14:04:09 <lhinds> #startmeeting Security Group 09/03/2016
14:04:09 <collabot`> Meeting started Wed Mar  9 14:04:09 2016 UTC.  The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:04:09 <collabot`> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:04:09 <collabot`> The meeting name has been set to 'security_group_09_03_2016'
14:04:18 <lhinds> ok, quite a busy agenda today
14:04:22 <lhinds> #link https://etherpad.opnfv.org/p/opnfv-sec-meetings
14:04:44 <lhinds> I will give you all a second, to read, and topic is..
14:04:52 <lhinds> #topic any items to add to agenda?
14:05:12 <aripie> looks good
14:05:29 <lhinds> #topic Security Guide
14:05:36 <lhinds> So main points here are..
14:05:57 <lhinds> #info a jira is now in place to track chapters / sections:
14:06:05 <lhinds> #link https://jira.opnfv.org/projects/SECURITY/issues/SECURITY-12?filter=allopenissues
14:06:17 <lhinds> #info we use the label 'SECGUIDE'
14:06:51 <Sona> ok,
14:06:56 <lhinds> the other point is we need to decide if we will take part in the C-Release
14:07:29 <Sona> is there anything we could do for C release?
14:07:32 <lhinds> I think as we are a living document, we can say yes. They left it right until the last minute before asking if we wanted in on the last release.
14:07:51 <lhinds> Sona: I think we should try to get all of the chapters with some content.
14:08:23 <lhinds> not a huge document, but pointing upstream with some descriptions on the topic / chapter
14:09:01 <lhinds> as discussed with you, we don't need details on how to implement. Your compute trust is a good example
14:09:02 <Sona> ok I will continue working with SECURITY-2 and will assign another one
14:09:09 <lhinds> around one page and then point them to the source
14:09:18 <lhinds> sounds good Sona
14:09:27 <Sona> I think Mazdak & Florin are very busy in other projects
14:10:00 <florind> armband is really keeping us busy at the moment, we try to ship it for B-Release SR1 end of this month
14:10:04 <lhinds> that's ok, let's not over commit ourselves on this doc. we are not on the radar here.
14:10:31 <lhinds> we can grow it slowly, and add to it as the platform matures.
14:10:59 <lhinds> So c-release is six months away, so I think we can have a basic structure in place for then
14:11:12 <aripie> on SECURITY-11, some new ETSI drafts in:
14:11:41 <aripie> #link https://portal.etsi.org/tb.aspx?tbid=799&SubTB=799
14:12:18 <lhinds> I need some eye bleach from looking at the website
14:12:46 <lhinds> I forgot how bad it is!
14:12:50 <lhinds> thanks aripie
14:13:04 <lhinds> I think you put yourself forward for ETSI collection?
14:13:17 <lhinds> but the other guy has not shown up since?
14:14:14 <aripie> oh it seems the links I saw yesterday are not there any more...
14:14:32 <aripie> yes, I can work on that one
14:14:41 <lhinds> we have this still:
14:14:45 <lhinds> #link https://wiki.opnfv.org/security/upstream
14:15:00 <lhinds> it will be useful for the functest which we come to soon
14:15:13 <lhinds> ok, I think that's it for the guide now?
14:15:41 <lhinds> #topic inspector
14:16:41 <lhinds> #info I closed the two issues on here, one was fixed in Mitaka
14:17:25 <lhinds> #info INSPECTOR-1 fixed
14:17:56 <lhinds> #info INSPECTOR-2 was a misunderstanding on how keystone works by the reporter
14:18:28 <lhinds> #topic functest-security
14:18:44 <lhinds> #link https://etherpad.opnfv.org/p/functest-sec
14:19:00 <lhinds> so an email was sent to us (email in the etherpad above)..
14:19:17 <lhinds> it is in regards to including some security tests into the functional testing project
14:19:55 <lhinds> I recommend taking a look at the wiki and reading up on the functest project's wiki (also a link in etherpad page)
14:20:30 <lhinds> I put some of my own points at the bottom, but you're all welcome to add additions or feedback
14:22:18 <lhinds> I think this might be an opportunity for us to start putting some code into other projects, so I have some ideas on what we could do there. But it's a community, so I don't want to run before all have had a chance to say their bit too
14:22:37 <lhinds> it's all in the etherpad though
14:22:47 <lhinds> Sona: welcome to copy/paste your bits in too.
14:23:00 <Sona> ok, I will do it
14:24:14 <lhinds> #topic C badge program
14:24:19 <lhinds> #undo
14:24:19 <collabot`> Removing item from minutes: <MeetBot.ircmeeting.items.Topic object at 0x2e0eb90>
14:24:26 <lhinds> #topic LF Badge Program
14:24:41 <lhinds> #link https://www.coreinfrastructure.org/programs/badge-program
14:25:09 <lhinds> Some of you may recall we spoke about this last year, but it was deferred until post release.
14:25:22 <lhinds> Now we are post release again, it's a topic for us.
14:26:32 <lhinds> The program is about us as an open source project, meeting a security standard. Not as in OPNFV platform security, or code, but the website, how we release, tell new developers about how to contribute
14:27:12 <lhinds> We already put this together in a spreadsheet, and I would say 60% of it we meet already
14:27:20 <lhinds> any questions / points?
14:28:53 <lhinds> ok, moving on, which relates to this...
14:29:01 <Sona> no wait :)
14:29:05 <lhinds> sure :)
14:29:17 <Sona> I don't know what to do with badge-program?
14:29:30 <Sona> should we join them?
14:29:48 <Sona> I was reading the web page ...
14:30:02 <lhinds> yep, ok, so we had a discussion with the linux foundation, and said we have an interest in taking part.
14:30:15 <lhinds> So we got a TSC nod to go ahead if we wanted to.
14:30:35 <Sona> ok
14:30:50 <lhinds> what we would have to do is work with the LF guys (ray / aric) to get the various tasks implemented
14:31:00 <lhinds> a quick example would be this...
14:31:31 <lhinds> when we offer the ISO to download on our website, opnfv.org we don't provide an MD5 hash of the image or a signature
14:31:54 <lhinds> so this means we could have something nasty happen like with Linux Mint
14:32:09 <Sona> oh yes
14:32:12 <lhinds> someone swaps out the ISO for an image containing trojans / malware
14:32:19 <Sona> I heard
14:32:31 <lhinds> so one of the actions in the list is to tick off each one (secure release program)
14:32:32 <Sona> we really should sign iso images
14:32:47 <lhinds> once we get through the list, we get a badge
14:32:59 <Sona> ok, I see now :)
14:33:06 <lhinds> the badge doesn't mean much, but it's a good process for us.
14:33:32 <Sona> for the coming release I hope we sign images/releases ... documentation etc ..
14:33:45 <lhinds> #info Luke to share spreadsheet on LF badge program
14:33:45 <Sona> maybe we can help with this
14:33:50 <lhinds> #undo
14:33:50 <collabot`> Removing item from minutes: <MeetBot.ircmeeting.items.Info object at 0x2d2ce50>
14:33:58 <lhinds> #action Luke to share spreadsheet on LF badge program
14:34:11 <lhinds> Sona, that brings me to our next topic :)
14:34:31 <lhinds> #topic leads for each work area
14:35:01 <lhinds> So we have a few projects brewing now, and we could be primed to do some great work and get ourselves on the OPNFV map.
14:35:20 <lhinds> So I want to put it out there, that each item could have its own lead.
14:35:29 <Sona> ok
14:35:41 <lhinds> So that way, when we meet, it would be each of us giving an update on our thing.
14:36:05 <Sona> sounds good
14:36:09 <lhinds> That means it does not bottleneck at me, and gives everyone a place to feel they are a key part of the group
14:36:54 <lhinds> So I am open to anyone coming forward and putting themselves up, also if people don't or want to hold off, no one will be judged, it's great just having you all here
14:37:41 <lhinds> Sona, I was thinking you would be a great match for the LF badge program, as you have an interest in all the things that fall under that topic.
14:37:53 <lhinds> Have a think and if it's something you would like to do.
14:38:00 <lhinds> then we can all +1 it at the next meeting.
14:38:17 <Sona> ok Luke, I will do my best
14:38:34 <lhinds> Also, we would still work as a group, so no one would be left to just them to carry things.
14:38:53 <Sona> good
14:39:08 <lhinds> I will email more out about the LF program.
14:39:26 <Sona> thanks
14:39:42 <lhinds> In fact we could even vote now, if you like Sona. Does not mean we start on the badge program, but you start looking into it and gather topics ?
14:39:58 <Sona> sure
14:40:07 <lhinds> +1 lhinds
14:40:13 <aripie> +1 aripie
14:40:16 <lhinds> done!
14:40:44 <lhinds> #info Sona will start to look at the badge program and take lead.
14:40:55 <lhinds> #action, luke to go over what we have with Sona
14:41:07 <lhinds> We can even have a call maybe, with some slides/
14:41:14 <lhinds> I can arrange that for next week
14:41:39 <lhinds> I have the stuff I presented to the TSC
14:41:47 <Sona> ok
14:42:02 <lhinds> #topic any other business?
14:42:26 <Sona> not from me
14:42:59 <lhinds> ok, thanks all. minutes will go up shortly
14:43:04 <lhinds> #endmeeting