17:01:12 <lhinds> #startmeeting security
17:01:13 <openstack> Meeting started Thu Sep 28 17:01:12 2017 UTC and is due to finish in 60 minutes.  The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:14 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:17 <openstack> The meeting name has been set to 'security'
17:01:22 <lhinds> #topic roll-call
17:01:26 <lhinds> any folks around?
17:01:29 <raildo> o/
17:01:34 <lhinds> hey raildo
17:01:49 <raildo> lhinds, hey sir :)
17:02:06 <ssathaye> o/
17:02:13 <ssathaye> hi luke
17:02:13 <lhinds> gagehugo / fungi / mdong
17:02:14 <fungi> i am semi-around
17:02:15 <gagehugo> o/
17:02:17 <lhinds> ssathaye hey!
17:02:30 <fungi> zuul v3 cutover is underway so i'm not paying super close attention in here
17:02:37 <lhinds> cool, that's enough to merit a meeting
17:02:40 <lhinds> no worries fungi
17:02:40 <aprice> This is Allison from the OpenStack Foundation. I had a question I would like to present to the security team about the Sydney Summit, but can ask once the agenda has been completed
17:02:41 <ssathaye> hey!
17:02:51 <lhinds> hi aprice
17:03:02 <fungi> aprice! fancy meeting you here ;)
17:03:14 <aprice> :)
17:03:16 <lhinds> aprice: I will make sure I keep some time...how long do you need?
17:03:43 <aprice> 5 minutes would be sufficient. I can be brief
17:03:49 <lhinds> np
17:03:56 <lhinds> #topic SIG
17:04:42 <lhinds> I spoke with Thierry at the PTG and he floated the idea of changing from a project to a SIG (special interest group)
17:04:53 <gj2017> o/
17:04:58 <gagehugo> makes sense imo
17:04:58 <lhinds> hi gj2017 !
17:05:31 <lhinds> I thought what we could do is digest this and read up, and then I will ask ttx along to the next meeting, and we can discuss pros / cons
17:05:37 <lhinds> #link https://wiki.openstack.org/wiki/OpenStack_SIGs
17:06:05 <fungi> for one thing, lhinds would no longer need to be a ptl!
17:06:14 <lhinds> seems like the structure would remain the same (which was my main consideration), just need to think about will it really improve things
17:06:49 <lhinds> fungi: there's that too...to be honest if it improves the dynamics of the group / project / SIG..I don't mind
17:07:05 <lhinds> shortest PRL ever :P
17:07:09 <fungi> heh
17:07:16 <lhinds> s/PRL/PTL
17:07:16 <raildo> lhinds, makes sense for me, since we have a couple of projects related to security, where this group tries to "unify discussions" across those teams
17:08:19 <lhinds> good point raildo , but I guess we can do that right now as well...for me it's more about bodies, more than name
17:08:22 <ssathaye> I think it makes a lot of sense too.
17:08:28 <lhinds> let's go over it next week though
17:08:35 <raildo> ++
17:08:53 <lhinds> sounds like it's a good idea for you though, so we can vote on it after giving folks time to digest and read
17:09:08 <lhinds> #topic Documentation
17:09:28 <lhinds> so we did a lot of work on a secrets management chapter:
17:09:30 <lhinds> #link https://review.openstack.org/#/c/451965/
17:09:56 <lhinds> this is almost final now, might be some nits that people can spot..but it's close to done now.
17:10:09 <lhinds> if anyone can have a review that would be great.
17:10:16 <gagehugo> lhinds I'll take another look at it
17:10:25 <raildo> lhinds, thanks for doing that, great work!
17:10:30 <gagehugo> raildo ++
17:10:53 <lhinds> as always, looking for more people to help out on docs.. anyone wants to get involved, just send me a message and will help you settle in
17:11:27 <lhinds> k, I think that's it for docs.
17:12:05 <lhinds> I am still doing a sweep through to check it's all relevant still and have a spec to go up soon on some possible tweaks
17:12:14 <lhinds> #topic bandit
17:12:46 <lhinds> mainly the hashlib.new() patch...
17:12:54 <lhinds> #link https://review.openstack.org/#/c/504544/
17:13:25 <lhinds> I think this is ready for mergies..I will try to reach ebrown and see if we can merge.
17:13:50 <gagehugo> ok
17:14:04 <lhinds> there are a few wishlists if anyone would like to take something on: https://bugs.launchpad.net/bandit
17:14:39 <lhinds> mdong anything for syntribos?
17:15:33 <lhinds> k.
17:15:40 <lhinds> #topic OSSN
17:15:46 <ssathaye> Can someone point a newbie to a simple thing to target on https://bugs.launchpad.net/bandit? lhinds?
17:16:09 <ssathaye> (wasn't fast enough, I suppose)
17:16:14 <lhinds> ssathaye: not too sure if anything simple there.. OSSN might be good for you though
17:16:14 <fungi> oh, right, i owe you errata for 0081
17:16:24 <lhinds> https://bugs.launchpad.net/ossn
17:16:28 <ssathaye> lhinds: ok
17:16:59 <lhinds> so a good OSSN to work on is 1703369
17:17:00 <lhinds> https://bugs.launchpad.net/ossn/+bug/1703369
17:17:02 <openstack> Launchpad bug 1703369 in OpenStack Security Notes "get_identity_providers policy should be singular" [Undecided,Confirmed] - Assigned to Luke Hinds (lhinds)
17:17:22 <lhinds> This is assigned to me, but I could sponsor someone on writing this should they be up for it>
17:17:25 <lhinds> ?
17:18:19 <lhinds> The ScaleIO issue I think needs more info on it last time I looked
17:18:33 <fungi> not sure if anyone saw my link to the oss-security thread on passlib.hash.sha512_crypt bits
17:18:35 <fungi> #link https://launchpad.net/bugs/1543048
17:18:37 <openstack> Launchpad bug 1543048 in OpenStack Identity (keystone) "support alternative password hashing in keystone" [High,Fix released] - Assigned to Morgan Fainberg (mdrnstm)
17:19:17 <lhinds> I never saw that fungi , do you have it handy?
17:19:32 <fungi> it's linked there
17:19:57 <fungi> the ossn likely needs revamping/lightening (if not retracting) at this stage, but i'll get something written up
17:20:41 <lhinds> ack, got you now fungi - thanks!
17:20:55 <lhinds> if we need to enter something into the security guide too, we can do that
17:20:59 <fungi> short answer is that passlib's sha512_crypt is the sha512-based unix password hash kdf, not just a bare sha2-512 hash
17:21:11 <lhinds> perhaps a checklist item, or `note:` section
17:21:26 <lhinds> #topic threat-analysis
17:21:37 <ssathaye> lhinds: looking closely at 1703369.
17:21:41 <ssathaye> I will let you know
17:22:01 <lhinds> thanks ssathaye , I can help out a lot on that one and we can meet whenever to go over it if you like
17:22:30 <lhinds> fungi, when zuul v3 calms down will ping you about keystone client
17:22:53 <lhinds> gagehugo: do you know anything about the others (pycadf etc)?
17:23:16 <gagehugo> lhinds we decided at the PTG to start writing docs for them
17:23:56 <lhinds> ok cool, sorry I did not make that discussion, did not catch the pings until later after the PTG
17:23:59 <gagehugo> similar to what we did for keystonemiddleware
17:24:01 <gagehugo> np
17:24:12 <gagehugo> you didn't miss too much
17:24:17 <lhinds> ok, please add me to any reviews if it helps.
17:24:22 <gagehugo> will do
17:24:42 <lhinds> right last five mins for sydney
17:24:53 <lhinds> #topic sydney security question
17:25:34 <lhinds> aprice: all yours..
17:26:11 <aprice> so we have a reporter that attends the Summits and he focuses on security. With his attendance, we give him a 40-minute breakout session and in the past what has worked successfully is partnering him with someone from the security team to talk about the latest updates with OpenStack security
17:26:32 <aprice> I wanted to open it to the team to see if anyone has the bandwidth at the Sydney Summit or would be interested in participating with him in a casual format.
17:27:23 <lhinds> I won't be present myself.
17:27:37 <lhinds> anyone else, i think gagehugo might be there
17:27:42 <fungi> this would be akin to the one we did in boston where i was on a panel with major, redrobot et al?
17:27:47 <aprice> correct
17:28:11 <gagehugo> I'll be there, but I can't say that I'm entirely familiar with what has been going on with security lately :(
17:28:12 <aprice> so it could be a panel with several folks or 1-2 people. we are pretty flexible on format
17:28:43 <fungi> yeah, sean kerner moderated. worked out well
17:28:51 <lhinds> we might be able to do it with different project people, so keystone, barbican ..
17:29:09 <fungi> right, i'd love to see us mix it up
17:29:20 <aprice> ok - I love that idea.
17:29:27 <lhinds> gagehugo: I guess you could do keystone
17:29:31 <gagehugo> that would work
17:29:35 <lhinds> dave-mcc_: are you in sydney?
17:29:39 <fungi> boston ended up the way it did because hyakuhei had to bow out so we wrangled some random project representatives on no notice
17:29:48 <fungi> but still worked great
17:30:12 <lhinds> I will add this for a topic for next week and we can add interested parties in there.
17:30:22 <aprice> and if there are any other recommendations on those other project teams, I am happy to reach out to folks directly
17:30:26 <aprice> lhinds: thanks!
17:30:48 <aprice> feel free to ping me directly here if you have anyone in particular that you hear from or you think it would be a good fit.
17:30:50 <fungi> consider me a potential backup panelist. i'll be in sydney, but i was on the last one so we should try to share the love
17:31:00 <lhinds> aprice: will track in here https://etherpad.openstack.org/p/security-agenda
17:31:08 <aprice> fungi: thanks! but yes, agree that it would be great to have more reps
17:31:16 <aprice> lhinds: awesome - will do
17:31:37 <lhinds> great, so we are at the end...very good meeting all, thank you so much for coming.
17:31:49 <ssathaye> thank you
17:31:50 <fungi> thanks for chairing, lhinds!
17:31:51 <lhinds> good to have new folks, so welcome ssathaye and gj2017
17:31:59 <ssathaye> :-)
17:32:06 <gj2017> ;-)
17:32:08 <lhinds> ssathaye: will ping you about OSSNs and helping out! many thanks
17:32:20 <ssathaye> Great! thx agn
17:32:29 <lhinds> see you all next week, and thanks gagehugo for covering for me last week
17:32:35 <lhinds> #endmeeting