15:00:37 <gagehugo> #startmeeting security
15:00:38 <openstack> Meeting started Thu Jul 11 15:00:37 2019 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:39 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:42 <openstack> The meeting name has been set to 'security'
15:01:21 <gagehugo> o/
15:02:05 <fungi> i added a couple items of possible interest on the agenda
15:02:18 <gagehugo> awesome
15:02:23 <gagehugo> #topic Image Encryption popup team meeting
15:02:52 <gagehugo> so image encryption meeting Monday @ 1300 UTC
15:03:05 <gagehugo> oof 8am
15:04:08 <fungi> for you anyway ;)
15:04:17 <fungi> (that's 9am for me at the moment)
15:04:41 <fungi> i also just now (well, in the past hour during the tc meeting) volunteered to be the tc liaison for that popup team
15:05:19 <fungi> so hopefully i can remember to attend their meetings and keep the security sig abreast of the developments there
15:05:40 <gagehugo> I'll attempt to attend then as well
15:06:01 <fungi> #link http://lists.openstack.org/pipermail/openstack-discuss/2019-July/007617.html
15:06:12 <fungi> #link http://eavesdrop.openstack.org/#Image_Encryption_Popup-Team_Meeting
15:07:59 <gagehugo> ok
15:08:45 <gagehugo> #topic Syntribos may still be in use?
15:09:08 <gagehugo> #link https://review.opendev.org/#/c/670048/
15:09:19 <gagehugo> zte using it hmm
15:10:06 <fungi> yeah, saw that "Fix client argument for neutronclient" change announced by gerritbot in #openstack-security and thought maybe there are still users after all, enough that they want to try and help fix problems on it still
15:10:30 <gagehugo> I never heard anything back about it
15:10:36 <gagehugo> we can leave it for now
15:10:52 <fungi> it's *possible* this was just a maintenance change someone is mass-proposing to stuff that uses neutronclient, but that user has only previously contributed to rally
15:11:13 <fungi> so it looks like it may be a genuine bug a user turned up and worked out the fix for
15:11:38 <fungi> and, yeah, maybe this is someone who does qa work for zte
15:11:55 <fungi> given rally and syntribos are both testing tools
15:12:47 <gagehugo> yeah, good point
15:12:51 <fungi> if we decide not to retire it, we maybe ought to reach out there and find out if they want to help maintain it
15:13:19 <gagehugo> we could send out a mailing list email asking specifically if anyone still uses it?
15:13:27 <fungi> (also we need to pin sphinx or switch to python3 so the docs jobs will pass, if we're keeping it around)
15:13:33 <gagehugo> yeah
15:13:56 <fungi> separate ml thread makes sense, sure
15:14:21 <gagehugo> #action gagehugo to send out an email to the ml about syntribos usage
15:14:28 <fungi> something scary enough to reach and rouse the handful of users out there, if they exist
15:14:46 <gagehugo> [security] DELETING SYNTRIBOS NOW!!!!1!
15:14:54 <nickthetait> there's lots of spider webs, who wants to give it a sweep? :)
15:15:36 <gagehugo> but yeah, ping out and hope someone notices
15:16:44 <gagehugo> #topic Security guide update
15:16:51 <gagehugo> nickthetait o/
15:16:55 <nickthetait> hey
15:17:11 <nickthetait> so far I have read a significant portion of the docs
15:17:41 <nickthetait> have a few questions on what is(n't) out of date
15:17:53 <gagehugo> sure
15:17:59 <nickthetait> openstack-announce email list has been shut down right?
15:19:21 <fungi> nope, that still exists
15:19:33 <nickthetait> ok, ez!
15:19:37 <fungi> we do send major release announcements and security advisories there
15:19:50 <nickthetait> CVSSv2 is referenced, should those be turned into v3?
15:20:14 <fungi> what is the context? who is applying cvss scores to stuff?
15:20:21 <nickthetait> 1 sec
15:20:56 <fungi> i think hyakuhei had ideas about the ossg doing cvss scoring of vulnerabilities in openstack and its dependencies once upon a time, but that didn't go anywhere that i can recall
15:21:51 <fungi> it seemed like a nice idea to get some of the analysts around our community more involved with something that's in their wheelhouse, but ultimately most of the folks in the ossg were there to be able to say they were involved and really only showed up to meetings (if that)
15:22:13 <nickthetait> #link https://docs.openstack.org/security-guide/management/continuous-systems-management.html#triage
15:22:34 <fungi> there were rarely more than a handful of folks actually taking on work, and most of them weren't security analysts
15:23:14 <nickthetait> sounds like not worth updating then?
15:23:58 <gagehugo> Maybe not
15:23:59 <fungi> hrm, in that specific context sure, doesn't hurt to say v3 instead
15:24:07 <fungi> or just drop the version
15:24:13 <nickthetait> sure, simplify it
15:24:39 <fungi> reading through, it's saying that cvss doesn't accurately depict cloud vulnerability risks
15:24:55 <fungi> not saying we apply cvss scoring to our vulnerabilities
15:25:18 <fungi> so i think it's fine there, but can't hurt to generalize it slightly to save on future churn
15:25:39 <nickthetait> is this statement still accurate? "very few clouds are using secure boot technologies in a production environment."
15:26:30 <gagehugo> hmm
15:28:47 <nickthetait> if it is too unclear, then we can just leave wording as is
15:29:14 <gagehugo> Seems a bit generalizing, could just leave it yeah
15:29:58 <nickthetait> ok
15:30:22 <nickthetait> know what is up with this bibliography section? it seems out of place https://docs.openstack.org/security-guide/management/management-interfaces.html#bibliography
15:30:31 <nickthetait> like it should be at bottom of the page?
15:31:49 <fungi> i wouldn't be surprised that few clouds use secure boot, only because few servers use secure boot to this day, but i don't know that we should be asserting that without data to back it up
15:32:08 <fungi> maybe that's my inner scientist
15:32:31 <fungi> i just don't like baseless assertions in technical documents. it's editorializing
15:32:43 <fungi> but up to you really
15:32:50 <fungi> it's probably not "wrong" anyway
15:33:40 <nickthetait> ok, will clean that up a little bit
15:34:09 <fungi> i'd drop that "bibliography" section, sure
15:34:17 <nickthetait> k
15:34:20 <fungi> if for no other reason than because it links to a wiki article
15:34:28 <nickthetait> ;)
15:34:50 <fungi> if we need to call out things which were implemented in the liberty cycle, we should just say that instead
15:35:20 <fungi> but in this case it's contextless
15:35:39 <fungi> what part of the dashboard section was it relevant to? doesn't say
15:35:47 <nickthetait> yeah exactly
15:35:59 <fungi> it's just like... ohai, have a link to some releasenotes, kthxbai
15:36:20 <fungi> not helpful
15:36:48 <nickthetait> there is a big section on SSL/TLS, recommends only using v1.2, and yet 1.3 is now available https://docs.openstack.org/security-guide/secure-communication/introduction-to-ssl-and-tls.html#cryptographic-algorithms-cipher-modes-and-protocols
15:40:29 <fungi> should say 1.2 or later hopefully
15:40:37 <fungi> 1.3 is still not widely deployed
15:40:45 <nickthetait> true
15:40:56 * fungi was struggling to get apache working with 1.3 on debian/unstable just a few months ago even
15:44:24 <nickthetait> so this claims keystone can't block after set number of failed logins https://docs.openstack.org/security-guide/identity/authentication.html#invalid-login-attempts
15:44:46 <gagehugo> yeah that's been changed
15:44:54 <gagehugo> it has that capability now
15:45:10 <fungi> yay!
15:45:13 <nickthetait> nice!
15:45:25 <nickthetait> i'll get that fixed
15:45:25 <fungi> should the document be updated to say what release that support was added in?
15:45:37 <gagehugo> yeah lemme find a link
15:45:42 <nickthetait> thx
15:45:42 <gagehugo> I know it was newton though
15:45:47 <fungi> (obviously it's still not available in the releases folks are running earlier than the one which added it)
15:45:48 <gagehugo> (I helped with it partially)
15:45:57 <nickthetait> :D
15:46:14 <gagehugo> #link https://docs.openstack.org/keystone/latest/admin/configuration.html#security-compliance-and-pci-dss
15:46:29 <fungi> having the security guide be somewhat release-agnostic and provide guidance for folks who are running a variety of versions of openstack would be good, if we can manage to swing that
15:47:29 <fungi> if only because we lack the people power to maintain per-release copies of the guide
15:47:43 <nickthetait> yeah, will see how I can pull that off
15:48:02 <fungi> so "go look at the rocky security guide because you're running rocky" isn't really a solution
15:48:32 <fungi> "go look at the openstack security guide" and then it may say "if you're running rocky this can be done thusly..."
15:48:42 <fungi> or whatever
15:49:23 <fungi> "consider upgrading your deployment to rocky if you want to take advantage of this feature"
15:49:31 <gagehugo> ^
15:49:38 <nickthetait> that sounds good
15:49:46 <fungi> spitballing, but you get the idea
15:50:20 <gagehugo> sorry nickthetait, I got another topic I wanna touch on while I got people here
15:50:32 <nickthetait> no problem go for it
15:50:33 <gagehugo> please do ask in openstack-security though if you have more questions
15:50:40 <nickthetait> ok
15:50:53 <gagehugo> I'm usually on all the time so I can typically respond
15:50:59 <fungi> yeah, i have my irc client set to notify me if there's any activity at all in that channel too
15:51:00 <gagehugo> and I believe fungi is as well :)
15:51:05 <gagehugo> #topic Shanghai PTG Attendance
15:51:23 <gagehugo> they sent out emails asking about attendance, are either of you planning on attending?
15:51:29 <gagehugo> I will not be there unfortunately
15:51:40 <fungi> if my visa is accepted, and barring no new natural disasters at home this year, i plan to attend the full week
15:51:53 <nickthetait> i know for sure i can't go
15:51:58 <nickthetait> nice fungi :)
15:52:01 <fungi> er, barring ANY new
15:52:33 <fungi> in that case, i'm happy to be the standard bearer for the sig while i'm there
15:52:52 <fungi> and will do my best to recruit a few new folks
15:53:11 <gagehugo> fungi: up to you, I just wanted to ask now and not put it off until the last minute
15:53:18 <fungi> yep
15:53:34 <fungi> i don't think just me going is enough to warrant a room though
15:53:48 <fungi> but i'll do my best to spread the word that we exist
15:53:49 <gagehugo> yeah, I think that's more of what they're asking
15:53:53 <gagehugo> do we want a room
15:54:34 <gagehugo> let's follow up next week with this, and I can respond to the survey then
15:54:35 <fungi> as usual i'd end up sprinting between other rooms most of the time anyway, so not much point in having a room with no security sig members in it
15:54:48 <gagehugo> I'll ask in the ml as well, I see other teams doing that
15:54:51 <gagehugo> ok
15:54:53 <fungi> but yeah, maybe ask on the ml (in the weekly update?)
15:54:58 <fungi> awesome
15:55:20 <gagehugo> #action gagehugo to ask about the ptg in the ml
15:55:28 <fungi> perhaps there are people who would show up and talk security who just aren't at our irc meetings
15:55:43 <gagehugo> yeah, we had quite a few at the bof session in denver
15:56:10 <gagehugo> #topic open discussion
15:56:15 <gagehugo> anything else real quick?
15:56:34 <nickthetait> "security is important" agree or disagree? :P
15:56:42 <gagehugo> I'll try to send out the emails today, I'm going to be leaving on vacation tomorrow afternoon
15:56:51 <gagehugo> so my productivity tomorrow will likely be approaching 0
15:57:03 <fungi> have a great vacation!
15:57:13 <fungi> my productivity usually hovers just above 0 anyway
15:57:15 <nickthetait> yeah yeah have fun
15:57:21 <gagehugo> going to float on a river over the weekend :)
15:57:30 <gagehugo> nickthetait "agree"
15:57:39 <fungi> don't forget your sunblock
15:57:44 <gagehugo> yup
15:58:03 <gagehugo> thanks for coming everyone, have a good weekend!
15:58:06 <nickthetait> laters
15:58:06 <gagehugo> #endmeeting