17:01:00 <lhinds> #startmeeting security
17:01:01 <openstack> Meeting started Thu Sep  7 17:01:00 2017 UTC and is due to finish in 60 minutes.  The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:02 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:05 <openstack> The meeting name has been set to 'security'
17:01:11 <lhinds> #topic roll call
17:01:36 <lhinds> hyakuhei, gagehugo , mdong and others?
17:01:42 <gagehugo> o/
17:01:43 <lhinds> dave-mccowan
17:01:50 <lhinds> hey gagehugo
17:01:56 <gagehugo> hey!
17:01:58 <lhinds> michaelxin ?
17:02:08 <raildo> o/
17:02:12 <lhinds> raildo !
17:02:14 <lhinds> welcome
17:02:23 <raildo> hey lhinds :)
17:02:55 <lhinds> cool, will focus on the agenda parts pertinant to the audience
17:03:09 <lhinds> pertinent rather
17:03:19 <lhinds> #link https://etherpad.openstack.org/p/security-agenda
17:03:31 <lhinds> #topic agenda
17:04:24 <lhinds> So let's focus on bandit, custodia / PTG
17:04:34 <lhinds> and docs if we have time.
17:05:08 <lhinds> also is there any new / hanging out wants to say hi? (I invited a few during the week too)
17:05:12 <dave-mccowan> o/
17:05:21 <lhinds> any/anyone
17:05:25 <lhinds> hi dave-mccowan !
17:05:32 <rajathagasthya> Hi! New here and will be working on https://bugs.launchpad.net/bandit/+bug/1708582.
17:05:34 <openstack> Launchpad bug 1708582 in Bandit "Insecure hash functions created by hashlib.new() should be flagged" [High,Confirmed] - Assigned to Rajath Agasthya (rajagast)
17:05:44 <lhinds> hi rajathagasthya , great to have you!
17:05:50 <lhinds> thanks for taking on that bug
17:06:08 <lhinds> #topic bandit
17:06:12 <rajathagasthya> Thanks lhinds!
17:06:47 <lhinds> so really we have the nosecs in keystone (for sha1 false positives / HMAC) and the sha1 change itself.
17:07:18 <lhinds> I have triaged a lot of the issues as there was some old stuff from 2016 that I moved to wish list
17:07:44 <gagehugo> yeah I saw
17:07:52 <lhinds> Otherwise, I still plan to do the audit and find out who is missing and try and approach them during the PTG
17:08:05 <gagehugo> sounds good
17:08:19 <lhinds> and rajathagasthya as mentioned is working on hashlib.new() not being picked up (thanks)
17:08:57 <lhinds> i think that's it for now. unless you guys have a quick work to two on Bandit?
17:09:03 <lhinds> work/word
17:09:04 <rajathagasthya> lhinds: Any simple enough bugs I can take on? You mentioned you triaged some stuff.
17:09:35 <lhinds> rajathagasthya: , good point - I don't have them to hand, but let me add them to the etherpad for next meeting.
17:09:51 <rajathagasthya> Sounds good.
17:09:58 <lhinds> the queue is here: https://bugs.launchpad.net/bandit
17:10:48 <lhinds> ok, custodia / PTG
17:10:56 <lhinds> #topic custodia / PTG
17:11:09 <raildo> rajathagasthya, lhinds I suggest adding the flag "low-hanging-fruit" on those bugs, so it will be easier for new contributors to find them
17:11:25 <rajathagasthya> Will do, thanks.
17:11:28 <lhinds> raildo: good point, I can set up a tag
17:11:46 <lhinds> #topic custodia
17:11:59 <lhinds> so raildo , looks like you have some time now buddy?
17:12:05 <lhinds> @ the PTG that is
17:12:16 <raildo> yeap, more than I thought hahaha
17:12:51 <raildo> so, we'll have our first moment with the oslo team on Monday at 10:00-10:40 am
17:13:15 <raildo> (that time slot was changed)
17:14:16 <raildo> after that at 2:00-4:00 with the tripleo/deployment team, we have one topic in that time slot to discuss more about the k8s relation
17:14:56 <raildo> and how to integrate that idea with some other efforts, like using the k8s ConfigMap concept to manage configurations
17:15:36 <raildo> and finally, we will have a Custodia demo/walkthrough with the Barbican/sec team later in the week
17:15:40 <raildo> TBD
17:16:09 <lhinds> cool, dave-mccowan - how would you like to do the custodia slot, on the fly or set a time?
17:16:20 <gagehugo> yeah I need to make a schedule of events
17:16:44 <gagehugo> I'll def try to make the custodia meeting
17:16:44 <raildo> but if any of you guys want to talk with me about it at any other time, just ping me or send an email, I'm glad to talk about it :)
17:17:03 <dave-mccowan> on the fly works for me.  or if we need to block something to help attendance, that's good too.  just add a note to the wiki.
17:17:08 <raildo> gagehugo, please do :) would be great having your feedback on that topic
17:17:36 <dave-mccowan> here's the wiki: https://etherpad.openstack.org/p/barbican-ptg-queens
17:17:54 <dave-mccowan> we can also use the new ptg schedule page:
17:18:15 <dave-mccowan> http://ptg.openstack.org/ptg.html
17:18:53 <lhinds> what I would like to do, is have 20 minutes or so to discuss having custodia incubation in the security project.
17:19:29 <lhinds> raildo: this would be a bit like bandit above, just means extra eyes on helping with reviews, taking on bugs, blogs, security guide content etc.
17:19:51 <lhinds> does not mean we would be the drivers of the project, it would still look like any other project.
17:19:58 <lhinds> does not need to be permanent as well..
17:20:14 <lhinds> we can discuss that at the PTG though to dig into the details.
17:20:22 <raildo> lhinds, hum, that might be a tricky point, but it will be great to discuss it
17:20:35 <gagehugo> yeah that might be something good to discuss with people in the room
17:21:06 <dave-mccowan> i'm happy to offer the key management project as incubator as well, if our core team would be helpful.
17:21:15 <lhinds> raildo: yes mate, it's mainly about whether it's of value to custodia..
17:21:33 <lhinds> raildo: if not, then that's how it should be.
17:21:52 <lhinds> good point dave-mccowan
17:22:39 <lhinds> we can chew it over at the PTG, as I guess the oslo driver project aspect will have some play in the project as well.
17:22:59 <gagehugo> yeah
17:23:08 <lhinds> really though, it's about whatever helps the project get the traction it needs.
17:23:13 <dave-mccowan> yea, if oslo will adopt it, that's the better place.
17:23:20 <lhinds> +1
17:23:42 <lhinds> we can then be like a nice auntie :)
17:24:03 <raildo> lhinds, dave-mccowan actually I have to take more of a look at what "incubation" means for that case, since Custodia fits better as general key management, not only for OpenStack, and I don't want to have the idea of Custodia being a Castellan competitor since it's not even the same use case
17:24:54 <raildo> lhinds, so, I think that is a good point, and we are always open to help, I really appreciate that :)
17:25:13 <lhinds> raildo: ack, no worries
17:25:33 <lhinds> so we have five mins left..lets go over a few quick bits.
17:26:11 <lhinds> there is an OSSN in flight, if anyone is interested: https://review.openstack.org/#/c/499176/
17:26:28 <lhinds> a blog entry just gone up: http://openstack-security.github.io/security-notes/2017/09/01/openstack-security-notes.html
17:27:03 <lhinds> last point, should we hold this meeting still next week (with it being PTG)?
17:28:41 <lhinds> dave-mccowan: what do you do for barbican meetings during PTG?
17:29:08 <dave-mccowan> we usually cancel the IRC meeting
17:29:19 <gagehugo> yeah usually everyone cancels the irc meetings
17:29:19 <lhinds> I think we will do the same then.
17:30:07 <lhinds> so next meeting will be on the 21st, I will send an email out to -dev
17:30:44 <lhinds> ok, thanks all!
17:30:51 <lhinds> see some of you next week!
17:30:59 <lhinds> #endmeeting