Friday, 2015-03-06

00:02  *** tmcpeak has joined #openstack-security
00:02  *** voodookid has quit IRC
00:02  *** windwhisked_ has joined #openstack-security
00:02  *** windwhisked_ has quit IRC
00:11  *** markvoelker has quit IRC
00:22  *** Krisbelly has joined #openstack-security
00:29  *** Krisbelly has left #openstack-security
00:34  *** tmcpeak has quit IRC
00:51  <openstackgerrit> David Wyde proposed stackforge/bandit: Add tests for subprocesses and deserialization  https://review.openstack.org/161967
00:56  *** dwyde has quit IRC
01:11  *** dave-mcc_ has joined #openstack-security
01:14  *** dave-mccowan has quit IRC
01:15  *** markvoelker has joined #openstack-security
01:20  *** tmcpeak has joined #openstack-security
01:20  *** markvoelker has quit IRC
01:22  *** JAHoagie has quit IRC
01:33  *** bdpayne has quit IRC
01:45  *** dave-mcc_ has quit IRC
01:51  *** tmcpeak has quit IRC
01:54  *** dave-mcc_ has joined #openstack-security
01:54  *** dave-m___ has joined #openstack-security
02:04  *** bpokorny_ has quit IRC
02:08  *** tmcpeak has joined #openstack-security
02:17  *** markvoelker has joined #openstack-security
02:21  *** markvoelker has quit IRC
02:40  *** tmcpeak has quit IRC
02:59  *** fletcher_ has quit IRC
03:04  *** browne has quit IRC
03:18  *** markvoelker has joined #openstack-security
03:22  *** markvoelker has quit IRC
03:42  *** browne has joined #openstack-security
04:04  *** amrith is now known as _amrith_
04:16  *** _amrith_ is now known as amrith
04:19  *** markvoelker has joined #openstack-security
04:25  *** markvoelker has quit IRC
05:09  *** dave-mcc_ has quit IRC
05:09  *** dave-m___ has quit IRC
05:21  *** markvoelker has joined #openstack-security
05:26  *** markvoelker has quit IRC
05:38  *** JAHoagie has joined #openstack-security
06:01  <openstackgerrit> OpenStack Proposal Bot proposed openstack/security-doc: Imported Translations from Transifex  https://review.openstack.org/162024
06:02  *** browne has quit IRC
06:02  *** browne has joined #openstack-security
06:18  <openstackgerrit> Merged openstack/security-doc: Imported Translations from Transifex  https://review.openstack.org/162024
06:22  *** markvoelker has joined #openstack-security
06:27  *** markvoelker has quit IRC
07:16  *** jamielennox is now known as jamielennox|away
07:24  *** markvoelker has joined #openstack-security
07:29  *** markvoelker has quit IRC
08:12  *** browne has quit IRC
08:25  *** markvoelker has joined #openstack-security
08:31  *** markvoelker has quit IRC
08:59  *** hyakuhei has joined #openstack-security
09:10  <openstackgerrit> Tim Kelsey proposed stackforge/anchor: Adding functional testing  https://review.openstack.org/161821
09:27  *** markvoelker has joined #openstack-security
09:33  *** markvoelker has quit IRC
09:55  *** rkgudboy has joined #openstack-security
10:03  *** hyakuhei has quit IRC
10:06  *** hyakuhei has joined #openstack-security
10:19  *** rohitkashyap has joined #openstack-security
10:22  *** rkgudboy has quit IRC
10:29  *** markvoelker has joined #openstack-security
10:35  *** markvoelker has quit IRC
10:42  *** hyakuhei has quit IRC
10:50  *** rohitkashyap has quit IRC
11:31  *** markvoelker has joined #openstack-security
11:32  *** tmcpeak has joined #openstack-security
11:36  *** markvoelker has quit IRC
11:48  <openstackgerrit> Tim Kelsey proposed stackforge/anchor: Adding functional testing  https://review.openstack.org/161821
12:32  *** markvoelker has joined #openstack-security
12:36  *** markvoelker has quit IRC
12:41  *** hyakuhei has joined #openstack-security
13:06  *** markvoelker has joined #openstack-security
13:25  *** amrith is now known as _amrith_
13:49  *** hyakuhei has quit IRC
14:06  *** hyakuhei has joined #openstack-security
14:09  *** salv-orl_ has joined #openstack-security
14:09  *** salv-orlando has quit IRC
14:20  *** hyakuhei has quit IRC
14:21  *** hyakuhei has joined #openstack-security
14:23  *** _amrith_ is now known as amrith
14:32  *** dave-mccowan has joined #openstack-security
15:24  *** hyakuhei has quit IRC
15:25  *** sicarie has joined #openstack-security
15:32  *** voodookid has joined #openstack-security
15:38  *** hyakuhei has joined #openstack-security
15:43  *** dwyde has joined #openstack-security
15:43  *** JAHoagie has quit IRC
16:02  *** hyakuhei has quit IRC
16:05  *** bpokorny has joined #openstack-security
16:20  *** fletcher has joined #openstack-security
16:30  *** browne has joined #openstack-security
16:50  *** hyakuhei has joined #openstack-security
16:52  *** hyakuhei has quit IRC
16:54  <openstackgerrit> OpenStack Proposal Bot proposed openstack/security-doc: Updated from global requirements  https://review.openstack.org/162225
16:57  *** hyakuhei has joined #openstack-security
16:57  <tmcpeak> dwyde: you around?
16:58  <dwyde> yep
16:58  <tmcpeak> so for this change you have
16:59  <tmcpeak> when you're moving os.exec with params l, le, etc out of blacklist calls
16:59  <tmcpeak> it looks like you're replacing them with os.execl, os.execle etc
16:59  <tmcpeak> are those the same?
17:00  <tmcpeak> I'd assume that first case is a parameter 'l' to a function os.exec
17:00  <tmcpeak> whereas in new case os.execl is a function called… os.execl
17:00  <tmcpeak> what am I missing? :D
17:01  <dwyde> none of the exec* blacklist_functions were found in the example
17:01  <dwyde> maybe it’s looking for exec(‘l’)?
17:02  <dwyde> i’m in the process of just putting everything back in the config file, including an explicit list of all the exec* and spawn* functions
17:02  <tmcpeak> well actually where are those blacklist functions even checked?
17:03  <tmcpeak> oh got it
17:03  <tmcpeak> examples/os-exec.py
17:03  <dwyde> os.exec(‘l’) is a syntax error, but os.spawn(‘l’) matches on master :-)
17:04  <tmcpeak> syntax error?
17:04  <dwyde> must have to do with the way Python parses for the exec statement
17:05  <tmcpeak> wow
17:05  <tmcpeak> you're right, syntax error
17:05  <tmcpeak> sick
17:06  <tmcpeak> ok cool, carry on :)
17:06  <tmcpeak> this is obviously moderately broken at least
17:07  <dwyde> cool
17:07  <dwyde> i actually did just run into a problem
17:08  <dwyde> which is that the bad_name_sets are a list
17:08  <tmcpeak> which file?
17:08  <tmcpeak> oh, bandit.yaml
17:08  <dwyde> yep
17:08  <dwyde> so it’s hard to find the one I want with @takes_config in a plugin
17:08  <tmcpeak> yeah, shouldn't they be?
17:08  <tmcpeak> if xxx in config: ?
17:09  <dwyde> it could be a dict, keyed by the names like “pickle”
17:09  <dwyde> right now it’s a list of dicts
17:10  <tmcpeak> hmm
17:10  <tmcpeak> yeah
17:10  <tmcpeak> see what you mean
17:10  <tmcpeak> original idea was just that we would iterate through, not try to find
17:10  <tmcpeak> it's a pain in the ass to find the right dict in the list
17:10  <tmcpeak> is that the general idea of what you're saying? :)
17:10  <dwyde> yes :-)
17:11  <tmcpeak> well, I think it's safe to say you're giving blacklist_functions the most love it's had in at least 6 months, so fix away
17:11  <dwyde> haha
17:12  <dwyde> okay, I’ll see what the reviewers say
17:13  <tmcpeak> I'm really curious why that exec statement is a syntax error though
17:13  *** hyakuhei has quit IRC
17:14  <dwyde> it’s got to be in the grammar, since os.print(‘l’) is the same: SyntaxError
17:18  <tmcpeak> is os.print a thing?
17:19  <tmcpeak> yeah, it's just invalid python
17:19  <dwyde> no, but you’d expect it to be an AttributeError
17:21  <tmcpeak> just flat out no existe os.exec
17:21  <tmcpeak> I'm not sure why those are listed as params in that blacklist check
17:26  <tmcpeak> fletcher: around?
17:26  <fletcher> hi
17:26  <fletcher> reading
17:26  <tmcpeak> hey, was it you that was really interested in getting docs into pinned version?
17:26  <tmcpeak> not docs but better test explanations?
17:27  <fletcher> Yah, i was interested in having comprehensive docs/ to explain why we are flagging things
17:27  <fletcher> I haven't made much progress though, so maybe now isn't the time
17:27  <tmcpeak> cool, you get anywhere with that?
17:27  <tmcpeak> yeah
17:27  <fletcher> im thinking I'll just hijack a bunch of the OSSG stuff
17:27  <tmcpeak> I'm itching to pull the trigger on the version pin :)
17:27  <tmcpeak> +1
17:27  <tmcpeak> that's what it's there for
17:27  <fletcher> I agree, i want to pip install so I can depend on behavior
17:28  <tmcpeak> ok cool
17:28  <fletcher> when we shooting for?
17:28  <tmcpeak> I'll shoot a follow up version pin email today
17:28  <tmcpeak> unless I hear any objections maybe Tuesday?
17:28  <fletcher> So does that mean I have until EOD Monday to get a docs review out if I want them included in the pinned version?
17:29  <tmcpeak> no, if you're planning to get a review out for that and you really want them in pinned version we'll wait :)
17:30  <tmcpeak> I don't want to cut off before anybody's prized feature, but at the same time I'd like to get *some* reasonable version of bandit in PyPI
17:31  <fletcher> No no, I don't want to hold off pinning based on this
17:31  <fletcher> :)
17:31  <tmcpeak> cool
17:31  <fletcher> But if I can get some things done (merged over from OSSG) before the deadline, that'd be good, imo
17:34  *** browne has quit IRC
17:34  <tmcpeak> fletcher: ok, after we decide to draw our line, I'm going to spend a half day or so testing the crap out of it
17:34  <tmcpeak> making sure nothing seems broken
17:34  <tmcpeak> then we'll push to PyPI
17:35  <fletcher> that'd be awesome
17:35  <fletcher> just try abusing syntax and see what bandit blows up on
17:35  <tmcpeak> yeah, and also run it on *all the code*
17:36  <fletcher> If you end up running big batches of it, it would be interesting to wrap the calls in a benchmark function
17:36  <fletcher> so we can verify performance changes on pinned versions
17:36  <fletcher> might be heavy handed, idk
17:37  <tmcpeak> yeah, good point
17:38  <tmcpeak> although to be fair, performance is lower down on my list of things I care about for Bandit
17:38  <tmcpeak> I'd rather have, for example, code readability than performance. Would definitely rather have accuracy, etc
17:38  <fletcher> I agree; probably only a concern if we ever get to real DFD/taint analysis
17:44  *** hyakuhei has joined #openstack-security
17:46  *** hyakuhei has quit IRC
17:49  <dwyde> huh, the qualname field in the config’s blacklist_functions gets parsed as a string with commas in it
17:50  <dwyde> then the plugin splits on comma
17:50  <dwyde> because YAML needs square brackets to be a list
18:03  *** sicarie has quit IRC
18:07  *** browne has joined #openstack-security
18:11  *** dwyde has quit IRC
18:13  *** bdpayne has joined #openstack-security
18:28  *** salv-orl_ has quit IRC
18:32  *** voodookid has quit IRC
18:36  *** hyakuhei has joined #openstack-security
18:39  *** markvoelker has quit IRC
18:40  *** markvoelker has joined #openstack-security
18:41  *** hyakuhei has quit IRC
18:44  *** markvoelker has quit IRC
18:53  <openstackgerrit> Merged openstack/security-doc: Updated from global requirements  https://review.openstack.org/162225
18:54  <tmcpeak> dwyde: any idea what the timeframe would be for your changes?
18:58  <tmcpeak> dwyde: yeah, I initially intended for it to be a comma separated string, I guess list would have been a better choice
18:59  <tmcpeak> really I intended for each blacklist function to be one, then the need presented itself for more than one in some cases but not most, hence the string with comma separators if necessary
19:01  *** bpokorny_ has joined #openstack-security
19:03  *** markvoelker has joined #openstack-security
19:04  *** bpokorny has quit IRC
19:35  *** bpokorny has joined #openstack-security
19:37  *** dwyde has joined #openstack-security
19:38  *** bpokorny_ has quit IRC
19:43  <dwyde> tmcpeak: I can have a change request of just adding entries to blacklist_functions today
19:43  <dwyde> the deeper changes (plugins) would probably be Monday or Tuesday
19:52  *** salv-orlando has joined #openstack-security
19:58  *** _et has joined #openstack-security
20:00  *** bpokorny_ has joined #openstack-security
20:01  *** bpokorn__ has joined #openstack-security
20:03  *** bpokorny has quit IRC
20:04  *** amrith is now known as _amrith_
20:04  *** dwyde has left #openstack-security
20:05  *** dwyde has joined #openstack-security
20:05  *** bpokorny_ has quit IRC
20:11  *** salv-orlando has quit IRC
20:15  <tmcpeak> dwyde: sounds good
20:24  *** sicarie has joined #openstack-security
20:49  <openstackgerrit> David Wyde proposed stackforge/bandit: Add tests for subprocesses and deserialization  https://review.openstack.org/161967
21:03  *** dwyde has quit IRC
21:18  *** dwyde has joined #openstack-security
21:36  *** salv-orlando has joined #openstack-security
21:59  *** sicarie has quit IRC
22:03  *** AlejandroOMG has joined #openstack-security
22:04  *** AlejandroOMG has quit IRC
22:21  *** bpokorny has joined #openstack-security
22:25  *** bpokorn__ has quit IRC
22:28  *** dave-mccowan has quit IRC
22:48  *** hyakuhei has joined #openstack-security
22:53  *** salv-orlando has quit IRC
22:54  *** hyakuhei has quit IRC
23:38  *** dave-mccowan has joined #openstack-security
23:46  <openstackgerrit> David Wyde proposed stackforge/bandit: Add tests for subprocesses and deserialization  https://review.openstack.org/161967
23:49  *** dwyde has left #openstack-security

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!