14:01:55 <Sona> #startmeeting Security Group 07/12/16 14:01:55 <collabot`> Meeting started Wed Dec 7 14:01:55 2016 UTC. The chair is Sona. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:01:55 <collabot`> Useful Commands: #action #agreed #help #info #idea #link #topic. 14:01:55 <collabot`> The meeting name has been set to 'security_group_07_12_16' 14:02:08 <Sona> Hi Ash 14:02:08 <ashyoung> #info Ash Young 14:02:11 <ashyoung> Hi 14:02:14 <Sona> welcome :) 14:02:22 <aripie> Hi 14:02:23 <ashyoung> Thanks 14:02:27 <Sona> here is the agenda 14:02:29 <Sona> https://etherpad.opnfv.org/p/opnfv-sec-meetings 14:02:36 <Sona> Hi Ari 14:03:44 <Sona> #topic agenda Scanning of dependent binaries, where the source code is not in our repos 14:04:00 <Sona> Ash, du you have anything to discuss? 14:04:37 <ashyoung> Was just pulling up Luke's response 14:04:58 <Sona> I saw Luke's response 14:05:00 <ashyoung> "For one they should definitely have SHA-2 has verifications in place, or we need to put up a firm No. If we end having someone on opnfv-users running a compromised blob its going to be awful for the project." 14:05:17 <ashyoung> "If we need a way to find discovered compiled files, then I expect we could script something using `file` or an equivalent in the python standard library? We could then work through them on case by case (I am hoping there are not too many)? 14:05:17 <ashyoung> " 14:05:30 <ashyoung> So, it sounds like he is supportive of what I said in my email 14:05:39 <Sona> yes, I think so 14:05:57 <aripie> agreed 14:06:12 <ashyoung> I am currently setting up a discourse server for our discussions offline 14:06:22 <Sona> can you mention what projects are that might not fulfyll CII badge requirement? 14:06:48 <ashyoung> I can work with Aric to get a VM to pull in 3rd party sources for scanning and verification. I will script it so we don't have to make it so manual each time 14:07:08 <ashyoung> Well, VPP, ODL, Ceph, 14:07:22 <ashyoung> These are are not tied to an actual OPNFV project 14:07:27 <ashyoung> I'm sure there are more 14:07:44 <ashyoung> Anything that gets fetched as a binary falls into this category 14:08:11 <Sona> Do these projects have repos in the OPNFV project? 14:08:17 <ashyoung> It's pretty easy for me to find these 14:08:20 <ashyoung> No 14:08:28 <Sona> ok, 14:08:32 <ashyoung> That's the issue 14:08:41 <ashyoung> So because of that, CI never sees them 14:08:47 <Sona> I see 14:08:50 <ashyoung> They typically get pulled in during CD 14:09:44 <ashyoung> Another way of looking at it is it's a major step in helping our upstream communities achieve their own CII Badge 14:09:58 <Sona> Yes 14:10:31 <Sona> we should help/encourage them to achieve for their own CII Badge 14:10:53 <ashyoung> So, I think this is something we want as a check off for D release 14:10:57 <Sona> I will also look at these project and try to contact them 14:10:58 <ashyoung> Yes 14:11:17 <Sona> I can help with this 14:11:34 <ashyoung> awesome 14:12:17 <Sona> anything more you want to add about this topic? 14:12:22 <ashyoung> No 14:12:33 <Sona> #topic agenda CII bage for D-release 14:13:06 <Sona> We need to make sure that D-release is CII compliant 14:13:13 <ashyoung> Correct 14:13:25 <Sona> what do you think is best approach? 14:13:54 <Sona> I have started to go through all requirements manually 14:14:03 <ashyoung> I think we have to make scanning a part of the CI 14:14:24 <ashyoung> But I also think we need to create a flow chart for the process 14:14:25 <Sona> yes, that would be good 14:14:52 <ashyoung> The process has to be clearly documented in a way that we can implement in code or be human readable 14:14:57 <Sona> Some criteria can be added as a security test 14:15:07 <ashyoung> Yes 14:15:19 <ashyoung> I don't think it has to be exhaustive at this point 14:15:25 <Sona> e.g. to check that md5 is not used 14:15:43 <ashyoung> But I think it will be important for the PTLs and for the Infra teams to know what we're looking for and what to expect 14:15:47 <ashyoung> yes 14:16:33 <Sona> do you think we need to be present att their meeting and talk to them about CII Badge requirements? 14:16:52 <ashyoung> I will be there in 15 mins 14:17:00 <Sona> very good :) 14:17:01 <ashyoung> I'm already in the room :) 14:17:07 <ashyoung> First one here 14:17:18 <ashyoung> And I discussed this at last week's call 14:17:19 <Sona> I think you will be a very good bridge between developer and security team 14:17:26 <Sona> :) 14:17:27 <ashyoung> So, they were actually hoping for a demo today 14:17:37 <ashyoung> But I discovered a bug 14:17:43 <ashyoung> yes 14:17:49 <ashyoung> Trying at least 14:17:51 <ashyoung> :) 14:18:22 <Sona> what demo? 14:18:52 <ashyoung> I wrote some code that pulls all the repos or selectively pulls certain ones and then scans them 14:19:05 <ashyoung> But I have to regress to an earlier version of anteater 14:19:14 <ashyoung> Current one is bailing on me 14:19:30 <Sona> ok, 14:19:41 <Sona> ok let's move on 14:19:45 <ashyoung> Luke is aware and is going to take a look when he gets home 14:19:48 <ashyoung> k 14:20:06 <Sona> #topic agenda ETSI 14:20:19 <aripie> OK 14:20:35 <Sona> Any updates Ari :) ? 14:20:45 <aripie> there is a f2f meeting in Shenzhen Dec 12-16 14:20:50 <Sona> Anything you want to share with us? 14:20:59 <aripie> a number of security topics are on 14:21:04 <aripie> #link https://portal.etsi.org//tb.aspx?tbid=799&SubTB=799#50610-contributions 14:21:22 <Sona> are you going to attend? 14:21:43 <aripie> no, I am scanning through the contributions now 14:21:51 <ashyoung> Quick question 14:22:04 <aripie> yes 14:22:11 <ashyoung> Should we pull in the draft items or only the publicly published ones 14:22:46 <ashyoung> This isn't about sharing the docs 14:22:56 <ashyoung> it's about coding the unpublished requirements 14:23:03 <aripie> primarily the published ones, but in the drafts there may well be items we would want to influence on 14:23:05 <ashyoung> It's an IPR question 14:23:25 <aripie> yes, that is true, the IPR aspects need to be considered 14:23:36 <ashyoung> ok 14:24:18 <Sona> Anything more about ETSI? 14:24:40 <ashyoung> yes 14:25:32 <ashyoung> We need to have ask our ETSI liaison if we can, without distributing draft docs, if we can code the requirements in an anticipatory fashion if the coder(s) is an ETSI member 14:28:24 <Sona> Can we move on to next topic? 14:28:29 <ashyoung> k 14:28:32 <aripie> ok 14:28:55 <Sona> I don't have any updates about Anteater or Security scan 14:29:14 <ashyoung> I do 14:29:23 <Sona> ok 14:29:28 <ashyoung> As I said earlier, found what looks like a bug 14:29:35 <ashyoung> Gonna look into it with Luke 14:29:45 <Sona> yes that is right 14:29:47 <Sona> good 14:30:09 <ashyoung> Also, the documentation on how to get started needs work. I tried getting the docker container working on CentOS, Ubuntu, Suse, and Fedora 14:30:18 <ashyoung> I got very mixed results across the board 14:30:31 <ashyoung> Need to make it more consistent for our community and CI to use it 14:30:36 <ashyoung> I'm working on this as well 14:30:40 <ashyoung> That's all I have 14:30:44 <Sona> ok we will have as an action to improve the documentation 14:31:17 <Sona> #topic agenda AOB 14:31:41 <Sona> thanks guys 14:31:43 <Sona> #endmeeting