17:03:07 <lhinds> #startmeeting security
17:03:08 <openstack> Meeting started Thu Feb  8 17:03:07 2018 UTC and is due to finish in 60 minutes.  The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:03:10 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:03:12 <openstack> The meeting name has been set to 'security'
17:03:18 <lhinds> agenda:
17:03:21 <lhinds> #link https://etherpad.openstack.org/p/security-agenda
17:03:39 <lhinds> please do add if you have something and we will see if we can fit it in.
17:03:47 <lhinds> #topic PTG planning
17:04:00 <lhinds> #link https://etherpad.openstack.org/p/security-ptg-rocky
17:04:11 <lhinds> we have some new additions.
17:04:33 <lhinds> a project called tatu that I have not had a chance to read up on yet.
17:04:55 <lhinds> " OpenStack SSH (Certificate management and bastion hosts) as a Service"
17:05:33 <lhinds> other news, we have a room set for Monday
17:05:34 <gagehugo> hmm
17:05:46 <lhinds> I expect we can get most done in a full day
17:06:30 <lhinds> gagehugo: would you be able to check if keystoners can make it in for the Policy Security Roadmap discussion?
17:06:48 <gagehugo> yeah, where is the schedule at?
17:07:12 <gagehugo> oh it's on the site now
17:07:20 <fungi> maybe kmalloc can weigh in there
17:07:40 <gagehugo> we should figure out a time then
17:07:50 <lhinds> fungi: yup, kmalloc would be a great help in that discussion
17:07:58 <gagehugo> definitely
17:08:21 <lhinds> gagehugo: have keystone got a room on Monday? I think the first two days are x project stuff?
17:08:47 <lhinds> just thinking if I need to schedule around keystone activities?
17:09:06 <lhinds> #action lhinds set agenda
17:09:18 <gagehugo> lhinds I think we're doing policy/scope stuff mon/tue
17:09:45 <lhinds> so you plan to cover this in the keystone room?
17:10:08 <gagehugo> most likely, but that won't be until wed-fri
17:10:18 <gagehugo> would like to pull people in on Monday
17:10:26 <gagehugo> lbragstad
17:10:32 <gagehugo> ^
17:11:02 <lbragstad> o/
17:11:31 <gagehugo> lbragstad can we setup a time monday to meet with security for the vmt keystonemiddleware coverage?
17:11:34 <lbragstad> are we going to go over RBAC security stuff with the security team/
17:11:40 <gagehugo> that too
17:11:43 <lbragstad> oh - sure
17:11:48 <lbragstad> let me grab the schedule
17:12:08 <lbragstad> this is what we have open for wednesday - friday
17:12:10 <lbragstad> #link https://etherpad.openstack.org/p/keystone-rocky-ptg
17:12:38 <lbragstad> this is what we have for availability on monday and tuesday
17:12:41 <lbragstad> #link https://etherpad.openstack.org/p/baremetal-vm-rocky-ptg
17:12:54 <lbragstad> since keystone is going to be involved in a bunch of cross-project discussions those days
17:13:01 <gagehugo> so sometime between 1330-17
17:13:08 <gagehugo> for monday anyway
17:13:09 <lhinds> thx lbragstad
17:13:12 <lbragstad> yep
17:13:20 <lbragstad> monday afternoon is pretty open at this point
17:13:41 <lbragstad> we also have several open times wednesday - friday for the VMT stuff, since that's probably more project specific
17:13:59 <lhinds> friday would be good
17:14:05 <fungi> whatever time you pick for the vmt coverage discussion, i'll try to prioritize that in my schedule
17:14:23 <lhinds> as we only have a room on Monday (and need a little of the afternoon for some other topics)
17:14:31 <gagehugo> sure
17:14:34 <lbragstad> awesome - friday we're setting time aside to do peer-reviews and peer-programming (hopefully)
17:14:40 <fungi> though hopefully kmalloc can be in on the ksm vmt discussion even if i have a conflict
17:14:58 <lbragstad> so we should have plenty of time to dig into the vmt stuff then
17:15:24 <lhinds> lbragstad / gagehugo for the threat review do you want to come over the security room?
17:15:34 <lbragstad> sure
17:15:38 <lbragstad> i'm fine with that
17:15:41 <gagehugo> same
17:16:13 <lhinds> ok cool, I will set our agenda to have the keystone threat analysis discussion at 13:30?
17:16:29 <lhinds> s/keystone/keystonemiddleware
17:17:15 <lhinds> Done: https://etherpad.openstack.org/p/security-ptg-rocky
17:17:24 <lhinds> I will set the others over the next few days
17:17:40 <gagehugo> cool
17:18:02 <lhinds> so that's the main things for the PTG
17:18:14 <lhinds> anyone have anything to add?
17:18:27 <lhinds> fungi: any VMT x-discussions you want to have?
17:18:48 <lhinds> perhaps how things will work when we become a SIG?
17:19:39 <fungi> maybe... it's as much a tc discussion as anything i think
17:20:09 <lhinds> fungi: true, should we put it to a TC discussion?
17:20:15 <fungi> i'm in favor of doing the sig transition first and then the vmt can put together whatever tc resolution we need to just have a delegation process or something for vmt efforts
17:20:35 <fungi> i'd rather not unnecessarily complicate the security sig formation
17:21:02 <fungi> the vmt isn't going to stop doing what it does regardless of the resulting formality of its charter
17:21:35 <lhinds> ack, makes sense. we have some discussions around the SIG during the PTG too, so what comes out of there.
17:21:36 <fungi> and the vmt members are still likely to be participants in the sig
17:21:54 <lhinds> good to hear :0
17:21:57 <fungi> (not speaking for anyone else, but i intend to anyway)
17:22:16 <lhinds> ok, moving on to Bandit
17:22:20 <lhinds> #topic Bandit
17:22:29 <lhinds> new contributor!
17:22:38 <fungi> excellent news
17:22:39 <lhinds> a few patches in which is nice.
17:22:47 <browne> yay!
17:22:53 <lhinds> https://review.openstack.org/#/q/project:openstack/bandit
17:23:08 <lhinds> nice to see some django stuff
17:23:42 <lhinds> I think he needs some help with the developer flow around gerrit
17:24:05 <lhinds> I will drop him an email. shall I include you gagehugo ?
17:24:21 <lhinds> / browne
17:25:04 <browne> yeah, so I wanted to pitch possibly moving Bandit to the Python Code Quality Authority on GitHub
17:25:23 <lhinds> do you have a link browne ?
17:25:25 <browne> Bandit really has only one plugin that is specific to OpenStack
17:26:01 <browne> yeah, let me find it
17:26:01 <lhinds> https://github.com/PyCQA ?
17:26:14 <lhinds> browne: ^
17:26:27 <browne> ha, yep
17:26:42 <browne> so that's the home of pylint, flake8 and many other linters
17:26:48 <lhinds> browne: have you already discussed this with PyCQA? were they receptive to the idea?
17:27:00 <browne> so makes sense to put bandit there also.  but i need to ask them if they are ok with it
17:27:18 <browne> i know signmavirus liked the idea a while back
17:27:28 <lhinds> so I personally have no objection to that myself
17:27:53 <gagehugo> sure
17:27:54 <lhinds> especially if it helps the project gain more contributions / testers and users (which I think it will)
17:28:10 <browne> cool.  yes, i do think it'll allow it to gain contributions
17:28:29 <fungi> in the spirit of embracing the wider python ecosystem and making it clear this tool is of general interest, i think it's a great idea
17:28:33 <lhinds> browne: would gagehugo and I perhaps be able to get some sort of merge oversight (perhaps join the org)?
17:28:37 <browne> alright, i'll talk with pycqa folks and see if they are ok with it
17:28:42 <lhinds> I guess you would need to ask that first
17:29:07 <browne> yeah, i think we could maintain the same core (maintainers) in github
17:29:25 <gagehugo> yeah I'm fine with that
17:29:35 <lhinds> that way we can be there as key stakeholders to ensure nothing breaks anything for openstack
17:29:46 <browne> other question, is there someone in the openstack side to ask about removing a project from that domain
17:30:41 <lhinds> please enlarge on removing a project?
17:30:49 <lhinds> do you mean from a config somewhere?
17:31:11 <browne> yeah, config, gerrit, etc
17:31:25 <browne> not sure how that's generally handled
17:31:42 <fungi> if you're concerned about changes to bandit after moving to github breaking openstack use cases, the infra team is now piloting jobs in our ci system reporting on pull requests for projects developed in github
17:31:53 <lhinds> we will need to do some due diligence there.
17:32:18 <lhinds> lets see what they say (PyCQA) and we can take it from there.
17:32:27 <browne> ok sounds good
17:32:35 <lhinds> a lot of the planning side of the migration could be fleshed out at the PTG
17:32:40 <fungi> right now our zuul is running shade integration tests incorporating pull requests from ansible/ansible on github and reporting back results on them
17:32:50 <gagehugo> hmm
17:32:53 <fungi> acting as a third-party ci system basically
17:33:19 <lhinds> fungi: that would be good. we could then run Bandit against some key projects and ensure it passes
17:33:32 <lhinds> right, we are out of time folks.
17:33:36 <fungi> yeah, or, you know, whatever
17:34:00 <fungi> browne: we have a documented repository retirement process too
17:34:07 <lhinds> I will add this to the agenda and browne please let us know what the python peoples say
17:34:14 <fungi> i can provide links to the documentation when the time comes
17:34:25 <lhinds> +1 fungi
17:34:37 <fungi> we have used it for other repos which moved from gerrit to github
17:35:20 <browne> lhinds:  will do
17:35:36 <lhinds> cool thanks
17:35:51 <lhinds> right great meeting everyone, feels like the band is back together again :)
17:36:19 <lhinds> see you all again next time!
17:36:37 <lhinds> thanks all!
17:36:39 <gagehugo> o/
17:36:42 <lhinds> #endmeeting