*** dave-mccowan has quit IRC | 01:21 | |
*** sigmavirus24 is now known as sigmavirus24_awa | 01:40 | |
*** dave-mccowan has joined #openstack-security | 02:51 | |
*** sdake has joined #openstack-security | 04:30 | |
*** dave-mccowan has quit IRC | 04:44 | |
*** amit213 has joined #openstack-security | 05:00 | |
*** tmcpeak has quit IRC | 05:00 | |
*** browne has quit IRC | 06:36 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/security-doc: Updated from openstack-manuals https://review.openstack.org/197863 | 07:23 |
*** VivCheri has joined #openstack-security | 07:27 | |
openstackgerrit | Merged openstack/security-doc: Updated from openstack-manuals https://review.openstack.org/197863 | 07:36 |
*** airen has joined #openstack-security | 07:45 | |
openstackgerrit | Stanislaw Pitucha proposed stackforge/anchor: Implement saving certificate in memory https://review.openstack.org/197433 | 08:17 |
*** jamielennox is now known as jamielennox|away | 08:20 | |
*** jamielennox|away is now known as jamielennox | 08:41 | |
*** openstackgerrit has quit IRC | 09:19 | |
*** openstackgerrit has joined #openstack-security | 09:20 | |
*** shohel has joined #openstack-security | 10:13 | |
*** VivCheri has quit IRC | 10:13 | |
*** dave-mccowan has joined #openstack-security | 12:30 | |
*** edmondsw has joined #openstack-security | 12:42 | |
*** singlethink has joined #openstack-security | 13:32 | |
*** tmcpeak has joined #openstack-security | 13:42 | |
*** jian5397 has joined #openstack-security | 13:45 | |
*** VivCheri has joined #openstack-security | 13:50 | |
*** singleth_ has joined #openstack-security | 13:54 | |
VivCheri | Good evening. | 13:54 |
elmiko | good morning =) | 13:55 |
jian5397 | goo morning | 13:55 |
jian5397 | good morning | 13:55 |
*** jian5397 is now known as michaelxin | 13:55 | |
michaelxin | vivcheri: where are you? | 13:56 |
*** sigmavirus24_awa is now known as sigmavirus24 | 13:56 | |
VivCheri | michaelxin: why do you ask ? :) | 13:56 |
VivCheri | VivCheri: I am in India. | 13:57 |
michaelxin | got it. Thanks. | 13:57 |
*** singlethink has quit IRC | 13:57 | |
michaelxin | just curious | 13:57 |
VivCheri | ok :) | 13:58 |
*** localloop127 has joined #openstack-security | 14:02 | |
openstackgerrit | Tim Kelsey proposed stackforge/bandit: Adding a test for partial paths in exec functions https://review.openstack.org/197180 | 14:02 |
*** browne has joined #openstack-security | 14:11 | |
*** voodookid has joined #openstack-security | 14:36 | |
*** VivCheri has quit IRC | 14:42 | |
*** timkennedy has joined #openstack-security | 14:43 | |
*** shohel has quit IRC | 14:45 | |
*** VivCheri has joined #openstack-security | 14:54 | |
openstackgerrit | Tim Kelsey proposed stackforge/bandit: Adding a test for partial paths in exec functions https://review.openstack.org/197180 | 14:58 |
openstackgerrit | Tim Kelsey proposed stackforge/bandit: Adding a test for partial paths in exec functions https://review.openstack.org/197180 | 15:01 |
*** shohel has joined #openstack-security | 15:07 | |
*** dwyde has joined #openstack-security | 15:13 | |
*** michaelxin has quit IRC | 15:16 | |
sigmavirus24 | I think bknudson mentioned this already, but someone wants us to use oslo.rootwrap in Glance: https://review.openstack.org/#/c/186201/ I added a bunch of you for reviews =P | 15:28 |
tmcpeak | sigmavirus24: I'm not as up on rootwrap and the evils of it as I should be, is the idea that basically people suck at using filters? | 15:32 |
sigmavirus24 | I'm not entirely sure | 15:32 |
sigmavirus24 | I think it's meant to be the lesser of two evils | 15:33 |
tmcpeak | I mean, it's fairly prevalent, and I think in theory it could be used securely. I'd rather at least have the option for filters than people just "sudo this" and "sudo that"'ing all over the place | 15:33 |
sigmavirus24 | yeah | 15:34 |
tmcpeak | next midcycle I'm going to spend some time with bknudson and browne and the other rootwrap experts and finally understand what's up | 15:34 |
tmcpeak | I'd like a day to just poke at it | 15:34 |
*** singleth_ has quit IRC | 15:37 | |
browne | As I recall rootwrap really sucks when they use the blank CommandFilter. Basically it permits that command to run with any argument. RegExpFilter should be preferred | 15:38 |
elmiko | tmcpeak: yea, my experience was that filters usually messed our users up | 15:39 |
tmcpeak | ahh ok cool | 15:40 |
tmcpeak | hmm, yeah that's what we ended up with here. https://security.openstack.org/guidelines/dg_use-oslo-rootwrap-securely.html | 15:41 |
tmcpeak | at some point it would be interesting to dig in, and find some examples of suck and some examples of not-suck | 15:41 |
*** tkelsey has joined #openstack-security | 15:45 | |
tmcpeak | elmiko: https://bugs.launchpad.net/python-swiftclient/+bug/1470740 | 15:46 |
openstack | Launchpad bug 1470740 in python-swiftclient "swiftclient disclose token in debug logs" [Undecided,New] | 15:46 |
tmcpeak | see comment here :) | 15:46 |
sigmavirus24 | thanks for the link tmcpeak | 15:47 |
tmcpeak | ;) | 15:47 |
elmiko | interesting... | 15:47 |
tmcpeak | looks like we need to just say "DEBUG may log all the things" | 15:47 |
tmcpeak | add all affected projects and versions | 15:47 |
elmiko | ok, so one more re-write on 0049 then? | 15:48 |
elmiko | tristanC: thanks! ;) | 15:48 |
tmcpeak | elmiko: yeah :( sorry man, this one is turning out epic | 15:48 |
elmiko | haha totes | 15:48 |
tmcpeak | that's cool though man, if you're going to write a note it might as well be an epic one | 15:49 |
elmiko | sure, why not. then at least we don't have to write one like this again | 15:49 |
elmiko | hopefully.... | 15:49 |
tristanC | elmiko: you're welcome ;) | 15:50 |
tmcpeak | the fun part is going to be listing out all of the projects | 15:50 |
tmcpeak | tristanC: would you recommend listing all of the projects, since this could be in any of them? | 15:50 |
elmiko | oh man... | 15:50 |
tmcpeak | also what projects do we list? I'm not up on the big tent manifesto as much as I should be | 15:51 |
* Daviey regrets looking at the backscroll, and decides to put the kettle on instead. | 15:51 | |
elmiko | there should be a way for us to have an ossn that applies to all services | 15:51 |
elmiko | Daviey: lol! | 15:52 |
tristanC | a starting list could be: https://bugs.launchpad.net/ossa/?field.searchtext=debug&search=Search&field.status%3Alist=WONTFIX&field.assignee=&field.bug_reporter=&field.omit_dupes=on&field.has_patch=&field.has_no_package= | 15:52 |
tmcpeak | yeah, maybe just "all" ? or something, nkinder: ^ | 15:52 |
tmcpeak | tristanC: but just because it doesn't exist in a project now doesn't mean it wouldn't in the future. If it's not a security bug, it doesn't seem like we necessarily have a firm stance on this one way or the other | 15:53 |
elmiko | this seems like a good candidate for an "all", although if need be i'll hit the list that tristanC is suggesting | 15:53 |
tristanC | "all" seems fine, but then operators will yell that they need debug mode in prod so... | 15:53 |
Daviey | If operators *need* to use Debug in prod, then openstack logging is busted. | 15:54 |
tmcpeak | tristanC: at which point we yell that they're going to get popped and then the cycle goes around again | 15:54 |
elmiko | can we just say, "if you use debug mode then the security group says https://www.youtube.com/watch?v=5c2etjMl3WM" ? | 15:55 |
tmcpeak | ^ if this is a rick-roll I'm going to be upset | 15:55 |
elmiko | lol | 15:55 |
Daviey | Is there a Tempest job to look for strings that shouldn't be logged? | 15:55 |
nkinder | tmcpeak: just escaped from a meeting. Let me read the backscroll... | 15:57 |
tmcpeak | okies | 15:58 |
nkinder | elmiko, tmcpeak: we have an example of "all services" in the heartbleed or poodle OSSN IIRC | 15:58 |
nkinder | elmiko, tmcpeak: https://wiki.openstack.org/wiki/OSSN/OSSN-0039 | 15:59 |
elmiko | nkinder: awesome, thanks | 16:00 |
* elmiko heads off back to the re-write dungeon | 16:00 | |
tmcpeak | oh yeah, cool, that's right | 16:00 |
tmcpeak | nkinder: I even wrote one of them ;) https://wiki.openstack.org/wiki/OSSN/OSSN-0045 — I have the memory of a sparrow apparently | 16:01 |
sigmavirus24 | I have it on my todo list to write one for glance | 16:01 |
nkinder | tmcpeak: lol. I know how you feel. | 16:02 |
tmcpeak | yeah, I should pick another up soon too | 16:02 |
*** singlethink has joined #openstack-security | 16:11 | |
*** dwyde has quit IRC | 16:11 | |
*** dwyde has joined #openstack-security | 16:11 | |
*** dwyde has quit IRC | 16:16 | |
*** dwyde has joined #openstack-security | 16:16 | |
*** singleth_ has joined #openstack-security | 16:31 | |
*** singlethink has quit IRC | 16:35 | |
*** deepika has joined #openstack-security | 16:45 | |
*** deepika has quit IRC | 16:46 | |
*** mvaldes has joined #openstack-security | 16:46 | |
*** deepika has joined #openstack-security | 16:47 | |
*** jian5397 has joined #openstack-security | 16:52 | |
*** gmurphy_ is now known as gmurphy | 16:57 | |
*** jian5397 is now known as michaelxin | 17:01 | |
*** mvaldes has left #openstack-security | 17:02 | |
*** singlethink has joined #openstack-security | 17:05 | |
*** singleth_ has quit IRC | 17:08 | |
*** dwyde has quit IRC | 17:27 | |
*** dwyde has joined #openstack-security | 17:58 | |
*** michaelxin has quit IRC | 17:59 | |
*** VivCheri has quit IRC | 18:19 | |
*** elo1 has joined #openstack-security | 18:19 | |
*** browne has quit IRC | 18:20 | |
openstackgerrit | Tim Kelsey proposed stackforge/bandit: Adding a test for partial paths in exec functions https://review.openstack.org/197180 | 18:20 |
*** elo has quit IRC | 18:23 | |
*** sdake_ has joined #openstack-security | 18:58 | |
*** sdake has quit IRC | 19:00 | |
*** sdake has joined #openstack-security | 19:01 | |
*** sdake_ has quit IRC | 19:04 | |
*** rbrooker has joined #openstack-security | 19:25 | |
*** deepika has quit IRC | 19:45 | |
*** tkelsey has quit IRC | 19:51 | |
*** jian5397 has joined #openstack-security | 20:09 | |
*** edmondsw has quit IRC | 20:14 | |
*** browne has joined #openstack-security | 20:16 | |
*** localloop127 has quit IRC | 20:19 | |
*** singleth_ has joined #openstack-security | 20:25 | |
*** timkennedy has quit IRC | 20:25 | |
*** jian5397 is now known as michaelxin | 20:28 | |
*** singlethink has quit IRC | 20:29 | |
*** dwyde has quit IRC | 20:43 | |
*** michaelxin has quit IRC | 21:44 | |
*** tkelsey has joined #openstack-security | 21:48 | |
*** tkelsey has quit IRC | 21:53 | |
openstackgerrit | Merged stackforge/bandit: Adding a test for partial paths in exec functions https://review.openstack.org/197180 | 21:56 |
*** singlethink has joined #openstack-security | 22:09 | |
*** singleth_ has quit IRC | 22:12 | |
*** sdake has quit IRC | 22:22 | |
*** sdake has joined #openstack-security | 22:22 | |
*** elo1 has quit IRC | 22:41 | |
*** shohel has quit IRC | 22:42 | |
*** amit213 has quit IRC | 22:42 | |
*** woodrow has quit IRC | 22:42 | |
*** shohel has joined #openstack-security | 22:43 | |
*** sdake has quit IRC | 22:43 | |
*** sdake has joined #openstack-security | 22:44 | |
*** woodrow has joined #openstack-security | 22:45 | |
*** sdake has quit IRC | 22:46 | |
*** sdake has joined #openstack-security | 22:50 | |
*** sdake has quit IRC | 22:51 | |
*** voodookid has quit IRC | 22:53 | |
*** singlethink has quit IRC | 22:56 | |
*** shohel has quit IRC | 22:59 | |
*** security-admin has joined #openstack-security | 23:17 | |
*** elo has joined #openstack-security | 23:23 | |
*** sdake has joined #openstack-security | 23:37 | |
*** Ripon has joined #openstack-security | 23:42 | |
*** tmcpeak has quit IRC | 23:51 | |
*** browne has quit IRC | 23:51 |