17:00:33 #startmeeting security
17:00:34 Meeting started Thu Jul 7 17:00:33 2016 UTC and is due to finish in 60 minutes. The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:34 o/
17:00:35 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:37 The meeting name has been set to 'security'
17:00:40 o/
17:00:46 o/
17:00:48 #chair hyakuhei
17:00:48 Current chairs: hyakuhei tmcpeak
17:00:51 hi all
17:00:52 #link https://etherpad.openstack.org/p/security-agenda
17:00:52 weee
17:00:59 hey all!
17:01:28 ( ´ ▽ ` )ノ
17:01:34 Tough crowd tmcpeak :P
17:01:53 :D
17:02:23 I might have to duck out early, so I put the two OSSNs in etherpad
17:02:35 * mhayden wanders in
17:02:43 thanks lhinds
17:02:55 awesome, thank you lhinds
17:03:07 np
17:03:09 we've got serious business today… we need to pick a mascot :P
17:03:18 Dude, you added all the authors? wow
17:03:36 lhinds is a beast!
17:03:39 o/
17:03:40 Yeah, let's leave that till towards the end because I see it taking the whole meeting tmcpeak :P
17:03:42 hyakuhei: got to be up early to catch me out :P
17:03:50 haha yeah, does seem rathole worthy
17:03:56 or whatever the saying is (that sounded wrong)
17:04:11 lol I think there’s a few in there where my name is spelled wrong
17:04:20 that sounds like a Taylor Swift jingle lhinds
17:04:21 “Nathan Kinder” is a terrible way to spell my name :P
17:04:30 lol
17:04:31 LGTM, ship it
17:04:38 However this must have taken an epic amount of digging and I’m really thankful to you lhinds
17:04:40 I’ll review
17:04:46 ahh yeah, so some of them may well be wrong, it was hard to know as I could not find the review
17:04:50 should the author have the company they work for now, or when the OSSN was written?
17:04:56 Yeah for sure!
17:05:00 add them to the launchpad and I will amend
17:05:04 hyakuhei: nice work, nathan
17:05:13 browne: probably where they worked at the time
17:05:16 lol
17:05:24 “Author: Unknown”
17:05:26 o/ (sorry I'm late)
17:05:29 We probably need to fix that too hehe
17:05:36 tmcpeak: oh, that'll be harder and probably this patch needs edits then
17:05:41 hyakuhei: the very first one, I think it was heartbleed?
17:05:47 sorry, is there a link to the etherpad that i missed or is this a review?
17:05:48 everybody edit your own then :)
17:05:57 gmurphy: https://review.openstack.org/#/c/337627/1
17:06:03 * gmurphy finds it just then
17:06:14 ok, I got to dash, please amened to launchpad https://bugs.launchpad.net/ossn/+bug/1599064
17:06:15 Launchpad bug 1599064 in OpenStack Security Notes "Add Author to Meta Data of Security Notes" [Undecided,New] - Assigned to Luke Hinds (lhinds)
17:06:17 good stuff lhinds, ++
17:06:18 *amend
17:06:26 cheers lhinds
17:06:31 lhinds: amend or add comments in reviews?
17:06:33 thanks for doing this all!
17:06:40 huge effort, we really appreciate it
17:06:45 hi, I have a question. I am a university student and I configured barbican with cinder and nova for volume encryption. I'm trying to understand how key rotation works but I can't find useful information. Is it possible to rotate the key(s) used to encrypt the volume? How does it work? Can I set a yearly rotation schedule?
17:06:50 I will amend, make a comment in gerrit or lp, I don't mind
17:06:57 Righto
17:07:40 qwebirc57930: You might want to try #openstack-barbican
17:07:45 qwebirc57930: we are holding a meeting for the security project currently, you might want to ask that in openstack-dev or openstack-barbican
17:08:01 elmiko: The enforcer :D
17:08:06 lol!
17:08:14 * elmiko brandishes his axe
17:08:26 "which company did I work for when I wrote note xyz…"
17:09:08 Yeah, I’m not as worried about that
17:09:14 just don't hassle me over the HP / HPE stuff :P
17:09:19 ok, I am gone
17:09:23 * gmurphy will review
17:09:23 haha
17:09:24 oh god I forgot about that mess
17:09:26 later lhinds
17:09:35 forget it, that should all be HPE
17:09:49 the company that is now HP didn't do any OpenStack stuff
17:10:02 also, didn't a bunch of people contribute to some during a midcycle?
17:10:05 maybe just put HP.* ?
17:10:08 do we care about that?
17:10:14 elmiko: lol
17:10:15 lol HP*
17:10:20 HP(E)?
17:10:22 gmurphy: yeah, multiple authors should be listed if applicable
17:10:34 That’s what the review process is for :)
17:10:40 yeah.
17:10:52 It’s in Gerrit, opensource b*tches
17:11:04 ^ Standard OpenStack response to defects.
17:11:11 LOL
17:11:18 elmiko: just use ▭
17:11:29 ok so back to the agenda, let's start from the top #link https://etherpad.openstack.org/p/security-agenda
17:11:39 #topic Syntribos
17:11:46 Any shiny newness this week?
17:11:49 Hey all, I am from the Syntribos team
17:12:16 Hey unrahul !
17:12:24 yup, after our meeting with Nathan, decided on what to opencafe and transition to oslo config/log
17:12:30 hey hyakuhei
17:12:32 https://review.openstack.org/#/c/337938/2/
17:13:07 this CR deals with some of it and we are hoping to remove opencafe dependencies by mid next week
17:13:34 I guess that's the major news we have for this week.
17:14:19 Most of the signals code has been merged to master and finally it's not broken :D
17:14:20 Cool
17:14:30 did you guys see - http://lists.openstack.org/pipermail/openstack-dev/2016-July/098700.html
17:14:34 I know tkelsey took a look at the signals stuff, hopefully that was useful
17:15:12 hmmm. ugly bug gmurphy but these things happen in young projects
17:15:23 yeah.. it was broken till yesterday, we have fixed it, things should work now.. most of it
17:15:33 Excellent!
17:15:38 some of the tests had to be refactored...
17:15:41 thanks hyakuhei !
17:16:02 Thanks gmurphy for the link, I had missed it..
17:16:05 So I learned today that IBM is using Syntribos quite a bit for one of the bigger OpenStack projects we have, it’s wedged into the CI process somewhere.
17:16:14 Thought you guys would like to know
17:16:15 cool. i just wanted to make sure it got picked up
17:16:16 hyakuhei: +1
17:16:21 neat
17:16:21 whoa, that's cool hyakuhei !
17:16:32 awesome
17:16:37 do you have any further info on that..?? curious as to what they think..
17:17:06 let me try to summon one of the guys working with it
17:17:11 I don’t have anything to hand but I’m happy to connect you guys if there’s common ground
17:17:36 one sec, edtubill is on the way
17:17:37 o/
17:17:51 edtubill is one of the folks working with Syntribos
17:17:59 weeee !
17:18:06 unrahul: one of the Syntribos devs, very curious about thoughts using it
17:18:22 it would be really helpful for the project to get early feedback hyakuhei !
17:18:56 Hi, yeah so we have some people who ran Syntribos. I can get feedback from them or have them reach out to you.
17:18:57 thanks tmcpeak, hey edtubill do you have any feedback on the tool..?
17:19:16 yup, that would help us a lot, edtubill
17:19:24 edtubill: that would be awesome, I know when we were working on Bandit we loved feedback like that
17:20:10 cool, I'll let them know. I guess the security irc channel is the best way to reach out?
17:20:20 Probably yeah.
17:20:25 yeah, that sounds good
17:20:30 we are in the security channel,
17:20:35 yup, irc sounds good..
17:20:40 sweet!
17:20:44 cool.
17:20:45 ccneill is leading the project from the tech side
17:20:56 and michaelxin is our manager..
17:21:25 you could just ask them to contact any of us! thanks once again!
17:21:36 np!
17:21:46 sweet
17:21:51 anything else for Syntribos?
17:21:58 Let's move onto… docs?
17:22:02 eh.. nope, that's it for now!
17:22:06 Unless there’s OSSN things
17:22:15 we need reviews for lhinds' note
17:22:19 I don't have doc +2 anymore
17:22:24 one of you guys is going to have to do it
17:22:31 elmiko, hyakuhei, sicarie
17:22:56 ack
17:23:16 the authors one needs a little update from the looks of it, i didn't read the other one yet
17:23:17 I’ll review them this evening hopefully, the authors one will require some digging I’m guessing
17:23:23 yeah
17:23:25 elmiko: same here
17:23:43 cool
17:24:04 #topic Docs
17:24:25 wwwweeeeellllll
17:24:31 imo, we need more docs folks
17:24:43 yuh, big time
17:24:43 +1
17:24:53 +1
17:24:55 my timesuck ends this weekend, so i’ll be back doing docs stuffs
17:24:55 i'm not sure how we do that, but those are the facts
17:25:14 should get a crowd funding effort ;)
17:25:15 sadly, my priorities continue to shift away from openstack :/
17:25:20 tmcpeak++
17:25:30 We need to figure something out, maybe a better way to compartmentalize bits of docs to give people ownership of smaller parts?
17:25:34 elmiko: I'm sure you aren't the only one
17:25:41 i would offer to help but i karn't speel gud
17:25:52 hyakuhei: agreed, that and we need more outreach to the CPLs
17:25:58 gmurphy: spelling not required for docs
17:26:06 ideally, project specialists should be taking on these doc tasks
17:26:06 gmurphy: Google translate does Aus->American->English
17:26:27 elmiko: I don't know if that's realistic though
17:26:37 most projects probably don't have enough time to maintain their own docs, huh?
17:26:40 too bad =(
17:26:58 maybe we can deprecate maintenance on portions of the doc
17:27:24 well, and we had talked in austin about the idea of adding a new governance tag related to security docs. that might help
17:27:41 hmmm. We definitely need to figure something out. elmiko I’m glad you mentioned that
17:27:48 +1
17:28:04 needs more stick, less carrot ;P
17:28:15 +1
17:28:29 with shrinking resources I'm not sure how well stick would work either
17:28:46 human nature is to fudge things that are in their way
17:28:53 Yarp
17:28:56 I suggest reducing scope
17:29:28 that's fair, it just adjusts our end goal
17:29:30 I presume all the docs people are spread thin
17:29:36 most likely
17:29:41 Not just the sec people?
17:29:55 Though IIRC the biggest problem was a lack of SMEs?
17:30:07 yeah
17:30:16 Not easy to fix.
17:30:20 Or the ability to get the SMEs to focus on the problem/aging areas
17:30:34 well even if we had SMEs, do you guys have the time to speak with them, take their input, and write new content based on it?
17:30:47 i will after this weekend
17:31:00 i certainly don't
17:31:01 I think there’s good scope for doing another sprint
17:31:32 at the midcycle you mean?
17:31:33 does anyone have a reading on how the foundation feels about quality security docs?
17:31:34 Targeting the worst 4-5 areas, getting people in the same place to pair-author some stuff potentially
17:31:48 tmcpeak: maybe then, maybe some other time. Might see if the foundation can help with funding.
17:32:02 elmiko: They’re paying more attention to security than ever before
17:32:06 elmiko: yeah, the foundation really wants good security docs AFACT
17:32:08 Which is to say, some.
17:32:10 AFAICT
17:32:34 yeah, apparently when it was being offered in physical copy, the secguide was their best-seller
17:32:43 well, that's good to hear. i would think that the need for more help in this area should be raised to them.
17:32:47 Interesting. Ok.
17:33:30 sicarie: elmiko: I’d like us to draft an email (google docs) to send out describing the state of the security docs, where the bottlenecks are and presenting the community with a couple of proposals for fixing it, let's get something out on -dev at some point
17:33:39 if ownership of certain parts of docs is given to different ppl, I feel that would help us in getting ppl up to speed, so that we don't always need experts to handle it..
17:33:47 Agreed
17:33:47 +1
17:33:48 hyakuhei: ++, excellent idea
17:34:04 and the move away from docbook has to have lowered the bar significantly in terms of jumping in
17:34:13 yep!
17:34:14 oh hell yes
17:34:18 yup!
17:34:26 it presents other problems, but barrier to entry is not one
17:34:36 ok excellent. So we’ve got an action item
17:34:45 Let's move onto the next thing on the agenda
17:35:07 #topic Midcycle
17:35:26 I think we have rooms in Austin at IBM and final dates, yes?
17:35:28 Dates are now confirmed :)
17:35:32 yes and yes
17:35:38 awesome!
17:35:50 sweet
17:36:08 I'll start groveling for funding
17:36:12 for myself I mean
17:36:15 lol
17:36:18 hyakuhei: is chief groveler
17:36:21 :D
17:36:56 :D
17:37:02 might be useful to start working on an agenda
17:37:04 The trick is to grovel upwards
17:37:07 tmcpeak: For sure
17:37:10 to show management how much fun we're going to have
17:37:20 Though I want to unconference again so proposed topics is where it’s at.
17:37:34 +1
17:38:39 cool
17:38:47 next topic?
17:39:07 yupyup
17:39:39 #topic TA
17:39:42 where are we with this?
17:40:12 Right so, we are at a point where we’ve got some docs
17:40:24 and we want the other guys to do more work than us
17:40:32 eh, what is TA?
17:40:38 Largely stalled because of availability issues tbh
17:40:42 you know what it is ;) ;)
17:40:42 Threat Analysis
17:40:44 Doug Chivers hopes to have something better written up before the midcycle.
17:40:45 jk, threat analysis
17:40:58 Guest53547: == dg?
17:40:59 thanks hyakuhei !
17:41:03 = Bryan Stephenson
17:41:09 still learning how to IRC
17:41:14 Don't know how to name myself yet
17:41:26 try /name xyz
17:41:39 thanks
17:41:42 /nick
17:41:44 or maybe /nick
17:41:45 lol
17:41:47 yeah nick
17:41:49 I don't know how to IRC either
17:41:50 yay IRC.
17:41:53 lol
17:41:55 thanks
17:41:59 name and nick don't work
17:42:14 ok cool so the short is, Guest53547 and I have under-delivered on TA.
17:42:20 We’ll try to fix that
17:42:57 ok next up
17:43:07 #topic Mascot
17:43:28 OpenStack wants a more cohesive set of logos for OpenStack projects
17:43:35 and they don’t like us using the OpenStack logo
17:43:45 So they’ve settled on animals
17:43:49 ....
17:43:55 ...
17:43:56 They’ve got a graphic designer who will do the logos for such things
17:44:03 So they’ll all have a similar look and feel
17:44:18 the kicker is that we can't take anybody else's animal
17:44:22 lol
17:44:40 If Bear isn't taken we should take it
17:44:44 so..is there a list of animals that are taken?
17:44:44 honey badger
17:44:52 honey badger ++
17:44:55 dang, elmiko beat me to it
17:44:58 hahaha
17:45:02 lol
17:45:09 tasmanian devil
17:45:10 could steal the blowfish from openbsd.. but i wouldn't want theo chasing us about that..
17:45:22 Right so I knew you’d all get excited about this
17:45:26 gmurphy: yeah, that might be painful lol
17:45:28 The agenda has a list in it.
17:45:35 * gmurphy reads
17:45:36 ok so actually: an animal, fish, plant, or natural feature such as a mountain or waterfall
17:45:38 ATM it’s a list of one
17:45:43 Ah ok
17:45:59 So they hang together by virtue of having a similar look & feel
17:46:13 Feel free to suggest something on the agenda #link https://etherpad.openstack.org/p/security-agenda
17:46:19 and we can vote next week
17:47:01 similar to armadillo, pangolin
17:47:05 better armor, imo
17:47:23 wonder if we could do Fort Knox
17:47:30 that's kind of "natural feature" ish
17:47:32 not
17:47:32 haha, who put lemming?
17:47:40 rofl
17:47:50 ok simmer down. We’ll have a vote etc next week
17:47:50 * sicarie certainly did not do it
17:47:50 so so accurate
17:48:05 #topic AOB
17:48:14 Though I doubt the conversation will move on from animals/features :P
17:49:08 Armadillo is the natural choice: http://www.factzoo.com/sites/all/img/mammals/pangolin-desert.jpg
17:49:10 look at that bad boy
17:49:13 no no, you said simmer down...
17:49:14 very secure
17:49:36 actually that's a pangolin, whatever the hell that is
17:49:46 right, similar to armadillo but better armor ;)
17:49:52 what about a turtle.. because we get things done.. eventually…
17:49:57 haha
17:49:58 LOOL
17:50:11 or an ostrich with its head buried in the sand?
17:50:17 hah
17:50:21 oh man
17:50:23 lol
17:50:26 sloth
17:50:44 what's keystone doing?
17:51:10 and can we submit ours *right* before they do?
17:51:17 hehe
17:51:18 * sicarie is just kidding … kind of
17:51:23 this Pangolin looks legit
17:51:29 or, wait till nova does something then copy that ;P
17:51:46 we haven't decided on one yet :)
17:51:57 great, we've got time then!
17:53:26 hyakuhei: as you suspected we aren't moving on… want to call the meeting before people start suggesting even more weak animals for the security project mascot?
17:53:42 ooh, the cactus wren https://en.wikipedia.org/wiki/Cactus_wren#/media/File:Cactus_Wren_nesting_1.JPG
17:53:45 great imagery
17:54:05 like whatever this thing is? https://s-media-cache-ak0.pinimg.com/236x/81/41/db/8141db7fdbec49d9e54188b8e37bdf6b.jpg
17:54:13 lol
17:54:18 hahaha, amazing
17:54:21 sicarie++
17:54:29 that looks like one of those things in that stupid 80's horror movie
17:54:36 gremlins ;)
17:54:59 http://s3.amazonaws.com/digitaltrends-uploads-prod/2015/04/gremlins-gizmo.jpg
17:55:01 elmiko +1
17:55:01 mogwai
17:55:19 gizmo was a mogwai
17:55:22 i like the idea of just flat out having Gizmo as the mascot
17:55:27 true
17:55:30 that thing actually looks pretty steezy
17:55:34 browne gets the full bonus points
17:55:50 yes
17:56:09 you save those bonus points browne… might be a while before you get more :P
17:56:18 aww
17:56:32 hehe
17:56:54 lol
17:57:24 I think it’s time for me to stop googling - i’ve now learned animal mashups are very much a thing
17:57:35 Seems like a good time to end the meeting?
17:57:40 only a matter of time before you violate HPE's browsing policy
17:57:46 +1
17:57:53 lol
17:57:59 haha, totally
17:58:21 #endmeeting