15:02:10 <gagehugo> #startmeeting security
15:02:11 <openstack> Meeting started Thu Mar 28 15:02:10 2019 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:02:12 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:02:14 <openstack> The meeting name has been set to 'security'
15:02:23 <gagehugo> ping fungi gagehugo lhinds nickthetait browne redrobot
15:02:29 <fungi> aloha
15:02:31 <nickthetait> hi
15:02:32 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda agenda
15:02:34 <gagehugo> o/
15:02:37 <nickthetait> I'm actually here this week :)
15:02:42 <gagehugo> \o/
15:03:16 <gagehugo> give it another couple minutes and then we can get started
15:05:15 <gagehugo> #topic help most needed for SIGS & WGs
15:05:29 <gagehugo> #link http://lists.openstack.org/pipermail/openstack-discuss/2019-March/004246.html
15:05:43 <gagehugo> fungi: I took a look at the email
15:06:06 <fungi> cool, just wanted to make sure it was on the radar
15:07:04 <gagehugo> I'll attend that forum too
15:07:07 <gagehugo> in Denver
15:07:25 <gagehugo> #link https://www.openstack.org/summit/denver-2019/summit-schedule/events/23612/help-most-needed-for-sigs-and-wgs
15:08:00 <gagehugo> #topic security-analysis reviewers wanted
15:08:09 <gagehugo> #link https://review.openstack.org/#/q/project:openstack/security-analysis+is:open
15:08:20 <gagehugo> the security-analysis repo hasn't seen much love
15:09:03 <fungi> yeah, i was putting together a list of the various security-related efforts within the community, in part as a response to this:
15:09:15 <fungi> #link https://www.eweek.com/search-engines/envoy-cncf-project-completes-security-audit-delivers-new-release
15:09:41 <fungi> osf board members are asking about whether we should be doing something similar
15:10:14 <fungi> and at the moment the closest thing we have is the security analysis effort, but we have more pending merge than we have published
15:10:46 <gagehugo> :)
15:10:49 <fungi> so wanted to make sure this was highlighted as a way people interested in improving the security posture of openstack can help make a huge difference
15:11:41 <gagehugo> who has +2 powers for security-analysis?
15:11:55 <gagehugo> is that the security-doc-core group?
15:12:29 <fungi> looking
15:12:45 <nickthetait> almost certain I don't
15:13:12 <fungi> #link https://review.openstack.org/#/admin/groups/security-doc-core
15:13:14 <fungi> yep
15:13:32 <fungi> that could stand to be refreshed/updated
15:13:37 <ricolin> o/
15:13:46 <fungi> i leave the decisions around that to the sig chairs
15:14:04 <gagehugo> if we want to get things moving, then I'd say yes
15:14:07 <gagehugo> ricolin o/
15:14:12 <fungi> sounds like a great idea
15:14:41 <nickthetait> is this the merge you were talking about fungi? https://review.openstack.org/#/c/648245/
15:15:47 <fungi> nickthetait: no, i meant we have many more security-analysis additions proposed for review than we've approved for publication
15:15:57 <nickthetait> gotcha
15:16:06 <fungi> #link https://docs.openstack.org/security-analysis/
15:16:17 <fungi> at the moment that's just barbican
15:16:42 <fungi> and dated current as of newton (going on 2.5 years)
15:17:19 <fungi> on a related note, i see that the security guide says it's current as of pike:
15:17:22 <fungi> #link https://docs.openstack.org/security-guide/
15:17:37 <fungi> so 1.5 years behind
15:17:42 <gagehugo> heh
15:17:44 <nickthetait> :o
15:18:02 <fungi> looks like there's been some occasional updating in it:
15:18:06 <fungi> #link https://opendev.org/openstack/security-doc/commits/branch/master
15:18:19 <fungi> though it could probably stand to get a bit of attention as well
15:18:26 <gagehugo> Yeah
15:18:51 <fungi> #link https://review.openstack.org/#/q/project:openstack/security-doc+is:open
15:19:21 <fungi> looks like there are a couple of new changes up for review today
15:19:32 <fungi> but nothing really backlogged for review there
15:19:48 <fungi> so i guess we're more in need of people going through and refreshing content than reviewing in that case
15:19:59 <gagehugo> sure
15:21:11 <nickthetait> how can we identify the most urgent topics needing update?
15:23:17 <gagehugo> good question
15:23:19 <fungi> that's a great question and i don't have an answer. i think if someone familiar with the current state of openstack software were to skim the existing content and then either tweak stuff that needs tweaking or just update the list of releases for which it's applicable if everything looks accurate still, that would be a big improvement
15:23:41 <nickthetait> hmm okay
15:24:10 <gagehugo> ok
15:25:14 <gagehugo> uh oh spam
15:25:28 <fungi> yeah, just saw the wallops from freenode staff
15:25:44 <gagehugo> fungi: what do you think the next steps then are?
15:26:02 <gagehugo> look into refreshing what is there for now?
15:26:42 <nickthetait> identify new security features that aren't even mentioned yet?
15:26:47 <fungi> what i said above, yeah. for someone who has a deeper understanding of operating current versions of openstack to read through and confirm what we say in there is still correct
15:26:58 <gagehugo> ok
15:27:35 <fungi> adding new features would be swell too, absolutely, but i think more important is to make sure what's already in there isn't incorrect in light of whatever's changed in the past 1.5 years in openstack
15:28:00 <gagehugo> fair point
15:28:19 <fungi> basically folks landing at the security guide right now are likely to get the impression they should avoid any releases newer than pike
15:28:26 <gagehugo> lol
15:28:28 <nickthetait> sounds good
15:28:37 <gagehugo> new releases are scary sometimes
15:28:42 * redrobot sneaks in the back and pretends he's been here all along
15:29:02 * nickthetait retroactively says hi to redrobot
15:29:21 <gagehugo> ricolin o/
15:29:32 <gagehugo> wanna quickly talk about http://lists.openstack.org/pipermail/openstack-discuss/2019-March/004246.html ?
15:29:40 <ricolin> :)
15:30:49 <ricolin> So it's about what Security SIG needed the most
15:31:28 <ricolin> in terms of technical or non-technical goals, both will be fine
15:31:50 <gagehugo> ok
15:31:51 <ricolin> We had a discussion in a forum about exposing SIGs
15:32:00 <ricolin> I mean last summit
15:32:19 <gagehugo> https://www.openstack.org/summit/denver-2019/summit-schedule/events/23612/help-most-needed-for-sigs-and-wgs
15:32:25 <gagehugo> I saw that ^
15:32:38 <ricolin> And this "needed the most for SIGs/WGs" is considered an action from that forum
15:32:42 <fungi> heh, today's meeting agenda is all about things we need help with, so that's excellent timing
15:32:50 <gagehugo> ^
15:32:53 <ricolin> fungi, yay!
15:32:59 <gagehugo> ricolin https://etherpad.openstack.org/p/security-agenda
15:33:01 <nickthetait> :)
15:33:38 <fungi> the meeting minutes/logs will probably be a more useful representation as we also verged into discussing the languishing state of the security guide
15:33:47 <gagehugo> yeah
15:34:41 <ricolin> I assume we can list all, but a "needed the most" list is also a way to encourage project teams to help if we tell them this is an important goal for Security SIG
15:35:10 <gagehugo> ricolin we can scribe our notes into something for the security sig goals
15:35:18 <fungi> that will be awesome
15:35:32 <ricolin> gagehugo, that will be very helpful
15:35:52 <gagehugo> :)
15:36:41 <ricolin> If we can tell PTLs what the most important security issues in OpenStack are, maybe we can have a chance to find more people to join the Security goal discussion/action
15:37:19 <gagehugo> that sounds good
15:37:20 <ricolin> I mean that's part of the mission for that forum
15:37:47 <fungi> they're unlikely to realize that the biggest security "issues" in openstack are documentation related
15:37:47 <gagehugo> ricolin I currently plan on being there so I can attend that forum as well
15:38:05 <gagehugo> fungi: we can put documentation first heh
15:38:23 <gagehugo> maybe in big bold letters
15:38:48 <fungi> this sort of takes us into the last topic i added to the agenda as well. i think the etherpad i've linked there may provide a good start for a list of things we would like help on
15:38:59 <ricolin> gagehugo, that will be awesome
15:39:17 <gagehugo> cool
15:39:19 <gagehugo> fungi: sure
15:39:31 <gagehugo> #topic security audit discussion
15:40:27 <fungi> so the leaders of osf open infrastructure projects including the openstack tc will be meeting with the osf board of directors on the sunday before the summit in denver
15:40:46 <gagehugo> 3rd party openstack auditing huh?
15:40:53 <fungi> #link https://etherpad.openstack.org/p/denver-joint-leadership-meeting the pad to brainstorm topics of discussion
15:41:22 <fungi> yes, alan (current board chair) mentioned third-party software audits as a possible topic of discussion
15:41:48 <fungi> i did my best to prep a briefing there as to what we currently do and strive for
15:42:16 <gagehugo> quite a bit there
15:42:44 <fungi> i'm looking for suggestions for things i may have missed, but also i think this makes a possible outline for what ricolin talked about
15:43:08 <fungi> the existence of this sig is of course first on the list ;)
15:43:18 <gagehugo> I know the best practices guide is slightly out of date
15:43:25 <gagehugo> in some areas at least
15:43:40 * gagehugo sees PKI tokens in the identity section
15:44:42 <gagehugo> fungi: I can take a look over it, but imo it looks like you covered it pretty well
15:45:21 <fungi> cool, i didn't want to chew up a bunch of meeting time on it, but in the interest of transparency i wanted to make sure everyone interested had an opportunity to be involved in what we might talk about
15:45:47 <gagehugo> :)
15:46:18 * gagehugo has another meeting in a minute
15:46:22 <fungi> the third-party auditing bit is, in my opinion, cncf looking for ways to utilize its surplus cashflow. osf lacks similar financial resources
15:46:23 <gagehugo> Anything else real quick?
15:46:40 <fungi> nope, i'm tapped out. thanks for chairing!
15:46:40 <gagehugo> fungi: that makes sense
15:47:02 <gagehugo> external audit might be a good idea for official support
15:47:09 <gagehugo> thanks for coming everyone!
15:47:11 <nickthetait> nothing new from me
15:47:11 <gagehugo> o/
15:47:12 <nickthetait> laters
15:47:16 <gagehugo> have a good weekend
15:47:20 <fungi> you too!
15:47:26 <gagehugo> ping me in openstack-security if there's anything else
15:47:30 <gagehugo> #endmeeting