16:59:49 <tmcpeak> #startmeeting security
16:59:50 <openstack> Meeting started Thu Dec  8 16:59:49 2016 UTC and is due to finish in 60 minutes.  The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:59:51 <hyakuhei> Hey.
16:59:52 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
16:59:54 <tmcpeak> o/
16:59:55 <openstack> The meeting name has been set to 'security'
16:59:56 <sigmavirus> o/
16:59:57 <hyakuhei> Doug was supposed to be starting things
17:00:04 <tmcpeak> #chair hyakuhei
17:00:05 <openstack> Current chairs: hyakuhei tmcpeak
17:00:09 <tmcpeak> I'll chair him when he comes
17:00:10 <tkelsey> o/
17:00:19 <tmcpeak> #link https://etherpad.openstack.org/p/security-agenda
17:00:26 <mdong> o/
17:00:29 <browne> o/
17:00:34 <ashcrack> hey, I'm here the first time
17:00:39 <iphutch> o/
17:00:41 <tmcpeak> welcome ashcrack
17:00:58 <iphutch> Hi all, here for the first time also
17:01:01 <rarora> hi, also here for the first time
17:01:09 <tmcpeak> wow
17:01:11 <mdong> welcome everyone!
17:01:17 <tmcpeak> welcome iphutch, rarora
17:01:17 <tkelsey> cool, lots of first timers :D welcome
17:01:24 <tmcpeak> while we're filing in you guys want to do quick intros?
17:01:31 <tmcpeak> #chair capnoday
17:01:31 <openstack> Current chairs: capnoday hyakuhei tmcpeak
17:01:36 <tmcpeak> capnoday: take it away
17:01:38 <capnoday> o/
17:01:43 <tmcpeak> we've got new members that are introducing themselves
17:01:52 <tmcpeak> I'm mostly gone for the first half of this, on a call
17:01:53 <hyakuhei> I'm on a call right now but I should be with you soonish :)
17:02:00 <capnoday> ok cool
17:02:16 <capnoday> thanks for starting the meeting tmcpeak
17:02:23 <tmcpeak> de nada
17:02:37 <capnoday> who have we got new with us today?
17:02:47 <iphutch> I'm Ianeta from docs team and I'd like to start contributing to security team via docs. Looking for a place to start, could be editing existing docs or working alongside devs on their docs.
17:03:06 <capnoday> hey iphutch
17:03:28 <capnoday> thanks for joining us, we desperately need someone to help out with security docs
17:03:33 <rarora> tmcpeak: sure, I'm working with some people and we are possibly looking to get bandit to be part of the cinder gate... it was kind of last minute so didn't have time to edit the agenda before attending and was hoping to possibly talk a little bit about experiences with bandit once the main topics are covered
17:03:49 <tmcpeak> oh cool, we can definitely add that to the agenda
17:03:50 <capnoday> rarora great we will cover bandit
17:04:00 <capnoday> tmcpeak will you be able to join us for bandit talks later on?
17:04:19 <tkelsey> I can help with bandit stuff as well :)
17:04:39 <rarora> awesome, thanks all!
17:04:46 <tmcpeak> capnoday: yep
17:05:08 <capnoday> ty
17:05:39 <tkelsey> so, whats first on the agenda then?
17:05:48 <capnoday> agenda is here, add stuff if you have topics #link https://etherpad.openstack.org/p/security-agenda
17:05:54 <capnoday> first up is syntribos
17:06:10 <capnoday> #topic Syntribos
17:06:34 <capnoday> anyone here able to talk syntribos? ccneil?
17:06:58 <mdong> I can talk about it
17:07:05 <vds> o/
17:07:18 <capnoday> ok mdong
17:07:33 <mdong> So this week we’re working with the Swift team to do a round of testing on it
17:08:30 <mdong> it’s a good opportunity for us to test out our tool after the latest release to see if anything’s changed since the last time we did it
17:08:42 <capnoday> excellent
17:08:47 <capnoday> how is that progressing?
17:10:03 <capnoday> hey sicarie
17:10:07 <mdong> we just started yesterday, but we have xin9972 in charge of doing code reviews and static analysis, and unrahul is doing a set of manual tests that the Swift team had us look into
17:10:08 * sicarie waves
17:11:05 <mdong> other than that, we’re rewriting the way our templates are built to make them less cluttered
17:11:12 <capnoday> sounds like useful work, how do you plan to publish the results from this?
17:11:56 <mdong> we’ll file anything we find as a launchpad bug, much the same as we did last time
17:12:04 <capnoday> sweet
17:12:15 <capnoday> it would be interesting to have some kind of overall summary of the results from cinder
17:12:20 <capnoday> i mean swift
17:12:53 <capnoday> once its done, maybe write a summary for this meeting, or consider a talk at the next summit?
17:13:18 <notmyname> what is the thing being discussed with the swift team?
17:13:27 <mdong> sure thing, that would be valuable
17:14:23 <capnoday> great, anything else on syntribos?
17:14:36 <sigmavirus> notmyname: testing swift with Syntribos
17:14:44 <mdong> I know unrahul got in touch with the swift team to get a list of things they felt could be vulnerable to help in our testing
17:14:48 <mdong> that’s all I have for syntribos
17:14:50 <sigmavirus> (since no one else is answering you for unknown reasons)
17:15:07 <notmyname> sigmavirus: thanks. /me goes to google Syntribos
17:16:19 <capnoday> mdong got a link on syntribos for notmyname?
17:16:20 <notmyname> mdong: who did you talk to on the swift team?
17:16:24 <notmyname> I found it :-)
17:16:35 <vinaypotluri> notmyname: github.com/openstack/syntribos
17:17:21 <mdong> notmyname: that’s a question for unrahul, I’m afraid I don’t know
17:18:42 <capnoday> ok lets leave syntribos there
17:18:44 <vinaypotluri> notmyname: I could send you a few names in the swift team we got in touch
17:18:47 <capnoday> #topic OSSN
17:19:00 <hyakuhei> can we come back to OSSN in 10 minutes please?
17:19:06 <hyakuhei> I'll be off my call then
17:19:13 <capnoday> ok
17:19:32 <capnoday> #topic Security Guide
17:20:10 <capnoday> sicarie whats the current status of the security guide? we have a new volunteer who is keen to help
17:20:12 <notmyname> vinaypotluri: thanks. I'm trying to catch up on this. I hadn't heard (or don't remember) anything with syntribos and swift before
17:20:18 <sicarie> So after moving laptops I found I was unable to actually post changes to the guide
17:20:33 <sicarie> I have a few very rough drafts of some changes, but it's been static
17:20:45 <capnoday> ok action tmcpeak - fix sicaries laptop
17:20:47 <sicarie> There are definitely good bugs out there, and as always we could do with a Neutron/Nova review
17:20:49 <sicarie> =1
17:20:50 <sicarie> +1
17:21:02 <hyakuhei> iphutch wanted to do documentation things IIRC
17:21:13 <capnoday> iphutch has joined us today and wanted some advice on where to start with our docs
17:21:20 <sicarie> awesome
17:22:04 <sicarie> i'll /msg him
17:22:07 <sicarie> them
17:22:20 <iphutch> yep, I'm sure I can assist here
17:22:37 <capnoday> ok great
17:22:45 <capnoday> wheres the best place to get started on these?
17:23:04 <sicarie> docs is always just get a single bug - make sure the process is documented and up-to-date
17:23:19 <sicarie> once that's there, it's wherever the contributor feels most comfortable
17:23:23 <sicarie> I'm sure there are a few things we can do
17:24:37 <iphutch> sicarie: You can send me some ARs and we can get going
17:24:50 <sicarie> sounds good! and welcome :D
17:25:16 <iphutch> :) thanks!
17:27:03 <capnoday> lhinds hyakuhei where are we at with the blog?
17:27:09 <capnoday> #topic Blog
17:27:18 <hyakuhei> lhinds isn't around today. He has publish rights now though
17:27:34 <hyakuhei> I _still_ haven't written anything bloggy. Completely failed on that action.
17:27:57 <capnoday> thats fine, the day job is a thing
17:28:12 <capnoday> #Action hyakuhei write a blog post
17:28:22 <tmcpeak> spoiler alert - fixing sicarie's laptop is going to slip too
17:28:26 <hyakuhei> lol
17:28:28 <capnoday> lol
17:28:34 <sicarie> dang!
17:28:47 <sicarie> here I was looking forward to my first Lotus Notes experience
17:29:01 <capnoday> its actually better than you would expect
17:29:08 <capnoday> anyway
17:29:22 <capnoday> are you able to talk about OSSN yet hyakuhei?
17:30:51 <capnoday> ok
17:31:02 <capnoday> #topic Security Review
17:31:25 <capnoday> anyone got any updates on this? It's a no-op from me this week unfortunately, am hoping to get some more stuff pushed up for review this week
17:31:53 <tmcpeak> no updates on security review
17:31:55 <hyakuhei> The only update really is that we're continuing to work on some internal enhancements
17:32:01 <hyakuhei> That we should be able to push upstream soon.
17:32:13 <capnoday> great news
17:32:27 <capnoday> are those the internal enhancements you told me to write?
17:32:35 <hyakuhei> For the most part sure
17:32:57 <capnoday> excellent, two birds with one stone
17:33:01 <hyakuhei> :D
17:33:08 <capnoday> ok to talk OSSN?
17:33:09 <hyakuhei> So I can give a quick OSSN update if you like
17:33:20 <capnoday> #topic OSSN
17:33:38 <hyakuhei> We have four in the pipe.
17:33:49 <hyakuhei> Most of you will only see one because the other three are embargo
17:33:56 <hyakuhei> #link https://bugs.launchpad.net/ossn
17:34:07 <hyakuhei> One regarding Nova will be published later today
17:34:46 <hyakuhei> Apart from that not much to add TBH
17:35:08 <capnoday> ok great
17:35:33 <capnoday> #topic Bandit
17:35:51 <capnoday> tmcpeak tkelsey
17:35:56 <tmcpeak> yo
17:36:04 <tmcpeak> tkelsey: pushed a new version, know we've got that
17:36:11 <tmcpeak> gmurphy: has been filing up a storm of bugs too
17:36:11 <tkelsey> so pushed out a new version last week
17:36:15 <tkelsey> heh yeah
17:36:23 <capnoday> so whats new?
17:36:36 <hyakuhei> oooh bugs are good
17:36:37 <tkelsey> pipe files into bandit is the main thing
17:37:02 <capnoday> so we can chain bandit with other tools?
17:37:11 <tkelsey> #link https://github.com/openstack/bandit/releases/tag/1.3.0
17:37:14 <tkelsey> patch notes ^
17:37:42 <tkelsey> I think browne needed it for the sublime plugin he is working on
17:37:48 <capnoday> thanks tkelsey
17:37:49 <browne> yep
17:37:53 <browne> #link https://github.com/ericwb/SublimeLinter-contrib-bandit
17:38:07 <tkelsey> +1
17:38:08 <browne> still awaiting approval from sublime guys
17:38:44 <hyakuhei> That's very cool
17:39:39 <capnoday> rarora wanted to talk about bandit with cinder
17:39:40 <browne> thx
17:39:46 <tmcpeak> yeah, want to do that now?
17:39:49 <rarora> hey, yeah!
17:40:03 <tkelsey> tmcpeak do you have info on how to integrate bandit (a link or something) for rarora
17:40:13 <tmcpeak> integrate?
17:40:20 <rarora> so we were talking about possibly adding bandit to the cinder gate as non-voting at the cinder IRC meeting yesterday
17:40:21 <tmcpeak> I think I do, one sec
17:40:25 <tkelsey> as in use it in the gate
17:40:31 <rarora> we would appreciate that link!
17:40:45 <tmcpeak> #link https://wiki.openstack.org/wiki/Security/Projects/Bandit#Gate_Testing_with_Bandit
17:40:53 <rarora> tkelsey: yes, use it in the gate as non-voting so it doesn't stop any commits but gives people a heads up of possible issues
17:40:57 <rarora> tmcpeak: thanks!
17:41:11 <rarora> the main concern that they raised was false positives
17:41:20 <tmcpeak> two approaches
17:41:28 <tmcpeak> 1) exclude noisy tests from your run
17:41:36 <rarora> most of them hadn't used bandit in a while but they said that the results were overwhelmingly false positives
17:41:43 <tmcpeak> 2) nosec legitimate tests that are OK in a particular instance
17:41:55 <tmcpeak> yeah, by default you're running Bandit with a bunch of informational tests
17:42:01 <rarora> tmcpeak: right, that is what we were thinking too
17:42:02 <tmcpeak> things like "subprocess is being used"
17:42:08 <tmcpeak> try bandit -ll -ii
17:42:13 <tmcpeak> that should give you a better starting point
17:42:31 <rarora> thanks, we hadn't tried that out before
17:42:44 <tmcpeak> that is "filter medium+ severity, medium+ confidence"
17:42:50 <tmcpeak> it will get rid of all the informational stuff
17:42:56 <tkelsey> -ll and -ii configure a base level for severity and confidence, stuff that falls lower than that is ignored
17:43:16 <tkelsey> so yeah, what tmcpeak said :)
17:43:20 <tmcpeak> :D
17:43:31 <rarora> okay, yeah, I think that should help a lot because they seemed excited about the idea in general but didn't want too much extra noise
17:43:47 <tmcpeak> fair enough, you may have to further tune but that's a good starting point
17:44:09 <rarora> we were also going to talk to some people from keystone since they use it in their gate to get an idea of things they have found helpful
17:44:16 <rarora> that's pretty much all I had, thanks everyone!
17:44:40 <tkelsey> yeah, bandit can be configured down to just a few tests easily as well, using the config file ...  yeah the keystone folks have most experience using it outside of the bandit team
17:45:33 <hyakuhei> brb, might drop for a second.
17:45:37 <capnoday> thanks rarora, please let us know how you get on
17:45:42 <capnoday> hyakuhei we are almost done i think
17:45:44 <rarora> will do!
17:46:07 <capnoday> #topic AOB
17:46:16 <tkelsey> #link http://docs.openstack.org/developer/bandit/
17:46:33 <tkelsey> rarora: docs for bandit, in case you didn't find them already
17:46:41 <capnoday> moving to AOB, we have 'working like openstack' and 'MD5 everywhere' but i dont think we can talk to those today
17:46:53 <rarora> tkelsey: thanks!
17:47:08 <singleth_> Can people who are merely "community members" (as opposed to "foundation members") still be members of the OSSG?
17:47:24 <mdong> notmyname: our contacts on the Swift team are ntata, pdardeau, Mohit and Sashi - they’re all OSIC members I believe?
17:47:31 <capnoday> singlethink we welcome everybody
17:48:03 <capnoday> singlethink if you feel you can contribute to openstack security in any way, you're welcome here
17:48:12 <singlethink> ok... I got a notice that I was being knocked down to "community member" for not participating enough... and I don't know how soon that will change
17:48:27 <tmcpeak> singlethink: I got that too
17:48:33 <singlethink> lolz
17:49:09 <capnoday> #action tmcpeak participate more
17:49:15 <tkelsey> LOL
17:49:21 <tmcpeak> I've been reinstated..
17:49:23 <tmcpeak> by magics
17:49:36 <capnoday> singlethink feel free to push patches, open bugs, etc etc
17:49:40 <hyakuhei> when was that?
17:49:44 <tmcpeak> last week
17:50:04 <singlethink> capnoday: I feel free to... I just tend to be highly oversubscribed
17:50:13 <hyakuhei> I'm suspicious of my email filters.
17:50:21 <tmcpeak> lol
17:50:29 <tmcpeak> are you voting in elections hyakuhei?
17:50:33 <capnoday> singlethink I feel your pain!
17:50:59 <singlethink> I realize that can probably be said of everyone in this meeting.  (Unfortunately OpenStack is not part of my day job anymore.)
17:51:32 <tmcpeak> singlethink: you aren't the only one
17:51:39 <hyakuhei> far from it.
17:51:40 <tmcpeak> I get far less allocation to it than I used to
17:51:51 <capnoday> i think this is something thats only going to get worse going forwards too
17:52:06 <tmcpeak> capnoday: ++
17:52:19 <capnoday> anyway, any other AOB?
17:52:25 <hyakuhei> not from me
17:52:27 <tmcpeak> nopes
17:52:31 <tkelsey> nope
17:52:36 <hyakuhei> excepting to say thanks to capnoday for chairing.
17:52:42 <capnoday> np
17:52:51 <capnoday> lets wrap that up then, thanks everybody for attending
17:52:54 <tmcpeak> thanks capnoday!
17:52:57 <singlethink> thanks capnoday
17:53:25 <capnoday> #endmeeting
17:53:36 <tmcpeak> #endmeeting