17:01:23 <lhinds> #startmeeting security
17:01:24 <openstack> Meeting started Thu Aug  3 17:01:23 2017 UTC and is due to finish in 60 minutes.  The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:25 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:27 <openstack> The meeting name has been set to 'security'
17:01:34 <lhinds> #chair hyakuhei
17:01:35 <openstack> Current chairs: hyakuhei lhinds
17:01:43 <gagehugo> o/
17:01:58 <lhinds> hi gagehugo , not sure how many around this week?
17:02:09 <lhinds> #info roll call for security project members / cores...
17:03:39 <lhinds> michaelxin mdong maybe?
17:04:01 <lhinds> #topic agenda
17:04:05 <lhinds> #link https://etherpad.openstack.org/p/security-agenda
17:04:26 <lhinds> gagehugo: we can jump to yours first, as I guess some are on holiday still.
17:04:36 <gagehugo> ok
17:04:37 <lhinds> oh having said that, I bet fungi is around
17:04:52 <lhinds> #topic Keystone VMT Coverage
17:05:01 <lhinds> #link  https://review.openstack.org/#/c/447139/
17:05:08 <lhinds> how's this going now gagehugo ?
17:05:38 <gagehugo> I'm not sure what else to add, if there is anything else missing
17:05:46 <gagehugo> otherwise I assume all the info is in there?
17:05:57 <gagehugo> This is my first security-review doc
17:06:12 <fungi> yep
17:06:29 * fungi is always around, just juggling several things at once
17:06:38 <lhinds> hey fungi
17:06:51 <lhinds> gagehugo: architecture-page.rst looks good from a cursory look
17:06:57 <fungi> i have a reminder for this meeting, just took me a few minutes to spot it
17:07:02 <fungi> sorry
17:07:06 <lhinds> no worries fungi
17:07:19 <lhinds> appreciate you being here
17:07:43 <lhinds> gagehugo: Looks like /review-findings.rst needs some entries
17:08:11 <lhinds> unless I am misunderstanding the flow of work
17:08:29 <gagehugo> lhinds I wasn't sure if that was supposed to be filled out by the auditors?
17:09:13 <lhinds> gagehugo: understood, will be honest I don't know either. But I will find out, and speak with doug and co who devised this.
17:09:25 <gagehugo> I basically followed this: https://security.openstack.org/vmt-process.html
17:09:52 <gagehugo> and followed what barbican did
17:10:06 <gagehugo> https://github.com/openstack/security-analysis/tree/master/doc/source/artifacts/barbican/newton
17:10:35 <lhinds> fungi: were you part of the verification of the barbican threat analysis (as a gate for it reaching VMT approved)?
17:11:30 <fungi> lhinds: i was not, no
17:11:50 <fungi> the vmt mainly just wanted to see that someone had assembled and published and reviewed something we could refer to later
17:12:07 <lhinds> ack, I will look into this, we can then move it forward
17:12:56 <lhinds> #action lhinds to find out next steps for ksmiddleware threat analysis (specifically who reviews in doc review-findings.rst)
17:13:05 <gagehugo> please let me know if you find anything else that I should do as well
17:13:39 <lhinds> gagehugo: leave it with me, I don't expect the meeting will be on next week, but will email you / ping you on irc.
17:13:53 <lhinds> definitely want to make use of your good work
17:13:57 <gagehugo> lhinds sounds good!
17:14:04 <lhinds> thx gagehugo
17:14:07 <gagehugo> thanks for looking into this
17:14:27 <lhinds> so I don't believe we have any syntribos / bandit folks around now
17:14:33 <lhinds> #topic PTG
17:14:42 <lhinds> gagehugo: are you at the PTG at all?
17:14:53 <gagehugo> yup I am planning on being there
17:15:10 <fungi> i think i'm the only vmt member attending the ptg
17:15:39 <lhinds> ok cool, fungi gagehugo, if you're interested we will share rooms with barbican on wed/thurs
17:15:52 <fungi> though my time will be pretty heavily split between infra/tc/elections/release related discussions as well
17:15:54 <gagehugo> lhinds ok
17:16:05 <lhinds> we plan to go over custodia which is hoping to be an oslo driver
17:16:29 <lhinds> put simply, it means no more passwords hardcoded into configs, and instead there is a secure API that's used.
17:16:29 <fungi> if you have something you want vmt input on in some discussions there, please reach out to me and i'll try to drop in
17:16:44 <gagehugo> sure!
17:16:45 <lhinds> fungi: ack, sure will.
17:16:56 <gagehugo> yeah I might come by for custodia stuff
17:17:13 <lhinds> this is the planning pad:
17:17:15 <lhinds> https://etherpad.openstack.org/p/barbican-ptg-queens
17:17:28 <lhinds> feel free to put your name on (but it's not signing up as committed)
17:17:34 <gagehugo> will do
17:18:14 <lhinds> I expect we will also do some work on the security guide, including a sprint on key management. I will also add threat analysis
17:18:39 <lhinds> #topic OSSN
17:19:33 <mdong> o/ hey guys, sorry to be late, I can give some quick syntribos updates at the end if you’d like
17:19:36 <lhinds> fungi: I still have that last OSSN to get out, we currently have an embargoed one for a non VMT managed project that I allowed to jump to the front, so they have time to merge into master for pike.
17:19:43 <lhinds> hey mdong !
17:19:47 <lhinds> nice to see you man.
17:20:05 <lhinds> I think we can go to syntribos now
17:20:08 <mdong> good to be here =)
17:20:10 <lhinds> #topic syntribos
17:20:16 <fungi> lhinds: sounds good
17:20:35 <lhinds> mdong: are you at the PTG?
17:21:40 <mdong> cool, so after talking to team members who are using syntribos, one of the concerns they have on syntribos is performance, so the next thing we’re going to do is to address that by rewriting our HTTP client using asynchronous networking libraries
17:21:48 <mdong> since that is the main performance bottleneck
17:21:53 <mdong> no, I’m not at the PTG, unfortunately
17:22:29 <lhinds> sounds interesting mdong , which library did you decide on?
17:22:56 <mdong> Twisted looks promising
17:24:14 <lhinds> don't know it too well, but a colleague was using twisted.web and said it was pretty solid
17:25:12 <lhinds> I will make sure I bring up syntribos at the PTG to try and gather interest
17:25:16 <lhinds> thanks mdong
17:25:25 <fungi> i have some not-so-fond memories of twisted-python, but it's been a few years since i tried to use it for anything serious so hopefully it's improved
17:26:24 <fungi> for something that started out as a simple mud server backend, it got really complicated
17:26:27 <lhinds> python and anything asynchronous is a challenge I guess
17:26:53 <lhinds> ok, so we are almost at the .30 point and end of meeting
17:27:10 <lhinds> many thanks gagehugo , mdong and fungi for making it.
17:27:31 <lhinds> I don't expect the meeting will be on next week, as I am away and I don't think hyakuhei is around now.
17:28:03 <lhinds> so we can reconvene in two weeks (17th)
17:28:10 <lhinds> thanks all!
17:28:14 <lhinds> #endmeeting