17:03:26 <lhinds> #startmeeting security-project
17:03:27 <openstack> Meeting started Thu Jan 11 17:03:26 2018 UTC and is due to finish in 60 minutes.  The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:03:28 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:03:31 <openstack> The meeting name has been set to 'security_project'
17:03:42 <lhinds> hey gagehugo , just checking if you're around
17:03:52 <gagehugo> o/
17:04:14 <lhinds> hey gagehugo !
17:04:17 <gagehugo> how was your holiday?
17:04:24 <lhinds> nice thanks, how about you?
17:04:46 <gagehugo> it was ok, I was sick for part of it but oh well
17:05:08 <lhinds> eugh, glad you got over that
17:05:16 <lhinds> never nice during non work times.
17:05:19 <gagehugo> for the most part haha
17:05:20 <fungi> i somehow managed not to let my family infect me with any maladies
17:06:12 <lhinds> hey fungi
17:06:26 <lhinds> so here is our weekly agenda:
17:06:30 <lhinds> #link https://etherpad.openstack.org/p/security-agenda
17:06:52 <lhinds> I am still a little in catch up mode, so main topic from me would be PTG planning
17:06:59 <lhinds> anyone have anything they want to go over?
17:07:09 <fungi> i'm only just coming out of the meltdown patching tunnel
17:07:50 <fungi> ttx had a good openstack faq about spectre and meltdown vulnerabilities, if you didn't see it
17:08:01 <fungi> #link https://ttx.re/openstack-spectre-meltdown-faq.html OpenStack Spectre/Meltdown FAQ
17:08:17 <lhinds> great, good work there.
17:08:41 <lhinds> I was out of the loop totally when those hit..I had a few days completely offline
17:09:00 <fungi> good planning on your part! ;)
17:09:18 <gagehugo> oh nice
17:09:25 <lhinds> yep, I had an endurance race thing on and wanted to get my head down for that.
17:09:34 <lhinds> so I have a PTG pad here:
17:09:43 <lhinds> https://etherpad.openstack.org/p/security-agenda
17:09:44 <fungi> totally understand, it's been a few years since my last race. i need to get back into it
17:10:10 <lhinds> wrong link. you should fungi , I do it to keep me sane :S
17:10:21 <lhinds> https://etherpad.openstack.org/p/security-ptg-rocky
17:10:21 <fungi> #link https://etherpad.openstack.org/p/security-ptg-rocky
17:10:38 <lhinds> I sent out an email to try and rouse some x-project topics.
17:11:27 <lhinds> hoping some projects bite, but if you two know of anything that needs collaboration or is proving tricky to get consensus on, please do propose what will be the security SIG room
17:11:31 <gagehugo> I don't have confirmation yet if I will be going, but might hear something soon
17:11:56 <gagehugo> I just have the keystone policy roadmap
17:12:05 <lhinds> fingers crossed gagehugo , I want to buy you a pint of the black stuff
17:12:08 <gagehugo> but that's on there already so that's good
17:12:11 <gagehugo> yay
17:12:37 <lhinds> https://www.thesun.co.uk/wp-content/uploads/2017/03/nintchdbpict000309517795.jpg
17:13:09 <gagehugo> awesome
17:13:42 <fungi> i'm not sure whether my compatriots on the vmt will be in dublin or whether it's just me again, but i sent along the url to the planning pad just in case they have suggestions
17:14:02 <fungi> aha, kmalloc says affirmative!
17:14:10 <lhinds> good idea fungi
17:14:11 <kmalloc> o/
17:14:19 <lhinds> hey kmalloc
17:14:21 <kmalloc> i plan on trying to be there
17:14:25 <kmalloc> but it's up in the air
17:14:27 <gagehugo> kmalloc o/
17:14:53 <lhinds> so yes, if you want to have any VMT sessions, use our room...it's there for the good of all things Security
17:15:19 <fungi> sounds great
17:15:40 <gagehugo> sure
17:16:17 <lhinds> kmalloc / gagehugo and any keystone'y things too that need other projects involvement.
17:16:34 <cleong> hi
17:16:52 <kmalloc> just continuation of previous initiatives
17:16:55 <lhinds> Hey cleong
17:17:00 <kmalloc> nothing new iirc, but gagehugo might have more thoughts
17:17:07 <gagehugo> policy input for sure
17:17:15 <gagehugo> as that will affect everything
17:17:15 <lhinds> have that on ^
17:17:48 <lhinds> there is also the keystone-pyclient Threat-a we could wrap up
17:18:34 <lhinds> ok, so that should do for PTG
17:18:44 <fungi> oh, a few new hardening opportunities are publicly disclosed now. as usual, see the openstack-security ml where those notifications get copied
17:18:56 <fungi> #link http://lists.openstack.org/pipermail/openstack-security/2018-January/thread.html security ml archive for january, 2018
17:20:14 <lhinds> thx, had not seen that
17:20:52 <fungi> actually i guess only one of those is a new hardening opportunity
17:21:02 <lhinds> which one do you think fungi ?
17:21:05 * gagehugo takes a look
17:21:40 <fungi> the other threads there are also hardening opportunities, just not new ones
17:22:00 <fungi> technically the new one isn't new either, we just overlooked lifting the embargo on it for a month or so
17:22:18 <gagehugo> ah ok
17:22:47 <fungi> but it may still be interesting to pay attention to developments on them
17:23:14 <fungi> for example, the one there for bug 1649634 is noting that a previously in-progress change claiming to address the issue was abandoned for inactivity
17:23:16 <openstack> bug 1649634 in Cinder "Insecure Randomness for AES Passphrase Generation" [Low,In progress] https://launchpad.net/bugs/1649634 - Assigned to Tin Lam (lamt)
17:24:32 <fungi> so could be low-hanging fruit to restore and adopt that change
17:25:18 <fungi> the sort of stuff we could be highlighting for people who are interested in getting involved, per the outreach question on the ptg planning pad
17:26:10 <lhinds> added that fungi , there are no big objections to the patch on there, so someone could fix the merge conflicts and try to get it landed.
17:26:29 <lhinds> There are also a lot of security-doc bugs folks could pick up on.
17:26:48 <lhinds> so plenty around for getting feet wet
17:27:02 <lhinds> ok..other topics?
17:27:09 <lhinds> #topic bandit
17:27:18 <lhinds> gagehugo: just landed your patch
17:27:27 <gagehugo> \o/
17:27:33 <lhinds> doc/requirement.txt
17:28:11 <lhinds> #topic OSSN
17:28:35 <lhinds> I need to get my finger out here and clear the backlog. I will also push for involvement at the PTG too.
17:29:11 <lhinds> gagehugo: makes sense to clean up the VMT keystonemiddleware client TA at the PTG?
17:29:24 <lhinds> clean up as in finish up
17:29:28 <gagehugo> definitely
17:29:37 <lhinds> ok, let's do that
17:29:50 <lhinds> k, so unless any other burning topics..I think we can close for this week
17:29:52 <gagehugo> would be nicer to have people in the room to get that done
17:30:02 <lhinds> gagehugo: +1 , agree
17:30:10 <fungi> nothing else on my end
17:30:25 <gagehugo> I am good
17:30:31 <lhinds> gagehugo: all ok for you?
17:30:36 <gagehugo> yup
17:31:08 <lhinds> great, see you all next week !
17:31:10 <fungi> thanks lhinds!
17:31:14 <lhinds> #endmeeting