14:03:29 #startmeeting sec-group 17/01
14:03:29 Meeting started Wed Mar 1 14:03:29 2017 UTC. The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:03:29 Useful Commands: #action #agreed #help #info #idea #link #topic.
14:03:29 The meeting name has been set to 'sec_group_17_01'
14:03:40 ping ashyoung , u around?
14:03:50 ack
14:04:05 cool, shall we cover anteater as a topic?
14:04:11 Sure
14:04:26 Also, we need to discuss CI in general
14:04:27 I can see some movement on techdiscuss
14:04:42 Yup. Fatih has gotten to it
14:04:45 k, we can have those as topics. I don't have any more myself
14:04:51 #topic anteater
14:05:17 I need to read the thread ashyoung , so do you want to drive (I can see you replied)
14:05:43 Sure. Let me give a quick synopsis here.
14:05:47 thx
14:06:56 #info Fatih has gotten around to testing anteaterfw. At first, he thought Jenkins needed to trigger build.sh. This is simply due to the long time since we last talked. He now understands the build script is a one-time thing.
14:08:08 'ERROR - Cannot find entry for utils in ignorelist.yaml' - do i need to fix this?
14:08:28 #info He was successful at building and running anteater. The issue now is that when he tries to test a repo that is not in the virtualenv, anteater is blowing up on him. I'm pretty sure I tested that scenario, but the environment sometimes requires clearing things completely to make it all work properly. I'm looking into it now.
14:08:48 You do. You fixed it once, but then removed the fix.
14:09:03 I couldn't even find it in the git history.
14:09:04 oh I think you needed to update iirc?
14:09:14 ?
14:09:34 iirc?
14:09:52 (if i recall correctly) :)
14:10:02 hold on, found an email between us
14:10:24 can I paste here...
14:10:31 Hey Ash,
14:10:32 In your session earlier, it tried to get ignorelist, but there is no longer an ignore list. It's two files;
14:10:35 binaries.yaml: https://github.com/lukehinds/anteater/blob/d034f2a8c56e0e77db34496dbbbfc2cd22dcbbe8/binaries.yaml
14:10:36 secretslist.yaml: https://github.com/lukehinds/anteater/blob/d034f2a8c56e0e77db34496dbbbfc2cd22dcbbe8/secretlist.yaml
14:10:38 These both contain the waivers now.
14:10:41 Just do a pull of the latest code and you should be fine.
14:10:42 Cheers,
14:10:44 Luke
14:10:47 ashyoung: Yup, that took care of it. No more error :)
14:12:00 that was your reply ^
14:12:07 Somehow this is not working now
14:12:39 I'm not sure why, but can look into it again.
14:12:51 so where are we pulling anteater-fw from?
14:13:03 or rather lukehinds/anteater.git
14:14:43 github
14:14:56 and FW pulls anteater from your repo
14:15:07 But all of that needs to change.
14:15:20 ack
14:15:39 Once we resolve Fatih's issues, we'll want to have a local copy of all source in gerrit
14:16:11 This way we don't have to worry about not being able to rebuild in OPNFV
14:16:23 anteater source and your scripts?
14:17:14 Yes
14:17:33 This ties in with #2 on the agenda
14:17:47 ok, I'm fine with that. I wonder if TSC are going to want too have some project proposal though?
14:17:55 too/to
14:18:11 But to complete #1, I am looking into what might be causing the tests to fail when the repo is outside of virtualenv
14:18:32 Are we good with agenda #1?
14:19:14 sure, do let me know if you want me to help debug..my irc is 24/7
14:19:35 I will go and read the scripts again and get up to speed
14:19:44 wanna move to #2?
14:19:45 For #1, I still need your help with something. If I do a scan all, tests blow up.
14:19:58 Looks like a memory constraint
14:20:15 Can you look into that while I look into Fatih's issue?
14:20:20 i remember you mentioned that before
14:20:44 do you have a stack trace you could source me?
14:20:57 or maybe export your VM and I will dl and run it.
14:21:13 or you can add my pub key to a vm if it's accessible?
14:21:17 Shoot! No. I pulled all of gerrit projects and did a scan all. It goes like 4 deep before it starts to bail.
14:21:39 I can give you access to it. I'll do that and then give you access.
14:21:55 ok, I will try that...so basically `anteater scan all`
14:22:00 Yup
14:22:05 against opnfv org
14:22:08 ok, on it
14:22:35 I have verified that if I go project by project, it all works fine again. It's only when the # of projects is something relatively large
14:22:56 It's not a problem with "scan all" in general, if the list is small.
14:23:08 But I will give you access to my VM
14:23:27 For #2, I talked with Uli last night (midnight my time)
14:23:41 I can do some debug from here
14:23:48 #topic CI in general
14:23:59 He would like to see a request from Sec WG to Infra WG about a joint meeting
14:24:43 I told him I thought that request should come from you and that I would bring it up this morning.
14:25:21 sounds good to me, it would help get more code orientated people looking at security, which I am very up for.
14:25:41 So, I see there being two related issues here.
14:26:27 1. We cannot scan what we do not have access to. And so we're "trusting" projects that do not participate in CII. This is not acceptable in my opinion.
14:27:09 2. Related to this is that we keep breaking our ability to replicate a release due to upstream binaries being non-reproducible.
14:27:28 Basically we lack the recipe to build the same artifacts from source code.
14:27:46 This means we cannot truly maintain or fix bugs in our releases.
14:28:02 We have had this issue in all 3 of our releases and will again in Danube.
14:28:40 so is this from folk pulling down blobs, or compiling on envs which have tooling not available on our CI systems?
14:28:55 CD, aka installers, are getting the upstream artifacts from upstream and not from our repos. Plus, we do not have the tool chains built to build the upstream dependencies in our projects' repos. This is the culprit.
14:29:00 Yes
14:29:34 Anteaterfw was an example of providing a build script to create the tool chain locally in OPNFV for all upstream components.
14:29:52 do you have a case you could highlight to help me understand better?
14:29:56 This is also what I did in the Brahmaputra for ONOSFW.
14:30:09 do you mean for example, an rpm that installs ovs?
14:30:50 The recent Colorado example had to do with a Fuel upstream dependency that was later removed by the upstream maintainer.
14:31:31 I'm not talking about package managers for the OS. However, that could be an issue going from OS to OS, as updates get applied. It's out of our control.
14:31:54 I understand, what do you feel is a suitable action to take?
14:32:29 Another example, but it's not an OPNFV project problem, was when I tried to build up the ipop project on Github. It was based on Google's libjingle. That repo got removed.
14:33:05 The code got refactored to webrtc. And even with copies of the repo, the toolchains also broke because they had to point to the original repo location.
14:33:16 so this sounds like we need to verify upstream repos are still active / maintained?
14:33:21 So, ipop can no longer be built. This was tied to google.
14:34:13 In building anteaterfw, I found that several times, the repo source URLs for apache maven and apache ant became deprecated, which broke the build script.
14:34:23 No.
14:34:33 They will always disappear. It's out of our control.
14:35:02 Could be an individual's code, like "GitHub/lukehinds/anteater"
14:35:11 If we're dependent on it, it should be in our repo.
14:35:24 I see now.
14:35:31 And we should have a local tool chain "recipe" to build it all up.
14:35:45 so this goes beyond just security, but overall governance
14:35:53 Then we're always going to be self sufficient. It doesn't matter if they refactor or delete things upstream from us.
14:36:08 Perhaps
14:36:22 I'd say it's our #1 security issue. We cannot ensure we can fix bugs
14:37:24 This is one area where Openstack is doing a very nice job. They're fully in control of their dependencies.
14:38:00 We still have a lot of rather empty project repos because we're not building the code in our repos.
14:38:04 they have some external sourcing, mainly puppet modules from puppetforge, but yes, most of it is under openstack/
14:38:12 So, I don't know what Jenkins is actually building.
14:38:48 I agree this is an issue, but I think we need a wider audience - but I will get behind it
14:38:53 what were uli's thoughts?
14:39:11 This is why Uli wants a joint meeting between both WGs
14:39:39 If both WGs are in alignment, then we can go back to TSC
14:40:03 And then this will trigger a discussion with BoD due to non-apache licenses in our repos.
14:40:11 ack, are you ok to kick an email off?
14:40:18 LOL! Sure
14:40:33 good :)
14:40:34 I will do that as soon as we conclude
14:40:46 That's all I have
14:40:56 Do you see the issue, though?
14:41:30 I very much do, and I am keen to help put whatever is needed into anteater to audit / police what we decide on.
14:41:44 but agree, we need a consensus first
14:41:46 I also agree on the issue
14:41:57 hi aripie
14:42:02 so that is all for me.
14:42:14 appreciate all the work on anteater-fw ashyoung , many thx
14:42:43 You're welcome. That's all I have too.
14:42:44 i think we can close now
14:42:48 yep
14:42:53 Have a great day!
14:42:56 yes
14:43:02 thx all!
14:43:06 #endmeeting