17:00:00 <tmcpeak> #startmeeting security
17:00:01 <openstack> Meeting started Thu Sep 15 17:00:00 2016 UTC and is due to finish in 60 minutes.  The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:02 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:03 <tmcpeak> o/
17:00:05 <openstack> The meeting name has been set to 'security'
17:00:12 <tmcpeak> #link https://etherpad.openstack.org/p/security-agenda
17:00:19 <tmcpeak> o/
17:00:20 <tkelsey> o/
17:00:28 <gmurphy> o/
17:00:29 <mdong> o/
17:00:32 <sicarie> o/
17:00:41 <tmcpeak> Mr. Sicarie, back from the dead!
17:00:47 <hyakuhei> o/
17:00:52 <unrahul> o/
17:00:53 <tmcpeak> #chair hyakuhei
17:00:53 <openstack> Current chairs: hyakuhei tmcpeak
17:00:58 <knangia> o/
17:01:06 <elmiko> _へ__(‾◡◝ )>
17:01:08 <tmcpeak> hi knangia, welcome
17:01:09 <vinaypotluri> O/
17:01:35 <tmcpeak> elmiko is that your finest Jabba the Hutt ascii art?
17:02:19 <tmcpeak> speak of the devil
17:02:27 <tmcpeak> dg___ you're going to be first up
17:02:30 <hyakuhei> heh
17:02:35 <tmcpeak> #topic dg for sec-core
17:02:36 <knangia> thank you tmcpeak :)
17:02:49 <tmcpeak> we discussed last time, we need another sec core, dg seems like a logical candidate
17:02:53 <lhinds> hey o/
17:02:57 <tmcpeak> hey lhinds
17:03:03 <hyakuhei> Seems reasonable to me.
17:03:05 <hyakuhei> Welcome lhinds
17:03:13 <lhinds> hey tmcpeak hyakuhei et al
17:03:16 <tmcpeak> #vote dg yes no
17:03:17 <sicarie> +1 on dg___
17:03:26 <tmcpeak> meh
17:03:26 <elmiko> tmcpeak: something like that ;)
17:03:27 <hyakuhei> lol, we don't need a vote
17:03:29 <lhinds> +1 on dg___
17:03:34 <tmcpeak> good, because it didn't work
17:03:35 <elmiko> #vote yes
17:03:36 <hyakuhei> The appropriate thing to do is mail a proposal to -dev
17:03:48 <dg___> #vote yes
17:03:51 <hyakuhei> Then the VMT guys / whomever can comment
17:04:05 <tmcpeak> smells like an action for hyakuhei :P
17:04:09 <hyakuhei> As per #link http://lists.openstack.org/pipermail/openstack-dev/2016-August/101152.html
17:04:19 <hyakuhei> The only concern might be the size of the group
17:04:19 <tmcpeak> I've abandoned -dev :'(
17:04:32 <hyakuhei> wow dude
17:04:38 <hyakuhei> How will you know about all the things?
17:04:59 <tmcpeak> hearsay mostly
17:05:40 <tmcpeak> anybody itching to blast a mail on dev?
17:05:50 <hyakuhei> I'll happily do it
17:05:56 <tmcpeak> awesome!
17:06:01 <hyakuhei> Though I expect the concern will be that the group is now pretty big
17:06:14 <tmcpeak> #action hyakuhei to send email about dg for sec core
17:06:17 <tmcpeak> well not bigger than it was
17:06:27 <hyakuhei> Yes
17:06:27 <tmcpeak> we lost elmiko and nkinder and picked up lhinds and dg
17:06:32 <hyakuhei> Ah true
17:06:34 <elmiko> +1
17:06:42 <hyakuhei> I don't think elmiko is out yet
17:06:50 <hyakuhei> Ok that should be fine then.
17:06:54 <tmcpeak> I can fix that, muwahahahaha
17:06:59 <sicarie> elmiko is doing his best al pacino right now
17:07:06 <elmiko> yup, you can remove me when necessary =)
17:07:10 <hyakuhei> ;)
17:07:17 <hyakuhei> We thank you for your service kind sir!
17:07:21 <tmcpeak> +1
17:07:34 <elmiko> i'm glad to have been part of such an awesome group
17:07:34 <dg___> or better idea, elmiko comes back and does more awesome...
17:07:39 <elmiko> haha
17:07:51 <elmiko> ossp4lyfe!
17:07:57 <hyakuhei> :'(
17:08:27 <tmcpeak> alright, next up
17:08:29 <tmcpeak> #topic Syntribos
17:08:37 <tmcpeak> mdong: ?
17:08:43 <tmcpeak> unrahul: ?
17:08:51 <unrahul> hey tmcpeak
17:09:00 <unrahul> so we are testing the glance this week..
17:09:21 <unrahul> and got a vuln finally
17:09:42 <unrahul> second order XSS, the details Charles would be raising a CR
17:10:21 <unrahul> we have improved the tool as well.. so if anyone  needs to test the tool .. then they can
17:10:33 <unrahul> we have templates for neutron , glance and keystone now..
17:10:54 <tmcpeak> nice!
17:11:24 <hyakuhei> Very cool
17:11:27 <unrahul> Also in glance we are seeing there is not much validation for images uploaded from a uri.. it will accept anything as an image url and even allow us to spin up an instance.. doesn't matter if the image is a valid format or not..
17:11:39 <unrahul> we are trying to see if something can be done with that..
17:11:44 <unrahul> thanks hyakuhei ..
17:11:45 <hyakuhei> Make sure to fill us in once the bug is out of embargo
17:11:55 <unrahul> yup!..
17:12:06 <unrahul> that's it from us this week.. mdong ?
17:12:44 <tmcpeak> cool
17:12:46 <tmcpeak> #topic OSSN
17:12:49 <tmcpeak> lhinds: you're up
17:12:54 <lhinds> k..
17:13:02 <lhinds> Three notes released:
17:13:04 <lhinds> [OSSN-0075] Deleted Glance image IDs may be reassigned
17:13:06 <lhinds> [OSSN-0073] Horizon dashboard leaks internal information through cookies
17:13:08 <lhinds> [OSSN-0066] MongoDB guest instance allows any user to connect
17:13:18 <lhinds> All public OSSN now closed, and out the door
17:13:20 <tmcpeak> lhinds: you're a beast!
17:13:24 <hyakuhei> HERO!
17:13:31 <tmcpeak> hyakuhei: you have a couple that are really close too, don't you?
17:13:34 <lhinds> Five embargoed notes to clear (but all assigned)
17:13:55 <lhinds> those assigned to lhinds tmcpeak hyakuhei
17:14:07 <tmcpeak> :'(
17:14:29 <lhinds> it's ok, will be making gentle pings next week with friendly reminders :)
17:14:48 <lhinds> one other point, tmcpeak - 0075 can be public again.
17:15:05 <lhinds> was not sure if I should do this, but thought it prudent to check first
17:15:22 <tmcpeak> oh cool
17:15:28 <hyakuhei> cool
17:15:28 <tmcpeak> either way
17:15:40 <tmcpeak> I've got 74 ready to go (I think)
17:15:43 <lhinds> I will ping you outside the channel for how to go about it
17:15:47 <tmcpeak> awesome
17:15:54 <lhinds> cool tmcpeak, send it over when you're done.
17:15:58 <tmcpeak> will do
17:16:01 <lhinds> also I think the google docs works well.
17:16:13 <tmcpeak> +1, google docs gud
17:16:21 <hyakuhei> +1
17:16:30 <hyakuhei> So much easier than faffing with gitlab
17:16:37 <lhinds> yup, deffo
17:16:48 <lhinds> that's it for notes from my side
17:16:51 <tmcpeak> awesome
17:16:53 <tmcpeak> #topic Blog
17:16:59 <tmcpeak> lhinds: you ready for mergies?
17:17:05 <lhinds> sure, go for it.
17:17:07 <hyakuhei> oh yes, we need blog things!
17:17:19 <dg___> has anyone written a blog on the ATX midcycle?
17:17:30 <lhinds> https://github.com/openstack-security/openstack-security.github.io/pull/25
17:17:32 <tmcpeak> no, would be good to update our thoughts about security review too
17:18:11 <hyakuhei> Yeah
17:18:20 <hyakuhei> I'm waiting for dg___ to finish his TA stuff :P
17:18:27 <hyakuhei> Last time we spoke he was blocking
17:18:39 <tmcpeak> looks like dg___ has some comments lhinds
17:18:47 <hyakuhei> I'll ask redrobot if he fancies co-writing an entry
17:18:55 * redrobot pokes head in
17:18:58 <hyakuhei> Once we finish the TA for Barbican
17:18:59 <tmcpeak> ohai
17:19:02 <dg___> hey redrobot
17:19:04 * hyakuhei looks at dg___
17:19:11 <dg___> i am literally working on that right now
17:19:15 <hyakuhei> redrobot we should finish your TA stuff and write it up :)
17:19:23 <redrobot> hyakuhei agreed
17:19:27 <lhinds> tmcpeak: I cleaned up dg___ nits, but I don't think I clicked the 'reviewable' buttons
17:19:31 * elmiko waves to redrobot
17:19:31 <dg___> although there is a draft architecture page at https://review.openstack.org/#/c/357978/1
17:19:34 <lhinds> (it's a new one to me)
17:19:37 <hyakuhei> redrobot maybe something for #link https://openstack-security.github.io/
17:19:53 <tmcpeak> dg___: review latest from lhinds and see if it's good to go?
17:19:58 <hyakuhei> oh cool
17:20:04 <hyakuhei> I didn't know that was a thing dg___ thanks
17:20:06 <dg___> tmcpeak sure
17:20:06 <tmcpeak> I "acknowledged" his fixes of my stuff
17:20:14 <tmcpeak> thank you sir
17:20:16 <dg___> kk
17:20:29 <tmcpeak> gr8
17:20:31 <lhinds> ok, I marked 'done' against the nites
17:20:31 <tmcpeak> what else?
17:20:37 <lhinds> nites/nits
17:20:46 <hyakuhei> I'll sneak a review in
17:20:55 <dg___> hyakuhei its WIP atm, I am currently writing up the findings. I have added 'We need to get improve recording of finding from review, so they make sense a month later.'
17:21:15 <dg___> good work on the blog btw lhinds
17:21:23 <tmcpeak> well since we're already talking security review...
17:21:23 <lhinds> thx dg___
17:21:26 <tmcpeak> #topic Security Review
17:22:02 <tmcpeak> dg___: has done a bunch of stuff, where we at?
17:22:51 <dg___> the third party review for Designate is up, it doesn't exactly match what our process looks like, but I am fairly happy with it
17:23:01 <tmcpeak> that's fine, A review is better than no review
17:23:22 <tmcpeak> the fine folks at HPE fighting the good fight
17:23:34 <dg___> comments so far from tmcpeak and hyakuhei, all others invited: https://review.openstack.org/#/c/354879/
17:23:43 <dg___> tmcpeak +1
17:23:57 * gmurphy pulls out his red pen..
17:24:05 <dg___> I've updated the architecture page for barbican, draft here: https://review.openstack.org/#/c/357978/1
17:24:16 <dg___> I will submit another patch with the findings added soon, probably tomorrow
17:24:33 <tmcpeak> champion
17:24:36 <dg___> has anyone heard from sdake about kolla?
17:24:53 <tmcpeak> oh yeah, where is sdake_
17:25:00 <tmcpeak> he was going to set up some time for us
17:25:05 <tmcpeak> also Manilla - where we at with that dg?
17:25:10 <tmcpeak> Manila
17:25:16 <sdake_> hey tmcpeak
17:25:20 <tmcpeak> o/
17:25:24 <hyakuhei> Oh yeah that's right
17:25:27 <sdake_> tmcpeak - we haven't set up any time
17:25:33 <sdake_> tmcpeak slammed by rc1
17:25:38 <tmcpeak> ahh
17:25:47 <sdake_> tmcpeak i'm honestly not sure when we will have time before 3.0.0
17:25:54 <sdake_> tmcpeak i'll ping our coresec team
17:26:04 <sdake_> how much time do you think we will need to get a rough idea of the new process?
17:26:10 <tmcpeak> ok, well we're happy to help, we can be accommodating with schedules
17:26:21 <dg___> tmcpeak manila is waiting for me to reach out to them
17:26:24 <tmcpeak> we should be able to complete a good review in 2-3 hours..
17:26:30 <tmcpeak> hyakuhei: dg___ agrees?
17:26:36 <sdake_> tmcpeak but we have no review documentation
17:26:52 <sdake_> tmcpeak and last direction i had was not to use flow diagrams as that model has been deprecated
17:27:01 <dg___> 3 hours sounds possible, although barbican is probably running to 6? I think with good pre-work its possible
17:27:08 <tmcpeak> dg___: you have the latest guidance for sdake_?
17:27:22 <sdake_> an example would be fantastic :)
17:27:28 <hyakuhei> deprecated is a strong word. We've kind of iterated towards only using them to explain complicated things
17:27:28 <dg___> sdake yes that is correct, we are still looking to use an architecture diagram, but we are not looking for dfds or sequence diagrams, to try and reduce the workload
17:27:38 <sdake_> hyakuhei sorry it's the best i could come up with
17:27:38 <hyakuhei> Barbican TA should be a good template
17:27:55 <hyakuhei> sdake_ it's fine, I just meant any efforts there haven't been wasted
17:28:16 <sdake_> is barbican ta in a review somewhere
17:28:16 <sdake_> or etherpad?
17:28:23 <sdake_> i can get our team rolling with that
17:28:24 <hyakuhei> They just fall into 'explanatory diagrams' that cover things that required extra info on more of an ad-hoc process
17:29:05 <hyakuhei> I don't think it's ready yet
17:29:07 <sdake_> hyakuhei i dont care about sunk costs anyway :)
17:29:09 <hyakuhei> We want it to be polished
17:29:18 <sdake_> difference between not ready and available
17:29:21 <sdake_> i'll take available
17:29:24 <dg___> not quite yet, we will have the draft process published asap
17:29:30 <sdake_> and we can polish kolla's ta from there
17:29:44 <dg___> currently decrypting etherpads and turning that into readable text
17:30:18 <sdake_> if there i a threat analysis of barbican in draft form that would help tremendously
17:30:30 <sdake_> if not, can wait on the readable text from the etherpad decryption
17:30:46 <sdake_> i/is
17:30:48 <tmcpeak> etherpad is at least a good reference
17:30:56 <tmcpeak> #link https://etherpad.openstack.org/p/barbican-threat-analysis
17:31:08 <hyakuhei> Yeah
17:31:10 <tmcpeak> starting from the DFD at the top and then "Data Assets"
17:31:10 <sdake_> tmcpeak thanks - so only thing available is an etherpad
17:31:22 <tmcpeak> sdake_: currently but dg has some stuff in review
17:31:25 <sdake_> yup we have our data assets recorded
17:31:26 <dg___> the draft architecture page is here: https://review.openstack.org/#/c/357978/2/doc/source/artifacts/barbican/newton/architecture-page.rst
17:31:28 <tmcpeak> you can also look at that
17:31:42 <hyakuhei> There's also this: #link https://drive.google.com/file/d/0B0osRPn3qBq5Ml9JOUVETDhJbVk/view
17:32:10 <tmcpeak> come on hyakuhei, be adventurous, share the drawio link (again)
17:32:34 <sdake_> ok i'll process those - and do my best to get a draft review in the ta repo queue
17:33:06 <tmcpeak> thanks sdake_ let us know if you have questions or get stuck
17:33:21 <hyakuhei> +1
17:33:23 <sdake_> tmcpeak i'm sure both of those are a possibility :)
17:33:24 <sdake_> thanks
17:33:28 <tmcpeak> :P
17:33:35 <tmcpeak> ok, anything else on security reviews?
17:33:38 <tmcpeak> oh, Manila
17:33:43 <tmcpeak> dg___: did you get a hold of them?
17:33:46 <dg___> sdake feel free to reach out on this one, you should have my email address
17:33:51 <dg___> tmcpeak not had time this week, sorry
17:34:01 <tmcpeak> ok no worries, you're doing a bunch of stuff already
17:34:06 <tmcpeak> who are our contacts from there?
17:34:16 <sdake_> dg___ i probably do but will get again offline - i've got a million addresses :)
17:34:26 <dg___> ok cool cheers
17:34:27 <sdake_> thanks folks
17:34:39 <tmcpeak> thanks sdake_, we're looking forward to working with you guys on this
17:34:55 <sdake_> likewise
17:35:37 <tmcpeak> alright, moving on
17:35:41 <tmcpeak> #topic Summit Sessions
17:35:42 <dg___> i have to drop, thanks everybody
17:35:46 <tmcpeak> thanks dg___
17:35:56 <tmcpeak> if anybody has anything they think would make a good session please add here:
17:36:03 <tmcpeak> #link https://etherpad.openstack.org/p/barcelona-security-sessions
17:36:45 <tmcpeak> alright, otherwise...
17:36:46 <tmcpeak> #topic AOB
17:37:06 <hyakuhei> I don't have much to add
17:37:13 <hyakuhei> I requested a bunch of rooms for barcelona
17:37:25 <tmcpeak> when do you find out if we got any?
17:37:28 <hyakuhei> I guess everyone knows this is the last summit that'll be in this format
17:37:34 <hyakuhei> tmcpeak couple of weeks I guess
17:38:45 <hyakuhei> I don't have much more to add today. We might have an interesting new IBM technology getting opensourced and incubated within the OSSP but I can't commit to that yet so I'll just leave it dangling here ;)
17:39:01 <tmcpeak> yayy
17:39:37 <tmcpeak> alright
17:39:38 <elmiko> sounds.... mysterious
17:39:50 <hyakuhei> I know right :)
17:39:54 <elmiko> =)
17:40:10 <hyakuhei> ok, let's wrap and get back to securing all the things!
17:40:13 <tmcpeak> #endmeeting