17:00:52 <lhinds> #startmeeting security
17:00:53 <openstack> Meeting started Thu Oct 12 17:00:52 2017 UTC and is due to finish in 60 minutes.  The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:55 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:58 <openstack> The meeting name has been set to 'security'
17:01:05 <lhinds> #topic roll-call..
17:02:51 <openstack> macermak: Error: Can't start another meeting, one is in progress.  Use #endmeeting first.
17:03:00 <lhinds> hi macermak
17:03:06 <macermak> hi, lhinds
17:03:18 <lhinds> just waiting to see if more turn up
17:04:05 <lhinds> macermak: I will try and dig into these zuul failures tomorrow that are holding up your bandit patch
17:04:50 <gagehugo> o/
17:04:55 <lhinds> hey gagehugo
17:05:02 <gagehugo> zuul is very unstable atm
17:05:07 <mdong> o/
17:05:14 <macermak> lhinds, Thank you, I have no idea why it fails.
17:05:37 * fungi is sort of around, but dealing with infra wildfires
17:05:42 <lhinds> macermak: it's not your code, it's like gagehugo says, it's not happy right now since they tried to upgrade to 3
17:05:50 <mdong> syntribos is also running into the same errors as bandit, it looks like
17:05:52 <lhinds> hey mdong
17:06:31 <lhinds> #topic agenda
17:06:39 <lhinds> #link https://etherpad.openstack.org/p/security-agenda
17:06:58 <lhinds> should be a lite meeting tonight, but anyone can add something should they wish to...
17:06:58 <fungi> for the record, the current issues are all unrelated to zuul v3 (broken xenial package mirroring, logs site filling up, et cetera)
17:07:03 <macermak> lhinds, I've read about the update, no problem, I get it.
17:07:51 <lhinds> fungi: This seems the common failure in bandit gate "ERROR: These requested packages were not installed:" ...followed by big list of OS packages
17:08:42 <fungi> lhinds: yep, that's a problem with our ubuntu xenial package mirror being several days behind due to updating breaking, and then images got built with newer packages (because our image building doesn't use our package mirrors) which leads to apt getting confused over version dependencies when trying to install things
17:09:13 <fungi> basically it tries to install something from the mirror and has newer packages already installed for something else with similar dependencies, but they disagree about which version they were built against
17:09:23 <gagehugo> ah
17:09:26 <fungi> and so it gives up
17:09:55 <lhinds> makes sense, so we will just wait for that issue to resolve and then see if we have anything specific to bandit failing
17:10:20 <lhinds> ok, I will spin through the agenda
17:10:27 <lhinds> #topic documentation
17:10:43 <lhinds> all clear for patches now: https://review.openstack.org/#/q/project:openstack/security-doc
17:11:13 <lhinds> If anyone is interested in working on security docs, we have a nice bug list now...
17:11:46 * lhinds hunts for URL
17:12:05 <lhinds> #link https://bugs.launchpad.net/ossp-security-documentation
17:12:12 <lhinds> actually, will add this to the pad
17:12:28 <lhinds> #topic Bandit
17:12:45 <lhinds> so macermak, we have your contribution.
17:12:58 <lhinds> I guess this is waiting on gate, I promise I will make a review tomorrow
17:13:10 <lhinds> and it looks like you fixed up ebrown's nits
17:13:17 <lhinds> thanks for contributing
17:13:43 <lhinds> Rajath's patch should be good to go too, once the gate is functioning again.
17:13:47 <macermak> lhinds, thank you.. I tried to fix as many things as I could. I was told about the blueprint thing, dunno exactly how that works. Should I make one?
17:14:31 <lhinds> typically that is ideal, but no concern now that you're this far.. although I can't confess to knowing much about the plugin yet
17:14:44 <lhinds> I can show you where a blueprint goes though for next time.
17:14:56 <gagehugo> macermak what is that formatter going to be used for?
17:15:03 <lhinds> plugin / formatter
17:15:10 <gagehugo> just curious
17:17:00 <macermak> okay.. gagehugo: besides being another option for customizing the output, I am planning to add bandit as a plugin to csmock, and since csmock has its own customized parser, which is based on gcc/pylint-like output, I found a new formatter for bandit would be ideal
17:17:38 <macermak> bandit will then be available as another tool for static analysis
17:17:58 <gagehugo> https://github.com/kdudka/csmock
17:18:02 <gagehugo> is that it?
17:18:09 <macermak> Yeah, I was just about to paste it
17:18:13 <gagehugo> interesting
17:18:36 <lhinds> ^ +1
17:18:49 <lhinds> so scan python-<application>.srpm's?
17:19:57 <macermak> lhinds, yes
17:20:03 <lhinds> so macermak, do you expect 'custom' to be a formatter used by any project who needs it, or is it quite specific to csmock?
17:20:17 <lhinds> I am just thinking if this should be a csmock formatter
17:20:49 <gagehugo> yeah if this is only designed for csmock, I would change the patch to specify that
17:23:29 <macermak> I believe that the output using this formatter is very flexible and can be used in various ways. Moreover (and this is not completely up to me, though), we are considering adding a bandit scan as an optional output to our coverity scan implementation - it will be tested on csmock first
17:24:05 <macermak> hence, as for the name, I don't think csmock formatter would be very precise
17:24:42 <lhinds> ok, makes sense.. and I cannot see anything specific in the tags you introduce.
17:25:09 <macermak> It allows the user to access the report variables directly and parse them as the user wants, which had not been possible before
17:25:27 <lhinds> macermak: ack.
17:25:36 <lhinds> I will make sure I take a look tomorrow
17:25:41 <macermak> Thank you.
17:25:52 <lhinds> ok time is moving on towards the end
17:26:12 <lhinds> mdong: anything important for Syntribos?
17:26:37 <mdong> Finally got reviews on multithreading patch, I’m just waiting for the zuul errors to clear up
17:26:58 <lhinds> mdong: yep I saw that, that's good
17:27:03 <mdong> after that merges, probably going to cut a release
17:27:10 <lhinds> mdong: cool!
17:27:29 <lhinds> mdong: we could do a blog post , after release
17:27:46 <lhinds> that will get picked up by planet.openstack.org
17:27:47 <mdong> oh, that’d be great!
17:27:53 <lhinds> let's do it!
17:28:06 <mdong> =)
17:28:12 <lhinds> so for OSSN, there is only one outstanding, but it needs more info still
17:28:45 <lhinds> last but not least, I have not forgotten the STIG discussion, that might be on again next week
17:29:10 <lhinds> and threat analysis possibly next week too, when fungi and I are freed up a bit more.
17:29:30 <lhinds> well fungi is never really freed up, but he does not need to be, I will take the lead on it.
17:29:38 <lhinds> ok, any other burning business?
17:29:49 <gagehugo> lhinds we might be pushing more threat analysis docs up for keystoneauth/oslo soonish
17:29:56 <gagehugo> just fyi
17:30:08 <lhinds> gagehugo: sounds great, look forward to it, and thanks for the efforts
17:30:28 <lhinds> ok, bang on :30 so thanks all, and see you next week
17:30:36 <lhinds> #endmeeting