14:02:12 <lhinds_> #startmeeting Security Group 14/10/2015
14:02:12 <collabot> Meeting started Wed Oct 14 14:02:12 2015 UTC.  The chair is lhinds_. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:02:12 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:02:12 <collabot> The meeting name has been set to 'security_group_14_10_2015'
14:02:26 <lhinds_> #topic Agenda
14:02:58 <lhinds_> I don't have any key topics, just some points...anyone want to add to an agenda. Ari 4 inspector / Sona 4 wiki ideas?
14:03:51 <aripie> one interesting issue is Amazon Inspector aiming at much the same as OPNFV Inspector
14:04:01 <aripie> and Google their auditability solution
14:04:10 <aripie> so we can briefly touch thosa
14:04:13 <aripie> *those
14:04:21 <lhinds_> hmm that is interesting!
14:05:27 <lhinds_> ok, I have a potential new project as well, just need to talk to the committers.. it's more helping them out if they need it, we can cover that as well
14:05:34 <lhinds_> #topic inspector
14:05:53 <aripie> #info “Amazon launches Inspector, a tool that automatically finds security and compliance issues”
14:06:06 <aripie> #link http://venturebeat.com/2015/10/07/amazon-launches-inspector-a-tool-that-automatically-finds-security-compliance-issues/
14:06:20 <aripie> #info “Google launches its Cloud Platform Security Scanner out of beta, minutes after Amazon announced Inspector”
14:06:34 <aripie> #link http://venturebeat.com/2015/10/07/google-launches-its-cloud-platform-security-scanner-out-of-beta-minutes-after-amazon-announced-inspector/
14:07:06 <aripie> Looks like the auditability problemacy is very real and the big ones are doing things
14:07:14 <lhinds_> ahh ok, this is monkey from netflix
14:07:17 <lhinds_> I think?
14:07:29 <aripie> possibly
14:08:23 <lhinds_> #link https://github.com/Netflix/security_monkey
14:08:35 <aripie> it is worth digging a bit to see what Amazon and Google claim to be auditable in their infra
14:08:54 <lhinds_> sure, i think so
14:09:16 <lhinds_> It will all be centered on AWS APIs, but still interesting
14:10:14 <lhinds_> how is inspector looking now?  are you still going to be PTL? I can't recall what the action was (my bad memory)
14:10:47 <lhinds_> I remember you got voted in, but needed to consider some things.
14:11:08 <aripie> well I had to minus myself due to priorities in the company
14:11:20 <aripie> so we need to find another candidate
14:11:51 <lhinds_> understand, we all have day jobs too.
14:12:17 <lhinds_> maybe we can keep it open and see if a need drives the project up again as active
14:14:19 <lhinds_> anything else ari, or should we go to any other business?
14:14:35 <aripie> that is it for now, move ahead
14:14:55 <lhinds_> #topic Any Other Biz
14:15:43 <lhinds_> I am getting in contact with the committees behind #link http://specs.openstack.org/openstack/glance-specs/specs/liberty/image-signing-and-verification-support.html
14:15:52 <lhinds_> see if they need some help
14:15:58 <lhinds_> I think this fills a big gap
14:16:29 <lhinds_> I know a few people who are concerned about glance images being swapped out for compromised clones
14:16:41 <aripie> +1
14:16:58 <lhinds_> It might be a fit for upstreaming via here and bringing into arno
14:17:17 <lhinds_> I was looking to do something like this, but others already had the idea which is good
14:21:55 <aripie> another thing, wiki improvements have been discussed; how much should we do before moving to Confluence?
14:22:32 <aripie> minor edits certainly are not problematic
14:23:07 <Sona> when are you planning to move to Confluence?
14:23:51 <lhinds_> I need to check with the TSC over the schedule, but I am sure they will leave both systems running in parallel for a few months, to allow people to migrate
14:27:34 <lhinds_> #action Luke to find out confluence > dokuwiki timelines
14:28:47 <Sona> I will add a concise list of components/projects used in OPNFV and some security related info about each project, it would be good if someone reviews it and makes sure that the info is correct
14:29:57 <Sona> if the plan is to start confluence soon, I can wait
14:31:12 <lhinds_> you could always draft to txt or word / libreoffice, I think copy and paste into confluence works well, but sure if you want to hold off, that's a good plan too
14:31:36 <lhinds_> oh I sent the OSVM slides, take a look
14:31:40 <lhinds_> see what you think
14:34:22 <Sona> I have seen but I will have a look at it again
14:35:13 <Sona> what does PTL mean? (I might have asked before, I don't remember it :))
14:36:05 <lhinds_> Project Team Lead
14:36:20 <Sona> Ok, thanks
14:36:20 <lhinds_> So you have PTL and then committers, but in our case, we have members
14:36:36 <Sona> How do you handle Embargoed disclosure issues in Jira?
14:36:38 <lhinds_> np
14:36:52 <Sona> do you have filter, visible by certain people?
14:37:00 <lhinds_> in jira?
14:37:10 <lhinds_> yep
14:38:50 <Sona> ok, good
14:58:35 <lhinds_> ok! I think we are done for now
14:58:40 <lhinds_> #endmeeting