14:09:28 <lhinds_> #startmeeting Security Group 25-11-2015
14:09:28 <collabot> Meeting started Wed Nov 25 14:09:28 2015 UTC.  The chair is lhinds_. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:09:28 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:09:28 <collabot> The meeting name has been set to 'security_group_25_11_2015'
14:09:42 <lhinds_> #topic Agree Agenda
14:10:08 <lhinds_> I have two, Ari: the security guide and the LF secure badge scheme
14:10:15 <lhinds_> anything you want to add?
14:10:29 <aripie> inspector/PTL way forward?
14:10:55 <lhinds_> ok!
14:11:51 <lhinds_> btw, need to leave a little again, but that should be it then, issues with collecting kid, but wife takes over again next week
14:12:01 <lhinds_> #topic Security Guide
14:12:10 <aripie> np
14:12:20 <lhinds_> So main thing I wanted to check was if anyone had tried getting set up yet?
14:12:27 <lhinds_> e.g. gerrit / git / sphinx
14:12:40 <aripie> connectivity issues with gerrit, tried half hour ago
14:12:56 <lhinds_> np, it's not a chase-up, more to see if anyone needs support
14:13:01 <aripie> I did get there earlier, but did not yet clone
14:13:10 <lhinds_> if you need help at all, you're welcome to email me direct
14:13:23 <aripie> will do
14:13:38 <lhinds_> ok, so I have some new stuff which I will git amend towards the end of the week.
14:13:56 <lhinds_> I think Sona said she wants to cover neutron as well, so will try to get her up and running
14:14:09 <lhinds_> #topic Linux Security Badge
14:14:15 <lhinds_> #undo
14:14:15 <collabot> Removing item from minutes: <MeetBot.ircmeeting.items.Topic object at 0x2dc6c50>
14:14:27 <lhinds_> #topic Linux Foundation Security Badge
14:15:05 <lhinds_> so we had someone from the linux foundation get in touch, about the OPNFV getting security status, as a secure open source project.
14:15:27 <lhinds_> it includes code scanning, vuln management, how builds are made, secure compilers
14:15:51 <aripie> very good initiative
14:15:52 <lhinds_> Chris Price will be bringing this up, to see what the community thinks, but I said on behalf of us guys we would like to do it.
14:15:59 <lhinds_> Let me try and get a link...
14:16:35 <lhinds_> #link https://github.com/linuxfoundation/cii-best-practices-badge/blob/master/doc/criteria.md
14:17:03 <lhinds_> I will start tracking and reporting this to the sec meetings, and if anyone wants involvement, of course they are welcome
14:17:26 <lhinds_> I will also email, when the topic is raised to the community, I just need to check with Chris P on times.
14:17:43 <aripie> ok, there is a connection to the Sec Guide as regards development practices
14:17:55 <lhinds_> not so much
14:18:06 <lhinds_> this is more development processes and tools
14:18:27 <lhinds_> security guide, is how to secure the platform
14:18:40 <lhinds_> oh, do you mean tools?
14:18:45 <lhinds_> like sphinx etc?
14:19:19 <aripie> yes - I think sphinx is fine, though
14:19:59 <aripie> code checkers etc
14:20:12 <aripie> we should have recommendations, references
14:20:31 <lhinds_> this will not likely be a hosted project... it's more a checklist, that if we can be fully compliant on, we get a badge which we can put on the opnfv website
14:20:41 <lhinds_> the badge will be awarded by the Linux Foundation...
14:20:58 <lhinds_> and essentially says, this is a secure open source project!
14:21:39 <lhinds_> but going through the process, is very beneficial as it makes us audit how we as an open source project, govern our security
14:21:56 <lhinds_> for example, I noted that we don't provide an MD5 hash of arno ISO images.
14:22:11 <aripie> yes, two sides to it, to comply we need in OPNFV to follow CII Badge advice, but we can also suggest CII criteria
14:22:12 <lhinds_> this is quite standard, to make sure there is no MITM and someone downloads a malicious version
14:22:30 <lhinds_> I guess so, I can certainly check on that
14:22:36 <lhinds_> ok, I have a few mins..
14:22:40 <lhinds_> let's do inspector
14:22:44 <lhinds_> don't want to miss that
14:22:49 <lhinds_> #info inspector update
14:23:00 <lhinds_> #topic inspector update
14:23:23 <aripie> the solicitation for PTL candidates has not been successful...
14:23:35 <aripie> I guess we have three alternatives
14:23:45 <aripie> 1. again solicit for candidates
14:24:11 <aripie> 2. merge Inspector to another project (Moon has been named)
14:24:21 <aripie> 3. put inspector to sleep
14:24:34 <lhinds_> my two cents, we should keep it going, it's a good idea.
14:24:48 <aripie> personally, I am obviously fond of the project and would like to see it continued
14:25:20 <lhinds_> not so sure it makes sense to merge with moon, moon is very much its own project and whereas inspector is multi project upstream
14:25:24 <aripie> so should we try again to get a new PTL
14:25:34 <lhinds_> I feel it may then just become a vehicle to get moon changes upstream
14:25:46 <lhinds_> I have a recommendation, how about we put me as acting PTL?
14:25:59 <aripie> I am good with that
14:26:14 <lhinds_> cool, it would be very good to keep it going
14:26:22 <lhinds_> I will do some more work on it as well.
14:26:39 <lhinds_> #agree lhinds to be acting PTL for inspector project
14:26:51 <lhinds_> ok! I have to go and get my kid!
14:26:56 <lhinds_> nice speaking with you ari!
14:26:58 <aripie> I agree, even more relevant with what happens around security/privacy with the threats
14:27:00 <lhinds_> thanks for joining
14:27:04 <lhinds_> #endmeeting