14:03:29 <lhinds> #startmeeting sec-group 17/01
14:03:29 <collabot`> Meeting started Wed Mar  1 14:03:29 2017 UTC.  The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:03:29 <collabot`> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:03:29 <collabot`> The meeting name has been set to 'sec_group_17_01'
14:03:40 <lhinds> ping ashyoung , u around?
14:03:50 <ashyoung> ack
14:04:05 <lhinds> cool, shall we cover anteater as a topic?
14:04:11 <ashyoung> Sure
14:04:26 <ashyoung> Also, we need to discuss CI in general
14:04:27 <lhinds> I can see some movement on techdiscuss
14:04:42 <ashyoung> Yup. Fatih has gotten to it
14:04:45 <lhinds> k, we can have those as topics. I don't have anymore myself
14:04:51 <lhinds> #topic anteater
14:05:17 <lhinds> I need to read the thread ashyoung , so do you want to drive (I can see you replied)
14:05:43 <ashyoung> Sure. Let me give a quick synopsis here.
14:05:47 <lhinds> thx
14:06:56 <ashyoung> #info Fatih has gotten around to testing anteaterfw. At first, he thought Jenkins needed to trigger build.sh. This is simply due to the long time since we last talked. He now understands the build script is a one-time thing.
14:08:08 <lhinds> 'ERROR - Cannot find entry for utils in ignorelist.yaml' - do i need to fix this?
14:08:28 <ashyoung> #info He was successful at building and running anteater. The issue now is that when he tries to test a repo that is not in the virtualenv, anteater is blowing up on him. I'm pretty sure I tested that scenario, but the environment sometimes requires clearing things completely to make it all work properly. I'm looking into it now.
14:08:48 <ashyoung> You do. You fixed it once, but then removed the fix.
14:09:03 <ashyoung> I couldn't even find it in the git history.
14:09:04 <lhinds> oh I think you needed to update iirc?
14:09:14 <ashyoung> ?
14:09:34 <ashyoung> iirc?
14:09:52 <lhinds> (if i recall correctly) :)
14:10:02 <lhinds> hold on, found an email between us
14:10:24 <lhinds> can I paste here...
14:10:31 <lhinds> Hey Ash,
14:10:32 <lhinds> In your session earlier, it tried to get ignorelist, but there is no longer an ignore list. Its two files;
14:10:35 <lhinds> binaries.yaml: https://github.com/lukehinds/anteater/blob/d034f2a8c56e0e77db34496dbbbfc2cd22dcbbe8/binaries.yaml
14:10:36 <lhinds> secretslist.yaml: https://github.com/lukehinds/anteater/blob/d034f2a8c56e0e77db34496dbbbfc2cd22dcbbe8/secretlist.yaml
14:10:38 <lhinds> These both contain the waivers now.
14:10:41 <lhinds> Just do a pull of the latest code and you should be fine.
14:10:42 <lhinds> Cheers,
14:10:44 <lhinds> Luke
14:10:47 <lhinds> ashyoung: Yup, that took care of it. No more error :)
14:12:00 <lhinds> that was your reply ^
14:12:07 <ashyoung> Somehow this is not working now
14:12:39 <ashyoung> I'm not sure why, but can look into it again.
14:12:51 <lhinds> so where are we pulling anteater-fw from?
14:13:03 <lhinds> or rather lukehinds/anteater.git
14:14:43 <ashyoung> github
14:14:56 <ashyoung> and FW pulls anteater from your repo
14:15:07 <ashyoung> But all of that needs to change.
14:15:20 <lhinds> ack
14:15:39 <ashyoung> Once we resolve Fatih's issues, we'll want to have local copy of all source in gerrit
14:16:11 <ashyoung> This way we don't have to worry about not being able to rebuild in OPNFV
14:16:23 <lhinds> anteater source and your scripts?
14:17:14 <ashyoung> Yes
14:17:33 <ashyoung> This ties in with #2 on the agenda
14:17:47 <lhinds> ok, I'm fine with that. I wonder if TSC are going to want to have some project proposal though?
14:18:11 <ashyoung> But to complete #1, I am looking into what might be causing the tests to fail when the repo is outside of virtualenv
14:18:32 <ashyoung> Are we good with agenda #1?
14:19:14 <lhinds> sure, do let me know if you want me to help debug... my IRC is 24/7
14:19:35 <lhinds> I will go and read the scripts again and get up to speed
14:19:44 <lhinds> wanna move to #2?
14:19:45 <ashyoung> For #1, I still need your help with something. If I do a scan all, tests blow up.
14:19:58 <ashyoung> Looks like a memory constraint
14:20:15 <ashyoung> Can you look into that while I look into Fatih's issue?
14:20:20 <lhinds> i remember you mentioned that before
14:20:44 <lhinds> do you have a stack trace you could source me?
14:20:57 <lhinds> or maybe export your VM and I will dl and run it.
14:21:13 <lhinds> or you can add my pub key to a VM if it's accessible?
14:21:17 <ashyoung> Shoot! No. I pulled all of gerrit projects and did a scan all. It goes like 4 deep before it starts to bail.
14:21:39 <ashyoung> I can give you access to it. I'll do that and then give you access.
14:21:55 <lhinds> ok, I will try that...so basically `anteater scan all`
14:22:00 <ashyoung> Yup
14:22:05 <lhinds> against opnfv org
14:22:08 <lhinds> ok, on it
14:22:35 <ashyoung> I have verified that if I go project by project, it all works fine again. It's only when the # of projects is something relatively large
14:22:56 <ashyoung> It's not a problem with "scan all" in general, if the list is small.
14:23:08 <ashyoung> But I will give you access to my VM
14:23:27 <ashyoung> For #2, I talked with Uli last night (midnight my time)
14:23:41 <lhinds> I can do some debug from here
14:23:48 <lhinds> #topic CI in general
14:23:59 <ashyoung> He would like to see a request from Sec WG to Infra WG about a joint meeting
14:24:43 <ashyoung> I told him I thought that request should come from you and that I would bring it up this morning.
14:25:21 <lhinds> sounds good to me, it would help get more code orientated people looking at security, which I am very up for.
14:25:41 <ashyoung> So, I see there being two related issues here.
14:26:27 <ashyoung> 1. We cannot scan what we do not have access to. And so we're "trusting" projects that do not participate in CII. This is not acceptable in my opinion.
14:27:09 <ashyoung> 2. Related to this is that we keep breaking our ability to replicate a release due to upstream binaries being non-reproducible.
14:27:28 <ashyoung> Basically we lack the recipe to build the same artifacts from source code.
14:27:46 <ashyoung> This means we cannot truly maintain or fix bugs in our releases.
14:28:02 <ashyoung> We have had this issue in all 3 of our releases and will again in Danube.
14:28:40 <lhinds> so is this from folk pulling down blobs, or compiling on envs which have tooling not available on our CI systems?
14:28:55 <ashyoung> CD, aka installers, are getting the upstream artifacts from upstream and not from our repos. Plus, we do not have the tool chains built to build the upstream dependencies in our projects' repos. This is the culprit.
14:29:00 <ashyoung> Yes
14:29:34 <ashyoung> Anteaterfw was an example of providing a build script to create the tool chain locally in OPNFV for all upstream components.
14:29:52 <lhinds> do you have a case you could highlight to help me understand better?
14:29:56 <ashyoung> This is also what I did in the Brahmaputra for ONOSFW.
14:30:09 <lhinds> do you mean for example, an rpm that installs ovs?
14:30:50 <ashyoung> The recent Colorado example had to do with a Fuel upstream dependency that was later removed by the upstream maintainer.
14:31:31 <ashyoung> I'm not talking about package managers for the OS. However, that could be an issue going from OS to OS, as updates get applied. It's out of our control.
14:31:54 <lhinds> I understand, what do you feel is a suitable action to take?
14:32:29 <ashyoung> Another example, but it's not an OPNFV project problem, was when I tried to build up ipop project on Github. It was based on Google's libjingle. That repo got removed.
14:33:05 <ashyoung> The code got refactored to webrtc. And even with copies of the repo, the toolchains also broke because they had to point to the original repo location.
14:33:16 <lhinds> so this sounds like we need to verify upstream repos are still active / maintained?
14:33:21 <ashyoung> So, ipop can no longer be built. This was tied to google.
14:34:13 <ashyoung> In building anteaterfw, I found that several times, the repo source URLs for apache maven and apache ant became deprecated, which broke the build script.
14:34:23 <ashyoung> No.
14:34:33 <ashyoung> They will always disappear. It's out of our control.
14:35:02 <ashyoung> Could be an individual's code, like "GitHub/lukehinds/anteater"
14:35:11 <ashyoung> If we're dependent on it, it should be in our repo.
14:35:24 <lhinds> I see now.
14:35:31 <ashyoung> And we should have a local tool chain "recipe" to build it all up.
14:35:45 <lhinds> so this goes beyond just security, but overall governance
14:35:53 <ashyoung> Then we're always going to be self sufficient. It doesn't matter if they refactor or delete things upstream from us.
14:36:08 <ashyoung> Perhaps
14:36:22 <ashyoung> I'd say it's our #1 security issue. We cannot ensure we can fix bugs.
14:37:24 <ashyoung> This is one area where Openstack is doing a very nice job. They're fully in control of their dependencies.
14:38:00 <ashyoung> We still have a lot of rather empty project repos because we're not building the code in our repos.
14:38:04 <lhinds> they have some external sourcing, mainly Puppet modules from Puppet Forge, but yes, most of it is under openstack/
14:38:12 <ashyoung> So, I don't know what Jenkins is actually building.
14:38:48 <lhinds> I agree this is an issue, but I think we need a wider audience - but I will get behind it
14:38:53 <lhinds> what was uli's thoughts?
14:39:11 <ashyoung> This is why Uli wants joint meeting between both WGs
14:39:39 <ashyoung> If both WGs are in alignment, then we can go back to TSC
14:40:03 <ashyoung> And then this will trigger a discussion with BoD due to non-apache licenses in our repos.
14:40:11 <lhinds> ack, are you ok to kick an email off?
14:40:18 <ashyoung> LOL! Sure
14:40:33 <lhinds> good :)
14:40:34 <ashyoung> I will do that as soon as we conclude
14:40:46 <ashyoung> That's all I have
14:40:56 <ashyoung> Do you see the issue, though?
14:41:30 <lhinds> I very much do, and I am keen to help put whatever is needed into anteater to audit / police what we decide on.
14:41:44 <lhinds> but agree, we need a consensus first
14:41:46 <aripie> I also agree on the issue
14:41:57 <lhinds> hi aripie
14:42:02 <lhinds> so that is all for me.
14:42:14 <lhinds> appreciate all the work on anteater-fw ashyoung , many thx
14:42:43 <ashyoung> You're welcome. That's all I have too.
14:42:44 <lhinds> i think we can close now
14:42:48 <ashyoung> yep
14:42:53 <ashyoung> Have a great day!
14:42:56 <aripie> yes
14:43:02 <lhinds> thx all!
14:43:06 <lhinds> #endmeeting