Friday, 2015-04-10

00:04 *** teh_slack has quit IRC
00:04 *** teh_slack has joined #openstack-security
00:08 *** edmondsw has quit IRC
00:14 *** Kennan has joined #openstack-security
00:14 <Kennan> hi :tmcpeak?
00:14 <Kennan> there?
00:15 <Kennan> or :nkinder there?
00:15 <nkinder> Kennan: I'm here.  What's up?
00:15 <Kennan> I followed your https://wiki.openstack.org/wiki/Security/Projects/Bandit
00:15 <Kennan> and downloaded the keystone code
00:15 <Kennan> and issued a command like this
00:16 <Kennan> tox -e bandit
00:16 <Kennan> but it raised an exception with this message
00:16 <Kennan> ValueError: ('Expected version spec in', 'bandit~=0.10.0', 'at', '~=0.10.0')
00:16 <Kennan> :nkinder do you know what's wrong with the keystone setup with bandit?
00:16 <nkinder> Kennan: let me see if that occurs for me too
00:16 <Kennan> keystone https://github.com/openstack/keystone/blob/master/tox.ini
00:17 <Kennan> deps = bandit~=0.10.0
00:17 <Kennan> commands = bandit -c bandit.yaml -r keystone -n5 -p keystone_conservative
00:22 <nkinder> Kennan: yeah, I get that too.  It doesn't like that version dependency
00:23 <nkinder> Kennan: I removed the "~=0.10.0" portion and pip installed bandit in a virtualenv, and it runs
00:23 <Kennan> so you mean keystone set it wrong with 0.10.0?
00:24 <nkinder> Kennan: I'm not sure yet
00:25 <Kennan> OK. then you know, :nkinder I am working on magnum, and we thought keystone works with bandit,
00:26 <Kennan> but it seems keystone does not work well with bandit
00:26 <nkinder> It does, but I think the version specifier is messed up
00:27 <dave-mccowan> Kennan, tmcpeak put new instructions up https://wiki.openstack.org/wiki/Security/Projects/Bandit#Gate_Testing_with_Bandit
00:27 <nkinder> Kennan: what version of pip are you using?
00:27 <dave-mccowan> Kennan, he now recommends a different method for specifying the version
00:28 *** jamielennox|away is now known as jamielennox
00:28 <Kennan> :nkinder I tried that command tox -e bandit on an ubuntu 14.04 system
00:28 <Kennan> :dave-mccowan Let me check your link
00:29 <nkinder> Kennan: Ok, but it seems like something isn't liking the ~= version specifier from PEP 440 (https://www.python.org/dev/peps/pep-0440/)
00:29 <Kennan> OK. :nkinder I am not sure if keystone folks made a wrong change or not
00:30 <Kennan> :dave-mccowan use tox.ini to specify that bandit version
00:30 <nkinder> Kennan: for example, try "pip install bandit~=0.10.0"
00:30 <Kennan> keystone folks :dave-mccowan
00:31 *** salv-orlando has quit IRC
00:31 <Kennan> :nkinder so you mean the pip version does not match? or pip does not support ~= as a version
00:33 <nkinder> Kennan: I think it doesn't find a "compatible version", which is what ~= means
00:33 <nkinder> pip shows that 0.10.1 is in PyPI
00:33 <nkinder> I'm guessing that whatever needs to be defined to list it as "compatible" was missed, which broke what Keystone is doing in tox.ini
00:34 <nkinder> so this is a problem in bandit, not Keystone I think
00:34 <tmcpeak> ok what's up?
00:34 <tmcpeak> just getting caught up here
00:34 <nkinder> tmcpeak: keystone uses bandit~=0.10.0
00:34 <nkinder> tmcpeak: that fails now
00:34 <tmcpeak> it should use bandit==0.10.0
00:34 <tmcpeak> I don't know what ~= means
00:34 <nkinder> compatible version (see PEP 440)
00:34 <Kennan> but https://pypi.python.org/pypi?%3Aaction=search&term=bandit&submit=search is 0.10.1
00:34 <tmcpeak> bandit==0.10.0 is what will be in upstream (because of version pin)
00:34 <tmcpeak> let's set that
00:35 <Kennan> I think ~= means find 0.10.* like that? or
00:35 <Kennan> not sure
00:35 <tmcpeak> yeah, so we want to keep updating Bandit, but don't want to break anybody's stuff
00:35 <tmcpeak> so let's pin version
00:35 <tmcpeak> bandit==0.10.0 should work as expected
00:35 <Kennan> if we specify 0.10.0 could it find it in https://pypi.python.org/pypi?%3Aaction=search&term=bandit&submit=search
00:35 <Kennan> ?
00:35 <Kennan> it seems bandit is 0.10.1 in pip
00:35 <tmcpeak> both are in pip
00:36 <tmcpeak> pip install bandit==0.10.0 should work fine
00:36 <nkinder> Kennan: it's compatible version - https://www.python.org/dev/peps/pep-0440/#compatible-release
00:37 <tmcpeak> nkinder: I'm surprised it would work before and not now
00:37 <Kennan> :nkinder yes, just not sure why it cannot work with compatible version
00:37 <tmcpeak> we have not pushed any new tagged bandit version
00:37 <nkinder> and that's why I wonder if this is newer and the pip version matters
00:37 <dstufft> ~= is new
00:37 <dstufft> in pip 6
00:37 <dstufft> and setuptools 8
00:37 <nkinder> yeah, that's what I'm getting at
00:38 <tmcpeak> well we're not implementing any method of defining compatible releases yet, so pip would have no way of knowing what that means
00:38 <nkinder> I'm on F20 right now, which is a bit older
00:38 <tmcpeak> dstufft: ah, is it?
00:38 <Kennan> test@magnum-VirtualBox:~/keystone$ pip --version
00:38 <Kennan> pip 6.0.6 from /usr/local/lib/python2.7/dist-packages (python 2.7)
00:38 <nkinder> tmcpeak: no, it would
00:38 <Kennan> my pip is 6.0.6
00:38 <Kennan> still does not work
00:38 <tmcpeak> if we release 0.10.2, how does it know whether that is "compatible"
00:39 <dstufft> tmcpeak: if you do ~=0.10.2 it'll match anything in 0.10.* that is >= 0.10.2
00:39 <Kennan> I just don't know why they didn't set it like >= or something else, but ~=
00:39 <tmcpeak> Kennan: at any rate, please set bandit==0.10.0 in your project.. you'll get the expected behavior
00:39 <tmcpeak> ahh ok
00:39 <dstufft> if you do ~=0.10 it'll do anything in the 0.* series that is >= 0.10
00:39 <tmcpeak> so it will automatically take any new versions
00:39 <tmcpeak> that's not the behavior we want for gates
00:40 <tmcpeak> we want to stay at a known stable version, so bandit updates don't introduce unforeseen consequences in everybody's gate
00:40 <dstufft> the idea behind it is, for projects that use something semver-esque, you can define a range of acceptable versions based on that project's stable version policies
00:40 <tmcpeak> dstufft: ah ok, makes sense
00:40 <dstufft> yea, if you want pinning you want ==
00:41 <Kennan> OK. So guys, what's the proper way to do that? why does ~= not work now, I am confused
00:41 <dstufft> Kennan: define not work
00:41 <dstufft> what does it do
00:41 <tmcpeak> Kennan: we want to pin to a specific version.  I'm not sure why 0.10.1 is causing problems, but we have tested extensively for 0.10.0, so that's what we are trying to pin to
00:41 <tmcpeak> pinning to a specific version means setting: bandit==0.10.0
00:42 <tmcpeak> I'd never seen that ~= thing before, but now with an understanding of what it does, I can say that is *not* the setting we want for gates right now
00:42 <tmcpeak> bknudson: you around?
00:42 <nkinder> Kennan: just set it to ==, or use >= if you want
00:42 <nkinder> It's a single character tox.ini change
00:42 <bknudson> tmcpeak: where would I go?
00:42 <Kennan> OK. :tmcpeak, I would do that first ==, if anyone solves the ~= issue, pls let me know
00:43 <dstufft> tmcpeak: dec of 2014 is when the pip that had ~= was released, so it's real new
00:43 <bknudson> everyone loves ~=
00:43 <tmcpeak> bknudson: lols, ok.  Kennan is saying bandit~=0.10.0 is causing problems.. from my understanding of the ~= behavior from dstufft, we want to set bandit==0.10.0
00:43 <tmcpeak> so we don't automatically pull new Bandit versions
00:43 <tmcpeak> we want to be using the extensively tested version in the gates
00:44 <bknudson> that's what the global-requirements change is proposing, ==
00:44 <bknudson> so use that.
00:44 <tmcpeak> yep
00:44 <bknudson> pip should support ==
00:44 <tmcpeak> bknudson: can you update the keystone example, Bandit is pointing people to that
00:44 <tmcpeak> yeah, == is fine
00:44 <bknudson> tmcpeak: update the example where?
00:45 <Kennan> :bknudson
00:45 <Kennan> https://github.com/openstack/keystone/blob/master/tox.ini
00:45 <Kennan> I just executed tox -e bandit
00:45 <Kennan> it failed with ~=
00:45 <tmcpeak> oh… this is getting updated anyway, isn't it?
00:45 <bknudson> y, the change is https://review.openstack.org/#/c/171772/
00:46 <tmcpeak> ahhh ok
00:46 <tmcpeak> cool
00:46 <tmcpeak> so this will be cleared up anyway once this patch goes through
00:46 <bknudson> which uses bandit==0.10.0
00:46 <Kennan> ok. That sounds good
00:46 <Kennan> :bknudson it would work for that
00:47 <bknudson> dec 2014 is like a year ago in dog months.
00:47 <tmcpeak> haha
00:47 <tmcpeak> ok cool
00:47 <tmcpeak> this seems sorted, thanks Kennan, dave-mccowan, nkinder, bknudson, dstufft
00:48 <tmcpeak> Kennan: if you have any issues reach out to one of us, we'll get it figured out
00:48 <Kennan> thanks :tmcpeak
00:48 <Kennan> and all guys
00:48 <bknudson> there's an 0.10.1 release?
00:48 <bknudson> why aren't we proposing that for global-requirements?
00:49 <tmcpeak> yeah, 0.10.0 didn't include a config file, which doesn't affect gates, but makes it a pain for people that want to pip install and run it
00:49 <tmcpeak> bknudson: actually yeah, we probably should
00:49 <browne> i can update https://review.openstack.org/#/c/167126/ to use 0.10.1
00:49 <tmcpeak> 0.10.1 should be the same
00:49 <tmcpeak> browne: yeah, please do
00:50 <browne> ok, will do
00:50 <tmcpeak> 0.10.1 has all the same bandit goodness 0.10.0 had, plus better config file checking
00:50 <tmcpeak> browne: awesome, thanks!
00:51 <browne> done
00:51 <tmcpeak> sweet!
00:51 <Kennan> :tmcpeak do you suggest we use bandit in client checks? like glanceclient, keystoneclient?
00:51 <browne> still has a -2 until liberty is open
00:52 <tmcpeak> ok cool
00:52 <tmcpeak> Kennan: I think that Bandit can be useful in most/all projects, as it will at least point out insecure coding practices, regardless of the impact
00:53 <tmcpeak> alright, I'm off.. catch you all tomorrow :)
00:53 <Kennan> ok. Thanks
01:22 *** bpokorny has quit IRC
01:31 *** salv-orlando has joined #openstack-security
01:37 *** salv-orlando has quit IRC
02:12 *** browne has quit IRC
02:26 *** sdake has joined #openstack-security
02:44 *** browne has joined #openstack-security
02:54 *** sdake_ has joined #openstack-security
02:57 *** sdake has quit IRC
03:35 *** markvoelker has quit IRC
03:41 *** elmiko has quit IRC
03:42 *** elmiko has joined #openstack-security
03:46 *** salv-orlando has joined #openstack-security
03:53 *** salv-orlando has quit IRC
04:06 *** markvoelker has joined #openstack-security
04:12 *** markvoelker has quit IRC
04:27 *** sdake_ has quit IRC
05:14 *** sdake has joined #openstack-security
05:14 *** sdake has quit IRC
05:14 *** sdake has joined #openstack-security
05:25 *** sdake_ has joined #openstack-security
05:29 *** sdake has quit IRC
05:55 *** sdake_ has quit IRC
06:00 *** dave-mccowan has quit IRC
06:00 <openstackgerrit> OpenStack Proposal Bot proposed openstack/security-doc: Imported Translations from Transifex  https://review.openstack.org/171472
06:09 *** markvoelker has joined #openstack-security
06:14 *** markvoelker has quit IRC
07:10 *** markvoelker has joined #openstack-security
07:11 <openstackgerrit> Merged openstack/security-doc: Imported Translations from Transifex  https://review.openstack.org/171472
07:15 *** markvoelker has quit IRC
07:20 *** salv-orlando has joined #openstack-security
07:20 *** jamielennox is now known as jamielennox|away
07:44 *** teh_slack has quit IRC
07:50 *** browne has quit IRC
07:58 *** salv-orlando has quit IRC
08:03 *** salv-orlando has joined #openstack-security
08:11 *** markvoelker has joined #openstack-security
08:11 *** salv-orlando has quit IRC
08:12 *** salv-orlando has joined #openstack-security
08:16 *** markvoelker has quit IRC
08:37 *** salv-orlando has quit IRC
08:44 *** slacker has joined #openstack-security
08:59 *** slacker has quit IRC
09:03 *** tmcpeak1 has joined #openstack-security
09:05 *** tmcpeak has quit IRC
09:11 *** slacker has joined #openstack-security
09:12 *** markvoelker has joined #openstack-security
09:17 *** markvoelker has quit IRC
09:38 *** salv-orlando has joined #openstack-security
09:42 *** salv-orlando has quit IRC
09:43 *** salv-orlando has joined #openstack-security
09:54 *** aswadr has joined #openstack-security
10:04 *** Kennan2 has joined #openstack-security
10:04 *** Kennan has quit IRC
10:08 *** Kennan has joined #openstack-security
10:08 *** Kennan2 has quit IRC
10:09 <openstackgerrit> OpenStack Proposal Bot proposed openstack/security-doc: Updated from openstack-manuals  https://review.openstack.org/172365
10:13 *** markvoelker has joined #openstack-security
10:17 *** markvoelker has quit IRC
10:53 *** dave-mccowan has joined #openstack-security
10:56 *** salv-orlando has quit IRC
11:10 *** salv-orlando has joined #openstack-security
11:13 *** markvoelker has joined #openstack-security
11:18 *** markvoelker has quit IRC
11:52 *** browne has joined #openstack-security
12:11 *** markvoelker has joined #openstack-security
12:31 *** sdake has joined #openstack-security
12:32 *** sdake_ has joined #openstack-security
12:33 *** bknudson has quit IRC
12:36 *** sdake has quit IRC
12:43 *** markvoelker has quit IRC
12:44 *** markvoelker has joined #openstack-security
12:47 *** sdake_ has quit IRC
12:56 *** bknudson has joined #openstack-security
13:07 *** browne has quit IRC
13:09 *** browne has joined #openstack-security
13:18 *** edmondsw has joined #openstack-security
13:26 *** singlethink has joined #openstack-security
14:11 *** Kennan2 has joined #openstack-security
14:13 *** Kennan has quit IRC
14:13 *** sicarie has joined #openstack-security
14:15 *** Kennan has joined #openstack-security
14:16 *** Kennan2 has quit IRC
14:49 *** sdake_ has joined #openstack-security
14:58 *** sdake has joined #openstack-security
15:02 *** sdake_ has quit IRC
15:08 *** voodookid has joined #openstack-security
15:13 *** bpokorny has joined #openstack-security
15:17 *** tmcpeak1 has quit IRC
15:17 *** tmcpeak has joined #openstack-security
15:18 *** tmcpeak has quit IRC
15:18 *** tmcpeak has joined #openstack-security
15:55 *** browne has quit IRC
16:11 *** singlethink has quit IRC
16:16 *** sdake_ has joined #openstack-security
16:20 *** sdake has quit IRC
16:35 *** bpokorny_ has joined #openstack-security
16:38 *** bpokorny has quit IRC
16:42 *** browne has joined #openstack-security
16:43 *** singlethink has joined #openstack-security
18:18 *** dave-mccowan has quit IRC
18:42 *** dave-mccowan has joined #openstack-security
20:25 *** elmiko has quit IRC
20:26 *** elmiko has joined #openstack-security
20:39 *** aswadr has quit IRC
20:57 *** bpokorny has joined #openstack-security
20:59 *** bpokorny_ has quit IRC
21:03 <openstackgerrit> Merged openstack/security-doc: Security Guide links invalid  https://review.openstack.org/171922
21:10 <openstackgerrit> OpenStack Proposal Bot proposed openstack/security-doc: Updated from openstack-manuals  https://review.openstack.org/172365
21:29 *** bpokorny_ has joined #openstack-security
21:32 *** bpokorny has quit IRC
22:02 *** Guest95667 has joined #openstack-security
22:09 *** bknudson has quit IRC
22:13 *** Guest95667 has quit IRC
22:40 *** markvoelker has quit IRC
22:40 *** singlethink has quit IRC
22:41 *** tmcpeak has quit IRC
23:21 *** voodookid has quit IRC
23:23 *** NightShades has joined #openstack-security
23:28 <NightShades> Hello everyone
23:28 *** edmondsw has quit IRC
23:29 *** sicarie has left #openstack-security
23:39 *** markvoelker has joined #openstack-security
23:45 *** NightShades has left #openstack-security
23:57 *** bpokorny_ has quit IRC

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!