14:04:48 <lhinds> #startmeeting Security Group 30/03/2016
14:04:48 <collabot`> Meeting started Wed Mar 30 14:04:48 2016 UTC. The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:04:48 <collabot`> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:04:48 <collabot`> The meeting name has been set to 'security_group_30_03_2016'
14:05:25 <lhinds> let me get the agenda..
14:05:41 <lhinds> #link https://etherpad.opnfv.org/p/opnfv-sec-meetings
14:05:59 <lhinds> any items to add Sona?
14:06:27 <Sona> no
14:06:50 <lhinds> #topic wiki migration
14:06:57 <lhinds> So the wiki is now hosted here....
14:07:07 <Sona> I noticed
14:07:50 <lhinds> #link https://wiki.opnfv.org/display/security
14:08:06 <lhinds> If you get a chance, have a look through for any migration errors.
14:08:22 <lhinds> it looks ok to me though, just some image issues.
14:08:26 <Sona> the google search gives the wrong link
14:08:45 <lhinds> yep, we need to wait for google's spiders to re-crawl the site
14:09:06 <Sona> yes :)
14:09:23 <lhinds> #topic Security Guide
14:09:26 <lhinds> <hides>
14:10:03 <lhinds> Guilty of still not doing anything, just been really busy with work stuff and the functest scripting / planning
14:10:16 <Sona> I have created subtasks under https://jira.opnfv.org/browse/SECURITY-2
14:10:43 <lhinds> that looks good, how are you for pushing to gerrit now?
14:11:05 <Sona> I am not ready to push
14:11:25 <Sona> I will add my text in the Jira so you can have a look
14:12:57 <lhinds> ok, I will have time at the end of the week to scope up what we both have and push it up
14:13:04 <Sona> Compute security is too broad, I need to focus on the right context
14:13:23 <lhinds> understand
14:13:46 <lhinds> main thing is we highlight what security concerns should be (the general area) and point them upstream.
14:14:00 <Sona> yes
14:14:12 <lhinds> so we don't need to do a complete in-depth guide, it's more like a yellow pages with some intro tex
14:14:21 <lhinds> *text
14:14:32 <lhinds> ok, moving on..
14:14:35 <lhinds> #topic Badge Program
14:14:46 <lhinds> all yours Sona
14:14:55 <lhinds> (i have some updates too)
14:15:25 <Sona> I need to update the security page https://jira.opnfv.org/browse/SECURITY-16
14:15:33 <Sona> with the contact list
14:16:06 <Sona> shall I add it to the main page or https://wiki.opnfv.org/display/security/Osvm
14:16:48 <lhinds> yes please, I will have my key for you soon.
14:17:02 <Sona> where do you think I should add "How to contact OPNFV securely"?
14:17:04 <lhinds> using webmail @ redhat and still need to get thunderbird set up
14:17:43 <Sona> you need Enigmail
14:17:52 <Sona> for thunderbird
14:17:55 <lhinds> at the top
14:18:23 <Sona> do you mean at the top of the main page?
14:18:59 <lhinds> yes please
14:19:06 <Sona> ok, thanks
14:19:07 <lhinds> you can take inspiration from here https://security.openstack.org/#how-to-report-security-issues-to-openstack
14:19:25 <Sona> ok
14:20:18 <lhinds> I am just working on a google form for PTLs to complete. This will be an audit of what languages and libraries they use.
14:22:16 <Sona> I forgot again, what the "PTL" is :(
14:22:38 <lhinds> other than that, how is the general status? are there many still not assigned?
14:23:20 <Sona> it is going forward
14:23:26 <Sona> regarding publicly-known vulnerabilities fixed: https://jira.opnfv.org/browse/SECURITY-24
14:23:53 <Sona> what software is OPNFV specific?
14:24:17 <Sona> That we need to keep track of vulnerabilities for
14:25:14 <lhinds> This is what I will audit, but it's most likely going to be the installers, as they are what we tend to not upstream
14:25:48 <lhinds> for test projects, it's not as fair to scrutinize them, as it's not code that should be run outside of a test / dev environment.
14:26:19 <lhinds> other stuff would be code that is queued to go upstream, but has not been accepted yet
14:26:54 <Sona> Can you please update SECURITY-24 with this info?
14:30:21 <lhinds> I have assigned it to me
14:30:49 <Sona> Thanks, I added some comments
14:30:51 <lhinds> It's going to be a fair amount of work on its own, that one
14:31:32 <Sona> I know :)
14:31:42 <Sona> moving to https://jira.opnfv.org/browse/SECURITY-23
14:32:23 <Sona> I think all iso images/tarballs should be checksummed with sha2
14:32:34 <lhinds> agree there
14:32:40 <Sona> release notes should be signed
14:32:52 <lhinds> action: I think all iso images/tarballs should be checksummed with sha2 (Sona)
14:33:00 <lhinds> let's bring that up on the badge call tomorrow?
14:33:08 <Sona> ok
14:34:01 <Sona> I will have a look at https://jira.opnfv.org/browse/SECURITY-17 today
14:34:29 <lhinds> just looking..
14:34:33 <Sona> Ulrich Kleber will work on this, but we can add some comments
14:34:46 <Sona> make life easy for him :)
14:34:57 <lhinds> sounds good, can you assign it to him?
14:35:36 <Sona> yes I can
14:36:44 <lhinds> thanks
14:37:04 <Sona> we need to give some attention to https://jira.opnfv.org/browse/SECURITY-19
14:37:25 <Sona> I will have a look at this
14:37:41 <lhinds> yep, now for this one the google form audit I mentioned will help
14:37:51 <lhinds> we will then know what static analysis we will need
14:38:01 <Sona> ok
14:38:02 <lhinds> Dynamic is going to be a headache
14:38:18 <lhinds> but I think we can cover static
14:38:37 <Sona> we still need to run this only on the OPNFV code
14:38:46 <lhinds> I am a committer on the Bandit pylint project, so I can get that into our CI
14:38:54 <lhinds> and push changes if we need them
14:39:12 <Sona> good, thanks
14:39:13 <lhinds> "we still need to run this only on the OPNFV code" yes
14:39:44 <lhinds> you can assign that one to me, if you have a lot on. I don't mind covering that as it goes hand in hand with the audit I am doing
14:39:44 <Sona> I am done with the badge program
14:40:09 <Sona> ok, good, I will help as much as I can
14:41:22 <Sona> can we move on to OPNFV summit?
14:41:45 <lhinds> sure..
14:41:57 <lhinds> #topic OPNFV Summit
14:42:11 <lhinds> #action get Sona to chair a meeting, as fallback
14:42:22 <lhinds> (just a note for myself)
14:42:57 <lhinds> ok, so I rushed in the proposal, apologies for being a bit loose in commitment then, it was during a mini family holiday we had over easter
14:43:22 <Sona> no problem
14:43:39 <Sona> have you sent the title & abstract?
14:44:02 <lhinds> 'Security Group Update' - but we can change this.
14:44:48 <lhinds> I mentioned the talk would be on Security Efforts (functest, secure code, VMT etc) and the badge program and how it will affect you as developers
14:45:13 <lhinds> we could also talk tomorrow with Fatih and Uli to see if we can have a workshop? Does that sound good?
14:45:14 <Sona> it is good
14:45:29 <Sona> yes
14:46:02 <lhinds> We can capture stuff in here
14:46:09 <lhinds> #link https://etherpad.opnfv.org/p/summit-security-2016
14:46:25 <lhinds> and then build a presentation deck
14:46:56 <Sona> or https://jira.opnfv.org/browse/SECURITY-34 :)
14:48:04 <Sona> we can add stuff in the etherpad, I will add this link in the jira
14:49:12 <Sona> ok good
14:49:28 <lhinds> #topic functest
14:49:28 <Sona> we can move on to functest, if you don't have more to add
14:49:56 <Sona> I haven't looked at functest, what is the status?
14:49:58 <lhinds> I have started to code some test calls to OpenSCAP as a prototype. Here are some of the documents I have so far
14:51:03 <lhinds> (one min, need to get google drive links)
14:52:30 <Sona> ok
14:52:56 <lhinds> this is the plan for the various installers
14:54:25 <Sona> very good, thanks
14:54:33 <lhinds> https://docs.google.com/presentation/d/1ZJk873Ge-rf39o3QEogPgUTpJCRzU1N262t2VnkeXYY/edit?usp=sharing
14:54:42 <lhinds> The deck is WIP
14:56:03 <lhinds> That is it for now, I will run this past the functest guys, and likely get a prototype going with Apex (as it's the installer I know best so far)
14:56:29 <Sona> good
14:56:41 <lhinds> ok, I am done :)
14:56:44 <lhinds> you good?
14:56:51 <Sona> yes, thanks
14:56:57 <Sona> bye
14:57:03 <lhinds> I have a call to jump on now, so will end meetbot
14:57:06 <lhinds> thanks Sona!
14:57:09 <lhinds> #endmeeting