17:02:17 <lhinds> #startmeeting Security Project Meeting
17:02:18 <openstack> Meeting started Thu Mar 16 17:02:17 2017 UTC and is due to finish in 60 minutes.  The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:02:19 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:02:21 <openstack> The meeting name has been set to 'security_project_meeting'
17:02:22 <unrahul> o/
17:02:23 <knangia> o/
17:02:25 <tkelsey> o/
17:02:25 <capnoday> o/
17:02:27 <lhinds> o/
17:02:28 <vinaypotluri> o/
17:02:34 <mdong> o/
17:02:54 <lhinds> #topic agenda
17:02:57 <lhinds> #link https://etherpad.openstack.org/p/security-agenda
17:03:07 <lhinds> #chair hyakuhei
17:03:08 <openstack> Current chairs: hyakuhei lhinds
17:03:24 <capnoday> hyakuhei has been held up in a meeting, please carry on lhinds
17:03:34 <lhinds> feel free to make additions to agenda ^
17:03:37 <lhinds> thanks capnoday
17:03:40 <lhinds> #chair capnoday
17:03:40 <openstack> Current chairs: capnoday hyakuhei lhinds
17:03:53 <lhinds> #topic Syntribos
17:03:59 <unrahul> we have been testing cinder
17:04:04 <lhinds> anything Syntribos devs?
17:04:05 <unrahul> as part of the core project testing
17:04:18 <unrahul> and have added i18n to syntribos
17:04:20 <aasthad> o/
17:04:35 <unrahul> thats the major stuff we did this week on syntribos front
17:04:49 <lhinds> sounds good!
17:04:54 <lhinds> anything interesting found?
17:05:09 <unrahul> we have found a few 500s and possible XSS
17:05:17 <lhinds> ohh
17:05:20 <unrahul> more tests have to be done to confirm
17:05:40 <unrahul> mdong:  can chip give further info on this
17:05:46 <lhinds> gj unrahul
17:05:57 <hyakuhei> Hey!
17:06:01 <hyakuhei> Thanks lhinds
17:06:02 <unrahul> hey hyakuhei
17:06:05 <lhinds> hi hyakuhei
17:06:06 <hyakuhei> I'm in a crazy call, running late
17:06:07 <vinaypotluri> welcome hyakuhei
17:06:12 <hyakuhei> Insane day, so sorry I'm late guys
17:06:17 <hyakuhei> lhinds please carry on!
17:06:24 <lhinds> no worries hyakuhei
17:06:43 <lhinds> #topic Security Docs
17:06:51 <lhinds> #link https://review.openstack.org/#/c/427760/
17:06:57 * asettle runs in
17:07:22 <lhinds> hey asettle
17:07:22 <hyakuhei> hi asettle !
17:07:26 <unrahul> hey asettle
17:07:26 <asettle> Hey teammmmm
17:07:31 <asettle> Aw that's a nice welcome
17:07:31 <unrahul> welcome.
17:07:32 <knangia> hey asettle
17:08:04 <asettle> p/
17:08:07 <asettle> ... derp
17:08:11 <asettle> o/
17:08:59 <unrahul> so with asettle's and the entire docs team's awesome help, we were able to merge 5 security guide bugs, close 1 and have wishlisted 1  B-)
17:09:09 <hyakuhei> You guys are all hereos!
17:09:16 <hyakuhei> I can't spell
17:09:19 <asettle> On that note...
17:09:23 <asettle> I'm going through and doing edits
17:09:24 <asettle> #link https://review.openstack.org/445911
17:09:28 <asettle> #link https://review.openstack.org/446033
17:09:30 <hyakuhei> but I am genuinely happy with all this progress
17:09:31 <capnoday> great work :)
17:09:31 <asettle> Please take the time to review
17:09:50 <asettle> They should be fast merges. Please take the patch off me instead of commenting if I've forgotten a little thing :)
17:09:51 <lhinds> great work!
17:09:56 <asettle> Also, I'm tracking some of the work here
17:09:57 <asettle> #link https://etherpad.openstack.org/p/sec-guide-pike
17:10:09 <asettle> Everyone take the time to look if you can, and put your name down if you can :)
17:10:16 <asettle> that's a lot of 'if you cans'
17:10:18 <asettle> But you get me
17:10:20 <unrahul> thanks hyakuhei  capnoday  :)
17:10:32 <unrahul> looking at the patch now asettle
17:10:35 <asettle> Gracias
17:10:52 <unrahul> Guys we need the community input on a bug
17:10:57 <unrahul> vinaypotluri: can you fill in?
17:10:59 <knangia> thanks hyakuhei
17:11:18 <vinaypotluri> I've been working on this bug https://bugs.launchpad.net/ossp-security-documentation/+bug/1619485 and would need the community's input on it
17:11:18 <openstack> Launchpad bug 1619485 in OpenStack Security Guide Documentation "Annual Cipher Validation - Introduction to TLS and SSL in Security Guide" [Medium,Confirmed] - Assigned to Vinay Potluri (vinay-potluri)
17:11:40 <asettle> (I gotta go, have a great day people!)
17:11:46 <vinaypotluri> according to the bug the recommendation mentioned still holds good and I feel it should remain the same
17:11:51 <lhinds> #link https://bugs.launchpad.net/ossp-security-documentation/+bug/1619485
17:11:53 <unrahul> see you later asettle
17:12:10 <lhinds> thanks asettle
17:12:11 <vinaypotluri> I made a small gist explaining about it https://gist.github.com/vinaypotluri/6ea068e1073fd51267f2052a85479067
17:12:17 <vinaypotluri> thanks asettle
17:12:21 <knangia> thanks asettle
17:12:39 <asettle> o/
17:13:10 <lhinds> thx vinaypotluri , will take a look
17:13:18 <lhinds> I put all the above links in the etherpad as well
17:13:21 <vinaypotluri> If you guys feel the recommendation still provides with high level of security for network communication we can close the bug
17:13:32 <vinaypotluri> sure lhinds
17:13:38 <unrahul> hyakuhei: lhinds capnoday ^
17:13:55 <hyakuhei> asettle really thankful for the leadership you're providing here
17:14:11 <hyakuhei> vinaypotluri I think I'm happy with closing :)
17:14:28 <vinaypotluri> thank you hyakuhei
17:15:05 <lhinds> will a patch follow up to docs?
17:15:24 <unrahul> I don't think there is a need for a new patch, right lhinds?
17:15:43 <lhinds> ok cool, not read into it much so go with you folks
17:15:50 <lhinds> anything more on docs?
17:15:51 <unrahul> As the info provided in the guide is still valid?
17:16:00 <lhinds> unrahul: sgtm
17:16:10 <unrahul> nope.. we have assigned a few more to ourselves.. and have started on them
17:16:14 <unrahul> thats it from us on docs
17:16:26 <lhinds> #topic OSSN
17:16:55 <lhinds> one OSSN I want to 'won't fix', please let me know what you think:
17:16:57 <lhinds> https://bugs.launchpad.net/ossn/+bug/1649248
17:16:57 <openstack> Launchpad bug 1649248 in OpenStack Security Notes "Glance image upload wizard does not restrict invalid image files" [Undecided,New]
17:17:11 <lhinds> it's yet another 'rate limit / set admin only for glance upload'.
17:18:05 <lhinds> I think sigmavirus agrees with me too, as well as another glance core
17:18:20 <lhinds> but happy to take other input, if people still think its a note.
17:18:25 * sigmavirus looks
17:19:09 <sigmavirus> Yeah, I don't know that that needs an OSSN
17:19:12 <sigmavirus> It's been covered before
17:19:39 <lhinds> agree, I will mark that won't fix.
17:19:44 <sigmavirus> Part of the motivation behind glance tasks for v2 was to allow operators to write things to introspect uploaded data, but those are kind of not really well used (as v2 isn't adopted very well)
17:20:35 <lhinds> if some sort of escalation was possible, then it's a concern, but if not.. meh
17:20:47 <lhinds> it's no different to putting eicar.txt in dropbox.
17:21:04 <lhinds> well a little different, but you catch my drift
17:21:31 <lhinds> another new possible note is :https://bugs.launchpad.net/ossn/+bug/1673085
17:21:31 <openstack> Launchpad bug 1673085 in OpenStack Security Notes "scheduler hints are unbounded and never deleted" [Undecided,New]
17:21:46 <lhinds> waiting to see if a mitigation is available.
17:22:20 <lhinds> if not, I am hesitant to send out a note, with no recommended action for operators to take.
17:22:41 <lhinds> I will get my inbox bombed with replies over what people should do.
17:22:56 <lhinds> thats it for notes.
17:23:06 <lhinds> #topic any other business?
17:23:39 <lhinds> we have 5 mins still if any more topics?
17:24:31 <lhinds> k. thanks all
17:24:34 <lhinds> #endmeeting