15:00:54 <gagehugo> #startmeeting security
15:00:55 <openstack> Meeting started Thu Apr 26 15:00:54 2018 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:56 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:58 <openstack> The meeting name has been set to 'security'
15:01:10 <gagehugo> ping eeiden fungi gagehugo lhinds nickthetait browne
15:01:23 <fungi> ohai
15:01:28 <nickthetait> hey
15:02:00 <browne> o/
15:02:17 <gagehugo> o/
15:02:21 <eeiden> o/
15:02:32 <browne> the migration has started!
15:02:36 <gagehugo> yup
15:02:48 <gagehugo> #topic Bandit Migration
15:03:07 <gagehugo> browne so is bandit officially pycqa now?
15:03:09 <browne> so can someone add me back as core
15:03:27 <browne> https://github.com/PyCQA/bandit
15:03:55 <browne> gagehugo: yeah, more or less official now
15:04:24 <gagehugo> cool
15:04:35 <nickthetait> will there be a migration of open issues to github?
15:04:50 <gagehugo> I assume so yeah
15:04:56 <gagehugo> launchpad -> github
15:05:17 <gagehugo> might be worth re-evaluating them as we move as well
15:05:17 <browne> yeah, I'm planning to move all the bugs/features over to issues
15:05:37 <nickthetait> ok
15:06:39 <gagehugo> I think lhinds pushed a ps to delete most of the code on gerrit as well
15:06:43 <browne> btw, the new IRC channel will be ##python-code-quality for bandit
15:07:37 <gagehugo> browne is there anything else for the migration?
15:08:08 <browne> I think we're all working off of https://etherpad.openstack.org/p/bandit-migration
15:08:23 * gagehugo updates the agenda
15:08:36 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda
15:08:40 <browne> i think a bunch of code tweaks will be needed and removal of openstacky stuff
15:09:07 <gagehugo> I think lhinds has a pull request for that
15:09:19 <gagehugo> but the copyright may need to be reverted
15:09:25 <browne> yeah
15:09:32 <gagehugo> wasn't sure how that worked
15:10:49 <browne> i believe you can add copyrights, but not remove them
15:11:02 <gagehugo> ah
15:11:13 <gagehugo> makes sense
15:12:01 <gagehugo> I don't think there's any Tatu or Docs updates
15:12:24 <nickthetait> copyrights can be transferred tho https://www.copyright.gov/help/faq/faq-assignment.html
15:12:34 <fungi> which specific copyright statements are you concerned about in bandit?
15:12:48 <gagehugo> fungi https://github.com/PyCQA/bandit/pull/1
15:13:46 <fungi> yeah, so i would question whether any of that was actually authored by an employee of the openstack foundation (if so, it wasn't me at least)
15:14:28 <gagehugo> hmm
15:14:41 <fungi> openstack projects don't practice copyright assignment to the foundation, and the openstack foundation isn't set up to handle having copyrights assigned to it by other individuals they aren't employing directly
15:15:05 <browne> https://wiki.openstack.org/wiki/Documentation/Copyright
15:15:07 <fungi> so it's entirely possible that copyright entry was added by mistake
15:15:22 <browne> this link states that a doc page should have OpenStack foundation
15:15:23 <fungi> thanks browne, i was just looking for that
15:16:13 <fungi> browne: what part are you interpreting to indicate that documentation should be (c) openstack foundation?
15:16:41 <browne> In a Nova dev doc page, for example, the copyright notice should be "© 2013, https://wiki.openstack.org/wiki/OpenStack Foundation" if the content has been updated this year or "© 2012, https://wiki.openstack.org/wiki/OpenStack Foundation" if the content was last updated in 2012.
15:16:53 <fungi> i fear you're misinterpreting that section
15:17:00 <browne> maybe this is just an example
15:17:09 <fungi> it's talking about content which was previously copyrighted by "openstack, llc"
15:17:14 <browne> ah ok
15:17:21 <fungi> which was a copyright rackspace was using
15:17:35 <fungi> back before the foundation was formed in 2012
15:17:52 <fungi> rackspace handed over their existing openstack, llc copyrights to the openstack foundation
15:19:00 <fungi> but aside from things which were copyright openstack, llc back before 2012, the only things which should be copyright openstack foundation written since then would be things written by openstack foundation employees or as a work for hire by contract companies paid by the foundation
15:19:30 <fungi> so, e.g., content on www.openstack.org
15:20:17 <browne> fungi: could you add a comment to the PR
15:20:25 <fungi> the copyright entry in doc/source/conf.py ought to reflect the copyright in any of the docs content you have
15:20:41 <fungi> yep, happy to do so
15:21:07 <fungi> i'll want to do a little git pickaxing of that file first to determine where/when the line was added
15:21:13 <fungi> but happy to follow up there
15:21:29 <browne> most likely it was copy/pasted
15:21:45 <fungi> yep, that's what i expect as well
15:23:50 <browne> question: when migrating bugs to issues, do we care about closed bugs?  do we want that history?  if so, are there tools to migrate launchpad to github?
15:24:14 <nickthetait> will the info be lost otherwise?
15:24:27 <gagehugo> good question
15:24:48 <browne> yeah, I imagine launchpad will still have the history
15:25:03 <fungi> even if you close down bug reporting in lp, the existing bugs (open and closed) remain there
15:25:22 <fungi> you just no longer have a link from the project page for filing new bugs, and no bug index view for the project
15:25:42 <fungi> for that matter, you can't even stop people who find the old lp bugs from posting new comments
15:25:56 <nickthetait> that's kinda funny
15:26:16 <fungi> part of this is because lp's data model doesn't map bug reports directly to projects
15:26:31 <fungi> you have bug reports and then indicate one or more projects (and series) which are affected by them
15:26:40 <fungi> via bugtasks
15:26:58 <browne> ok, sounds like I don't need to bother with closed bugs
15:27:03 <fungi> so there aren't "bandit bugs" in lp, there are bugs which include "bandit bugtasks"
15:27:31 <browne> another question, what will happen with this: https://github.com/openstack/bandit
15:27:53 <fungi> that will continue to be a mirror of whatever is in review.openstack.org/git.openstack.org
15:28:14 <browne> ok, if that's the case, I think we need to point people to https://github.com/PyCQA/bandit
15:28:18 <fungi> so if you approve a change which deletes all content except a readme stating the project has moved elsewhere, then that's what will be in the gh mirror too
15:29:03 <gagehugo> ok
15:29:12 <browne> oh ok, lhinds has done this
15:30:15 <browne> we need to remove bandit from the zuul jobs
15:31:52 <browne> ok, I'll do a patch to remove bandit from project-config
15:32:49 * gagehugo lost track of time
15:33:12 <gagehugo> we can spill over to either the ##python-code-quality or #openstack-security channels
15:33:15 <gagehugo> #endmeeting