17:02:07 #startmeeting security
17:02:11 Meeting started Thu Dec 1 17:02:07 2016 UTC and is due to finish in 60 minutes. The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:02:12 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:02:15 The meeting name has been set to 'security'
17:02:18 o/
17:02:20 #chair hyakuhei
17:02:21 Current chairs: hyakuhei tmcpeak
17:02:27 o/
17:02:29 o/
17:02:42 o/
17:02:49 Hey tkelsey this is the right time, right ? :P
17:03:08 yep
17:03:09 i guess lol, some folks seem to be here :)
17:03:10 1700
17:03:11 #link https://etherpad.openstack.org/p/security-agenda
17:03:13 Hi tmcpeak singlethink
17:03:16 Thanks tmcpeak
17:03:19 hallo
17:03:21 hi
17:03:24 hi
17:03:32 sup guys
17:03:54 Sup dawg!
17:05:09 Question - did anyone see my mail about PTL elections on the ML?
17:05:13 I don't think it sent
17:05:17 nope
17:05:20 o/
17:05:44 pants
17:05:47 no
17:05:51 hyakuhei: notes FTW
17:05:54 Hey ccneill - sorry I missed you earlier in the week
17:05:58 tkelsey lol
17:06:01 notes :'(
17:06:21 Oi, I'll have no Notes bashing here. You should all be so lucky.
17:06:23 alright, what we doing today?
17:06:31 #topic Syntribos
17:06:33 ccneill:
17:06:36 sigmavirus are you joining us today?
17:06:53 I don't know much wrt syntribos
17:06:58 hey tmcpeak unrahul here
17:07:03 unrahul, knangia ?
17:07:07 ^^ :)
17:07:27 so after our design session on redesign of templates
17:07:41 we are now working on the agreed upon design
17:08:02 ccneill: was also involved in the design, the last design session he was part of :)
17:08:21 We had a few bugs in syntribos as well, that we have fixed and a few we are looking into
17:08:32 that's it from us for this week
17:08:39 sweet
17:08:39 link to the notes from our templates discussion: https://etherpad.openstack.org/p/syntribos-templates
17:08:42 seems like good progress
17:09:15 I think it's gonna ultimately make syntribos muuuch easier to spin up for new projects
17:09:19 oh dam
17:09:20 way less boilerplate
17:09:21 o/
17:09:26 +2
17:09:28 ccneill +1
17:09:31 Looks good
17:09:34 that would be good, that's the biggest barrier to entry IMO
17:09:38 lhinds: just in time
17:09:42 #topic OSSN
17:09:43 +1
17:09:49 tmcpeak: phew
17:10:15 by the seat of your pants, what a risk taker
17:10:23 OSSN: So we still have the same embargoed notes, so need to do my weekly poke of hyakuhei and tmcpeak
17:10:38 lhinds I just poked the Bug tracker re mine
17:10:44 lhinds please add me to the review and I'll take a look
17:10:48 It's waiting for a core from the affected project to review IIRC
17:11:10 hyakuhei: ack, will monitor that and make sure they come in.
17:11:16 lol, weekly poke
17:11:19 Thanks
17:11:23 tmcpeak steady now...
17:11:38 :D
17:11:51 that's really it for now, as per last week I hope to do some work on the API over Christmas
17:11:54 cool
17:11:59 oh yeah, saw your change on the doc
17:12:00 good stuff
17:12:10 #topic Blog
17:12:20 hyakuhei: you do any writeup on LF badge?
17:12:29 tmcpeak I did not because I suck
17:12:29 and/or do you still want to?
17:12:36 lol, fair enough
17:12:37 Could potentially bash something out tomorrow AM though.
17:12:49 Then you can refine it in the PM?
17:12:55 Failing that I'll probably write it on the plane.
17:13:03 sure
17:13:05 I can do that
17:13:16 there is also my OSSN post which we can put out now
17:13:38 that will fill a gap until the LF badge stuff gets put up
17:13:43 ok cool, I'll get you guys the +2w anyway
17:13:53 hyakuhei thx
17:14:06 aight
17:14:14 #action hyakuhei to give tmcpeak and lhinds merge privs on the Blog repo
17:14:28 capnoday just dropped and I doubt we have anything else on security review
17:14:30 is that a fair statement?
17:14:50 Almost
17:14:50 gr8
17:14:53 tmcpeak: there was a guy on the mailing list
17:14:58 oh yeah?
17:15:01 with security tag?
17:15:01 he wants to help with threat reviews
17:15:07 intern i think.
17:15:13 awesome
17:15:14 I asked him to come on here and help out
17:15:16 So upstream we haven't done a bunch but we've been working on the internal process, that we mirror that upstream largely so it's good
17:15:19 lhinds excellent
17:15:29 hyakuhei: re LF badge, is this notifying other projects about the program?
17:15:40 he emailed yesterday, so you should see it on the openstack-security mailing list
17:15:48 I think it's a guy called Bjorn
17:16:06 is it with a [security] tag? hope my ML juju isn't failing again
17:16:22 Björn Stübe
17:16:30 lhinds you're "lukehinds" on Github right?
17:16:37 tmcpeak +1 didn't land in my inbox
17:16:41 hyakuhei: yup
17:16:43 :'(
17:16:49 subject: [Openstack-security] Security Audit
17:16:55 ahh
17:17:08 then at least mailman isn't broken
17:17:09 That's the list that we really should have made R/O 2 releases ago
17:17:11 let me know if you don't have it tmcpeak , I can forward
17:17:16 I don't, please do
17:17:30 I vaguely remember that fungi had some ideas around how to do that .....
17:17:43 tmcpeak: in the post
17:18:04 ahh, yep
17:18:05 lhinds you have an invite for write privs. tmcpeak you already had them :)
17:18:14 tha powa!!!
17:18:28 thanks hyakuhei
17:18:29 we just did a similar configuration for the release-announce ml, so shouldn't be hard to repeat
17:18:30 fungi what's required for us to cut that over to R/O for everyone apart from a few specific system generated email addresses?
17:18:33 got it and accepted
17:18:46 I'm not even subscribed to that old one anymore
17:18:47 Cool, what do I need to do fungi ?
17:19:05 set the list to moderate and reject posts by default, and then add a whitelist entry for the addresses you want to be able to continue to post to it that bypass moderation
17:19:34 probably shouldn't waste meeting time walking you through it--have time immediately after?
17:20:42 +1 on later, though predictably I don't have a bunch of time right now, can we sync by email?
17:21:17 cool
17:21:27 you guys all good to skip security guide?
17:21:38 with the exception of lhinds' thoughtful addition I don't think there's much going on
17:21:39 tmcpeak: quick one
17:21:47 reviews please: https://review.openstack.org/#/c/404139/
17:21:48 #topic Security Guide
17:21:58 sicarie was supposed to be able to continue on with that but I don't know if that's still the case.
17:21:58 #link https://review.openstack.org/#/c/404139/
17:21:58 I <3 this already
17:22:19 yeah, dunno
17:22:22 it's a round-up of new horizon goodies adopted from django
17:22:24 hyakuhei: can you mergies that ^
17:22:54 doneth
17:22:58 thx
17:23:14 sweet
17:23:37 #topic MD5
17:23:53 ok so there was some discussion of this on ML, but… I don't think we got anywhere definitive
17:24:20 as we thought migration seems to be insurmountable
17:24:30 tmcpeak: yep, I need to revisit this. I plan to do an audit at least.
17:24:51 so I wanted to ask what medium I should use? Etherpad or patch?
17:24:51 The main point is that it's extremely hard to change for existing deployments.
17:24:59 yeah
17:25:12 I think the best that could ever be achieved would be to have a flag that allows you to toggle at install time
17:25:15 I found a python patch which I am going to look at possibly getting landed
17:25:29 lhinds: you file that bug too?
17:25:39 you can pass `usedforsecurity = False` in hashlib.md5()
17:25:59 tmcpeak: I read that a bit more, and was going to chat with you again.
17:26:05 ok cool
17:26:06 just mad busy
17:26:24 yeah sames
17:26:26 let's catch up next week
17:26:46 ok
17:26:49 will do. I will start dumping down a plan in etherpad, and we can mull it over next week
17:26:53 #topic Working like OpenStack
17:26:56 hyakuhei: is this you?
17:27:11 * hyakuhei nods
17:27:19 We're on a short release cycle this time around
17:27:35 and it would be good to ensure that all our code projects are behaving like OpenStack code projects.
17:27:48 i.e. formal release process with the cycles?
17:27:55 Yeah
17:28:02 but tbh I don't really know what the requirements are
17:28:11 does that mean we can't push new versions of Bandit in between?
17:28:21 hmm.. I won't speak for the syntribos team since I'm only a minor component at this point, but I don't think it's ready for strict versioning yet
17:28:30 it's not on 1.0 yet, which is when that would be more appropriate imio
17:28:32 imo*
17:29:10 I don't know what we gain from release cycles in Bandit either
17:29:31 tmcpeak: +1
17:29:32 I think there's a noop / stable thing that can be done
17:30:14 I don't think it would be *bad* to release a version at cycle completion
17:30:46 Yeah, there's the milestone stuff too, though I'm not sure how that changes as we migrate away from LP
17:31:05 oh crap, I didn't know we were migrating away from LP lol
17:31:14 we are? lol
17:31:20 * tkelsey feels out of the loop
17:31:22 * ccneill too
17:31:32 spoiler alert!
:P
17:31:44 lol
17:31:46 lol
17:32:06 #link https://lists.launchpad.net/openstack/msg25443.html
17:33:00 oh hmm
17:33:06 I'm definitely not subscribed to the launchpad mailing list o_O
17:33:14 yeah me neither
17:33:24 or at least, I don't think I have ever affirmatively chosen to be - maybe I am..
17:33:57 rofl +1 the link to this gif in that first email https://i.imgur.com/MQUmmqo.gif
17:33:59 hey all, I've got to roll out
17:34:01 heh seeds of confusion sown
17:34:03 hyakuhei: can you finish this up?
17:34:30 lhinds: ?
17:34:49 tmcpeak: any way we can get a new bandit release push up?
17:34:55 pushed
17:34:55 #chair lhinds
17:34:56 Current chairs: hyakuhei lhinds tmcpeak
17:35:07 hehe that's completely the wrong one.
17:35:09 browne: sure, we just did one a couple weeks ago
17:35:11 we ready for a new one?
17:35:13 browne: I can help with that
17:35:19 tkelsey: is the pusher man
17:35:23 lol
17:35:25 yep, i'd like one with the stdin stuff
17:35:30 thanks tkelsey
17:35:49 sure no probs
17:35:58 also anchor woefully needs review attention. currently openstack bot is blocked
17:35:58 Thread title is "Migration from Launchpad" but I can't find it in the archives
17:36:39 browne: I can also help with that, though I think I have reviewed most stuff in the pipe already
17:37:13 need a second for +W etc
17:37:45 https://review.openstack.org/#/c/393019/
17:38:26 browne: ah right OK
17:38:29 * tkelsey looks
17:38:40 bonk
17:38:59 thx
17:39:46 I looked previously but it was when my MFA broke and once I fixed that it had dropped off my radar.
17:41:45 browne: +2/+w'd
17:41:50 thx
17:42:13 #topic AOB
17:42:29 anything else?
17:43:00 if y'all haven't seen this, pretty cool: http://seiferteric.com/?p=356
17:43:03 btw, i'm working on a sublime bandit linter
17:43:05 https://github.com/ericwb/SublimeLinter-contrib-bandit
17:43:05 IP over QR codes
17:43:12 browne: oh nice
17:43:18 browne: awesome!
17:43:32 whoa nice!
17:43:34 yeah, think it'll be useful
17:43:41 browne that's epic :)
17:43:51 browne: when is the vim version coming? O:-)
17:44:08 ccneill: ha! i'd love to see that
17:44:14 maybe I'll have to look into it..
17:44:20 :D
17:44:26 I can definitely see a lot of value there
17:45:27 emacs4life
17:45:33 boooooo :P
17:45:49 alright I'm wrapping this before we have a holy war
17:45:54 haha
17:45:58 +1
17:46:03 #endmeeting