14:01:55 <Sona> #startmeeting Security Group 07/12/16
14:01:55 <collabot`> Meeting started Wed Dec  7 14:01:55 2016 UTC.  The chair is Sona. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:01:55 <collabot`> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:01:55 <collabot`> The meeting name has been set to 'security_group_07_12_16'
14:02:08 <Sona> Hi Ash
14:02:08 <ashyoung> #info Ash Young
14:02:11 <ashyoung> Hi
14:02:14 <Sona> welcome :)
14:02:22 <aripie> Hi
14:02:23 <ashyoung> Thanks
14:02:27 <Sona> here is the agenda
14:02:29 <Sona> https://etherpad.opnfv.org/p/opnfv-sec-meetings
14:02:36 <Sona> Hi Ari
14:03:44 <Sona> #topic agenda Scanning of dependent binaries, where the source code is not in our repos
14:04:00 <Sona> Ash, do you have anything to discuss?
14:04:37 <ashyoung> Was just pulling up Luke's response
14:04:58 <Sona> I saw Luke's response
14:05:00 <ashyoung> "For one they should definitely have SHA-2 hash verifications in place, or we need to put up a firm No. If we end up having someone on opnfv-users running a compromised blob it's going to be awful for the project."
14:05:17 <ashyoung> "If we need a way to find discovered compiled files, then I expect we could script something using `file` or an equivalent in the python standard library? We could then work through them on a case by case basis (I am hoping there are not too many)?"
14:05:30 <ashyoung> So, it sounds like he is supportive of what I said in my email
14:05:39 <Sona> yes, I think so
14:05:57 <aripie> agreed
14:06:12 <ashyoung> I am currently setting up a discourse server for our discussions offline
14:06:22 <Sona> can you mention which projects there are that might not fulfill the CII badge requirement?
14:06:48 <ashyoung> I can work with Aric to get a VM to pull in 3rd party sources for scanning and verification. I will script it so we don't have to make it so manual each time
14:07:08 <ashyoung> Well, VPP, ODL, Ceph,
14:07:22 <ashyoung> These are not tied to an actual OPNFV project
14:07:27 <ashyoung> I'm sure there are more
14:07:44 <ashyoung> Anything that gets fetched as a binary falls into this category
14:08:11 <Sona> Do these projects have repos in the OPNFV project?
14:08:17 <ashyoung> It's pretty easy for me to find these
14:08:20 <ashyoung> No
14:08:28 <Sona> ok,
14:08:32 <ashyoung> That's the issue
14:08:41 <ashyoung> So because of that, CI never sees them
14:08:47 <Sona> I see
14:08:50 <ashyoung> They typically get pulled in during CD
14:09:44 <ashyoung> Another way of looking at it is it's a major step in helping our upstream communities achieve their own CII Badge
14:09:58 <Sona> Yes
14:10:31 <Sona> we should help/encourage them to achieve their own CII Badge
14:10:53 <ashyoung> So, I think this is something we want as a check off for D release
14:10:57 <Sona> I will also look at these projects and try to contact them
14:10:58 <ashyoung> Yes
14:11:17 <Sona> I can help with this
14:11:34 <ashyoung> awesome
14:12:17 <Sona> anything more you want to add about this topic?
14:12:22 <ashyoung> No
14:12:33 <Sona> #topic agenda CII badge for D-release
14:13:06 <Sona> We need to make sure that D-release is CII compliant
14:13:13 <ashyoung> Correct
14:13:25 <Sona> what do you think is the best approach?
14:13:54 <Sona> I have started to go through all requirements manually
14:14:03 <ashyoung> I think we have to make scanning a part of the CI
14:14:24 <ashyoung> But I also think we need to create a flow chart for the process
14:14:25 <Sona> yes, that would be good
14:14:52 <ashyoung> The process has to be clearly documented in a way that we can implement in code or be human readable
14:14:57 <Sona> Some criteria can be added as a security test
14:15:07 <ashyoung> Yes
14:15:19 <ashyoung> I don't think it has to be exhaustive at this point
14:15:25 <Sona> e.g. to check that md5 is not used
14:15:43 <ashyoung> But I think it will be important for the PTLs and for the Infra teams to know what we're looking for and what to expect
14:15:47 <ashyoung> yes
14:16:33 <Sona> do you think we need to be present at their meeting and talk to them about CII Badge requirements?
14:16:52 <ashyoung> I will be there in 15 mins
14:17:00 <Sona> very good :)
14:17:01 <ashyoung> I'm already in the room :)
14:17:07 <ashyoung> First one here
14:17:18 <ashyoung> And I discussed this at last week's call
14:17:19 <Sona> I think you will be a very good bridge between the developers and the security team
14:17:26 <Sona> :)
14:17:27 <ashyoung> So, they were actually hoping for a demo today
14:17:37 <ashyoung> But I discovered a bug
14:17:43 <ashyoung> yes
14:17:49 <ashyoung> Trying at least
14:17:51 <ashyoung> :)
14:18:22 <Sona> what demo?
14:18:52 <ashyoung> I wrote some code that pulls all the repos or selectively pulls certain ones and then scans them
14:19:05 <ashyoung> But I have to regress to an earlier version of anteater
14:19:14 <ashyoung> Current one is bailing on me
14:19:30 <Sona> ok,
14:19:41 <Sona> ok let's move on
14:19:45 <ashyoung> Luke is aware and is going to take a look when he gets home
14:19:48 <ashyoung> k
14:20:06 <Sona> #topic agenda ETSI
14:20:19 <aripie> OK
14:20:35 <Sona> Any updates Ari :) ?
14:20:45 <aripie> there is a f2f meeting in Shenzhen Dec 12-16
14:20:50 <Sona> Anything you want to share with us?
14:20:59 <aripie> a number of security topics are on
14:21:04 <aripie> #link https://portal.etsi.org//tb.aspx?tbid=799&SubTB=799#50610-contributions
14:21:22 <Sona> are you going to attend?
14:21:43 <aripie> no, I am scanning through the contributions now
14:21:51 <ashyoung> Quick question
14:22:04 <aripie> yes
14:22:11 <ashyoung> Should we pull in the draft items or only the publicly published ones
14:22:46 <ashyoung> This isn't about sharing the docs
14:22:56 <ashyoung> it's about coding the unpublished requirements
14:23:03 <aripie> primarily the published ones, but in the drafts there may well be items we would want to influence on
14:23:05 <ashyoung> It's an IPR question
14:23:25 <aripie> yes, that is true, the IPR  aspects need to be considered
14:23:36 <ashyoung> ok
14:24:18 <Sona> Anything more about ETSI?
14:24:40 <ashyoung> yes
14:25:32 <ashyoung> We need to ask our ETSI liaison if we can, without distributing draft docs, code the requirements in an anticipatory fashion if the coder(s) is an ETSI member
14:28:24 <Sona> Can we move on to next topic?
14:28:29 <ashyoung> k
14:28:32 <aripie> ok
14:28:55 <Sona> I don't have any updates about Anteater or Security scan
14:29:14 <ashyoung> I do
14:29:23 <Sona> ok
14:29:28 <ashyoung> As I said earlier, found what looks like a bug
14:29:35 <ashyoung> Gonna look into it with Luke
14:29:45 <Sona> yes that is right
14:29:47 <Sona> good
14:30:09 <ashyoung> Also, the documentation on how to get started needs work. I tried getting the docker container working on CentOS, Ubuntu, Suse, and Fedora
14:30:18 <ashyoung> I got very mixed results across the board
14:30:31 <ashyoung> Need to make it more consistent for our community and CI to use it
14:30:36 <ashyoung> I'm working on this as well
14:30:40 <ashyoung> That's all I have
14:30:44 <Sona> ok, we will have an action to improve the documentation
14:31:17 <Sona> #topic agenda AOB
14:31:41 <Sona> thanks guys
14:31:43 <Sona> #endmeeting