*** markvoelker has quit IRC | 00:02 | |
*** tmcpeak has joined #openstack-security | 00:12 | |
*** salv-orlando has joined #openstack-security | 00:46 | |
*** salv-orlando has quit IRC | 00:55 | |
*** bpokorny has joined #openstack-security | 01:06 | |
*** jamielennox is now known as jamielennox|away | 01:08 | |
*** tkelsey has joined #openstack-security | 01:25 | |
*** tkelsey has quit IRC | 01:29 | |
*** tjt263 has joined #openstack-security | 01:52 | |
*** salv-orlando has joined #openstack-security | 01:54 | |
*** markvoelker has joined #openstack-security | 01:59 | |
*** markvoelker has quit IRC | 02:03 | |
*** salv-orlando has quit IRC | 02:06 | |
*** tmcpeak has quit IRC | 02:34 | |
*** alejandrito has quit IRC | 03:12 | |
*** SilkySloth has joined #openstack-security | 03:21 | |
*** bpokorny has quit IRC | 03:41 | |
*** bpokorny has joined #openstack-security | 03:42 | |
*** bpokorny has quit IRC | 03:42 | |
*** salv-orlando has joined #openstack-security | 03:52 | |
*** salv-orlando has quit IRC | 03:58 | |
*** Daviey has quit IRC | 03:59 | |
*** salv-orl_ has joined #openstack-security | 04:00 | |
*** markvoelker has joined #openstack-security | 04:00 | |
*** salv-orl_ has quit IRC | 04:04 | |
*** markvoelker has quit IRC | 04:04 | |
*** jamielennox|away is now known as jamielennox | 04:38 | |
openstackgerrit | Stanislaw Pitucha proposed openstack/anchor: Allow configurable signing backends https://review.openstack.org/201394 | 04:39 |
*** Daviey has joined #openstack-security | 04:58 | |
*** salv-orlando has joined #openstack-security | 05:03 | |
*** salv-orlando has quit IRC | 05:06 | |
*** salv-orlando has joined #openstack-security | 05:11 | |
*** tkelsey has joined #openstack-security | 05:27 | |
*** tkelsey has quit IRC | 05:31 | |
*** ig0r_ has joined #openstack-security | 05:33 | |
openstackgerrit | Stanislaw Pitucha proposed openstack/anchor: Allow configurable signing backends https://review.openstack.org/201394 | 05:33 |
openstackgerrit | Stanislaw Pitucha proposed openstack/anchor: Move all plugins to stevedore https://review.openstack.org/208311 | 05:39 |
openstackgerrit | Stanislaw Pitucha proposed openstack/anchor: Move all plugins to stevedore https://review.openstack.org/208311 | 05:41 |
openstackgerrit | Stanislaw Pitucha proposed openstack/anchor: Allow configurable signing backends https://review.openstack.org/201394 | 05:41 |
*** SilkySloth has left #openstack-security | 05:48 | |
openstackgerrit | Stanislaw Pitucha proposed openstack/anchor: Move all plugins to stevedore https://review.openstack.org/208311 | 05:51 |
*** ig0r_ has quit IRC | 05:53 | |
*** ig0r_ has joined #openstack-security | 05:56 | |
*** markvoelker has joined #openstack-security | 06:01 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/security-doc: Imported Translations from Transifex https://review.openstack.org/208323 | 06:01 |
*** markvoelker has quit IRC | 06:05 | |
*** pcaruana has quit IRC | 06:09 | |
*** shohel has joined #openstack-security | 06:09 | |
*** browne1 has quit IRC | 07:04 | |
*** UnknownBoy has joined #openstack-security | 07:06 | |
*** UnknownBoy has quit IRC | 07:11 | |
*** salv-orlando has quit IRC | 07:22 | |
*** tjt263 has quit IRC | 07:25 | |
*** pcaruana has joined #openstack-security | 07:40 | |
*** rmarathu has joined #openstack-security | 07:45 | |
rmarathu | How to run bandit on python code which does not have python extension? | 07:46 |
*** shohel has quit IRC | 07:46 | |
*** salv-orlando has joined #openstack-security | 07:48 | |
*** jamielennox is now known as jamielennox|away | 07:57 | |
*** markvoelker has joined #openstack-security | 08:02 | |
*** markvoelker has quit IRC | 08:06 | |
*** alex_klimov has joined #openstack-security | 08:16 | |
*** tkelsey has joined #openstack-security | 08:29 | |
*** mihero has joined #openstack-security | 08:32 | |
openstackgerrit | Tim Kelsey proposed openstack/bandit: Bug fix for SQL tests https://review.openstack.org/207513 | 08:54 |
*** tjt263 has joined #openstack-security | 08:56 | |
openstackgerrit | Merged openstack/security-doc: Imported Translations from Transifex https://review.openstack.org/208323 | 09:03 |
*** tkelsey has quit IRC | 09:38 | |
*** tkelsey has joined #openstack-security | 09:41 | |
*** salv-orlando has quit IRC | 09:59 | |
*** shohel has joined #openstack-security | 10:00 | |
*** tkelsey has quit IRC | 10:02 | |
*** markvoelker has joined #openstack-security | 10:02 | |
*** markvoelker has quit IRC | 10:07 | |
*** alex_klimov has quit IRC | 10:08 | |
*** alex_klimov has joined #openstack-security | 10:09 | |
*** pcaruana has quit IRC | 10:57 | |
*** pcaruana has joined #openstack-security | 11:14 | |
*** edmondsw has joined #openstack-security | 11:31 | |
*** markvoelker has joined #openstack-security | 11:33 | |
*** markvoelker has quit IRC | 11:38 | |
*** markvoelker_ has joined #openstack-security | 11:54 | |
*** viraptor has quit IRC | 12:06 | |
*** tkelsey has joined #openstack-security | 12:17 | |
*** shohel has quit IRC | 12:25 | |
openstackgerrit | Tim Kelsey proposed openstack/bandit: Adding assert_used documentation https://review.openstack.org/207104 | 12:28 |
openstackgerrit | Tim Kelsey proposed openstack/bandit: Adding any_other_function_with_shell_equals_true documentation https://review.openstack.org/207099 | 12:33 |
*** daemontool_ has joined #openstack-security | 12:33 | |
*** tmcpeak has joined #openstack-security | 12:38 | |
openstackgerrit | Tim Kelsey proposed openstack/bandit: Adding documentation for configuration https://review.openstack.org/205501 | 12:40 |
openstackgerrit | Tim Kelsey proposed openstack/bandit: Bug fix for SQL tests https://review.openstack.org/207513 | 12:46 |
*** daemontool_ is now known as marzif | 12:46 | |
tkelsey | tmcpeak: you about? | 12:46 |
*** browne has joined #openstack-security | 12:57 | |
*** markvoelker_ has quit IRC | 13:02 | |
openstackgerrit | Tim Kelsey proposed openstack/bandit: Bug fix for SQL tests https://review.openstack.org/207513 | 13:02 |
*** markvoelker has joined #openstack-security | 13:04 | |
openstackgerrit | Tim Kelsey proposed openstack/bandit: Adding "execute_with_run_as_root_equals_true" documentation https://review.openstack.org/208470 | 13:12 |
*** browne has quit IRC | 13:13 | |
*** zul has joined #openstack-security | 13:21 | |
openstackgerrit | Tim Kelsey proposed openstack/bandit: Adding "hardcoded_bind_all_interfaces" documentation https://review.openstack.org/208475 | 13:21 |
*** ig0r_ has quit IRC | 13:26 | |
openstackgerrit | Tim Kelsey proposed openstack/bandit: Adding "hardcoded_password" documentation https://review.openstack.org/208479 | 13:29 |
*** singlethink has joined #openstack-security | 13:32 | |
*** ig0r__ has joined #openstack-security | 13:33 | |
openstackgerrit | Tim Kelsey proposed openstack/bandit: Adding "hardcoded_sql_expressions" documentation https://review.openstack.org/208480 | 13:35 |
*** sdake has joined #openstack-security | 13:41 | |
*** ig0r__ has quit IRC | 13:44 | |
openstackgerrit | Tim Kelsey proposed openstack/bandit: Adding "hardcoded_tmp_directory" documentation https://review.openstack.org/208482 | 13:44 |
*** h00327910__ has quit IRC | 13:48 | |
*** bknudson has quit IRC | 13:49 | |
*** browne has joined #openstack-security | 13:50 | |
*** singleth_ has joined #openstack-security | 13:52 | |
*** sigmavirus24_awa is now known as sigmavirus24 | 13:54 | |
*** singlethink has quit IRC | 13:55 | |
*** browne has quit IRC | 14:08 | |
openstackgerrit | Tim Kelsey proposed openstack/bandit: Adding "hardcoded_password" documentation https://review.openstack.org/208479 | 14:11 |
*** bknudson has joined #openstack-security | 14:13 | |
*** ig0r__ has joined #openstack-security | 14:14 | |
*** sdake has quit IRC | 14:16 | |
*** sdake has joined #openstack-security | 14:24 | |
*** elmiko_ has joined #openstack-security | 14:32 | |
*** elmiko_ is now known as __elmiko | 14:32 | |
*** __elmiko is now known as _el_miko | 14:32 | |
*** _el_miko has left #openstack-security | 14:33 | |
*** voodookid has joined #openstack-security | 14:33 | |
tmcpeak | Daviey: around? | 14:34 |
tmcpeak | or elmiko | 14:34 |
Daviey | tmcpeak: here | 14:34 |
tmcpeak | cool - saw there was something going on last Thurs/Friday about somebody wanting to submit a change? | 14:34 |
elmiko | tmcpeak: hey | 14:34 |
tmcpeak | yo, just caught part of the logs from last week | 14:35 |
tmcpeak | and also a pull request on my personal Bandit repo :) | 14:35 |
sigmavirus24 | yeah that was someone trying bandit out at their job | 14:35 |
tmcpeak | awesome | 14:35 |
tmcpeak | we like that | 14:35 |
Daviey | Oh yeah | 14:36 |
sigmavirus24 | they wanted to add the right bug link to the README | 14:36 |
sigmavirus24 | but didn't want to sign the CLA etc | 14:36 |
tmcpeak | ahh ok | 14:36 |
Daviey | It was a trivial 2 line change saying "please use launchpad" | 14:36 |
sigmavirus24 | This is why the GitHub monoculture is really hurting OSS | 14:36 |
Daviey | (a bit better than that, but YKWIM) | 14:36 |
tmcpeak | yeah cool | 14:36 |
tmcpeak | any idea what the company is? | 14:37 |
Daviey | I asked the infra chaps if we could simply sponsor his commit from GH to Gerrit.. and it seems we need to talk to lawyers.. FML | 14:37 |
sigmavirus24 | Also they found what (I think might be a legitimate) bug in which when using bandit with -l{1,} and no issues are reported, it still exits with a non-zero status if lower issues were found | 14:37 |
tmcpeak | lol | 14:37 |
tmcpeak | sigmavirus24: oh, that's a good bug | 14:37 |
sigmavirus24 | yeah | 14:37 |
tmcpeak | ok cool, all that current on Launchpad? | 14:37 |
sigmavirus24 | they filed it for us | 14:37 |
tmcpeak | great | 14:38 |
elmiko | even if you don't want to sign the CLA and submit the patch, the next best approach imo is to post on bugs.launchpad.net | 14:38 |
sigmavirus24 | https://bugs.launchpad.net/bandit/+bug/1480014 | 14:38 |
openstack | Launchpad bug 1480014 in Bandit "bandit does not respect -level for exit code" [Undecided,New] | 14:38 |
Daviey | bug 1480014 | 14:38 |
*** voodookid has quit IRC | 14:38 | |
Daviey | gah, sigmavirus24 is faster | 14:38 |
tmcpeak | elmiko: yeah, agree | 14:38 |
sigmavirus24 | Daviey: that's not always a good thing ;) | 14:38 |
tmcpeak | cool ok | 14:38 |
tmcpeak | so I'm hoping we can push Bandit 0.13 by Weds | 14:38 |
tmcpeak | I have a simplish change I'd like to make to JSON output to include timestamp | 14:39 |
tmcpeak | and then wrap up bugs | 14:39 |
tmcpeak | and circle back on in flight reviews | 14:39 |
Daviey | sigmavirus24: BTW, I watched your pycon talk.. I found it really interesting.. Most of the requests mocking would have been useful to me last year when i was trying to do it.. but the vcr/betamax stuff was entirely new to me. | 14:39 |
tmcpeak | I spoke with tkelsey earlier and we decided to punt on docs to 0.14 | 14:39 |
tmcpeak | Daviey: link? | 14:40 |
sigmavirus24 | Daviey: yeah betamax is still young in my mind | 14:40 |
tmcpeak | I wanna watch :D | 14:40 |
sigmavirus24 | tmcpeak: google my name and "PyCon 2015" | 14:40 |
sigmavirus24 | =P | 14:40 |
tmcpeak | https://us.pycon.org/2015/schedule/presentation/344/ | 14:40 |
sigmavirus24 | yes that's it | 14:40 |
tmcpeak | LMGTFY | 14:40 |
Daviey | https://www.youtube.com/watch?v=YHbKxFcDltM | 14:40 |
tmcpeak | sweet | 14:40 |
sigmavirus24 | Also | 14:40 |
sigmavirus24 | I love how the chatter between myself and the session chair was recorded | 14:41 |
tmcpeak | lol yeah | 14:41 |
sigmavirus24 | If you didn't already know my opinions on Q&A at conference talks, you do now | 14:41 |
tmcpeak | "A brief and opinionated view of testing applications"… opinionated? who Ian? | 14:42 |
Daviey | One of the larger talks I did i tripped on the stage and face planted.. The editing of the video hid this bit :) | 14:42 |
tmcpeak | Daviey: lol, really? full faceplant? | 14:42 |
Daviey | tmcpeak: Yeah, i tripped on a cable... mid talk, walking across the stage. | 14:42 |
tmcpeak | eek, bummer | 14:42 |
Daviey | Everyone burst into laughter. | 14:42 |
tmcpeak | stuff of nightmares bro | 14:43 |
sigmavirus24 | Daviey: and this is why I don't try to multitask during talks | 14:43 |
sigmavirus24 | I have a hard enough time controlling my nerves so I don't skip 5 slides ahead with content | 14:43 |
* sigmavirus24 skipped almost 7 slides at PyTennessee in front of a much smaller crowd than at PyCon | 14:43 | |
tmcpeak | lol damn sigmavirus24 projects much? | 14:43 |
sigmavirus24 | tmcpeak: that's like not many of them | 14:44 |
sigmavirus24 | I just like screwing with people is all | 14:44 |
sigmavirus24 | "I didn't know this dude maintained X. I use X all the time!" | 14:44 |
elmiko | wait, sigmavirus24 is on the Xorg team too? | 14:44 |
elmiko | ;) | 14:44 |
sigmavirus24 | no | 14:44 |
sigmavirus24 | not even funny | 14:45 |
elmiko | hahaha | 14:45 |
sigmavirus24 | wayland or bust | 14:45 |
sigmavirus24 | lol | 14:45 |
elmiko | fair... | 14:45 |
Daviey | Not X Server, but X Files - this is sigmavirus24 - http://images.simplysyndicated.com/wp-content/uploads/2015/05/dirt-dave-and-gill.jpg | 14:45 |
sigmavirus24 | I need to get back to my C roots | 14:45 |
sigmavirus24 | also my chroots | 14:45 |
sigmavirus24 | *rimshot* | 14:45 |
elmiko | lol | 14:46 |
elmiko | Daviey: nice | 14:46 |
sigmavirus24 | Daviey: why am I scully and molder? | 14:50 |
Daviey | sigmavirus24: "Not X Server, but X Files" | 14:51 |
*** voodookid has joined #openstack-security | 14:51 | |
* sigmavirus24 suspects he needs more coffe | 14:51 | |
sigmavirus24 | *coffee | 14:51 |
tmcpeak | lol "because you don't sleep like a normal human being" | 14:55 |
*** barra204 has joined #openstack-security | 14:57 | |
*** bpokorny has joined #openstack-security | 14:57 | |
tmcpeak | sigmavirus24: legit talk | 15:07 |
sigmavirus24 | tmcpeak: did I say "I don't sleep like a normal human being" in my talk? | 15:08 |
sigmavirus24 | I don't even remember anymore | 15:08 |
tmcpeak | haha yeah | 15:08 |
sigmavirus24 | I wasn't lieing | 15:08 |
sigmavirus24 | or lying | 15:08 |
tmcpeak | well you implied you don't ;) | 15:08 |
sigmavirus24 | or whatever | 15:08 |
* sigmavirus24 needs coffee | 15:08 | |
sigmavirus24 | I legitimately will wake up in the middle of a night with a fix for a bug and write it down | 15:09 |
sigmavirus24 | That way I don't forget | 15:09 |
*** ig0r__ has quit IRC | 15:09 | |
tmcpeak | that's legit - way to use the sleep. I usually don't write it down so that if I remember in the morning I determine it's good, and if I don't remember I decide it was probably crap | 15:09 |
*** barra204 has quit IRC | 15:09 | |
*** tkelsey has quit IRC | 15:10 | |
*** pcaruana has quit IRC | 15:13 | |
*** shakamunyi has joined #openstack-security | 15:14 | |
*** shakamunyi is now known as barra204 | 15:16 | |
*** barra204 has quit IRC | 15:26 | |
tmcpeak | quick poll (Daviey, sigmavirus24, browne, tkelsey): I'm planning to add a run timestamp to JSON Bandit output. Should the timestamp be generated as part of main bandit and made available to all reports, or should it be part of the JSON reporting module? I'm leaning towards making it available for all reports | 15:38 |
sigmavirus24 | +1 for all reports | 15:39 |
tmcpeak | great - thought so also, just wanted a sanity check | 15:39 |
sigmavirus24 | Also please use a timezone agnostic timestamp? | 15:39 |
tmcpeak | yeah, GMT | 15:39 |
sigmavirus24 | something like 2014-08-03T13:00:00Z | 15:39 |
tmcpeak | ok cool | 15:40 |
*** barra204 has joined #openstack-security | 15:40 | |
sigmavirus24 | That's one of the more common ISO8601 datetime formats | 15:40 |
sigmavirus24 | please to be using it | 15:40 |
sigmavirus24 | I should have the strformat somewhere in github3.py | 15:40 |
sigmavirus24 | tmcpeak: https://github.com/sigmavirus24/github3.py/blob/develop/github3/models.py#L22 | 15:41 |
sigmavirus24 | I really don't know why I thought that using a dunder variable for that was a good idea a few years ago | 15:41 |
sigmavirus24 | younger me was such an idiot | 15:41 |
tmcpeak | :D | 15:43 |
tmcpeak | I'll take any suggestions as long as they're prefaced with "pleased to be" :P | 15:43 |
tmcpeak | *please | 15:43 |
Daviey | tmcpeak: +1 for all reports | 15:52 |
*** openstackgerrit_ has joined #openstack-security | 15:53 | |
*** singleth_ has quit IRC | 16:01 | |
tmcpeak | cool | 16:02 |
*** ig0r_ has joined #openstack-security | 16:08 | |
*** sdake has quit IRC | 16:16 | |
openstackgerrit | Travis McPeak proposed openstack/bandit: Adding report timestamp https://review.openstack.org/208548 | 16:16 |
*** singlethink has joined #openstack-security | 16:17 | |
*** alex_klimov has quit IRC | 16:20 | |
sigmavirus24 | tmcpeak: added a comment/question | 16:20 |
tmcpeak | sigmavirus24: great point | 16:20 |
tmcpeak | might as well just throw it in report | 16:20 |
* tmcpeak will update | 16:21 | |
sigmavirus24 | or just "generated_at" | 16:21 |
sigmavirus24 | instead of "results_generated_at" | 16:21 |
*** sdake has joined #openstack-security | 16:21 | |
sigmavirus24 | redundancies.redundancy.redundancy_found_at | 16:21 |
*** browne has joined #openstack-security | 16:21 | |
tmcpeak | sigmavirus24: good call, much cleaner to add to the report | 16:29 |
tmcpeak | Daviey: great point | 16:30 |
* sigmavirus24 responded to Daviey's point | 16:31 | |
Daviey | sigmavirus24: Hmm, if a project is using their own bandit.yaml and developer A choose to add/change the default value of Timestamp format in the project bandit.yaml, it isn't our job to stop them. | 16:36 |
Daviey | Oh, two runs from two separate projects | 16:36 |
sigmavirus24 | Daviey: one CI system, two projects, two sets of developers | 16:36 |
Daviey | Why would you want to compare separate projects by time? | 16:36 |
sigmavirus24 | Who said anything about comparing them by time | 16:37 |
sigmavirus24 | One CI system that performs analysis on the output would need to then read the bandit.yaml | 16:37 |
sigmavirus24 | Or be totally dynamic in how it analyzes the output | 16:37 |
sigmavirus24 | Part of the reason for all of these different formats is so tools can be built around that | 16:37 |
Daviey | sigmavirus24: I'd expect openstack projects not to change the default. | 16:37 |
sigmavirus24 | Daviey: openstack isn't the only user of bandit | 16:38 |
Daviey | exactly | 16:38 |
sigmavirus24 | It's not that this particular format is the best format ever, it's that not everything needs to be configurable | 16:38 |
Daviey | And if Davie's-non-openstack-super-secret-project chooses to use GMT+1.. that should be a knob i can twiddle | 16:38 |
*** sdake has quit IRC | 16:43 | |
* tmcpeak agrees - it should be configurable | 16:43 | |
tmcpeak | but doesn't have to be | 16:43 |
tmcpeak | sigmavirus24: some people won't like the format, some will want it more human readable | 16:44 |
tmcpeak | etc | 16:44 |
Daviey | well, i don't feel strongly enough to try and fight to the death over it.. but it does seem reasonable to allow format by user | 16:44 |
sigmavirus24 | This is a very common format, I don't see why relying on its popularity is a bad thing. When someone needs it to be configurable is when we can add it | 16:44 |
sigmavirus24 | We can only ever remove configuration options in big versions and that'll only be terrible | 16:45 |
sigmavirus24 | Let's merge this with a standard and see if anyone *needs* it to be configurable | 16:45 |
*** browne has quit IRC | 16:45 | |
openstackgerrit | Travis McPeak proposed openstack/bandit: Adding report timestamp https://review.openstack.org/208548 | 16:45 |
sigmavirus24 | If we want something human readable for the txt output we can do that too but right now we're only adding this to JSON so, the human readable argument doesn't hold water for me | 16:45 |
*** sdake has joined #openstack-security | 16:47 | |
tmcpeak | in my mind there can be some uses for wanting a different format, and we are definitely not forcing anybody to configure it | 16:47 |
tmcpeak | seems like win-win | 16:47 |
*** kutija has joined #openstack-security | 16:48 | |
sigmavirus24 | tmcpeak: I can imagine usecases for lots of things in bandit (and other similar tools) it doesn't make them appropriate | 16:48 |
sigmavirus24 | And if you wanted, bandit could punt on all of this by generated_at being a datetime and letting formatters determine how to format the string | 16:48 |
tmcpeak | sigmavirus24: that's also true | 16:49 |
*** ig0r_ has quit IRC | 16:49 | |
tmcpeak | hmm | 16:49 |
sigmavirus24 | I mean if we want to be flexible, let formatters figure it out | 16:50 |
tmcpeak | actually I like that better | 16:50 |
sigmavirus24 | subunit may have an expected format, CSV may as well, same for XML | 16:50 |
tmcpeak | yeah, this is true | 16:50 |
tmcpeak | ok I'm going to do that | 16:50 |
sigmavirus24 | XML's format may be <datetime><hour>12</hour><minute>23</minute>...</datetime> | 16:50 |
tmcpeak | formatters don't get config, so there won't be any way to change it | 16:50 |
tmcpeak | is that something we can live with? | 16:50 |
* sigmavirus24 is only being partially serious | 16:51 | |
tmcpeak | partially serious or not I think that makes sense | 16:51 |
sigmavirus24 | tmcpeak: I think formats should generate consistent things personally so it doesn't bother me | 16:51 |
sigmavirus24 | *partially serious about xml formatting things like that | 16:51 |
tmcpeak | alright well Daviey- since you initially suggested it, are you happy with this approach? | 16:51 |
tmcpeak | formatters basically hardcode the output format? | 16:52 |
tmcpeak | it makes sense to me | 16:52 |
sigmavirus24 | people can then write their own formatter with their own datetime format | 16:52 |
sigmavirus24 | so it's still configurable | 16:52 |
sigmavirus24 | it isn't yaml configurable, but then the format will always be deterministic | 16:52 |
tmcpeak | well writing their own formatter definitely raises the bar, but yeah, I see your point | 16:52 |
Daviey | tmcpeak: I think that makes more sense actually | 16:53 |
tmcpeak | ok cool | 16:53 |
* tmcpeak changes | 16:53 | |
Daviey | Having, /some/ way of configuring it is what matters.. and it probably belongs less in yaml | 16:53 |
*** ig0r_ has joined #openstack-security | 16:54 | |
*** ig0r_ has quit IRC | 16:55 | |
elmiko | hey doc folks =) | 17:00 |
elmiko | i know you're here Daviey, looks like on one else though... | 17:01 |
Daviey | elmiko: Oh, yes - thanks for the poke.. I forgot the time. | 17:01 |
*** pdesai has joined #openstack-security | 17:02 | |
elmiko | hi pdesai | 17:02 |
openstackgerrit | Travis McPeak proposed openstack/bandit: Adding report timestamp https://review.openstack.org/208548 | 17:03 |
pdesai | Hi elmiko | 17:03 |
pdesai | hi | 17:03 |
elmiko | ok, well maybe just 3 of us | 17:04 |
elmiko | any reports on the rst status? | 17:04 |
pdesai | aah | 17:04 |
*** ig0r_ has joined #openstack-security | 17:04 | |
elmiko | i see my bug got merged, do we have any others we should be pushing on? | 17:04 |
pdesai | i read through identity, databases, and messaging | 17:04 |
openstackgerrit | Travis McPeak proposed openstack/bandit: Adding report timestamp https://review.openstack.org/208548 | 17:05 |
pdesai | i had one, but havent checked its status | 17:05 |
Daviey | OT for the meeting: tmcpeak, do you have a pastebin of the default output - ETOOLAZY to run it. | 17:05 |
pdesai | i wanted to talk about, importing policy file in identity chapter | 17:05 |
elmiko | pdesai: yea, i see you marked some done. i need to do that with data processing | 17:05 |
tmcpeak | Daviey: will get | 17:05 |
elmiko | pdesai: cool, what issue did you want to bring up about the policy file? | 17:06 |
*** pcaruana has joined #openstack-security | 17:06 | |
pdesai | i dont find a solution for importing json payload and marking it as the json source at the same time | 17:06 |
elmiko | do you mean importing it to the doc? | 17:06 |
pdesai | yes, | 17:06 |
elmiko | hmm | 17:06 |
elmiko | i wonder if we could get away with embedding the content in a ".. code: json" block? | 17:07 |
Daviey | I can update about the RST theme, So we got the Contents on the left added.. but requires a release of 'openstackdocstheme'.. They are holding off cutting a release until this lands - https://review.openstack.org/#/c/208370/ .. Then RST appearance has everything we required. | 17:08 |
tmcpeak | Daviey: relevant excerpt of JSON output: http://paste.openstack.org/show/406776/ | 17:08 |
Daviey | tmcpeak: ta | 17:08 |
pdesai | i checked admin guide in rst and they have pasted policy file content instead of linking it to a file | 17:08 |
elmiko | Daviey: so, once we have a new openstackdocstheme release then we can incorporate that into our doc? | 17:08 |
elmiko | pdesai: yea, that's kinda what i was thinking | 17:09 |
pdesai | yeah | 17:09 |
Daviey | elmiko: we'll get it automagically.. just by adding another commit. | 17:09 |
Daviey | ie, rebuild | 17:09 |
elmiko | Daviey: awesome | 17:09 |
elmiko | pdesai: i'd say just embed the content directly in our rst file then | 17:09 |
pdesai | for now, we can live with copying content then, yup | 17:09 |
elmiko | +1 | 17:09 |
pdesai | thanks | 17:10 |
Daviey | How do we make sure it stays consistent ? | 17:10 |
elmiko | consistent between the docbook and rst version? | 17:11 |
Daviey | Oh sorry.. i thought this was about taking content from a project policy.json and putting it in RST | 17:11 |
pdesai | yup thats what it is :) | 17:11 |
Daviey | Yeah.. so, this feels like something that will suck trying to keep it consistent | 17:12 |
elmiko | it is, but i think it's just our local policy information carried in the project. not an external file, is that accurate pdesai ? | 17:12 |
pdesai | yeah its just an example of how policy file looks like, we are anyways not going to copy entire policy file | 17:12 |
Daviey | It isn't like it changes rarely, https://github.com/openstack/nova/commits/master/etc/nova/policy.json | 17:12 |
pdesai | some snippet | 17:12 |
pdesai | will get into the guide | 17:12 |
Daviey | Oh | 17:13 |
Daviey | Ok, fair enough | 17:13 |
elmiko | yea, it's just our sample | 17:13 |
pdesai | yup | 17:13 |
Daviey | LGTM :) | 17:13 |
pdesai | do we want to discuss, list of pressing bugs, from sicarie? | 17:13 |
elmiko | so, i see that some of the bugs marked medium prio in the etherpad have reviews associated with them. i guess we should look through and make sure all the mediums are addressed | 17:14 |
elmiko | hehe, was just getting to that =) | 17:14 |
elmiko | i think this is our next issue, clean up the medium prio bugs | 17:14 |
pdesai | +1 to med bugs | 17:14 |
Daviey | agreed | 17:15 |
elmiko | ok, so i see a few that are still open. best thing would be for us each to grab one and just mark our name next to it | 17:15 |
elmiko | then, when you have a review past the link there | 17:15 |
elmiko | (standard stuff) | 17:15 |
pdesai | sure, yup sounds good | 17:16 |
elmiko | i'll go look at the ones sicarie posted and clean them up, if necessary | 17:16 |
elmiko | ok, cool | 17:16 |
pdesai | i am taking on identity from sicarie's list | 17:16 |
Daviey | Are these issues considered blocking to RST switcher-over, or just stuff that needs to be done at some point? | 17:16 |
*** dwyde has joined #openstack-security | 17:16 | |
elmiko | i think sicarie wanted the medium ones cleaned up before we switched over | 17:16 |
elmiko | he and i talked about making sure the bugs are clean while he is away | 17:17 |
Daviey | sicarie really is a stickler for detail, isn't he. | 17:17 |
elmiko | i'm guessing we will wait to switch over completely until he returns | 17:17 |
pdesai | when will be sicarie back? | 17:17 |
elmiko | well, the list of "very lows" is large hehe | 17:17 |
elmiko | he'll be back in 2 weeks | 17:18 |
pdesai | :) | 17:18 |
elmiko | but i don't think the very lows are blockers | 17:18 |
pdesai | no, i agree, very low can wait | 17:18 |
elmiko | ok, so, main focus is cleanup the mediums. i think that's about it for this week. | 17:19 |
pdesai | cool | 17:19 |
elmiko | either of you have topics to discuss? | 17:19 |
pdesai | nope | 17:19 |
Daviey | just a side note, i'm not quite sure how active i can be this week. | 17:19 |
elmiko | Daviey: ack, thanks for the heads up | 17:20 |
elmiko | i guess that's all for business this week. have a good one, and we'll stay in touch through the etherpad | 17:20 |
elmiko | #link https://etherpad.openstack.org/p/sec-guide-rst | 17:20 |
elmiko | ;) | 17:20 |
pdesai | yup thanks guys | 17:20 |
Daviey | elmiko: I'd rather stay in touch via gerrit reviews :) | 17:21 |
elmiko | Daviey: that works too =) | 17:21 |
openstackgerrit | Michael McCune proposed openstack/security-doc: Adding file permissions section https://review.openstack.org/207707 | 17:23 |
*** ig0r_ has quit IRC | 17:25 | |
*** salv-orlando has joined #openstack-security | 17:25 | |
*** browne has joined #openstack-security | 17:30 | |
*** ig0r_ has joined #openstack-security | 17:33 | |
openstackgerrit | Travis McPeak proposed openstack/bandit: Adding report timestamp https://review.openstack.org/208548 | 17:39 |
tmcpeak | sigmavirus24, browne, Daviey: ^ reviewsies? | 17:41 |
Daviey | tmcpeak: sorry, how do i customize the formatter? | 17:44 |
*** ig0r_ has quit IRC | 17:44 | |
* Daviey goes afk, will be back later. o/ | 17:46 | |
browne | tmcpeak: i'll take a look. got a meeting coming up here, so may be in an hour or so | 17:48 |
tmcpeak | ok cool | 17:48 |
tmcpeak | thank you | 17:48 |
*** rmarathu has quit IRC | 17:55 | |
openstackgerrit | Michael McCune proposed openstack/security-doc: Trying to add numbers and orders to commands https://review.openstack.org/207721 | 17:58 |
*** salv-orl_ has joined #openstack-security | 17:59 | |
*** salv-orlando has quit IRC | 18:01 | |
openstackgerrit | Michael McCune proposed openstack/security-doc: Trying to add numbers and orders to commands https://review.openstack.org/207721 | 18:02 |
sigmavirus24 | tmcpeak: left a comment explaining why python3.4 is failing | 18:02 |
openstackgerrit | Travis McPeak proposed openstack/bandit: Adding report timestamp https://review.openstack.org/208548 | 18:02 |
*** elo1 has joined #openstack-security | 18:03 | |
openstackgerrit | Travis McPeak proposed openstack/bandit: Adding report timestamp https://review.openstack.org/208548 | 18:03 |
tmcpeak | sigmavirus24: yeah got it, thank you | 18:03 |
tmcpeak | sigmavirus24: good catches (again) | 18:07 |
tmcpeak | I should probably re-up on coffee before I push more code | 18:07 |
sigmavirus24 | no worries | 18:07 |
*** openstackgerrit_ has quit IRC | 18:07 | |
sigmavirus24 | coffee is always a must | 18:07 |
* sigmavirus24 needs to figure out a way to have it such that a pot is always ready and fresh | 18:07 | |
sigmavirus24 | like a way to automate making pots of coffee | 18:08 |
sigmavirus24 | probably need a weight sensor to detect when the pot's empty | 18:08 |
sigmavirus24 | a hose to hook up to the water pipes so no one needs to refill anything | 18:08 |
sigmavirus24 | something to dump/refill coffee grounds/filter | 18:08 |
tmcpeak | how about a caffeine pouch IV | 18:10 |
openstackgerrit | Travis McPeak proposed openstack/bandit: Adding report timestamp https://review.openstack.org/208548 | 18:10 |
elmiko | sigmavirus24: move in to a starbucks? | 18:11 |
tmcpeak | nice stupid simple change now :) ^ | 18:11 |
tmcpeak | I'm glad I have nitty reviewers, that's how the crap code stays out | 18:11 |
sigmavirus24 | tmcpeak: sigmavirus24's razor =P | 18:11 |
tmcpeak | haha | 18:11 |
sigmavirus24 | each review removes a layer of skin and code | 18:11 |
tmcpeak | I like it! | 18:12 |
sigmavirus24 | elmiko: the closest starbucks to me is 25minutes away | 18:12 |
sigmavirus24 | Also, they always have shit WiFi | 18:12 |
tmcpeak | hence you should move :# | 18:13 |
elmiko | wow, you must be in the boonies! | 18:13 |
tmcpeak | haha | 18:13 |
sigmavirus24 | I am | 18:13 |
sigmavirus24 | Someone in the python users' group I run was removed from a Starbucks around here for using the bathroom too much | 18:13 |
sigmavirus24 | He had bought like 5 coffees over the course of 4 hours and used the bathroom a few times | 18:13 |
sigmavirus24 | So they called the cops and accused him of selling drugs | 18:13 |
tmcpeak | lol | 18:13 |
elmiko | wtf... | 18:14 |
sigmavirus24 | Yeah | 18:14 |
sigmavirus24 | I mean, I'm trusting that he isn't just bullshitting me | 18:14 |
sigmavirus24 | But I find it kind of believable | 18:14 |
sigmavirus24 | These midwesterners don't like "coasties" much | 18:14 |
tmcpeak | "nah man, you've got me all wrong. I'm not selling drugs, I'm selling dreams!" | 18:14 |
sigmavirus24 | He and I are both "coasties" (West and East respectively) | 18:15 |
tmcpeak | or something | 18:15 |
sigmavirus24 | tmcpeak: dreams that one day all software will be more secure | 18:15 |
sigmavirus24 | or something | 18:15 |
tmcpeak | :P | 18:15 |
sigmavirus24 | "one day, giant hacks like what happened to the government won't happen" "So you're saying you hacked the government?!" | 18:15 |
tmcpeak | a typical interpretation | 18:15 |
sigmavirus24 | Yep | 18:15 |
sigmavirus24 | This is why you don't talk to cops | 18:16 |
sigmavirus24 | Or I don't | 18:16 |
tmcpeak | or sleep :) | 18:16 |
elmiko | yea, one day those hacks won't happen.... an entirely new set of hacks will be happening ;) | 18:16 |
tmcpeak | btw goal is Bandit 0.13 by Weds, did I mention that? | 18:17 |
tmcpeak | I'm planning to cruise through LP and fix the things | 18:17 |
tmcpeak | I need this timestamp for some HP goodies I'm playing with ;) | 18:17 |
sigmavirus24 | mhm | 18:21 |
elmiko | pdesai: are you working on the identity page policy.json that didn't get fully migrated? (line 348 in the etherpad) | 18:25 |
openstackgerrit | Michael McCune proposed openstack/security-doc: Updating missing link in object storage section https://review.openstack.org/207706 | 18:28 |
pdesai | elmiko: yup | 18:32 |
elmiko | pdesai: ack, thanks for marking it =) | 18:33 |
elmiko | i think i've cleaned up the other reviews | 18:34 |
pdesai | thanks | 18:34 |
tmcpeak | sigmavirus24, browne, Daviey: for this https://bugs.launchpad.net/bandit/+bug/1480014 I'm thinking about an approach of filtering results before they get passed to reports | 18:38 |
openstack | Launchpad bug 1480014 in Bandit "bandit does not respect -level for exit code" [Medium,Confirmed] - Assigned to Travis McPeak (travis-mcpeak) | 18:38 |
tmcpeak | obviously this means that reports won't get all the issues | 18:38 |
tmcpeak | but really I think that's what we want | 18:38 |
tmcpeak | agrees? | 18:38 |
tmcpeak | whatever is set as a filter should be filtered at the highest level possible | 18:39 |
sigmavirus24 | tmcpeak: that makes sense to me | 18:39 |
tmcpeak | great | 18:39 |
tmcpeak | sigmavirus24: hmm, I think this conversation might have been had before | 18:43 |
tmcpeak | we do want to make all results available to formatters | 18:44 |
tmcpeak | don't remember why... | 18:44 |
sigmavirus24 | lol | 18:44 |
sigmavirus24 | Not a problem with me | 18:44 |
tmcpeak | ok, I' | 18:44 |
tmcpeak | I'm just going to refilter for status code | 18:44 |
sigmavirus24 | perhaps we should keep track of filtered results and only exit non-zero if total results > filtered results? | 18:44 |
*** shakamunyi has joined #openstack-security | 18:46 | |
tmcpeak | I was thinking of giving the result store a method to determine how many non-filtered results there are | 18:46 |
tmcpeak | so pass it optional severity and confidence filter and return appropriate exit code based on that | 18:46 |
tmcpeak | hmm browne | 18:47 |
sigmavirus24 | tmcpeak: I'm concerned about large result sets | 18:47 |
tmcpeak | sigmavirus24: how so? | 18:47 |
sigmavirus24 | refiltering a second time could take a while and it'll slow down the tool | 18:47 |
tmcpeak | yeah, true | 18:48 |
tmcpeak | performance-wise it sucks | 18:48 |
sigmavirus24 | although | 18:48 |
tmcpeak | could obviously exit on first finding | 18:48 |
tmcpeak | but still | 18:48 |
sigmavirus24 | it shouldn't be too terrible unless there are probably >10000 results | 18:48 |
sigmavirus24 | or 100000 | 18:48 |
sigmavirus24 | the bulk of bandit's time right now is in the ast checking | 18:49 |
sigmavirus24 | (probably) | 18:49 |
* sigmavirus24 still wants to profile bandit | 18:49 | |
sigmavirus24 | so it's probably not a bad start | 18:49 |
tmcpeak | I think it is the easiest approach | 18:49 |
sigmavirus24 | yeah | 18:50 |
sigmavirus24 | my concerns lately have been computation complexity and relative performance of features in other places so I'm sorry they're bleeding over here | 18:52 |
tmcpeak | no worries, always good to have somebody paying attention | 18:52 |
*** zul has quit IRC | 19:11 | |
*** kutija_ has joined #openstack-security | 19:14 | |
*** kutija has quit IRC | 19:16 | |
*** singlethink has quit IRC | 19:19 | |
*** sdake has quit IRC | 19:28 | |
*** singlethink has joined #openstack-security | 19:35 | |
*** jhfeng has joined #openstack-security | 19:56 | |
openstackgerrit | Travis McPeak proposed openstack/bandit: Fixes exit code for filtered results https://review.openstack.org/208629 | 19:59 |
*** sdake has joined #openstack-security | 20:01 | |
*** singleth_ has joined #openstack-security | 20:02 | |
*** singlethink has quit IRC | 20:05 | |
tmcpeak | browne around? | 20:08 |
browne | tmcpeak: hi | 20:10 |
*** sdake_ has joined #openstack-security | 20:10 | |
tmcpeak | browne: hey, so this bug: https://bugs.launchpad.net/bandit/+bug/1479216 | 20:10 |
openstack | Launchpad bug 1479216 in Bandit "InvocationError with no reason" [Undecided,New] | 20:10 |
tmcpeak | I think is the exit code not working based on severity | 20:10 |
browne | ok, that makes sense i think | 20:10 |
tmcpeak | cool | 20:10 |
tmcpeak | I have a fix in for that | 20:10 |
tmcpeak | ready for review | 20:11 |
browne | ok, let me take a look | 20:11 |
*** pdesai has quit IRC | 20:11 | |
tmcpeak | browne: also your confidence filter work (when it's done) should use this function I've added | 20:11 |
browne | ok | 20:12 |
browne | so is 1480014 a dup of 1479216? | 20:12 |
tmcpeak | I think 1479216 is a side-effect of 1480014 | 20:13 |
*** sdake has quit IRC | 20:13 | |
openstackgerrit | Travis McPeak proposed openstack/bandit: Rewording subprocess without shell finding https://review.openstack.org/208637 | 20:18 |
tmcpeak | browne: blank line on 118 I did on purpose, helps readability IMO | 20:20 |
tmcpeak | I'll nuke it if you hate it though | 20:20 |
Daviey | tmcpeak: Is it really "dangerous system calls" that are the primary concern? | 20:24 |
tmcpeak | I think so, what other issue would there be with an escaped subprocess call? | 20:25 |
tmcpeak | Daviey: ^ | 20:25 |
openstackgerrit | Travis McPeak proposed openstack/bandit: Fixes exit code for filtered results https://review.openstack.org/208629 | 20:26 |
tmcpeak | browne: fixed | 20:26 |
Daviey | tmcpeak: Obviously not command injection, but unfiltered execution of user input? | 20:26 |
*** pdesai has joined #openstack-security | 20:28 | |
tmcpeak | Daviey: sure, yeah, good point | 20:29 |
openstackgerrit | Travis McPeak proposed openstack/bandit: Rewording subprocess without shell finding https://review.openstack.org/208637 | 20:30 |
tmcpeak | Daviey: done | 20:30 |
tmcpeak | sigmavirus24, browne mergies on this one? https://review.openstack.org/208548 | 20:31 |
browne | sure, i'll merge | 20:31 |
browne | unless there are any last minute objections | 20:31 |
tmcpeak | I think everybody is universally in love with that change at this point :D | 20:32 |
browne | :) | 20:32 |
browne | +W | 20:32 |
tmcpeak | so I think with these last two changes we should be good to go on 13 | 20:32 |
Daviey | If i could marry a changeset, that wouldn't be it.. but it would be lover on the side. | 20:32 |
tmcpeak | unless somebody is dying to get something else in | 20:33 |
tmcpeak | Daviey: this means a lot | 20:33 |
Daviey | tmcpeak: hmm, i really, really want to get my config change in.. | 20:33 |
openstackgerrit | Merged openstack/bandit: Adding report timestamp https://review.openstack.org/208548 | 20:33 |
tmcpeak | Daviey: config change? | 20:34 |
tmcpeak | oh, you mean moving everything out of bandit.yaml into sub configs? | 20:34 |
Daviey | https://review.openstack.org/#/c/203451/ | 20:34 |
Daviey | tmcpeak: no, not that | 20:34 |
tmcpeak | oh yeah | 20:34 |
tmcpeak | I thought this merged already :D | 20:34 |
Daviey | Yeah, i'd have liked to have.. but I was being lazy with my mocking and got called out on it. | 20:35 |
tmcpeak | haha ok | 20:35 |
browne | since so far i think everyone supplies their own bandit.yaml, it might not be urgent for 13 | 20:35 |
Daviey | Although, it isn't dire how it is.. Maybe I could suggest merging as is, and improving the mocking post release? | 20:36 |
tmcpeak | I agree with that statement | 20:36 |
*** ig0r_ has joined #openstack-security | 20:36 | |
Daviey | browne: Well, it is a problem for Debian | 20:36 |
browne | Daviey: what's the issue on Debian? | 20:36 |
Daviey | browne: Unless you have a suggestion how i can work around it? | 20:36 |
tmcpeak | hmmm, I'd like to get the Debian stuff squared away | 20:37 |
Daviey | browne: The docs we have say that we default to looking in /etc/bandit.yaml.. but in NO circumstances do we ever look there. | 20:37 |
Daviey | And on a site wide install, we use site-packages/bandit/bandit.yaml or whatever. | 20:37 |
Daviey | the library directory | 20:37 |
Daviey | This isn't suitable for a distro really... | 20:37 |
browne | ok, so if they didn't supply their own bandit.yaml, it wouldn't load one at all on Debian, correct? | 20:38 |
Daviey | Yeah, errors out with no config found | 20:38 |
Daviey | (as i don't install the one into the python library path) | 20:39 |
Daviey | browne: but --help says we look in /etc/.. so really confusing | 20:39 |
tmcpeak | bknudson: you around? | 20:39 |
browne | ok, understood, would be a nice fix. we need to decide how to handle the -1 | 20:39 |
bknudson | tmcpeak: where else would I be? | 20:39 |
tmcpeak | haha | 20:40 |
sigmavirus24 | Daviey: are you part of the Debian OpenStack team or DPMT? | 20:40 |
tmcpeak | so we're debating the comments on this: https://review.openstack.org/#/c/203451/4/tests/test_config.py | 20:40 |
Daviey | sigmavirus24: I am part of debian openstack team.. but i try not to be too involved. Some hard to work with personalities there. | 20:40 |
tmcpeak | in your opinion how important are the mocking changes, as in do you think it's worthwhile to hold this change up until we get the right mocking in place | 20:40 |
Daviey | sigmavirus24: I was going to go straight to Ubuntu, but i felt like being a good netizen | 20:41 |
sigmavirus24 | Daviey: I was going to ask how you snuck an openstack project into DPMT | 20:41 |
bknudson | tmcpeak: the tests can always be fixed. | 20:41 |
bknudson | tmcpeak: I could propose the changes. | 20:41 |
tmcpeak | bknudson: ok great, specifically I'd like to propose getting 0.13.0 in like this and those improvements in next release | 20:41 |
Daviey | sigmavirus24: Well, i managed to sneak this past zigo. :) | 20:42 |
tmcpeak | everybody happy with that? | 20:42 |
sigmavirus24 | Daviey: also 90% sure zigo is going to be angry at openstack/searchlight | 20:42 |
bknudson | works for me. | 20:42 |
Daviey | sigmavirus24: Good. | 20:42 |
tmcpeak | cool, Daviey? you good with that? | 20:42 |
sigmavirus24 | Daviey: searchlight has a hard dependency on Elasticsearch which I somehow doubt Debian actually packages | 20:42 |
Daviey | bknudson: If i do the style things you picked up on.. Are you OK with the appdirs mocking coming later? | 20:43 |
bknudson | Daviey: sure | 20:43 |
tmcpeak | ok awesome, thanks bknudson and Daviey | 20:43 |
tmcpeak | +A here please: https://review.openstack.org/#/c/207080/ | 20:46 |
*** elo1 has quit IRC | 20:48 | |
openstackgerrit | Merged openstack/bandit: Adding a more informative help message for "-l" https://review.openstack.org/207080 | 20:50 |
*** ig0r__ has joined #openstack-security | 20:50 | |
*** dwyde has quit IRC | 20:50 | |
openstackgerrit | Merged openstack/bandit: Bug fix for SQL tests https://review.openstack.org/207513 | 20:50 |
*** ig0r_ has quit IRC | 20:50 | |
*** elo has joined #openstack-security | 20:56 | |
elmiko | hey all, we've run into an issue with the comments on an rsa public key. i'm not seeing anything about comments in rfc3447, is this addressed somewhere? | 21:00 |
sigmavirus24 | elmiko: alternatively this could be discussed in #cryptography-dev because I bet there are people in there who know that RFC really well | 21:03 |
elmiko | ooh nice | 21:03 |
elmiko | thanks! | 21:03 |
*** singlethink has joined #openstack-security | 21:04 | |
tmcpeak | browne: reapprove here por favor? https://review.openstack.org/#/c/208629/ | 21:06 |
tmcpeak | also browne, sigmavirus24: this one too please | 21:07 |
*** singleth_ has quit IRC | 21:08 | |
*** dwyde has joined #openstack-security | 21:10 | |
*** singleth_ has joined #openstack-security | 21:14 | |
*** singlethink has quit IRC | 21:16 | |
*** ig0r__ has quit IRC | 21:21 | |
*** jhfeng has quit IRC | 21:28 | |
openstackgerrit | Dave Walker proposed openstack/bandit: Actually default to /etc/ rather than just claim https://review.openstack.org/203451 | 21:28 |
*** jhfeng has joined #openstack-security | 21:29 | |
Daviey | bknudson: ^^ | 21:29 |
Daviey | elmiko: What comments issue are you looking at? | 21:29 |
elmiko | Daviey: https://github.com/pyca/cryptography/issues/2199 | 21:33 |
Daviey | elmiko: interesting, seen this in flight change - https://review.openstack.org/#/c/208661/ ? | 21:34 |
Daviey | only 5 mins old. :) | 21:34 |
elmiko | interesting, i think that came out of a discussion that a fellow sahara dev started in -nova | 21:34 |
Daviey | ah | 21:36 |
Daviey | elmiko: In a previous project, used conch.ssh.keys to do validation. Maybe logic there is useful? | 21:37 |
*** singleth_ has quit IRC | 21:37 | |
elmiko | Daviey: not sure, maybe for the nova folks. we just generated the key with ssh-keygen, it just so happened that we were using `-C "Generated by Sahara"` | 21:40 |
elmiko | who knew... | 21:40 |
Daviey | ah, i see | 21:41 |
Daviey | "This SSH Key is Proudly brought to you by the folks at Sahara." | 21:42 |
browne | the blame is on me for introducing cryptography to Nova crypto and breaking Sahara | 21:43 |
elmiko | haha | 21:47 |
elmiko | i did file a bug against cryptography on reaperhulk's suggestion though | 21:47 |
browne | elmiko: cool, it'll probably get fixed quickly | 21:47 |
elmiko | looks like it already did lol | 21:48 |
elmiko | https://github.com/pyca/cryptography/pull/2200 | 21:48 |
browne | damn, those guys are quick | 21:48 |
elmiko | totally! | 21:48 |
tmcpeak | Daviey: I think this is fairly tough to test the way things are currently set up | 21:51 |
*** pdesai has quit IRC | 21:51 | |
openstackgerrit | Dave Walker proposed openstack/bandit: Actually default to /etc/ rather than just claim https://review.openstack.org/203451 | 22:04 |
Daviey | bknudson: Fancy one last look pls? ^^ | 22:05 |
Daviey | elmiko / browne: Honestly, the responsiveness of that issue really does add weight to using crypto.io for the primitives in Anchor as well IMO. | 22:06 |
Daviey | tmcpeak: Ok, fair enough | 22:07 |
tmcpeak | Daviey: cool | 22:08 |
Daviey | bknudson: So should i use "def __str__(self):" and simply return my mangled string? | 22:11 |
bknudson | Daviey: no, call super's __init__ with the string ... that's what it was doing before. | 22:12 |
Daviey | ah | 22:12 |
tmcpeak | Daviey: is this a typo? /Users/$PUSER}/Library/Application Support/bandit/bandit.yaml | 22:13 |
bknudson | I don't think you want to use __str__ due to unicode issues. | 22:13 |
browne | Daviey: agree | 22:13 |
Daviey | tmcpeak: yeah | 22:13 |
*** pdesai has joined #openstack-security | 22:13 | |
tmcpeak | coolio | 22:13 |
Daviey | tmcpeak: My fingers are too phat. | 22:14 |
tmcpeak | there is no too phat | 22:15 |
browne | phat = pretty hot and tempting | 22:15 |
browne | i don't think of fingers that way. :) | 22:15 |
tmcpeak | inappropriate response successfully filtered | 22:16 |
tmcpeak | sigmavirus24: +A here? | 22:17 |
tmcpeak | https://review.openstack.org/208629 | 22:17 |
tmcpeak | sigmavirus24: thanks, I also tested it | 22:20 |
tmcpeak | Daviey: I'm failing py27 unit tests on that | 22:21 |
openstackgerrit | Merged openstack/bandit: Fixes exit code for filtered results https://review.openstack.org/208629 | 22:21 |
sigmavirus24 | tmcpeak: I'm sure you did | 22:21 |
sigmavirus24 | I always like 2 or 3 factor verification tmcpeak | 22:21 |
Daviey | tmcpeak: huh? | 22:22 |
tmcpeak | on mac | 22:23 |
tmcpeak | hang on | 22:23 |
tmcpeak | pasties | 22:23 |
tmcpeak | http://paste.openstack.org/show/406799/ | 22:23 |
Daviey | oh fml | 22:23 |
tmcpeak | seems I'm only getting 3 configs | 22:23 |
Daviey | tmcpeak: can you print me the 3 configs? | 22:24 |
Daviey | tmcpeak: I was really just checking it wasn't an empty set, and 4 seemed to be the minimum.. but i guess on mac it is 3... i can bump it down to that | 22:24 |
tmcpeak | Daviey: sure, let me print the configs | 22:25 |
Daviey | ta | 22:25 |
Daviey | wow, i've had to rebase twice this evening... fast moving project! :) | 22:26 |
tmcpeak | gaggga | 22:27 |
tmcpeak | how the f do I extract information from tox | 22:27 |
tmcpeak | I can't print a list, I can't pdb | 22:27 |
tmcpeak | what in the blue f do I need to do to debug? ;) | 22:27 |
tmcpeak | I hate tox :'( | 22:27 |
tmcpeak | with a capital H | 22:27 |
openstackgerrit | Dave Walker proposed openstack/bandit: Actually default to /etc/ rather than just claim https://review.openstack.org/203451 | 22:28 |
*** dwyde has quit IRC | 22:29 | |
bknudson | tmcpeak: keystone has a tox -e debug that makes debug easier. | 22:31 |
Daviey | tmcpeak: Actually.. don't worry | 22:32 |
tmcpeak | bknudson: ahh | 22:32 |
Daviey | tmcpeak: elmiko ran a standalone snippet the other day for me on mac.. https://gist.github.com/Daviey/6edf198a996ba55a0167 | 22:32 |
tmcpeak | bknudson: you know if that allows pdb? | 22:32 |
tmcpeak | I'm lost without pdb | 22:33 |
bknudson | tmcpeak: yes, that's what it's for | 22:33 |
Daviey | tox should really do more to help... --verbose should work out of the box imo | 22:34 |
tmcpeak | Daviey: another paste coming | 22:35 |
tmcpeak | http://paste.openstack.org/show/406802/ | 22:35 |
tmcpeak | Daviey: ^ | 22:35 |
tmcpeak | Daviey: this apparently needs to be added | 22:37 |
tmcpeak | MacBook-Pro:bandit travismcpeak$ bandit -r ~/Documents/projects/OpenStack_projects/keystone | 22:37 |
tmcpeak | [bandit]INFOusing config: /usr/local/lib/python2.7/site-packages/bandit/config/bandit.yaml | 22:37 |
Daviey | tmcpeak: Hmm, no - i think that is desired behaviour | 22:37 |
tmcpeak | it most certainly isn't.. I installed Bandit and I have no config | 22:37 |
tmcpeak | when I pip install it it goes to the /usr/local directory | 22:37 |
Daviey | tmcpeak: sudo pip install ? | 22:37 |
tmcpeak | Daviey: I don't sudo pip install it normally, but yeah, same path | 22:39 |
tmcpeak | I believe it's a homebrew thing | 22:39 |
Daviey | ugh | 22:39 |
Daviey | tmcpeak: if you pip uninstall bandit | grep bandit.yaml ? | 22:40 |
tmcpeak | sec | 22:40 |
tmcpeak | as expected: /usr/local/lib/python2.7/site-packages/bandit/config/bandit.yaml | 22:41 |
tmcpeak | Daviey: so with brew it uses /usr/local instead of the mac directories | 22:41 |
tmcpeak | I'm basically using the brew version of Python rather than the Mac version | 22:42 |
Daviey | tmcpeak: Well.. it isn't supposed to do that.. | 22:42 |
Daviey | tmcpeak: It is supposed to treat that file differently... https://review.openstack.org/#/c/203451/7/setup.cfg | 22:42 |
Daviey | tmcpeak: site-packages is the bandit library path which is bad karma for configs.. | 22:43 |
Daviey | I'm quite naive with how Mac's handle config files | 22:43 |
tmcpeak | Daviey: yeah, honestly I'm puzzled too | 22:45 |
Daviey | tmcpeak: if you run this gist, what do you get? https://gist.github.com/Daviey/6edf198a996ba55a0167 | 22:46 |
Daviey | Any other mac people around? | 22:47 |
tmcpeak | lemme see | 22:48 |
Daviey | Oh actually | 22:48 |
Daviey | Your logging earlier gives me that | 22:48 |
tmcpeak | ['./bandit.yaml', '/Users/travismcpeak/Library/Application Support/bandit/bandit.yaml', '/Library/Application Support/bandit/bandit.yaml'] | 22:48 |
tmcpeak | yeah, this is correct for what it's supposed to be by the appdir logic | 22:49 |
tmcpeak | the problem is that my setup isn't installing things there | 22:49 |
Daviey | I'm doing the right thing according to pbr doc's.. http://docs.openstack.org/developer/pbr/ | 22:50 |
Daviey | I might have to see if lifeless has an idea. | 22:50 |
tmcpeak | Daviey: yeah, an expert would be great on this. I'm not sure why my stuff is going to a different directory. I suspect homebrew but I'm not sure | 22:51 |
*** shakamunyi has quit IRC | 22:51 | |
Daviey | tmcpeak: I've sent him a PM, but he is /away. It is nearly 9:00am for him, so hopefully he'll be around soon. | 22:55 |
*** bknudson has quit IRC | 22:56 | |
tmcpeak | Daviey: ok cool | 22:58 |
tmcpeak | I'm curious :) | 22:58 |
Daviey | Oh bugger it, i'll dig into pbr code. | 22:59 |
Daviey | Why is it every time i need to do something with pbr, i end up debugging it | 22:59 |
*** salv-orlando has joined #openstack-security | 22:59 | |
tmcpeak | lol | 23:00 |
Daviey | tmcpeak: Depending how interested you are... Do you want to try and validate that pbr's own unit tests pass on your platform? | 23:01 |
Daviey | (i won't blame you if you say no) | 23:01 |
tmcpeak | sure | 23:01 |
tmcpeak | Daviey: you mean cover? | 23:02 |
*** salv-orl_ has quit IRC | 23:02 | |
tmcpeak | this one: https://github.com/openstack-dev/pbr/blob/master/tox.ini#L25 | 23:03 |
Daviey | hmm | 23:04 |
tmcpeak | Daviey: cover passes, py27 fails with some gdbm thing that has nothing to do with pbr | 23:04 |
Daviey | that is surely just test coverage report | 23:04 |
tmcpeak | some strangeness on my system | 23:04 |
tmcpeak | (most likely unrelated strangeness) | 23:04 |
tmcpeak | as in I've seen it before | 23:04 |
tmcpeak | with things that don't care about my Python directory | 23:04 |
Daviey | tmcpeak: are you using a virtualenv? | 23:04 |
tmcpeak | tox does that | 23:05 |
Daviey | tmcpeak: but when you use bandit it is outside venv, right? | 23:06 |
tmcpeak | oh lol, I made a venv and unit tests worked | 23:06 |
tmcpeak | err py27 worked | 23:06 |
tmcpeak | Daviey: yeah, I run Bandit outside venv | 23:07 |
Daviey | tmcpeak: and it works inside a venv? | 23:07 |
Daviey | tmcpeak: So, you are using non venv pbr to create the package of bandit for pip.... How old is your pbr? | 23:08 |
tmcpeak | 1.1 | 23:08 |
Daviey | Ah | 23:10 |
tmcpeak | Daviey: ok so for me /usr/local/bin/python points to /usr/local/Cellar which is a homebrew directory | 23:12 |
tmcpeak | I've symlinked python to the homebrew version | 23:13 |
Daviey | I was just looking at pbr changelog, hoping that data_file support was added after 1.1... seems not | 23:13 |
Daviey | oh interesting | 23:14 |
sigmavirus24 | Daviey: "data_files" you mean? | 23:14 |
Daviey | yeah | 23:14 |
tmcpeak | so this seems like an issue with appdirs and Homebrew to me | 23:14 |
sigmavirus24 | Daviey: pbr has supported data_files for a while afaik | 23:14 |
*** voodookid has quit IRC | 23:14 | |
Daviey | Hmm | 23:14 |
Daviey | sigmavirus24: Yeah, 2013 | 23:14 |
Daviey | sigmavirus24: https://review.openstack.org/#/c/35730/12 | 23:14 |
Daviey | tmcpeak: I don't think appdirs is related to this... | 23:15 |
Daviey | tmcpeak: The issue is that data_files isn't being respected for some reason | 23:15 |
sigmavirus24 | uh | 23:15 |
sigmavirus24 | tmcpeak: did you install a wheel? | 23:15 |
sigmavirus24 | If so data_files has different behaviour when pip installing from a wheel than when doing python setup.py install iirc | 23:15 |
sigmavirus24 | The wheel should put the config file in something like /usr/local/etc/bandit.yaml or something | 23:16 |
sigmavirus24 | setup.py maybe puts it in /etc/bandit.yaml | 23:16 |
sigmavirus24 | or somewhere else that's slightly better | 23:16 |
sigmavirus24 | I would also bet that appdirs doesn't think /usr/local/ is where it should be looking for things | 23:16 |
Daviey | sigmavirus24: Well both of those locations would be respected | 23:17 |
sigmavirus24 | (on OSX) | 23:17 |
Daviey | sigmavirus24: As in, my branch would DTRT if it installed there | 23:17 |
sigmavirus24 | Yeah | 23:17 |
sigmavirus24 | I'm about to head out anyway, I just noticed this and thought I'd give some half-remembered tidbits | 23:17 |
Daviey | sigmavirus24: The issue is that, without data_files support (prior to my branch) the config file is installed into the python site-packages along with the rest of the module. | 23:17 |
sigmavirus24 | I'm sure lifeless would be more helpful since he's awake | 23:17 |
Daviey | And that is what we are seeing now | 23:17 |
tmcpeak | sigmavirus24: I just 'pip install .' from the source dir | 23:17 |
sigmavirus24 | Daviey: I understand that | 23:17 |
sigmavirus24 | tmcpeak: globally? | 23:18 |
sigmavirus24 | with what version of pip? | 23:18 |
*** pdesai has quit IRC | 23:18 | |
Daviey | lifeless responded... he seems to think it is wheels related i think | 23:18 |
tmcpeak | sigmavirus24: pip 6.0.6 from /usr/local/Cellar/python/2.7.9/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/pip-6.0.6-py2.7.egg (python 2.7) | 23:18 |
sigmavirus24 | Daviey: my point exactly | 23:18 |
sigmavirus24 | tmcpeak: hm I think that's too old to do wheel building and then caching of the built wheel | 23:19 |
Daviey | sigmavirus24: hmm, "[Wheel] Support is offered in pip >= 1.4 and setuptools >= 0.8." | 23:19 |
sigmavirus24 | Daviey: that's not the relevant bit | 23:20 |
sigmavirus24 | pip 6.1.0 (or 7.1.0 i honestly forget which) builds a wheel and sticks that into your user-level cache | 23:20 |
Daviey | Oh, i see | 23:20 |
sigmavirus24 | when a wheel is installed there is different behaviour around data_files than when you install a tarball | 23:21 |
Daviey | Does anyone else here have a mac that can help validate if this is a tmcpeak oddity or general issue? | 23:21 |
Daviey | sigmavirus24: So tmcpeak should try updating his pip version, and try again? | 23:21 |
tmcpeak | gmurphy does | 23:22 |
sigmavirus24 | Daviey: maybe, maybe not | 23:22 |
sigmavirus24 | Daviey: I don't know if that'll help to be honest | 23:23 |
tmcpeak | trying | 23:23 |
sigmavirus24 | I can check it out later. I have to run now | 23:23 |
* sigmavirus24 is on a mac | 23:23 | |
tmcpeak | cool | 23:23 |
*** sigmavirus24 is now known as sigmavirus24_awa | 23:24 | |
Daviey | sigmavirus24_awa: thanks | 23:24 |
tmcpeak | same thing | 23:24 |
tmcpeak | [bandit]ERRORno config found - tried: ./bandit.yaml, /Users/travismcpeak/Library/Application Support/bandit/bandit.yaml, /Library/Application Support/bandit/bandit.yaml | 23:24 |
tmcpeak | so I'm telling you, my Bandit doesn't install to /Library/* | 23:24 |
tmcpeak | it installs to /usr/local/* | 23:24 |
tmcpeak | appdir needs to know about that | 23:25 |
Daviey | tmcpeak: well somewhere in the stack that is a bug. I'd like to work out what is causing it.. if it is something to do with old versions of something, then I think we have little choice but to add that path to the search locations.. | 23:26 |
tmcpeak | yeah, that's ugly though, what if somebody is using python 3.x etc | 23:31 |
tmcpeak | but yeah, I agree | 23:31 |
tmcpeak | makes sense to figure this out | 23:31 |
Daviey | tmcpeak: Cellar is this, https://github.com/Psycojoker/cellar ? | 23:36 |
Daviey | saltstack related? | 23:36 |
tmcpeak | :') — http://brew.sh/ | 23:36 |
Daviey | oh | 23:37 |
Daviey | i'm pretty close to just adding the library path | 23:38 |
tmcpeak | Daviey: yeah gmurphy got the same as me | 23:39 |
tmcpeak | with homebrew | 23:39 |
tmcpeak | so it's not a weird tmcpeak env thing, it's a homebrew thing | 23:39 |
Daviey | Ah dammit | 23:39 |
tmcpeak | I'm fairly sure this is a failure in appdir to take brew into account | 23:40 |
tmcpeak | Daviey: I'm out for the day, we'll pick this back up tomorrow? | 23:42 |
Daviey | tmcpeak: Hmm.. the prior behaviour was to install the bandit.yaml along with the rest of bandit files.. which is the library path.. My branch changed it to use config locations | 23:42 |
Daviey | appdirs is responding with the env config locations | 23:43 |
Daviey | so i think it is brew sucking | 23:43 |
tmcpeak | haha | 23:43 |
Daviey | tmcpeak: sure.. I should probably go home. | 23:43 |
tmcpeak | you're a wildman Daviey ;) | 23:43 |
tmcpeak | cool, catch you tomorrow | 23:43 |
Daviey | Yeeee-Haaaa! | 23:43 |
tmcpeak | thanks for all the work on this | 23:43 |
Daviey | tmcpeak: Thanks for ruining my night | 23:43 |
Daviey | :) | 23:43 |
tmcpeak | it's what I do | 23:44 |
Daviey | tmcpeak: for your scrollback when you get back, https://bugs.launchpad.net/pbr/+bug/1481115 - feel free to add anything | 23:53 |
openstack | Launchpad bug 1481115 in PBR "data_files support seems non-functional with mac/homebrew" [Undecided,New] | 23:53 |
Daviey | sigmavirus24_awa: ^^ | 23:54 |
Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!