Monday, 2015-03-09

*** tmcpeak has quit IRC		00:11
*** amrith is now known as _amrith_		00:11
*** tmcpeak has joined #openstack-security		00:17
*** dave-mccowan has quit IRC		02:02
*** Krast has joined #openstack-security		02:32
*** tmcpeak has quit IRC		02:44
*** browne has joined #openstack-security		02:49
*** dave-mccowan has joined #openstack-security		03:19
*** dave-mccowan has quit IRC		04:07
*** elo2 has joined #openstack-security		07:35
*** elo2 has quit IRC		07:45
*** elo2 has joined #openstack-security		07:57
*** browne has quit IRC		08:28
*** tmcpeak has joined #openstack-security		10:46
*** hyakuhei has joined #openstack-security		10:47
*** hyakuhei_ has joined #openstack-security		11:02
*** hyakuhei has quit IRC		11:02
*** hyakuhei_ is now known as hyakuhei		11:02
*** _amrith_ is now known as amrith		11:10
*** markvoelker has joined #openstack-security		11:13
*** elo2 has quit IRC		11:15
*** hyakuhei has quit IRC		11:24
*** hyakuhei has joined #openstack-security		11:28
*** markvoelker has quit IRC		11:47
*** markvoelker has joined #openstack-security		11:48
*** hyakuhei has quit IRC		11:49
*** hyakuhei has joined #openstack-security		11:49
*** markvoelker has quit IRC		11:52
*** hyakuhei has quit IRC		12:22
*** hyakuhei has joined #openstack-security		12:25
*** amrith is now known as _amrith_		12:42
*** hyakuhei has quit IRC		12:51
*** hyakuhei has joined #openstack-security		13:03
*** bknudson has left #openstack-security		13:03
*** bknudson has joined #openstack-security		13:24
*** singlethink has joined #openstack-security		13:41
openstackgerrit	Dave Belcher proposed stackforge/bandit: Buf fixes in node visitor and sql injection test https://review.openstack.org/162636	13:51
*** _amrith_ is now known as amrith		13:52
*** salv-orlando has joined #openstack-security		14:05
*** markvoelker has joined #openstack-security		14:11
*** markvoelker has quit IRC		14:18
*** markvoelker has joined #openstack-security		14:19
*** hyakuhei has quit IRC		14:19
*** hyakuhei has joined #openstack-security		14:21
*** markvoelker has quit IRC		14:23
*** voodookid has joined #openstack-security		14:23
*** markvoelker has joined #openstack-security		14:24
*** rkgudboy has joined #openstack-security		14:24
*** voodookid has quit IRC		14:28
*** voodookid has joined #openstack-security		14:42
*** rkgudboy has quit IRC		14:53
*** bpokorny has joined #openstack-security		14:56
*** edmondsw has joined #openstack-security		15:02
*** dwyde has joined #openstack-security		15:04
*** dave-mccowan has joined #openstack-security		15:05
*** dave-mccowan has quit IRC		15:09
*** dave-mccowan has joined #openstack-security		15:09
*** dave-mcc_ has joined #openstack-security		15:10
*** dave-mccowan has quit IRC		15:13
*** bpokorny_ has joined #openstack-security		15:17
*** bpokorny has quit IRC		15:20
*** browne has joined #openstack-security		15:21
openstackgerrit	Dave Belcher proposed stackforge/bandit: Buf fixes in node visitor and sql injection test https://review.openstack.org/162636	15:29
*** edmondsw has quit IRC		15:29
*** markvoelker has quit IRC		15:30
*** markvoelker has joined #openstack-security		15:31
*** markvoelker has quit IRC		15:35
*** edmondsw has joined #openstack-security		15:35
*** markvoelker has joined #openstack-security		15:38
*** markvoelker has quit IRC		15:43
*** markvoelker has joined #openstack-security		15:44
*** markvoelker has quit IRC		15:49
*** dave-mcc_ has quit IRC		15:49
openstackgerrit	Dave Belcher proposed stackforge/bandit: Buf fixes in node visitor and sql injection test https://review.openstack.org/162636	15:54
openstackgerrit	Dave Belcher proposed stackforge/bandit: Buf fixes in node visitor and sql injection test https://review.openstack.org/162636	15:56
*** amrith has left #openstack-security		16:00
*** browne has quit IRC		16:21
*** salv-orlando has quit IRC		16:22
openstackgerrit	Dave Belcher proposed stackforge/bandit: Fixes for node_visitor, sql injection and hardcoded password tests https://review.openstack.org/162675	16:34
openstackgerrit	Dave Belcher proposed stackforge/bandit: Fixes for node_visitor, sql injection and hardcoded password tests https://review.openstack.org/162675	16:40
openstackgerrit	Dave Belcher proposed stackforge/bandit: Fixes for node_visitor, sql and hardcoded password tests https://review.openstack.org/162675	16:41
openstackgerrit	Dave Belcher proposed stackforge/bandit: Fixes for node_visitor, sql and hardcoded password tests https://review.openstack.org/162675	16:46
openstackgerrit	Dave Belcher proposed stackforge/bandit: Fixes for node_visitor, sql and hardcoded password tests https://review.openstack.org/162675	16:48
*** Krast has quit IRC		16:55
*** sicarie has joined #openstack-security		16:56
*** Krast has joined #openstack-security		16:56
*** dwyde has quit IRC		16:57
openstackgerrit	Dave Belcher proposed stackforge/bandit: Fixes for node_visitor, sql and hardcoded password tests https://review.openstack.org/162675	16:58
*** pdesai has joined #openstack-security		17:00
elmiko	i see sicarie and pdesai, are we doing the meeting now or is it affected by DST as well?	17:01
sicarie	I think bdpayne may have been	17:01
pdesai	not sure	17:02
elmiko	it did bring up an item issue though, we should edit https://wiki.openstack.org/wiki/Meetings#Documentation_team_meeting to add out meeting =)	17:02
pdesai	any of you have expertise using inkscape?	17:02
elmiko	i do	17:02
*** bdpayne has joined #openstack-security		17:03
pdesai	Inkscape natively does not support Open Sans fonts, is there any way i can import those fonts ?	17:03
*** browne has joined #openstack-security		17:03
elmiko	mine picks up all the fonts i've added to the system	17:03
sicarie	and bdpayne arrives!	17:03
elmiko	so, if you add an open sans to the system you should be able to use it in inkscape	17:03
bdpayne	hey guys	17:04
elmiko	hey	17:04
bdpayne	sorry I'm a little late :-)	17:04
bdpayne	what did I miss?	17:04
elmiko	no worries	17:04
pdesai	hey	17:04
elmiko	i was asking about DST and our meeting time	17:04
elmiko	also, we should probably add ourselves to https://wiki.openstack.org/wiki/Meetings#Documentation_team_meeting	17:04
elmiko	and pdesai had some questions about inkscape	17:05
bdpayne	oh right... so for DST, I'd vote to adjust the meeting tor DST so that it is still at 10a pacific	17:05
bdpayne	give that we are mostly in the US, that is probably the easiest option for everyone	17:05
sicarie	I just ping'd Doug and he's logging in - was complaining about DST	17:06
bdpayne	s/give/given/	17:06
*** dg_ has joined #openstack-security		17:06
dg_	hello	17:06
sicarie	welcome!	17:06
bdpayne	yeah, figured he'd be the one to object ;-)	17:06
elmiko	bdpayne: make sense for now, but if we grow we should probably adjust to setting out meeting time in UTC, so no DST	17:06
bdpayne	yeah	17:06
sicarie	+1	17:06
bdpayne	also, Re posting the meeting on the wiki... I'd actually advocate for keeping it on the smaller side for the very near term	17:07
bdpayne	let us get into a groove a little bit	17:07
elmiko	i'm ok with that	17:07
bdpayne	and then we can perhaps switch to a UTC time, posting on the wiki, and perhaps even meeting in a real meeting room	17:07
bdpayne	so with that, good morning / evening everyone!	17:08
elmiko	yea, standard time, meeting room, agenda wiki, etc...	17:08
dg_	sorry Im late, thought this meeting was in an hours time!	17:08
*** edmondsw has quit IRC		17:08
dg_	elmiko minutes...	17:08
elmiko	dg_: no worries, it was a real question =)	17:08
bdpayne	no worries, we're just gettting started	17:08
elmiko	exactly...	17:08
bdpayne	agenda items?	17:08
bdpayne	1) triage bugs	17:09
bdpayne	2) planning for L release	17:09
bdpayne	what else?	17:09
elmiko	i think we covered my question ;)	17:09
bdpayne	excellent	17:09
bdpayne	pdesai you get your questions answered?	17:10
sicarie	Taking a look at #link https://bugs.launchpad.net/openstack-manuals/+bugs?field.tag=sec-guide	17:10
sicarie	I think we're good on Triage for this week	17:10
bdpayne	indeed, we do look good on tirage	17:10
bdpayne	nice to be caught up :-)	17:10
bdpayne	ok, so let's talk a bit about the L release	17:10
pdesai	yup, was struggling with changing fonts using inkscape	17:10
bdpayne	at the meetup, we decided it would be good to have releases of the book that fall in line with the 6-month openstack release cycle	17:11
bdpayne	and we decided that doing it for this May would be too fast	17:11
bdpayne	so we should start with the L release	17:11
bdpayne	L = Liberty, I believe	17:11
bdpayne	So, what do we need to do to get there?	17:12
elmiko	when you say "release", are you meaning like a tagged official product?	17:12
bdpayne	yeah... so the idea would be that the book would be updated to work with the openstack software released with L	17:12
bdpayne	so if we need to adjust config settings or whatever, we would keep that up to date and in sync	17:12
bdpayne	stuff like that	17:12
elmiko	great idea, +1	17:12
bdpayne	also, trying to keep up to date with new security features that we should be pointing people at, etc	17:13
sicarie	So I still see Computer and Networking as the two largest glaring needs	17:13
elmiko	we might need to do some outreach to the various project teams to get help	17:13
bdpayne	right, so let me start recording these ideas	17:13
bdpayne	a) We need to fill out the core openstack services chapters (e.g., Computing and Networking)	17:13
bdpayne	b) We need to have a way to reach out to the various teams and/or have them reach back to us to stay informed.	17:14
sicarie	+1 was just writing something like that	17:14
bdpayne	On (b), we should leverage the docimpact field in commits as well... you guys familiar with that?	17:14
elmiko	maybe, c) review all config examples?	17:14
pdesai	nope	17:14
bdpayne	agreed on (c)	17:15
elmiko	as for (b), we might leverage the security liaison list as well	17:15
bdpayne	for docimpact, this is a tag that devs can put on their CRs to indicate that the change impacts the documentation	17:15
bdpayne	security liaison list?	17:15
sicarie	elmiko: do you have a link to the list?	17:15
elmiko	yea, sec	17:16
pdesai	(c) is little tricky and depends on when the config changes are released, may be along with the release	17:16
elmiko	https://wiki.openstack.org/wiki/CrossProjectLiaisons#Vulnerability_management	17:16
bdpayne	ah, so that's the VMT	17:17
bdpayne	they are a little different	17:17
elmiko	pdesai: yea, i was thinking something along the lines of ensuring that config examples were still valid (e.g. no deprecated values)	17:17
bdpayne	they are basically just there for CVE reporting	17:17
elmiko	ah, ok. i thought it might be a starting point for contact	17:17
bdpayne	on (c), I think we should begin by identifying where in the guide today we have stuff that may be impacted on a per release basis	17:17
*** dave-mccowan has joined #openstack-security		17:17
bdpayne	build up a checklist of the things that we'd need to check on every 6 months	17:18
elmiko	that's a nice first step	17:18
pdesai	agree on the first step	17:18
bdpayne	longer term, I'd love to see people on the book effort that specialize in certain projects... so we could have one person that does all of Nova and Keystone, another that does Networking, etc.	17:19
elmiko	+1	17:19
bdpayne	but there will always be a need for someone to make sure that it is all getting done	17:19
bdpayne	;-)	17:19
sicarie	+1 to the specializiation as well	17:19
bdpayne	ok, so I think there are two immediate actions we can take	17:20
bdpayne	Action 1 -- File tickets for filling out the missing core chapters / pieces... and start writing that stuff.	17:20
sicarie	There currently exists tickets for nova, neutron, and one other area Im forgetting off the top of my head	17:21
bdpayne	Action 2 -- File tickets for identifying what pieces will require updating per release cycles and start identifying that stuff.	17:21
bdpayne	sicarie, excellent	17:21
sicarie	Let me stop multitasking and find them :)	17:21
bdpayne	On Action 2 -- could we just put comments in the docbook source?	17:21
pdesai	Action 2 can be documented in the book itself as an appendix	17:21
pdesai	yup	17:21
bdpayne	I like comments that are easily searchable (perhaps all include a certain keyword)	17:22
elmiko	that would be nice	17:22
bdpayne	grep 'keywork' *.xml	17:22
bdpayne	or keyword, whatever ;-)	17:22
elmiko	would be interesting if we could have an appendix that only gets generated for "debug" builds or something	17:22
bdpayne	Anyone want to take starting one of these action itmes?	17:23
bdpayne	elmiko, that could be handy	17:23
pdesai	keyword could be the release name itself	17:23
elmiko	i can look into making the index or keywords or w/e	17:23
*** salv-orlando has joined #openstack-security		17:23
elmiko	pdesai: good idea	17:23
sicarie	bdpayne: feel free to give me whatever anyone doesn't volunteer for	17:23
bdpayne	I think keyword should be indpendent of release	17:23
bdpayne	the idea being that we need to check all of these places for every release	17:24
sicarie	it looks like there's no 'over-arching' ticket for the networking chapter, but there are 3-4 smaller tickets on possible gaps	17:24
elmiko	bdpayne: ok, so something along the lines of "dev-update-checklist"?	17:24
bdpayne	elmiko Ok, let give you Action 2 and sicarie gets Action 1	17:24
openstackgerrit	Merged stackforge/bandit: Fixes for node_visitor, sql and hardcoded password tests https://review.openstack.org/162675	17:24
elmiko	works for me	17:24
sicarie	+1	17:24
bdpayne	pdesai can continue working on her existing massive changes :-)	17:25
pdesai	:)	17:25
sicarie	They're looking really good!	17:25
bdpayne	anything else to discuss today?	17:25
elmiko	just to be sure i've got this straight. i will start with a bug, then we can create a patch from there?	17:25
bdpayne	elmiko yeah, one or more bugs	17:25
bdpayne	just a nice way to track the work	17:25
elmiko	yea	17:25
elmiko	this almost borders on a blueprint for the doc ;)	17:25
bdpayne	eh, yeah	17:26
bdpayne	but I don't think doc does blueprints	17:26
elmiko	yea	17:26
bdpayne	but specing it out in a bug and getting feedback there first is probably a good plan	17:26
elmiko	+1	17:26
pdesai	+1	17:26
bdpayne	ok, thanks all	17:27
elmiko	thanks!	17:27
sicarie	Cool, thanks!	17:27
pdesai	thanks !!!	17:27
bdpayne	that's a wrap for today then	17:27
*** dave-mccowan has quit IRC		17:30
*** dave-mccowan has joined #openstack-security		17:34
*** salv-orlando has quit IRC		17:36
*** hyakuhei has quit IRC		17:52
*** dwyde has joined #openstack-security		17:54
*** dave-mccowan has quit IRC		17:56
*** hyakuhei has joined #openstack-security		17:56
*** bpokorny has joined #openstack-security		18:03
*** bpokorny_ has quit IRC		18:06
*** dave-mccowan has joined #openstack-security		18:07
*** hyakuhei has quit IRC		18:12
*** dave-mccowan has quit IRC		18:15
*** hyakuhei has joined #openstack-security		18:38
*** sicarie has left #openstack-security		18:38
*** mgagne is now known as mgagne_PHL		18:42
*** hyakuhei has quit IRC		18:45
*** salv-orlando has joined #openstack-security		18:46
*** salv-orlando has quit IRC		18:51
*** dave-mccowan has joined #openstack-security		18:53
*** dg_ has quit IRC		18:54
*** salv-orlando has joined #openstack-security		18:55
*** dave-mccowan has quit IRC		18:58
*** salv-orlando has quit IRC		19:00
*** salv-orlando has joined #openstack-security		19:00
*** tkelsey has joined #openstack-security		19:30
tmcpeak	elmiko: you around?	19:33
elmiko	tmcpeak: hey	19:34
*** tkelsey has quit IRC		19:50
*** tkelsey has joined #openstack-security		19:51
openstackgerrit	David Wyde proposed stackforge/bandit: Add tests for subprocesses and deserialization https://review.openstack.org/161967	19:52
*** hyakuhei has joined #openstack-security		20:09
*** hyakuhei has quit IRC		20:13
openstackgerrit	Merged stackforge/anchor: Fixing several issues in Anchor startup https://review.openstack.org/161301	20:16
tmcpeak	dwyde: you around?	20:18
dwyde	tmcpeak: am now	20:33
tmcpeak	cool, so I'm not sure I understand what you're asking on wildcard injection	20:34
tmcpeak	despite my response	20:34
tmcpeak	dwyde: ^	20:34
*** bpokorny_ has joined #openstack-security		20:34
dwyde	so if I have a top-level config named for the plugins	20:35
openstackgerrit	Merged stackforge/anchor: Adding functional testing https://review.openstack.org/161821	20:35
dwyde	like subprocess_popen_with_shell_equals_true	20:35
dwyde	then I can just do @takes_config on that plugin	20:35
dwyde	and I think that’s what you suggested I do	20:35
tmcpeak	yeah	20:35
dwyde	but if i want to share 3 top-level configs with the wildcard_injection plugin, I don’t think that’s possible	20:36
*** bpokorny has quit IRC		20:37
tmcpeak	oh, you're saying the same 3 items used by shell_injection and wildcard_injection?	20:37
dwyde	yes	20:37
tmcpeak	yeah, framework isn't set up for sharing config between different plugins	20:37
tmcpeak	if they really should be shared we can move them into the same plugin	20:37
tmcpeak	in my mind though wildcard injection and shell injection are separate vulns though	20:38
tmcpeak	and should be separate plugins	20:38
dwyde	agreed	20:38
tmcpeak	and actually, wildcard injection is probably static	20:38
tmcpeak	I wouldn't even see the use in anybody configuring that plugin	20:38
tmcpeak	so could just leave them as a list in the plugin itself	20:38
tmcpeak	for those that care about wildcard injection they should always check all 4 of those, for those that don't care they should just run a profile that doesn't include it	20:39
dwyde	i’m just confused about how to include all the process-calling functions in the wildcard injection plugin	20:40
tmcpeak	ahh I see	20:40
tmcpeak	hmmm	20:41
tmcpeak	good question	20:41
tmcpeak	was going to suggest wildcard injection could become a string check, but the problem is how to detect parameterized wildcard injection vectors	20:42
tmcpeak	hmmmm	20:44
tmcpeak	what about if you move wildcard injection into shell injection, then it can have access to the full shell injection list	20:44
tmcpeak	actually this makes sense	20:45
tmcpeak	we have a "processes" file, which contains a plugin called something like "called_process"	20:45
tmcpeak	called_process forks out and runs tests for shell injection and wildcard injection	20:45
*** dave-mccowan has joined #openstack-security		20:45
tmcpeak	since both inherit processes, they have access to the full config of "ways to call processes"	20:46
tmcpeak	dwyde: ^ does this make sense?	20:46
dwyde	mostly :-)	20:47
tmcpeak	:( but then we have no good way to disable one or the other	20:47
tmcpeak	we lose the granularity of having those as separate plugins	20:47
dwyde	right	20:48
dwyde	you don’t like my solution of just explicitly passing a config section name to each plugin that needs it?	20:50
tmcpeak	it works?	20:50
tmcpeak	if so, then yeah. After this discussion I really like it :)	20:50
dwyde	haha okay	20:50
tmcpeak	thanks man	20:51
dwyde	sure, thanks for helping review my changes	20:51
tmcpeak	yeah, you've done some good stuff	20:51
tmcpeak	thanks for the work :)	20:51
dwyde	:-)	20:51
*** dave-mccowan has quit IRC		20:58
*** tkelsey has quit IRC		20:59
openstackgerrit	Merged stackforge/bandit: Add tests for subprocesses and deserialization https://review.openstack.org/161967	21:09
*** fletcher has joined #openstack-security		21:34
*** openstack has joined #openstack-security		22:25
*** bknudson has quit IRC		22:28
*** dwyde has quit IRC		22:33
*** singlethink has quit IRC		22:43
*** bpokorny has joined #openstack-security		22:47
*** bpokorny_ has quit IRC		22:50
*** voodookid has quit IRC		23:15
*** openstack has joined #openstack-security		23:24
*** pdesai has quit IRC		23:26
*** bpokorny_ has joined #openstack-security		23:30
*** bpokorny has quit IRC		23:33

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!