15:00:26 #startmeeting Security Sig
15:00:26 Meeting started Thu Apr 19 15:00:26 2018 UTC and is due to finish in 60 minutes. The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:27 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:29 The meeting name has been set to 'security_sig'
15:00:41 o/
15:00:49 hey lhinds
15:00:50 pings: eeiden fungi gagehugo lhinds nickthetait ebrown
15:00:54 hey gagehugo !
15:01:05 I think fungi is on leave today or out and about
15:01:05 heyo
15:01:07 o/
15:01:10 hey nickthetait !
15:01:11 o/
15:01:15 hey browne
15:01:25 Sorry for missing previous meetings. Didn't realize the time changed
15:01:28 forgot you don't have an e at the front of browne
15:01:36 no worries
15:01:39 browne: no worries, understandable
15:01:41 is this the telemetry meeting?
15:01:48 lkwan: nope, security
15:02:07 ok, let's get this party started..
15:02:13 #topic agenda
15:02:18 #link https://etherpad.openstack.org/p/security-agenda
15:02:25 #chair gagehugo
15:02:26 Current chairs: gagehugo lhinds
15:02:42 anyone have any additions? I put bandit migration to the top.
15:03:16 ok..
15:03:34 I saw browne pushed a change for that
15:03:37 #topic Bandit Migration
15:03:47 gagehugo: that was just for the new pypi site.
15:03:54 ah ok
15:03:55 not the move to pycqa
15:04:02 I thought it was that too :)
15:04:14 heh
15:04:15 python-novaclient stable maintainers for pike, would you review https://review.openstack.org/#/c/562500/ ? This patch fixes pike gate job failure.
15:04:23 so I think we should be good to make the move next week
15:04:33 takashin: please try #openstack-nova
15:04:44 I think we need to start by sending an email to the ML announcing bandit's migration
15:04:45 #link https://etherpad.openstack.org/p/bandit-migration
15:04:52 lhinds: sorry.
15:04:55 browne: just did that 10 mins ago.
15:04:57 :)
15:05:01 oh cool
15:05:20 browne / gagehugo did you both get pycqa org invites?
15:05:28 i did yes
15:05:29 yup
15:05:35 great.
15:05:57 so who has admin on the github openstack/bandit
15:06:12 good question
15:06:20 still wondering how the github project group changes from openstack to pycqa
15:06:29 ok..
15:06:34 so here is how it will work
15:07:07 I will do the import from review.openstack.org/bandit.git to github.com/pycqa/bandit
15:07:24 github has an import feature that automates this, I already did a test run and it works very well.
15:08:00 after that is done, we will push a patch to the openstack (gerrit based) repo to 'git rm' all files, apart from the readme
15:08:23 the readme will then tell users where to go to contribute or raise issues (which will be on github/pycqa/bandit)
15:08:40 if you check out the etherpad I am compiling the specific steps.
15:09:09 ah ok
15:09:23 I have spoken with fungi a lot and we don't need to do anything else in regards to patches, as all projects use tox / pypi, and pycqa will continue using pypi to release
15:09:51 I just need to check with ian around pypi account matters (for sdist upload / twine operations)
15:09:54 and also...
15:10:07 but unit testing will switch from zuul to travis CI or something
15:10:13 how will bandit/docs/*.rst get hosted on readthedocs?
15:10:40 browne: was just typing out how I need to work that out with ian too :)
15:10:43 good call!
15:11:10 I think it will be travis-ci
15:11:17 as that's what the other projects are working on.
15:11:20 cool, i like travis-ci
15:11:41 appears as though they use travis and appveyor
15:11:48 my recommendation is that we hold off on any pull requests until we get a .travis file in place.
15:12:16 yep
15:12:24 I am happy to make a PR with a .travis and we can review from there.
15:12:39 I should also add that functional testing on bandit no longer works. It previously did
15:12:52 so much of the plugin testing isn't happening, which is bad
15:13:10 is there an open issue for that?
15:13:14 browne: we could do some functional tests in bandit
15:13:18 hmm, i'll poen one
15:13:22 open
15:13:25 sounds good
15:13:42 browne: as long as they have a failure exit code that travis will pick up.
15:14:21 I also need to work out how this redirect is happening: https://bandit.readthedocs.io/en/latest/
15:14:42 or rather who has upload rights
15:14:48 (it's not a redirect)
15:14:52 any idea browne ?
15:15:11 ha, didn't know of that link. strange
15:15:24 but normally on github, with admin you can set up readthedocs
15:15:39 actually it might be in bandit's sphinx config
15:15:46 that's where you set the theme
15:15:52 I bet they are using the openstack theme
15:16:06 i also think we'll need the PyPI user/password from one of the former cores (Travis, etc)
15:16:11 and we just need to change to this one: https://pycodestyle.readthedocs.io/en/latest/
15:16:38 browne: yep. I am in touch with travis and ian so I can get in touch with them.
15:16:48 browne: I guess you will be handling releases?
15:17:07 or at least heading them up initially, with back fill from others?
15:17:16 lhinds: sure i can handle releases
15:17:21 browne: cool
15:17:25 but we should have backups
15:17:54 browne: +1
15:18:31 ok, anything else on bandit migration..I will make sure all of the above is captured
15:19:00 sounds good.
15:19:30 ok, not sure if mr tatu is here.
15:19:52 nothing new for docs, let's go to nickthetait 's OSSN
15:19:57 thanks nickthetait !
15:20:03 :)
15:20:25 It looks good to me, once another core +2's I will send out an email to the lists and make a wiki entry (both will credit you).
15:20:34 gagehugo: do you have +2 on security docs?
15:20:40 lhinds nah
15:21:07 k, I will ask the docs ptl to add you, if that's ok by you?
15:21:12 lhinds sure
15:21:22 nickthetait I have an email to review that, I'll do it today
15:21:22 great!
15:21:43 gagehugo: if you +1 that's good enough for me to do mergies
15:21:44 thx gagehugo
15:21:54 lhinds sounds good
15:21:55 +1 means "this change is ok by me", but +2 means what?
15:22:20 nickthetait: +2 is like extra powers that allow you to merge the change
15:22:29 ok
15:22:36 double ok by me
15:22:41 'core reviewer'
15:22:47 ok
15:22:51 thanks again nickthetait
15:23:03 great to have you on board
15:23:12 #topic threat analysis
15:23:19 if any other OSSNs were to be confirmed I might take a crack at them too ;)
15:23:31 nickthetait: sounds great!
15:23:43 gagehugo: I am a little out of touch here, anything needed for TA?
15:23:58 is the keystone-middlewareclient ok now?
15:24:11 lhinds I believe it's good
15:24:16 oh I see it 'Approved'
15:24:17 the tag was added
15:24:25 so oslo and pycadf
15:24:27 not sure if anything else is needed but I don't believe so
15:24:35 I will take an action to look at those
15:24:49 lhinds yeah I need to look through those
15:24:56 #action lhinds look at pycadf / oslo.cache TA
15:25:08 great!
15:25:18 ok, the other one to get in before the end.
15:25:27 #topic chair rotation
15:25:36 so been meaning to sort this out for a while
15:25:45 the current SIG chairs are lhinds and gagehugo
15:25:58 and we planned to have a rotation on chairing meetings.
15:26:17 I thought we should put it open to the sig.
15:26:40 gagehugo: any preferences, every month / week / 2 months?
15:26:52 lhinds month would be good for me
15:26:53 i think each week is too frequent
15:26:58 agreed
15:27:02 month seems reasonable
15:27:06 let's do that then
15:27:09 2 months and I'm liable to forget
15:27:20 so this would mean you take on May
15:27:26 I will wrap up April
15:27:44 sounds good gagehugo ?
15:27:58 lhinds works for me
15:28:07 maybe we can put this down on a schedule somewhere?
15:28:17 like the agenda
15:28:20 gagehugo: will do
15:28:34 #action lhinds to update wiki about chair rotation information
15:28:47 k, let's end this now, as ian is over in openstack-security
15:28:51 gagehugo / browne
15:29:05 can we meet in there now / after this to go over the Q's we had?
15:29:10 sure
15:29:12 thanks all!
15:29:14 sure
15:29:16 #endmeeting