15:01:35 <gagehugo> #startmeeting security
15:01:36 <openstack> Meeting started Thu Jun 20 15:01:35 2019 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:01:37 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:01:39 <openstack> The meeting name has been set to 'security'
15:01:46 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda agenda
15:01:47 <gagehugo> o/
15:02:30 <fungi> light agenda this week, but that's a good topic there
15:03:32 <gagehugo> #topic Spruce up the security.openstack.org page
15:04:19 <gagehugo> yeah I believe we briefly touched on this last week?
15:04:48 <nickthetait> hey
15:04:55 <fungi> yep, it was also on our list of things we wanted help with
15:05:06 <fungi> so this seems like a good way to kick off some of that
15:05:46 <fungi> we can step through it section-by-section maybe and take notes on what it might need?
15:06:05 <gagehugo> that sounds good
15:06:54 <fungi> i just skimmed the preamble and it still seems fine to me, though it could maybe do with content about more than just ossa.ossn
15:07:15 <gagehugo> yeah looking at that now
15:08:02 <fungi> ideally any of the high-level sections of that page (at least any we don't decide should be (re)moved) would be good to introduce there as well
15:08:27 <gagehugo> ok
15:08:58 <gagehugo> #topic how to report security issues
15:09:10 <gagehugo> I'm writing all this down in the agenda notes btw
15:09:41 <fungi> thanks!
15:10:03 <fungi> so on security reporting, we ought to include process for reporting via storyboard
15:10:13 <gagehugo> definitely
15:10:27 <nickthetait> that sounds good :)
15:10:47 <gagehugo> maybe add info about not marking public things as private too, I've seen that before
15:10:49 <fungi> it's a glaring omission at the moment, and recent feature improvements in storyboard also make for a much nicer workflow in this regard
15:11:07 <fungi> oh, yeah that's a great suggestion gagehugo
15:11:52 <fungi> basically warn reporters that if you initially report something in public, we're going to just assume it was disclosed at that point
15:12:03 <fungi> as lots of people will have received notifications about it
15:12:15 <fungi> and it's not worth trying to put that cat back in the bag
15:12:19 <fungi> those beans back in the can
15:12:24 <fungi> whatever metaphor you prefer
15:12:27 <nickthetait> toothpaste in the tube!
15:12:34 <fungi> that one!
15:13:16 <fungi> otherwise i think this section is in good shape
15:13:17 <gagehugo> sure
15:13:35 <gagehugo> #topic security info for openstack deployers
15:13:50 <gagehugo> ossa looks fine
15:14:05 <fungi> the preamble here is a bit disconnected as a bullet list
15:14:36 <gagehugo> remove the bullet list?
15:14:47 <fungi> i thought we ought to rework it as prose (but also not try to significantly duplicate any summary we put in the top level preamble for the page)
15:15:03 <fungi> maybe just a couple sentences there
15:15:37 <gagehugo> sure
15:15:57 * fungi is not a fan of higher-level headings which are directly followed with lower-level headings and no information to introduce them
15:17:23 <fungi> the ossa section seems fine, yeah. it's mostly just autogenerated from the most recent ossa titles anyway
15:17:58 <fungi> the ossn section could probably stand to have "(OSSN)" appended to its heading title for consistency
15:18:10 <gagehugo> ok
15:19:07 <fungi> more of a separate-but-related project, getting the ossn corpus imported into a git repo would allow us to autogenerate content similar to how we do for ossa
15:19:30 <fungi> the ossa section doesn't really have much in the way of internal description, while the ossn section is nothing but
15:19:59 <gagehugo> sure
15:20:02 <gagehugo> makes sense
15:20:24 <fungi> we've also said in the past that we consider an ossn to be an addendum to the security guide, might be nice to mention that somewhere
15:20:53 <fungi> (which is why they're sequentially numbered and not arranged by year)
15:21:03 <gagehugo> ok
15:21:11 <nickthetait> should I add that into security guide?
15:21:26 <fungi> maybe? not sure
15:21:44 <nickthetait> i'll keep eyes open to see if there is a good place
15:22:00 <nickthetait> (currently reading through the whole thing)
15:22:12 <fungi> in fact, we could stand to explain the numbering schemes for both ossa and ossn, maybe that belongs in the security information preamble prose
15:23:26 <fungi> one other thing (not to get too far off topic, sorry) which ossn in git could provide is an easy way to transclude them as *actual* addenda in the security guide builds
15:23:49 <fungi> or maybe even just as a generated index in an appendix or embedded into the toc
15:24:06 <fungi> but that's a nice-to-have for later
15:24:16 <gagehugo> ok
15:24:56 <fungi> the security guide section looks okay to me, assuming we get the guide itself refreshed a bit
15:25:23 <gagehugo> that's a rabbit hole heh
15:25:27 * nickthetait nods
15:25:29 <fungi> but as nickthetait is the one who has presumably been looking most closely at it lately, he may have ideas for things we should add/remove in that paragraph
15:27:08 <fungi> i feel like the security project blog section should probably be removed, unless we have volunteers to resurrect that effort
15:27:09 <nickthetait> seems reasonable in its current state
15:27:27 <nickthetait> yeah :S
15:27:42 <fungi> hails from an era when we had far more folks in the ossg who liked to write editorials
15:28:06 <fungi> we could still link to it from somewhere as a source of historical info, i dunno
15:28:24 <fungi> it looks like it only really existed for ~1.5 years and hasn't been touched in almost 2 years now
15:28:55 <gagehugo> yeah :/
15:28:59 <fungi> or longer if you ignore the most recent post which was nearly a year gap from the one preceding it
15:29:06 <nickthetait> any blog posts that are particularly relevant/noteworthy?
15:30:24 <fungi> some look like things which might make sense to incorporate into the security guide if they're still relevant, but also i don't see any license listed so would need to get permission from each author for the pieces in question
15:31:56 <nickthetait> i was thinking of just a little bit of curation, linking to a few important ones
15:33:44 <gagehugo> #topic security info for openstack devs
15:35:31 <gagehugo> propose/review could be updated for storyboard, although the process is the same
15:39:41 <gagehugo> the development guides could probably use curating
15:40:53 <fungi> sorry, power went out briefly
15:41:25 <gagehugo> no worries
15:41:34 <fungi> and yeah, i might hold off on adding storyboard bits there until we get the attachments feature in place
15:42:02 <fungi> it's close now, so we can soon recommend attaching patches instead of having to quote them in story comments
15:42:09 <gagehugo> ok
15:43:47 <fungi> just saves having to rewrite heavily
15:43:53 <gagehugo> sure
15:44:01 <gagehugo> #topic OpenStack Security Project
15:44:17 <gagehugo> this definitely needs some love
15:44:35 <fungi> in need of a post-sig rewrite
15:44:38 <gagehugo> yes
15:48:24 <gagehugo> Do we want bandit & syntribos here?
15:50:52 <fungi> i suspect not any longer
15:51:22 <fungi> while bandit started within our community it has grown beyond and is now officially maintained outside openstack
15:51:27 <gagehugo> so remove the security tool section then?
15:51:28 <gagehugo> yeah
15:51:38 <nickthetait> sure
15:51:41 <fungi> syntribos looked promising, but seems like it may have been abandoned?
15:51:55 <fungi> if so, then this section should likely go away
15:52:04 <gagehugo> Yeah, it gets occasional zuul-related updates
15:52:07 <gagehugo> afaik
15:52:20 <fungi> (and we should perhaps visit retiring the syntribos repo)
15:53:07 <gagehugo> ok
15:56:53 <gagehugo> Nice job everyone, got a good list of todos
15:57:04 <nickthetait> \o/
15:57:28 <gagehugo> I'll add retiring syntribos to the newsletter and maybe someone will respond
15:58:33 <fungi> awesome
15:58:58 <gagehugo> otherwise thanks everyone and have a good rest of the week & weekend!
15:59:01 <gagehugo> #endmeeting