14:04:09 #startmeeting Security Group 09/03/2016
14:04:09 Meeting started Wed Mar 9 14:04:09 2016 UTC. The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:04:09 Useful Commands: #action #agreed #help #info #idea #link #topic.
14:04:09 The meeting name has been set to 'security_group_09_03_2016'
14:04:18 ok, quite a busy agenda today
14:04:22 #link https://etherpad.opnfv.org/p/opnfv-sec-meetings
14:04:44 I will give you all a second, to read, and topic is..
14:04:52 #topic any items to add to agenda?
14:05:12 looks good
14:05:29 #topic Security Guide
14:05:36 So main points here are..
14:05:57 #info a jira is now in place to track chapters / sections:
14:06:05 #link https://jira.opnfv.org/projects/SECURITY/issues/SECURITY-12?filter=allopenissues
14:06:17 #info we use the label 'SECGUIDE'
14:06:51 ok,
14:06:56 the other point is we need to decide if we will take part in the C-Release
14:07:29 is there anything we could do for C release?
14:07:32 I think as we are a living document, we can say yes. They left it right until the last minute before asking if we wanted in on the last release.
14:07:51 Sona: I think we should try to get all of the chapters with some content.
14:08:23 not a huge document, but pointing upstream with some descriptions on the topic / chapter
14:09:01 as discussed with you, we don't need details on how to implement. Your compute trust is a good example
14:09:02 ok I will continue working with SECURITY-2 and will assign another one
14:09:09 around one page and then point them to the source
14:09:18 sounds good Sona
14:09:27 I think Mazdak & Florin are very busy in other projects
14:10:00 armband is really keeping us busy at the moment, we try to ship it for B-Release SR1 end of this month
14:10:04 that's ok, let's not over commit ourselves on this doc. we are not on the radar here.
14:10:31 we can grow it slowly, and add to it as the platform matures.
14:10:59 So c-release is six months away, so I think we can have a basic structure in place for then
14:11:12 on SECURITY-11, some new ETSI drafts in:
14:11:41 #link https://portal.etsi.org/tb.aspx?tbid=799&SubTB=799
14:12:18 I need some eye bleach from looking at the website
14:12:46 I forgot how bad it is!
14:12:50 thanks aripie
14:13:04 I think you put yourself forward for ETSI collection?
14:13:17 but the other guy has not shown up since?
14:14:14 oh it seems the links I saw yesterday are not there any more...
14:14:32 yes, I can work on that one
14:14:41 we have this still:
14:14:45 #link https://wiki.opnfv.org/security/upstream
14:15:00 it will be useful for the functest which we come to soon
14:15:13 ok, I think that's it for the guide now?
14:15:41 #topic inspector
14:16:41 #info I closed the two issues on here, one was fixed in Mitaka
14:17:25 #info INSPECTOR-1 fixed
14:17:56 #info INSPECTOR-2 was a misunderstanding on how keystone works by the reporter
14:18:28 #topic functest-security
14:18:44 #link https://etherpad.opnfv.org/p/functest-sec
14:19:00 so an email was sent to us (email in the etherpad above)..
14:19:17 it is in regards to including some security tests into the functional testing project
14:19:55 I recommend taking a look at the wiki and reading up on the functest project's wiki (also a link in the etherpad page)
14:20:30 I put some of my own points at the bottom, but you're all welcome to add additions or feedback
14:22:18 I think this might be an opportunity for us to start putting some code into other projects, so I have some ideas on what we could do there. But it's a community, so I don't want to run before all have had a chance to say their bit too
14:22:37 it's all in the etherpad though
14:22:47 Sona: welcome to copy/paste your bits in too.
14:23:00 ok, I will do it
14:24:14 #topic C badge program
14:24:19 #undo
14:24:19 Removing item from minutes:
14:24:26 #topic LF Badge Program
14:24:41 #link https://www.coreinfrastructure.org/programs/badge-program
14:25:09 Some of you may recall we spoke about this last year, but it was deferred until post release.
14:25:22 Now we are post release again, it's a topic for us.
14:26:32 The program is about us as an opensource project, meeting a security standard. Not as in OPNFV platform security, or code, but the website, how we release, how we tell new developers about how to contribute
14:27:12 We already put this together in a spreadsheet, and I would say 60% of it we meet already
14:27:20 any questions / points?
14:28:53 ok, moving on, which relates to this...
14:29:01 no wait :)
14:29:05 sure :)
14:29:17 I don't know what to do with badge-program?
14:29:30 should we join them?
14:29:48 I was reading the web page ...
14:30:02 yep, ok, so we had a discussion with the linux foundation, and said we have an interest in taking part.
14:30:15 So we got a TSC nod to go ahead if we wanted to.
14:30:35 ok
14:30:50 what we would have to do is work with the LF guys (ray / aric) to get the various tasks implemented
14:31:00 a quick example would be this...
14:31:31 when we offer the ISO to download on our website, opnfv.org, we don't provide an MD5 hash of the image or a signature
14:31:54 so this means we could have something nasty happen like with Linux Mint
14:32:09 oh yes
14:32:12 someone swaps out the ISO for an image containing trojans / malware
14:32:19 I heard
14:32:31 so one of the actions in the list is to tick off each one (secure release program)
14:32:32 we really should sign iso images
14:32:47 once we get through the list, we get a badge
14:32:59 ok, I see now :)
14:33:06 the badge doesn't mean much, but it's a good process for us.
14:33:32 for the coming release I hope we sign images/releases ... documentation etc ..
14:33:45 #info Luke to share spreadsheet on LF badge program
14:33:45 maybe we can help with this
14:33:50 #undo
14:33:50 Removing item from minutes:
14:33:58 #action Luke to share spreadsheet on LF badge program
14:34:11 Sona, that brings me to our next topic :)
14:34:31 #topic leads for each work area
14:35:01 So we have a few projects brewing now, and we could be primed to do some great work and get ourselves on the OPNFV map.
14:35:20 So I want to put it out there, that each item could have its own lead.
14:35:29 ok
14:35:41 So that way, when we meet, it would be each of us giving an update on our thing.
14:36:05 sounds good
14:36:09 That means it does not bottleneck at me, and gives everyone a place to feel they are a key part of the group
14:36:54 So I am open to anyone coming forward and putting themselves up, also if people don't or want to hold off, no one will be judged, it's great just having you all here
14:37:41 Sona, I was thinking you would be a great match for the LF badge program, as you have an interest in all the things that fall under that topic.
14:37:53 Have a think and see if it's something you would like to do.
14:38:00 then we can all +1 it at the next meeting.
14:38:17 ok Luke, I will do my best
14:38:34 Also, we would still work as a group, so no one would be left to carry things on their own.
14:38:53 good
14:39:08 I will email more out about the LF program.
14:39:26 thanks
14:39:42 In fact we could even vote now, if you like Sona. Does not mean we start on the badge program, but you start looking into it and gather topics?
14:39:58 sure
14:40:07 +1 lhinds
14:40:13 +1 aripie
14:40:16 done!
14:40:44 #info Sona will start to look at the badge program and take lead.
14:40:55 #action luke to go over what we have with Sona
14:41:07 We can even have a call maybe, with some slides.
14:41:14 I can arrange that for next week
14:41:39 I have the stuff I presented to the TSC
14:41:47 ok
14:42:02 #topic any other business?
14:42:26 not from me
14:42:59 ok, thanks all. minutes will go up shortly
14:43:04 #endmeeting