15:00:38 <lhinds> #startmeeting security
15:00:38 <openstack> Meeting started Thu Mar 22 15:00:38 2018 UTC and is due to finish in 60 minutes.  The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:39 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:43 <openstack> The meeting name has been set to 'security'
15:00:47 <lhinds> anyone else around (security folks?)
15:00:54 <gagehugo> o/
15:00:55 <nickthetait> me
15:01:05 <lhinds> cool! we have some life.
15:01:05 <fungi> i am here though also have tc office hour starting now
15:01:16 <lhinds> ack fungi
15:01:37 <fungi> ping me if you need me and i'll catch up
15:02:42 <lhinds> nickthetait: just approved your membership
15:02:55 <lhinds> #topic agenda
15:03:04 <lhinds> #link https://etherpad.openstack.org/p/security-agenda
15:03:28 <lhinds> anything interesting last week gagehugo we need to continue on?
15:03:57 <gagehugo> lhinds not really, ttx followed up on some of the spectre/meltdown
15:04:08 <lhinds> ok cool
15:04:28 <lhinds> how about the LCOO, do they have plans to seed some stuff in the SIG?
15:04:54 <gagehugo> eeiden o/
15:05:02 <eeiden> o/
15:05:36 <nickthetait> thanks lhinds
15:06:00 <gagehugo> lhinds decided to wait until this week to discuss LCOO
15:06:14 <gagehugo> last week was pretty light
15:06:28 <lhinds> gagehugo: ack, eeiden will ping you when the topic is on
15:06:40 <eeiden> perfect
15:06:48 <lhinds> #topic Docs
15:07:21 <lhinds> nothing new here, just a patch to remove `os`, I don't think we need that for spinx / tox stuff, but will double check
15:07:30 <lhinds> #link https://review.openstack.org/#/c/553421/
15:08:00 <lhinds> #topic Keystone Threat Analysis
15:08:17 <gagehugo> probably something that used to be used in there and leftover
15:08:24 <gagehugo> re: import os
15:08:44 <lhinds> gagehugo: I think so too.
15:08:49 <gagehugo> I added the pycrypto findings into the KSM vmt doc
15:09:03 <gagehugo> https://review.openstack.org/#/c/447139/
15:09:25 <lhinds> thanks gagehugo
15:09:39 <gagehugo> lhinds was there anything else that you think should be added to the review findings?
15:09:44 <lhinds> #action look into new central store for TA
15:09:56 <lhinds> gagehugo: nope, that should be it now..
15:10:09 <lhinds> I just need to look at the above and find a better more easily searched home for them.
15:10:27 <lhinds> and fungi we need to look at bringing the above into VMT's loving care
15:10:39 <lhinds> (keystone-middlewareclient)
15:11:18 <gagehugo> ok
15:11:44 <fungi> cool. next step i suppose is for the keystone team to propose the addition of the vulnerability:managed tag to that deliverable in the governance repo's reference/projects.yaml file?
15:12:05 <fungi> and make sure to refer to any threat analysis artifacts in the commit message
15:12:10 <lhinds> gagehugo: I guess you would be a good candidate for the above.
15:12:16 <gagehugo> sure
15:12:30 <gagehugo> lbragstad ^
15:12:33 <lhinds> I don't mean to keep piling actions onto you bud, but being a keystone core that would work
15:12:42 <lhinds> hey lbragstad
15:12:42 <gagehugo> yeah that's fine :)
15:12:58 <lhinds> great, so nice to have that one in the bag
15:13:03 <fungi> yeah, it's just best when tag additions like that come from the team responsible for the project in question (and get acknowledged by the ptl for it)
15:13:17 <fungi> raises fewer questions at the tc level
15:13:31 <gagehugo> fungi sounds good
15:13:31 <nickthetait> What does tc stand for?
15:13:35 <fungi> technical committee
15:13:38 <nickthetait> thx
15:14:10 <lhinds> lbragstad: gagehugo there are some other keystone siblings that were going to be proposed for TA iirc?
15:14:15 <fungi> #link https://governance.openstack.org/tc/ OpenStack Technical Committee
15:14:45 <gagehugo> lhinds yes
15:15:09 <gagehugo> pycadf, keystoneauth, oslo.policy
15:15:21 <gagehugo> s/policy/cache
15:15:35 <lbragstad> o/
15:16:11 <lhinds> great, I addded those to the pad, so we can look at kicking those off perhaps next meeting or two.
15:16:23 <gagehugo> sure
15:16:25 <lhinds> #topic Spectre/Meltdown mitigation
15:16:37 <lhinds> anything else here, ttx ?
15:16:50 <lhinds> I guess he might be busy in the other meeting.
15:17:50 <ttx> nope
15:17:52 <fungi> yeah, tc office hours
15:17:53 <gagehugo> heh
15:18:18 <ttx> Don't have much to add to what I said on the topic last week :)
15:18:28 <lhinds> no worries..I think we can skip POlicy Roadmap too, I need to contact some patrole folks and find out where we are
15:18:53 <lhinds> #topic LCOO
15:19:02 <lhinds> eeiden, floor is yours :)
15:19:25 <eeiden> Thanks lhinds!
15:20:36 <eeiden> I'm the current chair for LCOO [stands for Large Contributing OpenStack Operators -- essentially a group of larger companies working to promote and address operator-specific concerns within the community]
15:21:07 <nickthetait> which company do you work for eeiden ?
15:21:12 <eeiden> No solid plans from my end at the moment, but was hoping to sync up on priorities so that we can learn about/promote important security initiatives as a working group
15:21:13 <eeiden> AT&T!
15:22:41 <lhinds> eeiden: sounds good. so we moved to a sig in the hope of getting more users involved, so this fits us well.
15:23:05 <lhinds> have you found any topics have come up around sec yet, and what the 'in demand' features are for ops?
15:23:45 <lhinds> things that are making it a challenge to go to production for example (compliance maybe)?
15:24:20 <gagehugo> I know policy is a big one
15:25:25 <eeiden> I'm relatively new to the group, so haven't heard much from others. We'll be having a meeting shortly to discuss current priorities, so that's something I'll queue up for discussion.
15:25:48 <eeiden> But ghugo -- definitely policy
15:26:09 <lhinds> please do eeiden , I am happy to join...could you email the sig mailing list and with a date / agenda when set?
15:26:17 <eeiden> Absolutely!
15:26:22 <lhinds> others will likely jump on to then
15:26:32 <eeiden> would love to have you guys there
15:26:55 <lhinds> we will keep LCOO as an agenda item (ongoing), even if nothing new, its a touchstone
15:27:55 <lhinds> ok. lets skip thorugh the other items, as close to the 30 min mark
15:28:17 <lhinds> does not look like ebrown is here, regaring bandit migration to python QA tools
15:28:31 <lhinds> I also don't think Mr Tatu is here.
15:28:36 <nickthetait> is bandit being abandoned?
15:28:45 <lhinds> nickthetait: no, far from it.
15:29:02 <lhinds> nickthetait: its going to move to being part of the main python test tools
15:29:08 <nickthetait> oh neat :)
15:29:17 <lhinds> so will live alongside tools like pep8 lint etc.
15:29:33 <fungi> so relocating it's perceived association out of openstack and into the python testing community
15:29:37 <fungi> er, its
15:30:31 <lhinds> gagehugo: just noticed some new patches from ebrown, we could review those
15:30:50 <gagehugo> lhinds one is pretty simple, the other looks like still wip
15:30:53 <lhinds> oh sorry, you already have :)
15:31:11 <lhinds> that yaml typo is on its way in.
15:31:21 <lhinds> so last but not least.
15:31:27 <lhinds> #topic OSSN and OSSA
15:31:43 <lhinds> raises guilty hand, I need to work on clearing the OSSN back log
15:32:06 <lhinds> in the mean time if anyone is interested in writing some security notes, I will support you lots on your first one.
15:32:16 <lhinds> you and your company get a credit in the note.
15:32:30 <lhinds> best to read this if you're interested <goes to get link>...
15:32:51 <lhinds> #link https://openstack-security.github.io/security-notes/2017/09/08/openstack-security-notes.html
15:33:13 <lhinds> check it out nickthetait / eeiden see if its something you would like to get involved in.
15:33:40 <lhinds> fungi: anything big in OSSA that's public and needs some more eyes / views?
15:33:42 <eeiden> oh awesome, will do
15:34:08 <nickthetait> sounds like a good fit for me right now. invovles research and documentation right lhinds?
15:34:33 <lhinds> nickthetait: yes, very much. its a very good intro to working in openstack sec.
15:34:39 <lhinds> its how I started out
15:34:44 <nickthetait> nice
15:35:04 <lhinds> have a read, and you can email me or ping in irc
15:35:09 <lhinds> the current list is:
15:35:17 <lhinds> https://bugs.launchpad.net/ossn
15:35:32 <lhinds> ok, we are over time.
15:35:37 <lhinds> thanks all
15:35:44 <gagehugo> o/
15:35:56 <lhinds> nice to see some new names, you're very welcome here, please do come back again :)
15:36:01 <lhinds> #endmeeting