17:00:15 <hyakuhei> #startmeeting Security
17:00:16 <openstack> Meeting started Thu Feb  9 17:00:15 2017 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:17 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:19 <openstack> The meeting name has been set to 'security'
17:00:20 <unrahul> o/
17:00:25 <vinaypotluri> o/
17:00:36 <sigmavirus> o/
17:00:44 <dave-mccowan> o/
17:00:51 <knangia> o/
17:01:09 <aasthad> o/
17:01:46 <capnoday> o/
17:01:55 <hyakuhei> Hey guys :D
17:02:08 <hyakuhei> I've been back to back all day, I'll just update the agenda now
17:02:18 <hyakuhei> oh wait
17:02:23 <hyakuhei> Someone else did it.
17:02:26 <hyakuhei> OMG.
17:02:31 <hyakuhei> The agenda fairy
17:02:38 <unrahul> :D
17:02:44 <hyakuhei> I'm assuming that's sigmavirus ?
17:02:53 <hyakuhei> #link https://etherpad.openstack.org/p/security-agenda
17:03:03 <sigmavirus> Yes that was
17:03:12 <capnoday> ty
17:03:16 <hyakuhei> ty sir!
17:03:23 <vinaypotluri> great
17:03:34 <hyakuhei> ok, so lhinds passed his apologies for not being able to make it today
17:03:37 <sigmavirus> Just one item
17:04:39 <hyakuhei> Added a couple but lets start with OSSN
17:04:42 <hyakuhei> #topic OSSN
17:05:02 <hyakuhei> A couple of embargoed OSSN will go out this week, I think they've already gone to the pre-notify people
17:05:17 <hyakuhei> There's a public OSSN that needs an owner: https://bugs.launchpad.net/ossn/+bug/1606495
17:05:17 <openstack> Launchpad bug 1606495 in OpenStack Security Notes "copy_from in api v1 allows network port scan" [Undecided,New] - Assigned to Travis McPeak (travis-mcpeak)
17:05:52 <hyakuhei> tmcpeak says he is fine with it
17:06:50 <hyakuhei> Ok, no one wants it. That's ok I'll un-assign it for now
17:07:11 <hyakuhei> sigmavirus did you add the other one?
17:08:19 <sigmavirus> I did
17:08:35 <sigmavirus> It was more of a "Should we have an OSSN about this given that it's in the public now?"
17:08:52 <hyakuhei> Oh I see
17:08:57 <sigmavirus> I tend towards not, because it's a problem that's disregarded across openstack (drivers disabling TLS verification)
17:09:33 <sicarie> sigmavirus: if not, is that in the driver documentation (or service documentation)?
17:09:35 <hyakuhei> Interesting. If that is the case then we should probably still have an OSSN but regarding TLS being disabled in many services.
17:09:45 <sicarie> +1
17:10:15 <sigmavirus> sicarie: it's not. And I only have that opinion because I tried to fight this battle in glance's glance-store project before
17:10:34 <sicarie> then I'm of the opinion we should have an OSSN
17:11:11 <hyakuhei> I'm inclined to agree
17:12:26 <hyakuhei> sigmavirus thoughts?
17:12:42 <sigmavirus> I'm always in favor of telling people their software is doing silly things
17:13:03 <sigmavirus> I think it would be valuable if we gave driver authors some common patterns to use though for dealing with this
17:13:23 <sigmavirus> i.e., drivers should be able to handle client certificates, certificate authority pem paths, and toggling verification
17:13:48 <sigmavirus> That's an ideal though, and I don't know how many of those drivers use requests, but those are all things they'd just need to pass into requests
17:14:06 <sigmavirus> For socket level stuff, I can also provide some documentation around doing it correctly there too
17:14:10 <sigmavirus> But that's a separate concern
17:14:13 <hyakuhei> It gets messy when there's so many different implementations
17:14:16 <sicarie> So IMO that should be sec-guide material, specific drivers disabling TLS in a service should be an OSSN
17:14:22 <hyakuhei> +1
17:14:35 <sigmavirus> agreed
17:14:41 <sigmavirus> I meant that should all be in addition to the OSSN
17:14:42 <hyakuhei> Though it would be nice if the OSSN could point to the relevant info in the sec guide.
17:14:50 <sigmavirus> Because too many driver authors don't know any of this
17:15:03 <sicarie> +1 hyakuhei I'll see what I can do
17:16:45 <michaelxin> sigmavirus: Are you still working on Glance Project?
17:16:58 <sigmavirus> michaelxin: for certain quantities of "work"
17:17:10 <sigmavirus> Just like I still work on this project
17:17:17 <sigmavirus> And the 4 others I'm assigned to work on
17:17:51 <hyakuhei> sheesh
17:18:37 <hyakuhei> ok, so we're agreed
17:18:46 <hyakuhei> Next up, security docs
17:18:52 <hyakuhei> #topic Security Guide
17:18:59 <hyakuhei> We had a productive conversation last week
17:19:14 <hyakuhei> My key concern is still that we need other teams to be more involved.
17:19:43 <hyakuhei> I was considering sending out a plea to the mailing list, which I might still do, however, I wondered if we should try to coordinate this with something at the PTG too
17:21:00 <hyakuhei> Hmm, no thoughts on that, ok, well I'll wait for the PTG then.
17:21:03 <unrahul> We, the OSIC ppl, would be contributing to the sec guide from now on as we discussed last week. We have initiated talks with the docs PTL and she has given us some pointers on things where we can contribute, around 26 bugs for now..
17:21:10 <unrahul> michaelxin: ^
17:21:17 <hyakuhei> Oh excellent
17:21:27 <hyakuhei> I'd still like project teams to be more involved
17:21:40 <unrahul> hyakuhei:  agreed ..
17:21:45 <michaelxin> we finished our priority planning for next cycle. I put helping with the security guide into it. OSIC is ok with it.
17:21:54 <hyakuhei> Excellent!
17:22:11 <knangia> michaelxin: +1
17:22:30 <ankur-gu_> +1
17:22:33 <hyakuhei> ok cool, lets move swiftly on :)
17:22:45 <hyakuhei> #topic Barbican SimpleCryptoThingy
17:22:50 <hyakuhei> #link https://review.openstack.org/#/c/431228/2/specs/pike/enhance-simple-crypto.rst
17:22:58 <hyakuhei> Crypto monkeys, Attack!
17:23:08 <hyakuhei> That is to say, please give this a thoughtful review.
17:23:14 <hyakuhei> I've put a cautious -1 on there at the moment
17:23:26 <hyakuhei> @dave-mccowan fyi ^^^
17:23:56 <dave-mccowan> hyakuhei thanks!  please, all, provide input early in Pike, so we have time to implement. :-)
17:24:19 <hyakuhei> Cool, you all heard the man, have at it!
17:24:52 <hyakuhei> We're doing well time wise, lets move to AOB
17:24:56 <hyakuhei> #topic Any Other Business
17:25:20 <hyakuhei> I won't be available for a meeting next week because of the way my travel has fallen regarding the PTG
17:25:31 <hyakuhei> Are others happy to take it or should we postpone?
17:25:43 <hyakuhei> oh and a reminder to keep this up to date
17:25:45 <hyakuhei> #link https://etherpad.openstack.org/p/ptg-security-team
17:26:10 <hyakuhei> sicarie did you get auth to go ?
17:26:20 <sicarie> I got time, but not funding
17:26:24 <sicarie> so I will not be attending
17:26:56 <capnoday> :(
17:27:07 <sicarie> +1
17:27:20 <hyakuhei> booo, sorry to hear that sicarie
17:27:27 <hyakuhei> ok, anything else to discuss?
17:28:21 <unrahul> hyakuhei: We are working on glance testing from this week; had a very productive meeting with the glance PTL. Nothing as of yet on bugs, will keep you all posted.
17:28:33 <unrahul> Also we have one more person who joined our team
17:28:35 <unrahul> aasthad:
17:29:01 <hyakuhei> welcome aasthad!
17:29:20 <aasthad> Hello everyone.. I am happy to be a part of the OSIC security team..
17:29:20 <sigmavirus> hyakuhei: calling back to your question, if people want to have the meeting, I'm happy to chair it
17:29:37 <hyakuhei> Thanks sigmavirus, might as well see what happens then :)
17:29:47 <hyakuhei> ok that's time people! Thanks everyone, thanks sigmavirus for your help!
17:29:51 <hyakuhei> #endmeeting