==========================
#opnfv-sec: Security Group
==========================

Meeting started by LukeHinds at 14:00:26 UTC. The full logs are available
at http://ircbot.wl.linuxfoundation.org/meetings/opnfv-sec/2015/opnfv-sec.2015-04-22-14.00.log.html .

Meeting summary
---------------
* https://etherpad.opnfv.org/p/opnfv-sec-meetings (LukeHinds, 14:01:54)
* Luke is a prize idiot, reinstalled OS and has forgotten the username for
  gotomeeting as it was in browser cache. We will need to instead do this
  over IRC, sorry (LukeHinds, 14:02:44)

* agree agenda (LukeHinds, 14:03:03)
  * anyone want to add to the agenda at all? (LukeHinds, 14:03:53)
  * Inspector will hopefully get a review for that tomorrow from the TSC
    (LukeHinds, 14:05:24)
  * AGREED: agenda (LukeHinds, 14:05:58)

* last minutes? (not much there) (LukeHinds, 14:06:14)
  * AGREED: last minutes (LukeHinds, 14:06:46)

* work item updates (LukeHinds, 14:07:19)
  * Jira has been updated so that we can raise security bugs, which are not
    public (only a member of the osvm / security group and the proj lead /
    lead committer can see). We just need to test this a bit more. I have
    not been pushing the guys at the linux foundation much though as they
    are super busy with first release stuff at the same time. But progress
    (LukeHinds, 14:09:05)
  * Need some members of the group who can read code to join to help handle
    vulnerabilities as and when they happen (LukeHinds, 14:09:34)
  * I don't foresee it being very busy / much of a time sink (LukeHinds,
    14:09:47)
  * I also am working still on putting up the page to map to ETSI
    requirements. (LukeHinds, 14:10:12)
  * we can do this with Inspector which might be nice. So for every ETSI
    requirement that is present in inspector we can show the relation, if
    that makes sense? (LukeHinds, 14:10:51)
  * good, so I will get onto that next week I hope. been a bit busy this
    week with other stuff on my desk. (LukeHinds, 14:11:54)

* marcel (LukeHinds, 14:12:49)
  * Currently looking at the Integration projects, trying to identify
    policy-relevant issues. I'm compiling a document for the issues I find.
    Then we can discuss what to put on the Int.Sec.Policy (mwinandy,
    14:14:50)
  * also found another nice example: Apache WSS4J Security Best Practices.
    Lists tools-related security guidelines (mwinandy, 14:15:36)
  * Marcel, we need to work on the upstream vulnerabilities and how
    deployment teams handle those (generate patches) (LukeHinds, 14:15:59)
  * for example, openstack let us know 3-4 days in advance of a pending sec
    patch, which we will need to work with oscar (deployment projects) to
    have ready (LukeHinds, 14:16:56)

* inspector discussions (LukeHinds, 14:19:16)
  * inspector will use sec group for incubation, until it needs its own time
    for a dedicated meeting / channel. that way it gets the eyes of new
    members to the group and encourages them to get involved. Plus feedback
    is available each week (if it's needed) (LukeHinds, 14:20:27)
  * LINK: https://github.com/openstack/pycadf/tree/master/etc/pycadf
    (LukeHinds, 14:25:39)
  * inspector will extend openstack taxonomies (above link as examples)
    (LukeHinds, 14:26:16)
  * inspector needs a means to audit the taxonomies, and favourite is
    tempest, but still being evaluated. (LukeHinds, 14:28:21)
  * ACTION: try to get more ODL into the group (LukeHinds, 14:32:35)
  * mwinandy suggested including ONOS colleagues to work on ONOS inspector
    based taxonomies, jaosorior agreed it would be good, as long as people
    are working on it (LukeHinds, 14:42:20)

* any other biz? (LukeHinds, 14:46:30)
  * reminder, sign up for the mailing list if you have not already. that
    way you will see gerrit review tagged alerts. (LukeHinds, 14:49:38)

Meeting ended at 14:52:22 UTC.

People present (lines said)
---------------------------
* LukeHinds (67)
* jaosorior (42)
* mwinandy (15)
* collabot (3)

Generated by `MeetBot`_ 0.1.4