15:00:23 #startmeeting security
15:00:24 Meeting started Thu May 3 15:00:23 2018 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:25 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:27 The meeting name has been set to 'security'
15:00:39 ping eeiden fungi gagehugo lhinds nickthetait browne
15:00:46 #link https://etherpad.openstack.org/p/security-agenda
15:00:49 o/
15:00:56 hi everyone
15:01:07 hey nickthetait
15:01:35 as usual, i'm mostly focused on tc office hour, but ping me if something needs my input here
15:01:51 will do
15:02:04 o/
15:02:17 o/ jessegler
15:02:53 give people another minute or so
15:04:20 #topic Bandit Migration
15:04:33 #link https://etherpad.openstack.org/p/bandit-migration
15:05:03 I saw that the change to remove bandit gating merged
15:05:10 so https://review.openstack.org/#/c/564453/ will hopefully pass now
15:05:11 patch 564453 - bandit - Project Migration to PyCQA
15:06:00 that's a big change set :O
15:06:28 nickthetait yup, it'll change the openstack repo to point people to the new one on pycqa
15:06:31 #link https://github.com/PyCQA/bandit
15:07:08 so as far as the bandit code itself, this should include "everything" required to move it over?
15:08:04 on the openstack repo side
15:08:14 the migration is done afaia
15:08:50 nice
15:09:15 I know browne was spending a good part of last week migrating the launchpad bugs to github issues
15:09:47 but I think so far everything is moving good
15:10:03 #topic PTG (denver)
15:10:24 would like lhinds here for this, but does anyone know if they can attend?
15:10:37 I will be
15:10:54 cool
15:11:08 Only a 1 hour drive away :)
15:11:11 I haven't gotten approval yet, but I'll update once I know
15:11:13 oh nice
15:11:53 Denver was pretty cool last fall when we were there
15:12:34 #topic Tatu
15:12:42 I'm not aware of any updates here
15:13:45 #topic Documentation
15:14:02 same here, nothing to update atm
15:14:59 #topic #OSSN
15:15:22 Is this one ready to start turning into a notice? https://bugs.launchpad.net/ossn/+bug/1699573
15:15:23 Launchpad bug 1699573 in OpenStack Security Notes "ScaleIO volumes contain previous data" [Undecided,New]
15:15:32 not sure if all the software changes have happened yet
15:16:08 i've also been told by a friend at emc that it's no longer called "scaleio"
15:16:43 looks like https://review.openstack.org/#/c/555546/ merged
15:16:44 patch 555546 - cinder - ScaleIO: Prevent usage of unsafe volumes (MERGED)
15:16:59 yep
15:17:18 fungi is there a new name for it?
15:17:37 they renamed the product to something like "VxFlex OS" (though i suppose that's immaterial from the standpoint of the ossn)
15:18:28 ah
15:18:39 the engineers are annoyed because it's not an operating system, but marketing seemed to think that name would sell it better
15:18:49 fungi: if you can find a public press briefing for me I'll update the naming when making the ossn
15:18:49 lol
15:19:27 we probably ought to stick to whatever naming cinder is using for the driver anyway
15:19:40 ok
15:22:17 #topic OSSA
15:22:27 any updates here?
15:23:20 #link https://bugs.launchpad.net/ossa/ Public OSSA bugs under review
15:23:35 as usual, that's a great place for people who want to pitch in to help the vmt
15:24:19 #link https://security.openstack.org/ossa/OSSA-2018-001.html OSSA-2018-001: Raw underlying encrypted volume access
15:24:36 that one happened a couple weeks ago, but i didn't get a chance to mention in last week's meeting
15:25:00 first advisory of the year, which seems pretty good
15:25:20 interesting
15:26:04 even better that it's only a denial of service vector
15:26:47 roughly how many ossas were there in 2017?
15:31:02 * gagehugo fails at searching by age opened in launchpad
15:31:57 looks like ~11 or so
15:32:13 if I didn't completely mess up this advanced search
15:32:34 #topic Threat Analysis Documents
15:32:55 there's a couple drafts for pycadf and oslo.cache up
15:33:09 #link https://review.openstack.org/#/c/527202/
15:33:09 patch 527202 - security-analysis - Initial draft for Oslo.Cache Review
15:33:22 #link https://review.openstack.org/#/c/529945/
15:33:22 patch 529945 - security-analysis - Initial draft for pyCADF security review
15:33:43 I need to take a look at them when I get a chance
15:34:56 nickthetait: only 6 in 2017
15:35:07 #link https://security.openstack.org/ossalist.html OpenStack Security Advisories
15:35:21 ok thanks
15:35:24 (as opposed to 13 in 2016)
15:35:32 fungi thanks
15:36:55 is there somewhere that I can subscribe to new threat analysis documents?
15:38:56 I'm subbed on launchpad: https://bugs.launchpad.net/ossa
15:39:03 ossn too
15:40:32 #topic Chair Rotation
15:40:34 so these analysis docs will either not be a real threat or into ossa/ossn?
15:41:02 nickthetait I believe they are triaged in ossa/ossn once submitted
15:41:12 ok
15:41:26 if the thread analysis documents are being submitted to gerrit, you could just subscribe your gerrit account to that repository
15:41:34 er, threat analysis
15:41:45 oh I misread
15:41:51 nickthetait, do what fungi said
15:42:06 thx
15:42:09 https://review.openstack.org/#/q/project:openstack/security-analysis
15:42:13 that's the gerrit repo
15:42:56 lhinds and I will alternate months chairing the meeting just fyi, I am currently scheduled to chair for the month of May
15:43:09 #topic General Discussion
15:43:14 floow is open :)
15:43:18 floor*
15:47:17 thanks for coming everyone
15:47:22 o/
15:47:24 later
15:47:26 #endmeeting