Re: [openstack-dev] [all] [security] Security SIG

2017-12-19 Thread Rob C
This is an important evolution for the security group / project / SIG! Congratulations everyone on taking things this far and to Luke for your excellent stewardship. -Rob On Thu, Dec 14, 2017 at 5:30 PM, Luke Hinds wrote: > Hi All, > > Following on from the mailing list

Re: [openstack-dev] [elections][security] Candidacy for Security Project PTL (Queens)

2017-08-04 Thread Rob C
+1 Luke has been an excellent contributor to the Security project and would be an excellent PTL to take the project forward. On Tue, Aug 1, 2017 at 8:30 AM, Luke Hinds wrote: > Hello All, > > I would like to announce my candidacy for Security Project PTL for > Queens. > >

[openstack-dev] [Security] IRC Meeting today - 1700 UTC

2017-07-13 Thread Rob C
Just a reminder for all that we'll be having a security meeting today at the usual time. Meeting agenda: https://etherpad.openstack.org/p/security-agenda Cheers -Rob __ OpenStack Development Mailing List (not for usage

Re: [openstack-dev] [release][tc][infra][security][stable] Proposal for shipping binaries and containers

2017-05-26 Thread Rob C
I've been out on vacation but as I circle back to normal (working!) life I've found this thread very interesting. I share the concerns raised about the level of resource required to back this. I don't speak for the VMT but I agree with Jeremy that it should be possible to provide VMT support to

[openstack-dev] [Security] Today's IRC meeting.

2017-05-04 Thread Rob C
Hi All, I won't be able to make today's meeting as I'm travelling. I've not found a chair to cover the meeting, please decide if you have a quorum and either proceed or go back to "real life" as you see fit. Cheers -Rob

Re: [openstack-dev] [All] IRC Mishaps

2017-02-09 Thread Rob C
#startmeeting in the wrong channel #startmeeting in the right channel but at the wrong time #startmeeting in the right channel and at the right time but someone else already started it I'm basically a pro at meetings. On Thu, Feb 9, 2017 at 1:14 AM, Lana Brindley

Re: [openstack-dev] [security] [telemetry] How to handle security bugs

2017-01-17 Thread Rob C
You've done the right thing by posting here with the [Security] tag. Ian has provided advice on how you might become security managed, which is a good aspiration for any team to have. However, if you have a serious security issue that you need help mitigating, the security project can help. We

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

2017-01-17 Thread Rob C
Just a quick note on Castellan, at the moment it's not a particularly strong abstraction for key management in general, just the openstack key management interface. The reason this is important is because if I recall correctly, Castellan requires a keystone token for auth. It should be no surprise

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

2017-01-16 Thread Rob C
> > > The last I checked, Rob, they also support DogTag IPA which is purely > a Software based HSM. Hopefully the Barbican team can confirm this. > -- > Ian Cordasco > Yup, that's my understanding too. However, that requires Barbican _and_ Dogtag, an even bigger overhead. Especially as at least

Re: [openstack-dev] [all] [barbican] [security] Why are projects trying to avoid Barbican, still?

2017-01-16 Thread Rob C
Thanks for raising this on the mailing list Ian, I too share some of your consternation regarding this issue. I think the main point has already been hit on, developers don't want to require that Barbican be deployed in order for their service to be used. The resulting spread of badly audited

[openstack-dev] [Security] Shorter Meetings

2017-01-05 Thread Rob C
Hi All, As per our IRC meeting today[1] we've decided to try shortening the Security IRC meetings to 30 minutes per week. The other option was to have meetings every two weeks but we all agreed that would lead to missed meetings, confusion around holidays etc. The main reason for shortening our

Re: [openstack-dev] [ptl][release] ocata release management communication

2016-11-30 Thread Rob C
[Resending without the PTLs in CC because it got my mail stuck in the spam filters] I'm struggling to find good info on when the adjusted PTL nomination cycle starts. I've checked here: https://releases.openstack.org/ocata/schedule.html#pike-ptls-self-nomination but it looks like the

Re: [openstack-dev] [ptl][release] ocata release management communication

2016-11-29 Thread Rob C
I'm struggling to find good info on when the adjusted PTL nomination cycle starts. I've checked here: https://releases.openstack.org/ocata/schedule.html#pike-ptls-self-nomination but it looks like the 'elections' section was supposed to be added to the table and wasn't. I know from the updates

[openstack-dev] [Security] Weekly meeting canceled due to thanksgiving

2016-11-24 Thread Rob C
All, I should have sent the notification out earlier however today's weekly IRC meeting is cancelled as most of our group are American and on vacation today. Have a great day. -Rob

Re: [openstack-dev] [barbican] Nominating Arun Kant for barbican-core

2016-11-08 Thread Rob C
Congratulations Arun, you've put a lot of work in! On Mon, Nov 7, 2016 at 10:05 PM, Fernando J Diaz wrote: > +1 Congrats Arun, welcome to Barbican Core.

Re: [openstack-dev] [requirements][kolla][security] pycrypto vs cryptography

2016-11-07 Thread Rob C
Good question, I know issues around this have arisen before. I think the main points have been covered well already, for my part I will always lean toward the better supported or actively developed project. I understand the desire to look for FIPS 140-2 compliance, however I'd caution about this

Re: [openstack-dev] [glance][VMT][Security] Glance coresec reorg

2016-10-19 Thread Rob C
Hi Brian. I don't know Erno but trust your judgement. I'm sure Ian will be a great coresec. +1 Rob On 19 Oct 2016 04:32, "Hemanth Makkapati" wrote: > +1 to both Erno and Ian. > Both have made solid contributions to Glance over the past few cycles and > are

[openstack-dev] [Summit][Security] Ops security session - flagging this for the OSSP

2016-10-18 Thread Rob C
The Ops Meetup, organized by the User Committee's Ops Meetups Team, is a track comprised of collaborative, working sessions for people who are operating OpenStack clouds (and contributors who want to hear from them). The purpose is to share knowledge and best practices among cloud operators, as

[openstack-dev] [vmt][security][barbican] Threat Analysis for OpenStack Projects

2016-10-14 Thread Rob C
Hi Guys, We've put together a session to go over TA and how we should apply what we've built moving forward. https://www.openstack.org/summit/barcelona-2016/summit-schedule/events/17017 -Rob

Re: [openstack-dev] [nova][barbican][security] Ocata design summit session change

2016-10-14 Thread Rob C
Thanks for the heads up, I'll do my best to attend and I'll encourage other security folks to do likewise. It looks like there's a good deal of security enforcing functionality in these specs, I know we've discussed getting Ocata through threat analysis, let's try to find a good time to schedule

Re: [openstack-dev] [all] planning the PTG -- lessons from Swift's midcycles

2016-10-13 Thread Rob C
I agree with pretty much everything John's written, especially with regards to what's required of a host (and accepting that things will have to be different at the PTG). For security, although we have a pre-event etherpad to propose topics nothing is decided until the first day, where we will

Re: [openstack-dev] [security] [salt] Removal of Security and OpenStackSalt project teams from the Big Tent

2016-09-23 Thread Rob C
I wanted to provide a quick update from Security. We had our weekly IRC meeting yesterday, dhellman was kind enough to attend to help broker some of the discussion. In advance of the meeting I prepared a blog post where I tried to articulate my position and where I think things need to go next

Re: [openstack-dev] [Security] Picking a new tag

2016-09-23 Thread Rob C
I agree that sometimes simply filtering for "security" can get a bit noisy because only very occasionally is an email mentioning it or even using the [security] tag actually trying to get the attention of the OSSP. Most of the time (from my filters anyway) it's either a Neutron Security Groups

[openstack-dev] [Security] Blog Post: Maturing the security project

2016-09-22 Thread Rob C
I wrote a blog post based on the recent thread about the future of the Security Project, it's published here: https://openstack-security.github.io/organization/2016/09/22/maturing-the-security-project.html Cheers -Rob

Re: [openstack-dev] [manila] [security] [tc] Add the vulnerability:managed tag to Manila

2016-09-21 Thread Rob C
Jeremy hit all the major points there. What we do is basically model things based on a best-practice use case, we rely on the project to make good choices in this regard with a view to configurations, protocols etc. Then we conduct an asset-oriented threat review, during which we create

Re: [openstack-dev] [security] [salt] Removal of Security and OpenStackSalt project teams from the Big Tent

2016-09-21 Thread Rob C
For my part, I missed the elections, that's my bad. I normally put a calendar item in for that issue. I don't think that my missing the election date should result in the group being treated in this way. Members of the TC have contacted me about unrelated things recently, I have always been

[openstack-dev] Proposing Doug Chivers for Security Core

2016-09-16 Thread Rob C
I'd like to nominate Doug for a CoreSec position as part of the Security Project. CoreSec team members support the VMT with extended consultation on externally reported vulnerabilities. Doug has been an active member of the Security project for several years. He's done significant recent work on

[openstack-dev] [Security] No IRC meeting this week

2016-08-16 Thread Rob C
All, No IRC meeting this week as we're conducting the mid-cycle in Austin Weds->Friday. However, we'll be doing hangouts for those who can't make it onsite and will be monitoring IRC so just ping us on there if you want to contribute. Cheers -Rob

[openstack-dev] [Security] Proposing Luke Hinds (lhinds) for Security Core

2016-08-08 Thread Rob C
I'd like to nominate Luke for a CoreSec position as part of the Security Project. CoreSec team members support the VMT with extended consultation on externally reported vulnerabilities. Luke has been an active member of the Security project for quite some time. He's done significant recent work

Re: [openstack-dev] [kolla][security] Finishing the job on threat analysis for Kolla

2016-06-14 Thread Rob C
I have returned from #drownload and I'm super keen to get on top of this, in this email I'll just try to tie a few different threads together. The etherpad we used at the summit, along with the Sequence Diagram texts are online [1] are we happy to continue using web sequence diagrams? I think the

Re: [openstack-dev] [tc][security] Item #5 of the VMT

2016-06-03 Thread Rob C
Doug Chivers might have some thoughts on this but I'm happy with your proposal Steve, kind of you to do the leg-work. -rob On Fri, Jun 3, 2016 at 1:29 AM, Steven Dake (stdake) wrote: > Hi folks, > > I think we are nearly done with Item #5 [1] of the VMT. One question >

Re: [openstack-dev] [kolla][ssecurity] Threat Analysis Design Session

2016-04-28 Thread Rob C
As per today's session (Thursday) the Anchor Threat Analysis blog post now has added sequence diagram goodness! https://openstack-security.github.io/threatanalysis/2016/02/07/anchorTA.html Cheers -Rob On Sat, Apr 16, 2016 at 1:19 PM, Steven Dake (stdake) wrote: > Hey Folks,

Re: [openstack-dev] [Security][Barbican][all] Bring your own key fishbowl sessions

2016-04-23 Thread Rob C
nts/94 85 > > Thanks, Kevin > > *From:* Rob C [hyaku...@gmail.com] > *Sent:* Friday, April 22, 2016 1:44 PM *To:* OpenStack Development > Mailing List (not for usage questions) *Subject:* Re: > [openstack-dev] [Security][Barbican][all] Bring your own key > fishbowl sessions

Re: [openstack-dev] [Security][Barbican][all] Bring your own key fishbowl sessions

2016-04-22 Thread Rob C
So that's one vote for option A and one vote for another vote :) On 22 Apr 2016 4:25 p.m., "Nathan Reller" wrote: > > Thoughts? > > Is anyone interested in the pull model or actually implementing it? I > say if the answer to that is no then only discuss the push model.

[openstack-dev] [Security][Barbican][all] Bring your own key fishbowl sessions

2016-04-22 Thread Rob C
We have two BYOK sessions scheduled for the design summit, one on the Barbican track and one on the Security track. [1] Security: Wednesday 5:20pm-6:00pm Hilton Austin - MR 408 [2] Barbican: Thursday 3:10pm-3:50pm Hilton Austin - MR 406 I'd like to suggest two different approaches to getting the