17:01:52 <sigmavirus> #startmeeting security
17:01:53 <openstack> Meeting started Thu Feb  2 17:01:52 2017 UTC and is due to finish in 60 minutes.  The chair is sigmavirus. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:54 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:57 <openstack> The meeting name has been set to 'security'
17:01:59 <unrahul> 0/
17:01:59 <openstack> hyakuhei: Error: Can't start another meeting, one is in progress.  Use #endmeeting first.
17:02:00 <hyakuhei> nvm
17:02:01 <hyakuhei> heh
17:02:02 <sigmavirus> heh
17:02:05 <hyakuhei> Thanks sigmavirus
17:02:06 <sigmavirus> #chair hyakuhei
17:02:06 <lhinds> o/
17:02:06 <openstack> Current chairs: hyakuhei sigmavirus
17:02:07 <knangia> o/
17:02:15 <sigmavirus> yw hyakuhei
17:02:17 <michaelxin> o/
17:02:28 <sigmavirus> \o
17:02:32 <tkelsey> o/
17:02:40 <sigmavirus> Congratulations to our (returning) PTL :)
17:02:40 <hyakuhei> #link https://etherpad.openstack.org/p/security-agenda
17:02:48 <lhinds> +1
17:02:49 * hyakuhei waves
17:02:53 <unrahul> :)
17:02:57 <hyakuhei> Thanks y'all
17:02:58 <knangia> :)
17:03:13 <hyakuhei> Only 5 projects were contested I think, the rest had single-candidates
17:03:19 <hyakuhei> Democracy in action....
17:03:28 <browne> o/
17:03:29 <hyakuhei> However, thanks for the support :)
17:03:33 <hyakuhei> sup browne
17:03:52 <sigmavirus> hyakuhei: i think you meant "Democracy inaction"
17:03:58 <mdong> o/
17:03:59 <hyakuhei> heh.
17:04:02 <vinaypotluri> o/
17:04:27 <hyakuhei> ok, 30 minute meeting so let's crack on - welcome mdong vinaypotluri michaelxin et al.
17:04:39 <hyakuhei> We can skip the PTL bit
17:04:43 <hyakuhei> #link PTG
17:04:46 <hyakuhei> Sigh
17:04:50 <hyakuhei> #topic PTG
17:04:57 <hyakuhei> #link https://etherpad.openstack.org/p/ptg-security-team
17:05:10 <hyakuhei> Reminder to update this if you are coming and either way please add to the topics list.
17:05:18 * mhayden stumbles in late
17:05:23 <hyakuhei> sup mhayden
17:05:31 <lhinds> hey mhayden
17:05:44 <michaelxin> hi mhayden
17:05:44 <hyakuhei> Just poking people to update https://etherpad.openstack.org/p/ptg-security-team with ideas for security topics for the PTG
17:05:48 <hyakuhei> and if they're attending
17:06:10 <michaelxin> at least we have some people attending
17:06:10 <michaelxin> Thanks
17:06:35 <hyakuhei> Yeah a couple yet to confirm, I think lhinds is a no-go, is that correct?
17:06:54 <lhinds> sadly yes, but will be going to future PTGs
17:07:03 <michaelxin> Major is going. Woho
17:07:09 <hyakuhei> whoop!
17:07:11 <hyakuhei> :D
17:07:24 <hyakuhei> Anything more on the PTG?
17:07:40 <browne> i'll be there
17:07:57 <michaelxin> browne: +1
17:08:03 <hyakuhei> Excellent :)
17:08:12 <hyakuhei> Should I add you to the etherpad?
17:08:31 <browne> oh i'll add myself
17:08:37 <hyakuhei> :D
17:08:44 <hyakuhei> Cool, let's roll on then
17:08:52 <hyakuhei> #topic Security Docs
17:09:04 <hyakuhei> Do we have a sicarie today?
17:09:10 * sicarie waves
17:09:20 <hyakuhei> Hey, have you caught up on your email from the docs ptl ?
17:09:23 <sicarie> yes
17:09:28 <hyakuhei> Want to update here?
17:09:31 <sicarie> sure
17:09:43 <sicarie> So contributions to the sec-guide have slowed, and the docs team is looking for ways to keep that content fresh
17:09:59 <sicarie> The first move is to change where bugs are reported: https://review.openstack.org/#/c/427760/
17:10:25 <sicarie> and the eventual migration would be to move the sec-guide to where the rest of the specialty guides reside
17:10:54 <sicarie> As the docs team could then better curate and encourage contributions from the pool of those who contribute to docs
17:11:06 <sicarie> hyakuhei: did I miss anything?
17:11:08 <hyakuhei> We need to sync on this at the PTG because it felt to me more like they wanted to remove the security guide from docs.o.o rather than drum up support
17:11:32 <hyakuhei> I'm yet to see how any description of how moving the content from one repo to another will improve contribution
17:11:43 <michaelxin> why do they want to remove the security guide?
17:11:55 <hyakuhei> It is low on contribution and falling behind projects
17:12:24 <hyakuhei> I pointed out in email that's because we need contributions _from_ these projects. However I do think we could do a lot more to chase these projects and orchestrate the updates
17:12:26 <sicarie> for example: i've been pinging neutron resources for about the last year, and we have no meaningful contributions to that area in that time
17:12:30 <sigmavirus> asettle: ping
17:12:49 <sicarie> so much so that I am now doing a code review of neutron on my own to look at what the current state is
17:12:59 <hyakuhei> As before, we'll have a meeting about this at the PTG, but as we likely only have one more meeting before the PTG I wanted people to start thinking about it
17:13:08 <sicarie> +1
17:13:08 <michaelxin> gee
17:13:18 <asettle> sigmavirus: wassup
17:13:25 <asettle> Worried I wasn't attending your 3rd meeting for the day?
17:13:32 <hyakuhei> lol
17:13:36 <michaelxin> Is there anything that OSIC can help?
17:13:42 <hyakuhei> hi asettle we're talking about the security docs
17:13:45 <hyakuhei> michaelxin possible
17:13:51 <sigmavirus> asettle: do the docs team want to remove the security content from docs.o.o?
17:13:51 <asettle> Oh no this is legit
17:13:52 <asettle> Hahahah
17:13:53 <michaelxin> In OSIC here, we seem to have people working on different projects
17:13:53 <asettle> let me read it up
17:13:54 <asettle> One second
17:13:56 <sigmavirus> heh
17:14:02 <michaelxin> lots of core members
17:14:03 <asettle> *back scroll time*
17:14:07 <mhayden> FWIW, we could add some docs in there more focused around host machine / base host security
17:14:09 <unrahul> osic has a docs member ianeta who we worked closely for some syntribos stuff
17:14:59 <hyakuhei> Interesting unrahul I didn't know that :) That would be useful but fundamentally we have an engagement problem. Swift seem to be pretty good but I can't think of other good examples
17:15:04 <asettle> Hey! So :) I can speak to a few of the concerns and questions above.
17:15:12 <michaelxin> unrahul: +1
17:15:15 <asettle> My proposal was just that, a proposal. With obviously no backing to it.
17:15:25 <unrahul> we could take some ownership and helpout in any way.. we are sitting with around 80 ppl working on all kinds of openstack stuff
17:15:28 <asettle> My point was: we don't want to 'dump and run' but we want to find a better place for people to be looking at this guide.
17:15:28 <michaelxin> hyakuhei: We can definitely help for engagement
17:15:30 <knangia> unrahul: +1
17:15:42 <asettle> So, when you say hyakuhei that "I'm yet to see how any description of how moving the content from one repo to another will improve contribution"
17:15:51 <michaelxin> Before we do any security testing, we always engage with some core members of the projects.
17:15:52 <asettle> I agree with you, but that's simply because we're getting nothing in the manuals repo.
17:16:03 <sigmavirus> asettle++
17:16:04 <asettle> At the moment, it's turning into tech debt for our team. We are dwindling, and fast, and we cannot keep up with all the guides we have.
17:16:05 <michaelxin> unrahul has been talking with them quite a lot.
17:16:16 <knangia> michaelxin: +1
17:16:31 <asettle> I would like to look into, further, where people go for their security content. Manuals, or the sec repo (what has the most hits based on analytics)
17:16:33 <sigmavirus> michaelxin: that doesn't translate to security-doc activity
17:16:37 <asettle> That, to me, would determine where the guide should live.
17:16:40 <sigmavirus> Most project core teams are already swamped with enough
17:16:57 <michaelxin> At least we can start the conversation and use the relationship
17:17:11 <asettle> unrahul: Ianeta will be working with me (I am also OSIC and docs PTL) on HA guide engagement.
17:17:13 <michaelxin> If needed, we can contribute one full time doc guy
17:17:19 <unrahul> michaelxin: +1 true.. we can reach out more easily I guess..
17:17:30 <asettle> michaelxin: problem is, you have already dedicated one full time 'doc guy' and we are in this situation.
17:17:37 <asettle> Nathaniel is swamped.
17:17:38 <unrahul> asettle: yup I know :).. she is sitting next to me.. so said
17:17:43 <asettle> There are 28 bugs alone reported for the sec guide.
17:17:51 <asettle> That is the highest count for any individual guide.
17:18:08 <michaelxin> So, our top priority is to work on 28 current bugs
17:18:10 <sigmavirus> And of our own security team the people who review content to that repo has dwindled as well
17:18:18 <knangia> yes, we can reach out here easily ...since we have many ppl here sitting around working on different openstack projects
17:18:20 <sigmavirus> michaelxin: I think Intel sets OSIC's priorities
17:18:24 <hyakuhei> To some extent that's true
17:18:28 <sigmavirus> Which for security participation was syntribos last I heard
17:18:32 <hyakuhei> However I expect that most of those bugs require input from the project teams.
17:18:37 <asettle> My point is, this needs to be addressed properly. I do believe the bugs should be moved out of the manuals repo and reported to you all directly. From there, we can work on best placement for the guide itself.
17:18:37 <asettle> https://bugs.launchpad.net/openstack-manuals/+bugs?field.tag=sec-guide
17:18:52 <hyakuhei> I'm happy enough to move bugs over
17:18:55 <asettle> This is the proposal patch for moving the bugs:
17:18:55 <asettle> https://review.openstack.org/#/c/427760/
17:19:02 <hyakuhei> Probably makes things simpler
17:19:03 <michaelxin> sigmavirus: For security project, I work with Intel peer to setup our priority.
17:19:03 <asettle> We need one more security core (docs people have approved)
17:19:11 <unrahul> michaelxin: +1
17:19:23 <sigmavirus> michaelxin: good to hear that
17:19:32 <vinaypotluri> michaelxin: +1
17:19:57 <sigmavirus> I'm going by what I hear in the random one-off meetings but I think asettle has a good sense of what's going on with the docs team and this seems to be a joint OSSP+Docs team project
17:19:59 <michaelxin> If there is need for security doc, we might be able to get resource working on it.
17:20:02 <knangia> michaelxin: +1
17:20:12 <unrahul> OSIC security will be adding one more person to the group from Intel side .. so we have people to help out..
17:20:20 <unrahul> just need the structure on how we can help ..
17:20:24 <hyakuhei> I've had customers reference the security guide back to me before
17:20:26 <unrahul> asettle: michaelxin  ^
17:20:30 <sigmavirus> unrahul: Are they a documentation person or just a random security person?
17:20:41 <asettle> michaelxin: that OSIC person would have to be security, not documentation. Just to clarify.
17:20:43 <hyakuhei> My understanding is that when it was in print and up to date it was the best selling tree-form openstack book at the time
17:20:47 <unrahul> A new joinee not a documentation per se sigmavirus
17:20:58 <michaelxin> It is security.
17:20:59 <unrahul> we would have more bandwidth
17:21:01 <hyakuhei> I think we know there's a need for it, it just turns out to be hard to maintain
17:21:06 <asettle> Yes, I don't wish to come across and bash and smash the idea - but we are not short of writers. We need someone with the bandwidth and security knowledge.
17:21:06 <knangia> unrahul: +1
17:21:07 <michaelxin> But we can help with documentation
17:21:09 <unrahul> michaelxin: +1
17:21:26 <knangia> michaelxin: +1 ..we can help with documentation
17:21:28 <sigmavirus> knangia: unrahul the +1s are noisy and kind of useless at this point, please stop
17:21:39 <unrahul> asettle:  I think that is where we can help.. as documentation is your forte
17:21:41 <hyakuhei> I'm loving all the positivity :) It should be a very easy meeting at the PTG
17:21:54 <asettle> Okay, just so I can ensure we are all on the same page - give me 5 seconds here people :)
17:21:56 <vinaypotluri> michaelxin: +1   yes we can all help with that
17:22:05 <asettle> 1. Happy to move bug reporting to the ossg launchpad, and out of docs.
17:22:12 <asettle> I need a sec core please: https://review.openstack.org/#/c/427760/
17:22:25 <asettle> 2. The guide will be worked on by OSIC michaelxin to check in and report back
17:22:32 <hyakuhei> 1. done
17:22:40 <asettle> michaelxin: please include me in any emails you send off (osic or otherwise - ping me, and I can give you my RAX email)
17:22:49 <asettle> 3. I will move pre-existing bugs over to ossg for monitoring
17:23:09 <asettle> 3. I will check in with analytics and report back on how highly viewed the sec-guide is and we can begin a discussion at the PTG on the home of the guide
17:23:10 <hyakuhei> We have a sec-guide topic for the PTG session which has been productive in the past.
17:23:21 <asettle> *nods* hyakuhei perfect. What day would that be on?
17:23:34 <hyakuhei> We're in the first block
17:23:58 <asettle> hyakuhei: damnit, same. Okay, well, we will sync up and coordinate further :) please drop me a line: a.settle@outlook.com (openstack email too many emails)
17:24:02 <hyakuhei> We haven't scheduled out what's happening when exactly yet but that will form up over the next week or so, we've got notes here: https://etherpad.openstack.org/p/ptg-security-team
17:24:03 <asettle> And we can ensure we are on the same page.
17:24:11 <asettle> hyakuhei: great, I will add to that properly.
17:24:21 <asettle> Thanks for including it on your list :)
17:24:28 <sicarie> unfortunately it's looking more and more like I'm not going to make it to the PTG
17:24:35 <hyakuhei> Sure thing
17:25:00 <asettle> Great :) thanks for your input everyone
17:25:02 <hyakuhei> Like I said previously (and in our email) the big issue for us is that we need involvement (sporadic) from individual project teams
17:25:09 <asettle> michaelxin: ping me in a PM sec OSIC email things
17:25:12 <hyakuhei> We need to work out how to drive that better
17:25:28 <asettle> hyakuhei: yeah totally, it's hard. Perhaps we can work together further and you can utilise our doc-liaisons.
17:25:31 <hyakuhei> Maybe look at making it part of the vulnerability managed tag that you have to help keep your sec-info up to date.
17:25:40 <hyakuhei> asettle That sounds like a good first step
17:25:57 <michaelxin> asettle, will do it
17:25:58 <asettle> hyakuhei: perfect. We're updating the list at the moment, actually. So I can get back to you after the list is finalised.
17:26:01 <asettle> michaelxin: thanks :)
17:26:23 <hyakuhei> That sounds good. We're thankful for the support asettle
17:26:36 <asettle> No, thank YOU guys :)
17:26:41 <asettle> Appreciate you all taking this on board!
17:26:46 <asettle> We need to find a good action plan :)
17:27:03 <lhinds> sorry, crash / reboot..back now
17:27:09 <hyakuhei> Perfectly reasonable, letting it wither on the vine is not an option :)
17:27:28 <asettle> Ahhhhmennnnn
17:27:32 <hyakuhei> ok, let's move the conversation to AOB, you can provide any important OSSN/Syntribos stuff there (2.5 minutes left)
17:27:37 <hyakuhei> #topic Any other business
17:27:41 <hyakuhei> Thanks again asettle
17:27:56 <lhinds> OSSN,we only have one public now: https://bugs.launchpad.net/ossn/+bug/1606495
17:27:56 <openstack> Launchpad bug 1606495 in OpenStack Security Notes "copy_from in api v1 allows network port scan" [Undecided,New] - Assigned to Travis McPeak (travis-mcpeak)
17:28:12 <lhinds> if anyone thinks they can really do some magic with it, let me know and will reassign
17:28:16 <hyakuhei> Cool, I'm not sure tmcpeak has time to manage this atm
17:28:20 <lhinds> if not i will pick it up
17:28:31 <lhinds> hyakuhei: yep that's fine
17:28:35 <hyakuhei> I suggest posting on the bug asking as much, if he doesn't reply by Monday then cut it over to someone who's free I guess
17:28:41 <lhinds> it's not a killer OSSN, so it's ok to sit for awhile
17:28:45 <hyakuhei> Righto
17:28:47 <unrahul> syntribos we have started looking into glance.. along with some improvements to the tool
17:28:51 <lhinds> hyakuhei: sounds good
17:29:27 <unrahul> For now we have stopped swift testing, that's it from us, unless I am missing something.. michaelxin  ?
17:29:39 <michaelxin> unrahul: you are right
17:29:43 <vinaypotluri> unrahul: +1
17:30:00 <hyakuhei> Excellent, thanks for coming guys, remember to hang out in #openstack-security when you can.
17:30:02 <hyakuhei> #endmeeting