican team.
17:21:52 it's going to be Rob, the Rax guys, and me in a conference room in Houston or something lol
17:22:01 michaelxin: but that's pretty much the only room we could realistically use for a pretty big meeting
17:22:18 Yeah I'm hoping I can book a room and say everyone has a gluten allergy so we don't have to get catering lol
17:22:18 Swift team is also wanting to do their mid-cycle
17:22:32 diazjf: haha
17:22:45 They might want do it in the castle.
17:23:00 midcycle on rainey street?
17:23:05 just a thought
17:23:06 ^ +100
17:23:13 ccneill: We need to check it.
17:23:18 michaelxin, yeah the castle seems like the most realistic scenario...
17:23:34 diazjf: yes.
17:23:44 let's book out that moonshine place for the week
17:23:50 haha, sweet!
17:23:52 ^ also +100
17:24:06 diazjf: Are you sure that you guys will not do it?
17:24:26 If yes, I need to follow up with my leaders to talk about budgets.
17:24:37 do we have a lot of folks who would have to drive to SA from Austin/elsewhere? or is everyone pretty much flying?
17:24:37 michaelxin not 100% sure, but we are having problems with funding. I need to talk to some other teams to help out like bluebox, etc.
17:25:04 Can you let me know the decision asap
17:25:07 diazjf: talk with Rob, he can usually make it rain
17:25:07 I don't mind making the drive, but I don't know where we have greater critical mass
17:25:39 tmcpeak: haha
17:25:41 good one
17:25:56 tmcpeak, michaelxin, lets talk next week. I can try and get you an answer by then
17:26:06 diazjf: cool
17:26:15 diazjf: Thanks for working on this.
17:26:19 I know it is not easy.
17:26:26 cool
17:26:30 we may have to do it at my apartment lol
17:26:37 ha!
17:26:43 hope you guys aren't allergic to dogs
17:26:46 SWIFT/Barbican/Security mid-cycle?
17:26:52 it will be awesome
17:26:56 <3 dogs
17:26:59 midsummit
17:27:00 lol
17:27:19 well, the good news is that this should all go away next year with the new schedule
17:27:21 I want to do it in UK
17:27:22 if only they had bars that were just covered in whiteboards and ethernet jacks
17:27:39 for any who haven't seen it, https://www.openstack.org/blog/2016/05/faq-evolving-the-openstack-design-summit/
17:28:22 the rumors become truth
17:28:52 ok, anything else about the midcycle?
17:29:13 elmiko: you must come
17:29:15 :-)
17:29:34 =)
17:29:40 #topic Publicity
17:29:43 #link https://etherpad.openstack.org/p/security-raising-profile
17:29:49 tmcpeak: anything to discuss here?
17:29:53 nopes
17:29:58 I've been a bad pitchman lately
17:30:13 anyone else have news about conferences or talks they are giving related to OSSP?
17:30:24 bad pitchman, no donut!
17:31:13 Maybe OT, but what about the mid-cycle? Any news?
17:31:26 no worries, we just talked about midcycle
17:31:52 plans are forming around an austin/san antonio midcycle
17:32:00 splendid.. dates?
17:32:05 we are still trying to arrange the space, and preferably would be done with barbican
17:32:14 https://etherpad.openstack.org/p/barbican-security-midcycle-N
17:32:22 Ta
17:32:26 all info is there =)
17:32:46 #topic Docs
17:32:54 #link https://review.openstack.org/#/q/status:open+project:openstack/security-doc,n,z
17:33:03 hmm, don't see sicarie
17:33:14 it's been very slow on the docs front, from my perspective
17:33:22 nothing much to report for the last week
17:33:50 #topic Blog
17:33:54 #link https://github.com/openstack-security/openstack-security.github.io
17:34:05 tmcpeak, anything of note here?
17:34:14 nopes
17:34:15 i know we've had a few more articles go up, which is nice
17:35:14 yeah, good traction over there
17:35:19 #topic Threat Analysis
17:35:33 i saw this on the ml,
17:35:36 #link http://lists.openstack.org/pipermail/openstack-dev/2016-May/095796.html
17:35:49 sounds like we need to help finish the job that was started at summit
17:36:00 sadly, both Rob and Doug aren't in at the moment
17:36:21 FWIW, i've recently been playing with kolla
17:36:39 and?
17:36:40 nice, good project, friendly team
17:36:47 it is actually pretty awesome. :)
17:36:59 I hope to write some notes up.
17:37:17 anyone else here who was involved with the TA at summit?
17:38:11 ok, not much to yet then
17:38:20 s/to yet/to do yet/
17:38:25 #topic AOB
17:38:35 anything else to discuss?
17:38:48 i had a topic
17:39:17 seems ubuntu 14.04's python is 2.7.6 which doesn't support TLS 1.1/1.2
17:39:32 forgot to mention, thanks for the CR on syntribos yesterday browne :) it was a good catch
17:39:43 browne: that's really weird
17:39:46 yet, all of openstack's CIs use it and believe its still recommended
17:40:02 browne: I think I've run into that on my local linux box.. it's a real pain in the butt
17:40:07 yeah, ubuntu has no patch for it either. you have to upgrade to 16.04
17:40:18 hmm, is there an action we can take to inform the community or something?
17:40:40 but matters for openstack since most shops to comply with PCI-DSS are locking down servers to 1.1/1.2
17:41:09 do we need to reach out to infra about changing the image on CI to 16.04?
17:41:11 Active Directory/LDAP being one. so keystone gets affected. and any other service that needs to talk with newer TLS
17:41:30 or maybe talk with vmt about this?
17:41:31 elmiko: i think so
17:41:55 browne: do you want to bring it up on ML?
17:41:57 i'm not really sure where to go. just want to get the awareness out. maybe ML
17:42:06 ok will do
17:42:10 awesome!
17:42:33 #action browne send email to ML about python 2.7.6 in ubuntu 14.04 and lack of TLS 1.1/1.2 support
17:42:49 thanks browne
17:43:06 anything else?
17:43:08 np
17:43:23 thanks elmiko!
17:43:30 I'm just gonna +1 renting out Moonshine again ;)
17:43:35 lol
17:43:35 haha
17:43:37 nice
17:43:38 thanks
17:43:54 i propose we take back 15 minutes of the day, unless someone objects?
17:43:58 +1
17:44:06 +1
17:44:12 +2
17:44:14 SOLD!
17:44:20 MERGED
17:44:21 thanks everybody
17:44:24 thanks!
17:44:24 #endmeeting