17:00:00 #startmeeting security
17:00:00 Meeting started Thu Jun 9 17:00:00 2016 UTC and is due to finish in 60 minutes. The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:02 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:04 The meeting name has been set to 'security'
17:00:06 #chair elmiko
17:00:06 Current chairs: elmiko tmcpeak
17:00:08 o/
17:00:11 #link https://etherpad.openstack.org/p/security-agenda
17:00:16 good morning/afternoon everybody
17:00:20 hey!
17:00:22 o/
17:00:25 hyakuhei is out living the dream somewhere so he won't make it today
17:00:28 o/
17:00:29 o/
17:00:33 o/
17:00:37 we'll give a couple of minutes for folks to show up and then roll on with the agenda in the Etherpad
17:00:40 dg__ sends his regards, he will try to be along shortly
17:00:51 sicarie: ack
17:01:34 alright, let's get started
17:01:37 #topic Anchor
17:01:51 anything new here? have we reached steady state or still have roadmap items?
17:02:01 tkelsey: this is for you :)
17:02:05 o/
17:02:07 o/
17:02:14 o/
17:02:25 alright, nice attendance today
17:02:31 tmcpeak: well I have a backport patch for bandit 1.0.1 in mitaka
17:02:53 tkelsey: Bandit or Anchor?
17:02:59 babdit
17:03:03 oh cool
17:03:04 *bandit
17:03:13 let's go on to that then if there isn't anything on Anchor
17:03:24 I have seen some Bandit activity
17:03:29 #topic Bandit
17:03:34 tkelsey: so what's that about tkelsey?
17:04:07 mitaka stable has pre 1.0 bandit in req's
17:04:22 ahh ok cool
17:04:27 #link https://review.openstack.org/#/c/327135/
17:04:28 so just bump it in global-req?
17:04:31 yup
17:04:47 cool
17:04:51 browne has added a nice man page as well
17:05:02 ha yep
17:05:03 yeah browne has a couple of things it looks like
17:05:42 I guess at some point we should circle back on if there is anything left we really want to do for Bandit and decide if we plan to do any of the state tracking stuff or not
17:06:04 we still also have a bunch of work to do to get projects using Bandit
17:06:13 yeah we should work out a new roadmap since I think we basically got where we wanted to be with 1.0
17:06:16 would be a nice thing to tackle at the midcycle
17:06:18 yeah, reviews from other projects have been slow
17:06:31 browne: +1
17:06:35 +1
17:07:17 one way forward would be to do that thing where security joins other project's meetings and introduces what we propose and how it will help
17:07:37 we could chop up the projects and try to attend one or two each week, etc
17:07:43 +1 seems reasonable
17:07:51 sounds good
17:08:15 I think we have a etherpad from the summit where we listed projects and their current Bandit status
17:08:23 link?
17:08:29 trying to find it
17:08:47 lost to my browser history :(
17:08:48 o/
17:08:52 hi dg___
17:08:54 hey dguryanov2
17:08:59 nope dg___
17:08:59 lol
17:09:06 tab fail
17:09:20 lol yup
17:09:27 i type good! :p
17:09:28 I'm surprised that doesn't happen more with ~400 people in here
17:09:32 #link let's use this: https://etherpad.openstack.org/p/bandit-project-status
17:09:35 #link https://etherpad.openstack.org/p/bandit-project-status
17:09:41 I don't think I used the link command correctly :P
17:09:51 tmcpeak: https://etherpad.openstack.org/p/bandit-worksession ?
17:10:04 elmiko: you are a hero
17:10:11 ^5
17:10:20 +1
17:10:39 realistically I won't have as much time for this as I'd hope for a bit
17:10:52 this might have to wait until midcycle or something
17:10:58 maybe I'll get inspired on vacation :P
17:10:59 i know the feeling ;)
17:11:16 anyways, I think we need to start doing more of that
17:11:23 anything else for Bandit?
17:11:23 +1
17:11:30 nothing from me
17:11:43 cool, fair enough
17:11:45 #topic Syntribos
17:11:51 kewl
17:12:12 so we're still working through some architectural questions
17:12:26 https://etherpad.openstack.org/p/syntribos-signals
17:12:45 we're collecting questions/feedback on different approaches here, and will regroup on signals tomorrow
17:12:53 we're also regrouping on the vAPI and the results we've gotten from it tomorrow
17:13:18 "slug"
17:13:22 unrahul has pointed out that the results aren't very actionable today, so if we don't cover it tomorrow, we'll be discussing reporting very soon
17:13:33 browne: added a man page for us https://review.openstack.org/#/c/327305/1, thanks michaelxin ccneill mdong vinaypotluri can you guys take a look at this and give your review..
17:13:57 browne - the keeper of the docs :)
17:14:00 we’re thinking through different ways to write tests, ccneill has a commit on github to prototype what that might look like
17:14:02 right, so the tl;dr is this: we want for Syntribos to look at a series of "signals" that are just pieces of information (e.g. "500 status code" or "connection failed" or "this bad string is present")
17:14:03 #link https://github.com/cneill/syntribos/tree/http_signal2
17:14:28 and create issues from those signals, with our confidence determined by the signals we get back
17:14:59 e.g. a 500 + a bad error string + a long response time = high confidence in a command execution attempt for doing ;sleep 10
17:15:10 makes sense
17:15:10 we are trying out the ccneill version of writing tests using signals, the idea is to make tests more robust and in a way smart, thus making it *easier* for the end user to extend and write more tests
17:15:29 browne: thanks for working on that manpage. I hadn't even thought about writing that
17:15:44 np
17:15:54 browne: as unrahul said in his comment though, things are kind of in flux for us at the moment, so we may need to regroup once we have a better idea of the setup process / final command line options
17:16:14 it's very much based on the CAFE paradigm right now
17:16:30 ok, no rush
17:16:37 luckily, our main CAFE contact is back from leave, so we'll be meeting with him soon to discuss our plans for ripping it out
17:16:44 probably next week or so
17:16:57 that will probably inform our discussion of config options, installation, etc.
17:17:33 if anyone wants an idea of what "signals" we're thinking about
17:17:35 #link https://gist.github.com/cneill/9526cd2fcfbe88696b039c1509c4d55f
17:17:40 I've started putting together a list here
17:17:48 if you have any suggestions, let us know in the comments, or in IRC
17:17:56 it's not a complete list at this point - still working on that
17:18:03 whew. I think that's it for us :)
17:18:25 great, lots of good work on this project
17:18:37 I expect there will be a lot of Syntribos hacking at the midcycle
17:18:42 :D I hope so
17:18:45 #topic OSSN
17:19:00 we had a couple last week we were going to try to get finished
17:19:46 I don't remember the link for the open security doc reviews
17:19:49 sicarie: you have it?
17:19:51 I cleaned up some nits, and will push nginx config for OSSN-0068 before the week is out
17:20:09 I just need to sanity check the nginx rate limit stuff works
17:20:20 uhhh
17:20:24 docs or ossns?
17:20:34 they're both in the same repo
17:20:44 so open reviews should be the same
17:20:51 #link https://review.openstack.org/#/c/313896/
17:20:53 lhinds: awesome!
17:21:06 lhinds: you blocked anywhere?
17:21:27 tmcpeak: it's cool, I just need to add something for nginx as well
17:21:32 and the full one is
17:21:34 #link: https://review.openstack.org/#/q/is:watched+project:openstack/security-doc+is:open
17:21:37 lhinds: looks like Jenkins killed you
17:21:42 sicarie: thanks, that's the one
17:21:56 tmcpeak: that is the config files going over 72 chars
17:21:59 #link https://review.openstack.org/#/q/project:openstack/security-doc+is:open
17:22:08 gotta take out the is-watched filter :)
17:22:15 tmcpeak: sort of unavoidable
17:22:25 this is good, this means that dave-mccowan's merged, yeah?
17:22:43 https://review.openstack.org/#/c/267800/
17:22:49 review.o says yes
17:23:29 dave-mccowan: around?
17:23:52 o/
17:24:01 ok so we need to get the published note on the wiki
17:24:11 and we need to send a notification to a ML, don't remember which
17:24:14 nkinder has been doing this
17:24:20 announce?
17:25:02 checking with him in #openstack-security if he can still do these things
17:25:26 and lhinds let us know when you're ready and we'll get eyeballs on your note
17:25:35 thank you lhinds and dave-mccowan for taking the time to write them
17:26:07 I know we were going to work on parseable format too, but unless anybody is teeming with excitement to get that going I realistically don't see it happening prior to midcycle
17:26:27 tmcpeak: thanks for the opportunity
17:26:39 ps. any reviews needed, just add me too.
17:26:47 lhinds: thanks!
17:27:01 alright, let's move to midcycle
17:27:06 #link https://etherpad.openstack.org/p/barbican-security-midcycle-N
17:27:20 I think Rob was going to work on budget and scoring a room, but since he isn't here we can't speak to that
17:27:39 our attendance numbers are looking lower than they have been in the past
17:28:06 good midcycle work is honestly one of the things that has kept OSSP productive
17:28:19 I'd like to keep as much participation as possible but I know travel budget and schedules can be tough
17:28:51 anybody on the fence and want a motivational speech? :P
17:29:25 tmcpeak: looking forward to making it this time :)
17:29:28 i'm always up for a pep talk ;)
17:29:33 ccneill: will be great to have you
17:29:39 especially since it sounds like it's happening in Austin this go-around
17:29:57 elmiko: the time is now, to make security history. Only you have the power to make the internets safe for all the childrens
17:30:00 how am I doing?
17:30:09 * elmiko swoons
17:30:13 lol
17:30:17 hehe
17:30:27 anyway hopefully we can get more registered and participating
17:30:37 I'm skipping publicity...
17:30:39 #topic Docs
17:30:44 sicarie, elmiko
17:30:46 i could potentially participate remotely like elmiko
17:30:53 browne: we'll take it :)
17:30:56 not much going on in docs land
17:31:03 I jumped on the bugs earlier today
17:31:04 things have been extra slow on the docs front
17:31:04 everybody is saving their money for Barcelona, huh?
17:31:08 ping’d a few people
17:31:16 I’m going to push at least one next week to keep things moving
17:31:25 really very little
17:31:27 sicarie: are we still holding the monday meetings?
17:31:37 it's been quiet the last few weeks
17:31:43 pdesai is out of OpenStack now too huh?
17:31:50 tmcpeak: think so
17:31:55 ah, my bad, i got migrated to o365 and it messed with my calendar
17:31:58 or at least, on other stuff
17:32:10 sicarie: no worries, it's been just you and me anyways
17:32:13 elmiko: i’ll ping you offline
17:32:15 lol
17:32:26 sicarie: sounds good
17:32:43 alright guys, it might be a good time to discuss what we want to prioritize with lower participation I'm seeing
17:32:51 so the security guide is very good and mature
17:32:56 needless to say, i think we could use a few more warm bodies on docs. i know, this is a common openstack issue
17:32:59 realistically how much work is required to keep it current?
17:33:11 quite a bit, actually
17:33:14 yeah
17:33:16 I was afraid of that
17:33:17 the neutron chapter hasn’t been updated in a while
17:33:23 that really needs some work
17:33:46 I’ve been trying to keep up with some of the others, but a few of them are too project-specific for me to realistically handle
17:34:12 we really need a ‘rootwrap’ section and good best practices around that
17:34:13 any plan for how to keep it current with limited time and having a hard time getting access to the right SMEs?
17:34:25 who even knows about good use of rootwrap?
17:34:31 exactly
17:34:34 lol
17:34:42 bug people in person at midcycles and summits
17:34:52 doesn't sound like that can scale
17:34:53 that usually kicks off a contribution or two
17:34:55 :D
17:35:54 sicarie is spot on
17:35:55 so you guys have more work than you can handle and a very hard time getting access to the right SMEs huh?
17:36:03 pretty much
17:36:05 :\
17:36:30 I assume that both of you are also carving off time from otherwise very busy schedules to work on it too huh?
17:36:32 ideally, we need to increase the potential of CPLs from each team to the docs team
17:36:36 not like the guide is your full time job
17:36:50 yep
17:36:58 unfortunately, docs is so far down on my list that i barely have time to take on issues
17:37:20 i feel like this is something we need to reach out to the greater community to help solve
17:37:28 yeah elmiko i was thinking so too
17:37:39 it's one of our great resources, and something I point people to all the time
17:37:44 i mean, if the TC et al. feel that it is important to have quality security docs, then we need to make noise and have it be a priority
17:37:47 but having out of date security material can in some ways be worse than not having it
17:38:02 exactly
17:38:09 I wonder if we should mark certain sections as "possibly out of date" and reaffirm a commitment to keep certain sections up to date
17:38:31 the security guide is huge and maintaining all of it must be a ton of work
17:38:57 anyway I don't have a good answer for this, just something we should think about
17:39:00 we may also need to come up with some sort of sec-docs tag that can be applied to projects
17:39:11 to help add some stick to projects that want to contribute
17:39:27 we just need help, that's the main message
17:39:28 hah projects are bad enough at keeping their own projects up to date
17:39:33 right
17:39:34 *own docs I mean
17:40:04 alright, well on that note, let's move on
17:40:19 I don't think we have anything new on the blog so..
17:40:23 #topic Threat Analysis
17:40:29 sdake_: around?
17:40:47 hoot
17:40:49 shoot
17:40:57 hoot indeed :)
17:41:09 sdake_: you have that link to the threat analysis change you're proposing?
17:41:13 specifically to create the new repo?
17:41:21 the repo has been created
17:41:28 \o/
17:41:34 sdake_ thanks for sorting that out
17:41:52 +1
17:41:56 although i don't see it on github
17:41:57 which is odd
17:43:03 https://review.openstack.org/#/c/325049/
17:43:17 hmm looks like we went with security-analysis
17:43:19 awesome
17:43:21 not threat-analysis
17:43:37 ahh ok
17:43:37 because this repo will contain other types of analysis that community members provide
17:43:38 that's fine
17:43:43 cool
17:43:44 the way the vmt wording is written is
17:43:55 I'm not massively in love with the term 'threat analysis' anyway
17:43:59 https://review.openstack.org/#/c/300698/
17:44:16 security analysis or security review is far better
17:44:22 dg___: +1
17:44:46 might want to add that project to your watched list
17:44:49 i am going to be making some improvements
17:44:51 like adding reno
17:44:53 and whatnot
17:45:08 thanks sdake
17:45:23 ok cool, so next we need to do some actual analysis
17:45:25 sure happy to help
17:45:29 what are our current plans for moving that forward?
17:45:44 i need the flow diagram hyakuhei did
17:45:47 so we can reproduce that for kolla's snowflakes
17:45:49 rob and I have been super busy with the day jobs, but are aiming to meet up and review progress and a path forward
17:45:51 of which there are 7 or 8
17:45:57 ahh ok cool
17:46:03 pesky day jobs
17:46:17 although they pay better than upstream ;)
17:46:20 #action dg__ progress threat analysis
17:46:27 upstream pays pretty well :)
17:46:30 I will do *something* on it this next week
17:46:39 cool, ok anything else for TA?
17:46:46 dg___ if you can get me the flow diagram hyakuhei did, that would be a good start
17:46:51 so our team can finish the flow diagrams for the other snowflakes
17:46:53 sdake_, dg___: thanks for the work on this
17:47:08 sdake do you mean the sequence diagram?
17:47:16 yup
17:47:25 ok I'll talk to hyakuhei when he is back
17:47:37 #topic AOB
17:47:39 open floor
17:48:30 if you don't come to the midcycle in Austin, you'll miss out on awesome tacos like this: http://s3-media1.fl.yelpcdn.com/bphoto/LRcdHCl52zmMRJb9DND1qw/o.jpg
17:48:33 :P
17:48:41 that does look very good
17:48:48 * elmiko misses Torchy's
17:48:52 also, this
17:48:52 https://franklinbarbecue.com/wp-content/uploads/2012/02/DSC_8825.jpeg
17:48:57 what days are the midcycle
17:49:12 that's actually a great question
17:49:17 nomnomnom
17:49:20 have we figured out the division of days for Barbican and Security?
17:49:47 realistically I can probably only make the security half so it would be good to know what those are
17:50:33 I've added an agenda item for it next week
17:50:49 alright folks, anything else?
17:51:23 * ccneill hears crickets
17:51:43 alright
17:51:47 laters everybody!
17:51:49 #endmeeting