Monday, 2015-06-29

*** tmcpeak has quit IRC [00:19]
*** jamielennox is now known as jamielennox|away [00:26]
*** jamielennox|away is now known as jamielennox [00:30]
*** markvoelker has joined #openstack-security [01:30]
*** markvoelker has quit IRC [01:35]
*** dave-mccowan has joined #openstack-security [02:56]
*** dave-mccowan has quit IRC [03:15]
*** sigmavirus24_awa is now known as sigmavirus24 [03:15]
*** markvoelker has joined #openstack-security [03:19]
*** markvoelker has quit IRC [03:23]
*** sdake has joined #openstack-security [03:32]
*** sdake has quit IRC [03:36]
*** sigmavirus24 is now known as sigmavirus24_awa [03:38]
*** sigmavirus24_awa is now known as sigmavirus24 [03:39]
*** sdake has joined #openstack-security [03:39]
*** sigmavirus24 is now known as sigmavirus24_awa [03:49]
*** sdake_ has joined #openstack-security [03:58]
*** sdake has quit IRC [04:02]
*** browne has joined #openstack-security [04:22]
*** markvoelker has joined #openstack-security [05:08]
*** markvoelker has quit IRC [05:12]
<openstackgerrit> OpenStack Proposal Bot proposed openstack/security-doc: Imported Translations from Transifex https://review.openstack.org/196543 [06:01]
<openstackgerrit> Merged openstack/security-doc: Imported Translations from Transifex https://review.openstack.org/196543 [06:24]
*** browne has quit IRC [06:43]
*** markvoelker has joined #openstack-security [06:56]
*** markvoelker has quit IRC [07:01]
*** shohel has joined #openstack-security [07:03]
*** elo has joined #openstack-security [07:15]
*** shohel has quit IRC [07:55]
*** shohel has joined #openstack-security [08:08]
*** markvoelker has joined #openstack-security [08:45]
*** markvoelker has quit IRC [08:50]
*** shohel1 has joined #openstack-security [09:33]
*** shohel has quit IRC [09:33]
*** openstackgerrit has quit IRC [09:53]
*** openstackgerrit has joined #openstack-security [09:53]
*** sdake_ is now known as sdake [10:01]
*** shohel1 has quit IRC [10:03]
*** markvoelker has joined #openstack-security [10:34]
*** markvoelker has quit IRC [10:40]
*** markvoelker has joined #openstack-security [11:35]
*** markvoelker has quit IRC [11:40]
*** sdake has quit IRC [11:43]
*** dave-mccowan has joined #openstack-security [11:49]
*** markvoelker has joined #openstack-security [11:55]
*** bknudson has quit IRC [12:16]
*** edmondsw has joined #openstack-security [12:27]
*** bknudson has joined #openstack-security [12:36]
*** dave-mccowan has quit IRC [12:36]
*** dave-mccowan has joined #openstack-security [13:06]
*** dave-mcc_ has joined #openstack-security [13:08]
*** dave-mccowan has quit IRC [13:11]
*** dave-mcc_ has quit IRC [13:24]
*** singlethink has joined #openstack-security [13:32]
*** tmcpeak has joined #openstack-security [13:32]
*** edmondsw has quit IRC [13:33]
*** dave-mccowan has joined #openstack-security [13:37]
*** edmondsw has joined #openstack-security [13:44]
*** deepika has joined #openstack-security [13:47]
*** sigmavirus24_awa is now known as sigmavirus24 [13:58]
*** nkinder has joined #openstack-security [14:09]
*** dave-mccowan has quit IRC [14:20]
*** jhfeng has joined #openstack-security [14:23]
*** localloop127 has joined #openstack-security [14:24]
*** dave-mccowan has joined #openstack-security [14:34]
*** voodookid has joined #openstack-security [14:36]
*** sdake has joined #openstack-security [14:37]
*** sdake_ has joined #openstack-security [14:40]
*** sdake has quit IRC [14:43]
*** localloop127 has quit IRC [15:04]
*** singlethink has quit IRC [15:31]
*** jhfeng has quit IRC [15:33]
*** browne has joined #openstack-security [15:51]
*** dave-mccowan has quit IRC [16:01]
*** localloop127 has joined #openstack-security [16:03]
*** singlethink has joined #openstack-security [16:14]
*** dave-mccowan has joined #openstack-security [16:21]
*** bpb_ has joined #openstack-security [16:33]
*** pdesai has joined #openstack-security [16:57]
*** sicarie has joined #openstack-security [16:59]
<sicarie> hello [17:00]
<elmiko> hi [17:00]
<pdesai> Hi everyone [17:00]
<Daviey> o/ [17:00]
<sicarie> So I see two tickets to be triaged, but first I’d like to put Daviey on the spot if he doesn’t mind :) [17:01]
<Daviey> uho [17:01]
<Daviey> What have i done? [17:01]
<elmiko> hehe [17:01]
<sicarie> Daviey: in the meeting last week you brought up ticket info and triaging [17:01]
<Daviey> Oh yes [17:02]
<sicarie> I’d be very interested to know what you’d like to see in a ‘triaged’ ticket [17:02]
<sicarie> I saw you and elmiko briefly discussed it [17:02]
<elmiko> yea, i've got some ideas too. based on our conversation [17:02]
<sicarie> Cool, then we don’t have to put the new guy on the spot! [17:02]
<sicarie> elmiko: care to start? [17:02]
<elmiko> ok, sure [17:02]
<sicarie> Daviey: please jump in if you have something to say :) [17:02]
<Daviey> To me, Triaged means that it has passed the barrier of acceptance that it is an issue and contains enough information to allow someone to fix it [17:03]
<sicarie> +1 [17:03]
<elmiko> i think one big issue is the need for more project domain-specific advice [17:03]
<Daviey> Some of the triaged reports fail the second test [17:03]
<sigmavirus24> psst https://wiki.openstack.org/wiki/Bugs#Status [17:03]
* sigmavirus24 disappears just as quickly as he appeared [17:04]
<sicarie> thanks sigmavirus24! [17:04]
<elmiko> sigmavirus24: nice [17:04]
<Daviey> Ie, I kinda think a triaged report should allow anyone from OSSG doc's to do a drive by fix. So the subject matter notes are present on the bug report. [17:04]
<sicarie> “Triaged: The bug comments contain a full analysis on how to properly fix the issue” [17:04]
* Daviey wonders how similar it is to https://wiki.ubuntu.com/Bugs/Bug%20statuses [17:05]
<sicarie> elmiko: does that fit with your thoughts on domain-specific advice? [17:05]
<elmiko> i think we should try to fill out https://wiki.openstack.org/wiki/CrossProjectLiaisons#Vulnerability_management and then look to those CPLs to help us with the areas that require more domain-specific advice [17:05]
<elmiko> sicarie: yea definitely, if we could get CPLs to post comments it might help us to get further in the process [17:05]
<sicarie> Sounds good [17:06]
<elmiko> either that, or we will find bugs that *need* to be fixed by the CPLs or the project members [17:06]
<Daviey> Encouraging them to post rough notes that can be wordsmithed by this team later, if they prefer [17:06]
<sicarie> so we’ve previously handled bug triage as a group - do we want to start from the top and go through them with these criteria, ensure they’re set accurately? [17:06]
<sicarie> Or should I do an initial pass and we can review next week? [17:06]
<elmiko> Daviey: +1 [17:06]
<sicarie> And then we can subscribe CPLs to bugs and pester them to assist? [17:07]
<Daviey> An idea we were bouncing around during the week was grabbing an issue that we know requires SME input to progress [17:07]
<elmiko> works for me sicarie [17:07]
<Daviey> Ie, just target 1 each. [17:07]
<sicarie> Daviey: that sounds like a good plan once we know where we stand [17:08]
<Daviey> i jumped on bug 1329606, and emailed John Griffiths of Cinder [17:08]
<openstack> bug 1329606 in openstack-manuals "Security Guide does not document cinder wiping behavior" [High,Confirmed] https://launchpad.net/bugs/1329606 [17:08]
<elmiko> agreed, we can select 1 (minimum), and then try to reach out and get some assistance [17:08]
<sicarie> My concern is that current bugs may not be set correctly [17:08]
<sicarie> So we should level-set the current ~56 bugs and then start grabbing 1 each from there [17:08]
<elmiko> sicarie: i think we should continue with what we've been doing as well [17:08]
<elmiko> i just feel we need to identify the process for getting outside help [17:08]
<elmiko> because some of these need it [17:09]
<sicarie> +1 elmiko: I meant more do we want to review what’s there as a group to ensure they’re set to ‘triaged’ per the conventions? Or just on a going-forward basis? [17:09]
<elmiko> given the number of new bugs, i'm ok with reviewing as a group [17:09]
<sicarie> Daviey and pdesai andy preference? [17:10]
<sicarie> andy == any [17:10]
<pdesai> +1 to group review [17:10]
<Daviey> +1 [17:11]
<sicarie> Cool [17:11]
<sicarie> So let’s hit RST migration and then we’ll hit the bugs again [17:11]
<elmiko> sounds good [17:11]
<sicarie> pdesai: care to talk about https://bugs.launchpad.net/openstack-manuals/+bug/1469248 [17:11]
<openstack> Launchpad bug 1469248 in openstack-manuals "Create OpenStack Security Specs Repo" [Undecided,In progress] - Assigned to Priti Desai (priti-desai) [17:11]
<pdesai> yup, we have a review request, +1 from most of you guys, Rob, Andreas [17:12]
<pdesai> waiting for it to get merged [17:12]
<Daviey> pdesai: link? [17:12]
<sicarie> https://review.openstack.org/#/c/196165 [17:12]
<Daviey> ta [17:12]
<pdesai> https://review.openstack.org/#/c/196165/ [17:12]
<pdesai> i will create a repo based on the spec template [17:13]
<pdesai> https://github.com/openstack-dev/specs-cookiecutter [17:13]
* sicarie rushes to login and +1 [17:13]
<elmiko> hehe [17:13]
<pdesai> also started with setting up RST build process into our new security-doc-rst repo [17:13]
<pdesai> there are changes needed in tox file and some new files to build rst files [17:14]
<sicarie> pdesai: thanks for working this! [17:14]
<pdesai> sure [17:14]
<sicarie> Is there anything we can help with? You seem like you have it pretty well in hand [17:15]
<Daviey> pdesai: Which tooling did the other teams use to migrate over? [17:15]
*** sigmavirus24 is now known as sigmavirus24_awa [17:15]
<pdesai> pandoc [17:15]
<Daviey> ta [17:15]
<sicarie> Daviey: more info here as well: https://wiki.openstack.org/wiki/Documentation/Migrate [17:15]
<Daviey> Useful! [17:16]
<pdesai> but pandoc doesn't comprehensively convert xml to rst when xml has links to section_ :( [17:16]
*** sdake has joined #openstack-security [17:16]
<Daviey> pdesai: Is that sed'able? [17:16]
<pdesai> i am trying to propose "how to" for one chapter and we can follow the same process [17:17]
<Daviey> Sounds like you have a firm handle on this. [17:17]
<pdesai> daviey: yup sed should work as well [17:17]
<sicarie> Cool [17:18]
<sicarie> so pdesai please let us know if we can do anything - looks like this is moving along [17:18]
<pdesai> thanks guys for +1s, yeah i will keep bugging for the same, for few review requests [17:19]
<sicarie> +1 [17:19]
<elmiko> =) [17:19]
<sicarie> So on that note, we should probably triage the bug associated with it [17:19]
<sicarie> https://bugs.launchpad.net/openstack-manuals/+bug/1469248 [17:19]
<openstack> Launchpad bug 1469248 in openstack-manuals "Create OpenStack Security Specs Repo" [Undecided,In progress] - Assigned to Priti Desai (priti-desai) [17:19]
*** sdake_ has quit IRC [17:20]
<pdesai> yup definitely [17:20]
<sicarie> So I think the only thing on this is importance as Priti is already working it [17:20]
<elmiko> i'd say high, since it's blocking progress [17:20]
<sicarie> I’d personally say high as we’re waiting on this for the bp submission [17:20]
<elmiko> jinx ;) [17:20]
<pdesai> "1 [17:20]
<pdesai> +1 [17:20]
<sicarie> :X [17:20]
<sicarie> wow that looks like an ANGRY smiley face in my irc window [17:21]
<sicarie> :# [17:21]
<sicarie> hmm [17:21]
<sicarie> anyway [17:21]
<elmiko> haha [17:21]
<pdesai> hehe [17:21]
<sicarie> unless Daviey has any objection I’m setting that at high [17:21]
<sicarie> pdesai: can you add notes to it on your next steps? (ie, what you just outlined)? [17:21]
<pdesai> sure [17:21]
<sicarie> thanks! [17:22]
<pdesai> i will add that, sure [17:22]
<Daviey> (I have no objections) [17:22]
<sicarie> Awesome. Then there is one new bug that also needs to be addressed about encryption [17:22]
<sicarie> https://bugs.launchpad.net/openstack-manuals/+bug/1459548 [17:22]
<openstack> Launchpad bug 1459548 in openstack-manuals "contradictory info relating to Openstack support of volume encryption" [Undecided,Confirmed] [17:22]
<sicarie> So this looks cinder-specific (phew - I didn’t want to get into the Swift/glance encryption specs :) [17:23]
<sicarie> So reading through this the confusion is around [17:24]
<elmiko> the bug here is that it should be less ambiguous? [17:24]
<sicarie> “destruction of data is accomplished by securely deleting the encryption key.” and “destruction of data is as simple as throwing away the key." [17:24]
<elmiko> hmm [17:24]
<sicarie> elmiko: I think so? [17:24]
<sicarie> so my initial response is ‘incomplete’ with a note asking that exact question [17:25]
<elmiko> not really destruction, but it's rendered useless [17:25]
<sicarie> +1 [17:25]
<elmiko> unless cinder will destroy it without having a key [17:25]
<sicarie> I’m never a fan of leaving encrypted data around, even if you have gotten rid of the key [17:25]
<elmiko> right [17:25]
<elmiko> i'm ok with "incomplete" then adding a comment about our questions [17:25]
<sicarie> +1 [17:25]
<sicarie> Priority? [17:26]
<sicarie> low? [17:26]
<Daviey> So is the disagreement between "throwing away" vs "securely deleting the encryption key"? [17:26]
<Daviey> Both are questionable advice TBH :) [17:26]
<elmiko> Daviey: i think so [17:26]
<sicarie> Daviey: exactly [17:26]
<sicarie> I think the question is around what the reporter meant [17:26]
<sicarie> And if they didn’t mean that wasn’t great advice, then I have a new bug :) [17:26]
<elmiko> the advice should talk about the implications of deleting the key, and talk about deleting the data. imo [17:26]
<Daviey> Is someone taking the triage of that now? [17:27]
<elmiko> yea [17:27]
<sicarie> Daviey: yes, that’s what we’re discussing [17:27]
<Daviey> super [17:27]
<sicarie> I’m in the details right now [17:27]
<elmiko> i'm +1 for low [17:27]
<Daviey> I mean, is someone taking the following up action.. which i think elmiko just raised his hand ofr [17:27]
<Daviey> for* [17:27]
<elmiko> yea, i'll add the comment [17:27]
<sicarie> Daviey: we hadn’t gotten to volunteers, frequently I take what I think I can handle and then volun-script people :) [17:28]
<sicarie> elmiko: thanks! [17:28]
<Daviey> So the importance is Medium and Incomplete IMO [17:28]
*** browne has quit IRC [17:28]
<pdesai> +1 for low, details can be covered by the new ch. on cinder, volume encryption [17:29]
<sicarie> Daviey: there are two states - the status will be incomplete and we’re discussing priority now [17:29]
<sicarie> Daviey: any strong feelings on medium priority vs low? [17:29]
<Daviey> sicarie: Just Medium as it is potentially giving poor security advice [17:30]
<sicarie> So I can definitely understand that, but I think if the bug only covers the ambiguity then it’s a low priority bug, whereas a new bug on the quality of advice would be higher [17:30]
<Daviey> I'd suggest Worst Case Scenario, then lower as we learn more.. But i'm not passionate about it. [17:31]
<sicarie> pdesai elmiko any strong feelings on medium? [17:31]
<elmiko> i'd have an objection to medium [17:31]
<elmiko> i don't [17:31]
<elmiko> sorry [17:31]
<elmiko> also, added a comment [17:31]
<sicarie> and from sigmavirus24_awa’s earlier link [17:32]
*** dontalton has joined #openstack-security [17:32]
<sicarie> Medium: Failure of a significant feature, with workaround; Failure of a fringe feature, no workaround [17:32]
<sicarie> vs low is insignificant bug or Small issue with an easy workaround [17:32]
<sicarie> elmiko: thanks! [17:32]
<elmiko> sicarie: does that cover our concerns? [17:32]
<sicarie> elmiko: I think so [17:33]
<elmiko> cool [17:33]
<sicarie> So the more I hope this bug is relating to the ambiguity the more I want to put this at medium as well [17:33]
<sicarie> So i’ll set it there and we can circle back around once we get more info [17:33]
<elmiko> sounds good [17:33]
<sicarie> and on that, sorry for keeping everyone 3 min over [17:33]
<sicarie> thanks Daviey pdesai and elmiko! [17:34]
<pdesai> no worries, thanks everyone [17:34]
<Daviey> Thanks! [17:34]
*** singlethink has quit IRC [17:34]
<Daviey> Just as a comment about triage.. The way we used to handle it in Ubuntu Server, where we got several hundred bugs per week was.. [17:36]
<Daviey> Rota of people to bang through the bugs really quickly, setting the worst case scenario importance.. max 2 mins thought. [17:36]
<Daviey> Then, when they are all done.. Triage the status, sorting from Importance downwards [17:36]
<Daviey> Setting Incomplete if we were waiting on the reporter / details [17:37]
<Daviey> Complete if the issue is known, and Triaged if we know how to fix it [17:37]
<elmiko> makes sense [17:37]
<Daviey> But this isn't that.. and probably have different problems to deal with. [17:38]
<sicarie> Daviey: that definitely seems like a reasonable process as well [17:39]
<sicarie> I think we’re still doing it this way because 1) this is how it was when we started doing it and 2) haven’t had enough time to think about scaling/updating it :) [17:40]
<sicarie> It’s definitely something I noted - if the bugs pick up, we definitely need a better approach [17:40]
<Daviey> Yeah, i'm a noob to this effort, so don't listen too much to me :) [17:40]
<elmiko> imo, we should consider codifying this on a wiki *and* consider applying for an actual meeting time in an openstack-meeting-* channel [17:40]
<elmiko> we could use the meetbot functionality, and it seems like we're on-boarding more folks [17:41]
<sicarie> elmiko: yeah, not sure why bdpayne was against that - I asked him at one point and he said no [17:41]
<sicarie> I think at the time it was a size thing [17:41]
<elmiko> yea, i could see that [17:41]
<sicarie> if we’ve got 4/5 regular contributors it probably makes sense to start looking at expanding and not putting so much noise in the security room [17:41]
<elmiko> i'm not saying we need to do it now, but i think we should talk about it with other openstack folks to learn more about the process. [17:42]
<elmiko> sicarie: +1, plus getting the whole meetbot infra is a nice addition [17:42]
<elmiko> (eavesdrop, etc...) [17:42]
<Daviey> I had no idea this meeting was a thing, as it wasn't on the schedule [17:42]
<sicarie> one thing i’d love though is a bot that goes into the meeting rooms and announces the meetings related to that room (ie, in here would be bot announcing security project on thurs and sec-guide on monday) [17:42]
<sicarie> Daviey: yes, and we’ve been asked by the doc team to codify it as well [17:42]
<elmiko> Daviey: right, another good point to help gather more help =) [17:43]
<sicarie> =1 [17:43]
<sicarie> +1 [17:43]
<elmiko> sicarie: at the least we should start researching the process for getting these things [17:43]
<sicarie> elmiko: yep, I have a weekly, or bi-weekly depending on who does/doesn’t remember with loquacities (doc lead) so I’ll ask [17:44]
<Daviey> BTW, that example bug i looked at.. I had a response from the SME - http://pastebin.com/raw.php?i=zdZW3eY4 More than i hoped for! [17:44]
<sicarie> awesome [17:45]
<elmiko> sicarie: +1 [17:45]
<elmiko> Daviey: that's good info, would be nice to have some of that illuminated in the guide. [17:46]
<Daviey> FWIW, #openstack-meeting-alt seems to have the meeting slot free. [17:46]
<elmiko> it at least helps describe why deleting the keys is an acceptable workaround [17:46]
<Daviey> elmiko: Right, i've assigned that bug to me - i'll work it in there [17:46]
<Daviey> (AH, sorry - that is a different issue to the one we triaged in the meeting) [17:46]
<elmiko> oh, oops. was just looking at the bug [17:46]
<elmiko> just looked at the clock, should we wrap up soon? [17:48]
*** singlethink has joined #openstack-security [17:49]
<Daviey> i'm going home, cya o/ [17:50]
<sicarie> elmiko: sorry, I thought we’d already wrapped up and this was post-meeting discussion :) [17:50]
<elmiko> haha [17:50]
<elmiko> ! [17:50]
<elmiko> Daviey: later [17:50]
<sicarie> thanks Daviey! [17:50]
*** sigmavirus24_awa is now known as sigmavirus24 [18:03]
*** sicarie has quit IRC [18:07]
*** shohel has joined #openstack-security [18:19]
*** browne has joined #openstack-security [18:26]
*** openstackgerrit has quit IRC [18:30]
*** openstackgerrit has joined #openstack-security [18:30]
*** pdesai has quit IRC [18:31]
*** singlethink has quit IRC [18:38]
*** singleth_ has joined #openstack-security [18:38]
*** pdesai has joined #openstack-security [18:40]
*** singleth_ has quit IRC [18:43]
*** jhfeng has joined #openstack-security [18:46]
*** deepika has quit IRC [18:50]
*** markvoelker_ has joined #openstack-security [18:51]
*** markvoelker has quit IRC [18:52]
*** dave-mccowan has quit IRC [18:56]
*** markvoelker_ has quit IRC [18:57]
*** markvoelker has joined #openstack-security [18:57]
*** shohel has quit IRC [19:10]
*** dave-mccowan has joined #openstack-security [19:21]
<tmcpeak> browne: could you have a look at chair6's latest change? we're just waiting on you for final approval [19:29]
<browne> tmcpeak: sure, looking at it now [19:29]
<tmcpeak> browne: awesome, thank you [19:29]
*** pdesai has quit IRC [19:31]
<openstackgerrit> Jamie Finnigan proposed stackforge/bandit: Address multiline node lineno inaccuracies https://review.openstack.org/195761 [19:57]
<chair6> @browne, @tmcpeak .. fixed ^ [19:58]
<sigmavirus24> browne: I'll let you +A that if you're comfortable with it [19:59]
<browne> chair6: thx! [19:59]
* chair6 adds (expected, actual) to the list of conventions i mostly remember.. [20:00]
<sigmavirus24> chair6: to be fair [20:01]
<sigmavirus24> that's only a testtools convention [20:01]
<tmcpeak> is there a reason behind it, or just convention? [20:02]
<sigmavirus24> stdlib unittest library doesn't care about it iirc [20:02]
<sigmavirus24> pytest doesn't care [20:02]
<sigmavirus24> nosetests might care but I don't think it does [20:02]
<sigmavirus24> testtools convention => openstack convention [20:02]
<tmcpeak> ahh, ok [20:03]
<chair6> those few tests should be a reasonable pattern to use to add some more result/output-related tests beyond just the counts .. that stupid resstore = OrderedDict() call being at class instead of object level took me far too long to figure out.. [20:03]
<Daviey> I think it comes from mandatory parameters coming first with functions, and having an expected is always something you require. Think it is a Java Junit legacy thing mostly. [20:04]
<sigmavirus24> Daviey: that may be the history of why testtools adapted that convention but https://hg.python.org/cpython/file/97a24bc714ec/Lib/unittest/case.py#l812 [20:06]
<sigmavirus24> "first, second" aren't really descriptive parameter names =P [20:06]
<sigmavirus24> https://hg.python.org/cpython/file/97a24bc714ec/Lib/unittest/case.py#l900 etc [20:07]
<Daviey> sigmavirus24: Use the src luke... But by that logic it is > if "bar" == foo <, which doesn't make sense then! [20:09]
<openstackgerrit> Merged stackforge/bandit: Address multiline node lineno inaccuracies https://review.openstack.org/195761 [20:23]
<tmcpeak> sigmavirus24, browne, chair6: ^ with that it's PyPI time [20:25]
<tmcpeak> everybody have one more sanity check if you could please? [20:25]
<sigmavirus24> Go go gadget twine [20:25]
<sigmavirus24> Oh [20:25]
<tmcpeak> sigmavirus24: actually I'm using whatever the Stackforge->PyPI linkage is [20:26]
<tmcpeak> TBD if that's twine [20:26]
<sigmavirus24> tmcpeak: 99% certain that's twine [20:26]
<tmcpeak> I certainly hope so :) [20:26]
*** dontalton has quit IRC [20:26]
*** Canaima_kawaii has joined #openstack-security [20:30]
<Canaima_kawaii> HOLISSS [20:31]
*** Canaima_kawaii has left #openstack-security [20:31]
<tmcpeak> damnit [20:34]
<tmcpeak> :\ [20:34]
<openstackgerrit> Jamie Finnigan proposed stackforge/bandit: Downgrade hardcoded /tmp confidence https://review.openstack.org/196851 [20:36]
<sigmavirus24> tmcpeak: senpai noticed us [20:37]
<chair6> ^ one more small tweak proposed after staring at that specific test a little too much last week, quite happy to abandon if folks don't agree or leave it for a future release [20:37]
*** browne has quit IRC [20:41]
<sigmavirus24> chair6: it seems reasonable [20:42]
*** edmondsw has quit IRC [20:43]
<openstackgerrit> Jamie Finnigan proposed stackforge/bandit: Downgrade hardcoded /tmp confidence https://review.openstack.org/196851 [20:44]
<tmcpeak> I'll take a look [20:45]
<tmcpeak> chair6: have to disagree.. I think it's at least a solid medium [20:50]
<tmcpeak> I've never seen a false positive on it [20:50]
<tmcpeak> docstrings aren't included, I can't really think of anywhere you'd have "/tmp" and not be trying to use it that way [20:50]
<Daviey> tmcpeak: It might make it more verbose (false positive), but make Low more accurate IMO if /var/tmp/ and /dev/shm is added to that check? [20:53]
<Daviey> chair6: ^ [20:54]
<chair6> i just generally think that if all we're able to do is match a hardcoded string, where we have no context around how it's being used, we should probably call it low confidence [20:54]
<Daviey> chair6: Do you have any reports handy where it was a false positive? [20:56]
<tmcpeak> chair6: I see your point, but in my usage I have seen it as the entry point to some pretty high severity issues. I have also never seen a false positive from it [20:57]
<tmcpeak> since docstrings are no longer processed, I can't think of a use case where somebody would have "/tmp" in a string and not be trying to use it that way [20:57]
<chair6> i do not, i just generally feel uncomfortable with 'medium' confidence for a hardcoded string match .. travis has more experience actually running this test in anger than i do [20:57]
<tmcpeak> :) [20:58]
<chair6> happy to drop it, figured it was worth asking about [20:58]
<Daviey> chair6: But what are your thoughts on adding /var/tmp and /dev/shm to that plugin? [20:58]
<tmcpeak> yeah, TBH it's one of my favorite tests and I've seen it consistently at least find bad coding practices, if not security issues [20:58]
<chair6> daviey: makes sense to expand it to cover other common tmp locations.. [20:59]
<tmcpeak> could "/dev/shm" be a separate test? [20:59]
<tmcpeak> I guess it's the same idea [20:59]
<Daviey> tmcpeak: why separate? [20:59]
<Daviey> I can't think of a reason you'd want to use TMPFILE as a string rather than use tempfile.mkstemp() [21:00]
<tmcpeak> I don't know, I guess "shared memory" feels more like it's trying to accomplish IPC, but maybe I have the idea wrong [21:00]
<tmcpeak> Daviey: yeah, that's kind of my thought too [21:01]
<Daviey> Many apps use shm as a file system based IPC [21:01]
<tmcpeak> if we want to get into secure IPC usage, it feels like that could be a good separate module [21:01]
<tmcpeak> like combined with other tests too [21:01]
<tmcpeak> but I guess it's really all the same thing as /tmp [21:01]
<tmcpeak> yeah, I agree.. we should add those [21:03]
<tmcpeak> let's do that after pin though… want some time to test and make sure we don't screw up Keystone and others [21:05]
<tmcpeak> chair6, Daviey, sigmavirus24: you guys have a few minutes for last minute testing? I can pin this version today [21:05]
* sigmavirus24 doesn't [21:06]
<Daviey> can do [21:06]
<tmcpeak> sigmavirus24: ok, no worries, Daviey: cool, thank you [21:07]
<Daviey> tmcpeak: Hmm, i don't think i was seeing this last week... http://paste.openstack.org/show/326018/ [21:13]
<sigmavirus24> hm [21:14]
<Daviey> Ignore me, i had multiple bandit's in my PYTHONPATH [21:15]
<sigmavirus24> Daviey: https://github.com/stackforge/bandit/blob/master/bandit/core/manager.py#L33 it's definitely there [21:15]
<sigmavirus24> tsk tsk Daviey =P [21:15]
<tmcpeak> :) [21:22]
<chair6> passes py27 and py34 tox tests, using py27 it completes runs against keystone/nova/trove/swift without failing.. that's all i've got time for right now [21:23]
<tmcpeak> chair6: awesome, thank you [21:24]
*** browne has joined #openstack-security [21:25]
<tmcpeak> browne: you're just in time :) [21:26]
<tmcpeak> final kick Bandit up to PyPI sanity testing [21:27]
<browne> what's up [21:27]
<tmcpeak> we're trying to push a new Bandit version in PyPI today [21:28]
<tmcpeak> browne: want to give a last validation [21:28]
<tmcpeak> make sure nothing stupid is wrong with the latest? [21:28]
<browne> ok sure, let me check [21:28]
<tmcpeak> cool [21:30]
<Daviey> seems to wfm. [21:34]
<tmcpeak> Daviey: cool, thank you [21:39]
<tmcpeak> looks good to me as well [21:43]
<browne> hmm, i got a keyerror when running on keystone [21:43]
<tmcpeak> browne: interesting [21:44]
<browne> http://paste.openstack.org/show/326023/ [21:44]
<tmcpeak> I just ran on Keystone and didn't [21:44]
<browne> i'm running on Mac, which isn't valid though [21:44]
<tmcpeak> hmm, did you do a clean uninstall/reinstall? I've seen this before when installing Bandit over an older version that didn't have the stevedore extensions [21:45]
<browne> i did a pip uninstall, then ran python setup.py install [21:45]
<tmcpeak> try pip uninstall bandit until you can't anymore and then "pip install ." [21:45]
<tmcpeak> that should work too [21:45]
<tmcpeak> try repeating pip uninstall bandit [21:45]
<tmcpeak> you might have to do it a couple of times to get it completely clean [21:45]
<browne> yep, looks like i had a leftover /Library/Python/2.7/site-packages/bandit-0.9.0.post70-py2.7.egg-info [21:46]
<tmcpeak> woah, 0.9.0, you're oldschool bro [21:47]
<browne> ha [21:47]
<browne> let me use a real env [21:47]
<sigmavirus24> ^ is why I use virtualenvs for everything [21:50]
<browne> that is wise [21:50]
<sigmavirus24> mktmpenv ; cd - ; pip install (stuff) ; do stuff ; deactivate [21:51]
<sigmavirus24> That's even faster now with pip 7.x and auto-wheel caching [21:52]
<tmcpeak> I'm opposite, I almost never remember to use venvs :) [21:55]
*** localloop127 has quit IRC [21:55]
*** bpb_ has quit IRC [21:55]
<sigmavirus24> There's only a couple things I don't install in venvs because I use it globally [21:56]
<sigmavirus24> Flake8 (and its dependencies) pip, virtualenv, and such [21:57]
<tmcpeak> I should probably get on board :) [21:58]
<sigmavirus24> pipsi should make it easier [21:59]
<tmcpeak> pipsi? [22:00]
*** sdake_ has joined #openstack-security [22:01]
<sigmavirus24> yeah it's a mitsuhiko thing [22:01]
<sigmavirus24> it installs everything into its own virtualenv that the tool enforces [22:01]
<sigmavirus24> I don't use it because I don't feel it's necessary [22:01]
<sigmavirus24> But i know some people who do [22:01]
<sigmavirus24> And they want to make it a PyPA project [22:01]
<dstufft> https://bpaste.net/show/7142e3466423 that's the only things I install globally [22:02]
<dstufft> virtual environments ftw [22:02]
*** sdake has quit IRC [22:04]
*** bdpayne has joined #openstack-security [22:06]
<tmcpeak> bdpayne: what's up? [22:12]
<tmcpeak> long time no see [22:13]
<bdpayne> hi! [22:13]
<bdpayne> just sitting on the deck cranking out some slides [22:13]
<bknudson> bdpayne is living the dream. [22:14]
* bdpayne tries [22:14]
<bdpayne> how are you guys doing? [22:14]
<tmcpeak> :) [22:14]
<tmcpeak> pretty good [22:14]
<bknudson> bdpayne: we fixed all the security in openstack [22:14]
<tmcpeak> yeah, all solved [22:14]
<bdpayne> oh nice work [22:14]
<bdpayne> want to come on over to Netflix then? ;-) [22:14]
<bknudson> we added crypto [22:14]
<tmcpeak> at least 5 new cryptos now [22:15]
<bdpayne> you mean bitcoin, right? [22:15]
<bdpayne> you added bitcoin? [22:15]
<bknudson> bitcoin and docker [22:15]
<bdpayne> excellent [22:15]
<bdpayne> how was Vancouver? [22:16]
<bknudson> the weather and the city were both really nice. [22:16]
<bknudson> if you haven't been I'd put it on my list [22:16]
<bdpayne> yeah, I've been [22:17]
<bdpayne> was sad to miss it [22:17]
<bknudson> next is tokyo [22:17]
*** jhfeng has quit IRC [22:19]
*** bknudson has quit IRC [22:20]
* elmiko waves at bdpayne [22:21]
<bdpayne> hey! [22:21]
<elmiko> how's netflix treating you? [22:21]
<bdpayne> very nicely thus far [22:22]
<elmiko> awesome to hear =) [22:22]
<bdpayne> lots of work to do [22:23]
<tmcpeak> gotta love that stock, huh? :P [22:23]
<bdpayne> um, yeah [22:23]
<elmiko> i'll bet, saw a bunch of good netflix presos at spark summit [22:23]
<bdpayne> notice how it's been doing really well since they hired me? [22:23]
<elmiko> lol, nicely done sir [22:23]
<bdpayne> thanks, I do what I can [22:23]
<tmcpeak> haha [22:24]
<browne> tmcpeak: bandit LGTM, i say ship it [22:24]
<tmcpeak> browne: cool, I'm glad you said that because… https://pypi.python.org/pypi/bandit/0.12.0 [22:24]
<browne> ha! [22:24]
<browne> np [22:24]
*** sdake has joined #openstack-security [23:02]
*** voodookid has quit IRC [23:03]
*** sdake_ has quit IRC [23:05]
*** markvoelker has quit IRC [23:13]
*** edmondsw has joined #openstack-security [23:24]
*** bdpayne has quit IRC [23:43]
*** markvoelker has joined #openstack-security [23:51]
*** edmondsw has quit IRC [23:51]
