#opnfv-sec: Security Group

Meeting started by LukeHinds at 14:00:26 UTC (full logs).

Meeting summary

    1. https://etherpad.opnfv.org/p/opnfv-sec-meetings (LukeHinds, 14:01:54)
    2. Luke is a prize idiot, reinstalled OS and has forgotten the username for gotomeeting as it was in browser cache. We will need to instead do this over IRC, sorry * (LukeHinds, 14:02:44)

  1. agree agenda (LukeHinds, 14:03:03)
    1. anyone want to add to the agenda at all? (LukeHinds, 14:03:53)
    2. Inspector will hopefully get a review for that tomorrow from the TSC (LukeHinds, 14:05:24)
    3. AGREED: agenda (LukeHinds, 14:05:58)

  2. last minutes? (not much there) (LukeHinds, 14:06:14)
    1. AGREED: last minutes (LukeHinds, 14:06:46)

  3. work item updates (LukeHinds, 14:07:19)
    1. Jira has been updated so that we can raise security bugs, which are not public (only a member of the osvm / security group and the proj lead / lead committer can see them). We just need to test this a bit more. I have not been pushing the guys at the linux foundation much though as they are super busy with first release stuff at the same time. But progress (LukeHinds, 14:09:05)
    2. Need some members of the group who can read code to join to help handle vulnerabilities as and when they happen (LukeHinds, 14:09:34)
    3. I don't foresee it being very busy / much of a time sink (LukeHinds, 14:09:47)
    4. I also am working still on putting up the page to map to ETSI requirements. (LukeHinds, 14:10:12)
    5. we can do this with Inspector which might be nice. So for every ETSI requirement that is present in inspector we can show the relation, if that makes sense? (LukeHinds, 14:10:51)
    6. good, so I will get onto that next week I hope. been a bit busy this week with other stuff on my desk. (LukeHinds, 14:11:54)
    7. marcel (LukeHinds, 14:12:49)
    8. Currently looking at the Integration projects, trying to identify policy-relevant issues. I'm compiling a document for the issues I find. Then we can discuss what to put on the Int.Sec.Policy (mwinandy, 14:14:50)
    9. also found another nice example: Apache WSS4J Security Best Practices. Lists tools-related security guidelines (mwinandy, 14:15:36)
    10. Marcel, we need to work on the upstream vulnerabilities and how deployment teams handle those (generate patches) (LukeHinds, 14:15:59)
    11. for example, openstack let us know 3-4 days in advance of a pending sec patch, which we will need to work with oscar (deployment projects) to have ready (LukeHinds, 14:16:56)

  4. inspector discussions (LukeHinds, 14:19:16)
    1. inspector will use sec group for incubation, until it needs its own time for a dedicated meeting / channel. that way it gets the eyes of new members to the group and encourages them to get involved. Plus feedback is available each week (if it's needed) (LukeHinds, 14:20:27)
    2. https://github.com/openstack/pycadf/tree/master/etc/pycadf (LukeHinds, 14:25:39)
    3. inspector will extend openstack taxonomies (above link as examples) (LukeHinds, 14:26:16)
    4. inspector needs a means to audit the taxonomies, and favourite is tempest, but still being evaluated. (LukeHinds, 14:28:21)
    5. ACTION: , try to get more ODL into the group (LukeHinds, 14:32:35)
    6. mwinandy suggested including ONOS colleagues to work on ONOS inspector based taxonomies, jaosorior agreed it would be good, as long as people are working on it (LukeHinds, 14:42:20)

  5. any other biz? (LukeHinds, 14:46:30)
    1. reminder, sign up for the mailing list if you have not already. that way you will see gerrit review tagged alerts. (LukeHinds, 14:49:38)


Meeting ended at 14:52:22 UTC (full logs).

Action items

  1. , try to get more ODL into the group


People present (lines said)

  1. LukeHinds (67)
  2. jaosorior (42)
  3. mwinandy (15)
  4. collabot (3)


Generated by MeetBot 0.1.4.