Wednesday, 2015-08-05

*** zul has joined #openstack-security		00:09
*** jmckind has quit IRC		00:11
*** elmiko has quit IRC		00:21
*** salv-orlando has joined #openstack-security		00:59
*** salv-orlando has quit IRC		01:04
*** tmcpeak has quit IRC		01:20
*** tjt263 has joined #openstack-security		01:51
*** pdesai has joined #openstack-security		01:52
*** elo has quit IRC		02:01
*** tmcpeak has joined #openstack-security		02:02
*** sdake_ has quit IRC		02:04
*** sdake has joined #openstack-security		02:04
*** salv-orlando has joined #openstack-security		02:05
*** zul has quit IRC		02:09
*** salv-orlando has quit IRC		02:12
*** pdesai has quit IRC		02:39
*** tmcpeak has quit IRC		04:05
*** salv-orlando has joined #openstack-security		04:10
*** salv-orlando has quit IRC		04:22
*** janonymous has quit IRC		04:32
*** pcaruana has quit IRC		04:59
*** salv-orlando has joined #openstack-security		05:21
*** salv-orlando has quit IRC		05:23
openstackgerrit	OpenStack Proposal Bot proposed openstack/security-doc: Imported Translations from Transifex https://review.openstack.org/208819	06:01
*** shohel has joined #openstack-security		06:26
*** browne has quit IRC		06:34
*** pcaruana has joined #openstack-security		06:36
openstackgerrit	Merged openstack/security-doc: Imported Translations from Transifex https://review.openstack.org/208819	06:38
*** b10n1k has joined #openstack-security		06:40
*** salv-orlando has joined #openstack-security		06:41
*** alex_klimov has joined #openstack-security		06:52
*** browne has joined #openstack-security		07:30
*** salv-orlando has quit IRC		07:38
*** b10n1k has quit IRC		07:39
*** b10n1k has joined #openstack-security		07:39
*** browne has quit IRC		07:40
openstackgerrit	Stanislaw Pitucha proposed openstack/anchor: Implement new API format https://review.openstack.org/190473	08:09
openstackgerrit	Stanislaw Pitucha proposed openstack/anchor: Move all plugins to stevedore https://review.openstack.org/208311	08:09
openstackgerrit	Stanislaw Pitucha proposed openstack/anchor: Allow configurable signing backends https://review.openstack.org/201394	08:09
*** tkelsey has joined #openstack-security		08:15
*** barra204 has quit IRC		08:25
*** salv-orlando has joined #openstack-security		08:39
*** salv-orlando has quit IRC		09:36
*** salv-orlando has joined #openstack-security		10:34
*** h00327910__ has quit IRC		10:58
*** jmckind_ has joined #openstack-security		11:08
*** tmcpeak has joined #openstack-security		12:07
*** jmckind_ has quit IRC		12:15
*** alejandrito has joined #openstack-security		12:19
*** edmondsw has joined #openstack-security		12:34
*** salv-orlando has quit IRC		12:37
*** salv-orlando has joined #openstack-security		12:45
*** hyakuhei has joined #openstack-security		13:02
*** elmiko has joined #openstack-security		13:03
*** zul has joined #openstack-security		13:05
*** edmondsw has quit IRC		13:05
*** browne has joined #openstack-security		13:06
*** alejandrito has quit IRC		13:10
*** sdake has quit IRC		13:21
*** dave-mccowan has joined #openstack-security		13:23
*** singlethink has joined #openstack-security		13:25
*** viraptor has quit IRC		13:26
*** bknudson has joined #openstack-security		13:28
*** dave-mcc_ has joined #openstack-security		13:28
*** dave-mccowan has quit IRC		13:29
*** dave-mccowan has joined #openstack-security		13:31
tmcpeak	happy days bknudson! :) http://www.theverge.com/2015/8/5/9099451/ibm-apple-enterprise-macbooks	13:32
*** dave-mcc_ has quit IRC		13:33
bknudson	tmcpeak: I'll be the other half	13:33
*** jmckind has joined #openstack-security		13:33
tmcpeak	I figured… I do love me my macbook though	13:33
bknudson	unless I can install linux on it	13:33
tmcpeak	you most certainly can	13:33
*** jmckind has quit IRC		13:34
tmcpeak	I mean really it runs a free-BSD derivative anyway	13:34
*** jmckind has joined #openstack-security		13:34
misc	well, apple had some crappy uefi firmware working good only with their os in the past	13:39
misc	so running linux correctly is not something I would take for granted	13:40
*** singleth_ has joined #openstack-security		13:46
*** singlethink has quit IRC		13:49
tmcpeak	misc really? I'm fairly sure bootcamp has smoothed that out	13:50
*** salv-orlando has quit IRC		13:53
*** singlethink has joined #openstack-security		13:54
tmcpeak	browne, Daviey, sigmavirus24, tkelsey today is the day	13:55
tmcpeak	https://review.openstack.org/#/c/203451/ , https://review.openstack.org/#/c/209179/ , https://review.openstack.org/#/c/209082/ , https://review.openstack.org/#/c/208637/	13:55
tmcpeak	these are the 4 that need to land	13:55
tmcpeak	then run through and test projects which are using gate and other misc testing	13:55
tmcpeak	then merge	13:55
tmcpeak	13 up up and away	13:55
*** sigmavirus24_awa is now known as sigmavirus24		13:56
browne	https://review.openstack.org/#/c/208637/ has two +2. ready to merge?	13:57
*** singleth_ has quit IRC		13:57
tmcpeak	browne: yep	13:57
browne	done	13:57
tmcpeak	sweet	13:57
tmcpeak	sigmavirus24, tkelsey: can you do this? https://review.openstack.org/#/c/209179/	13:58
sigmavirus24	tmcpeak: what do you mean?	14:00
openstackgerrit	Merged openstack/bandit: Rewording subprocess without shell finding https://review.openstack.org/208637	14:00
tmcpeak	sigmavirus24, browne, tkelsey: I've tested this, if you guys can also test we should be good to merge: https://review.openstack.org/#/c/203451/	14:00
tmcpeak	sigmavirus24: approvsies	14:00
browne	i have comments on that one	14:00
tmcpeak	oooh	14:01
tmcpeak	browne: which?	14:01
browne	203451	14:01
*** shohel1 has joined #openstack-security		14:01
tmcpeak	ahh ok	14:01
browne	But its not a dealbreaker	14:02
*** shohel has quit IRC		14:02
tmcpeak	browne: good point	14:02
tmcpeak	Daviey: fix?	14:02
*** edmondsw has joined #openstack-security		14:02
openstackgerrit	Merged openstack/bandit: Convert README to rst https://review.openstack.org/209082	14:03
browne	ha, merge conflict. let me rebase https://review.openstack.org/#/c/209179/	14:04
tmcpeak	great	14:04
browne	same with https://review.openstack.org/#/c/203451 now	14:04
openstackgerrit	Eric Brown proposed openstack/bandit: Update README with latest changes https://review.openstack.org/209179	14:05
tmcpeak	tkelsey, sigmavirus24: +A por favor: https://review.openstack.org/#/c/209179/	14:06
*** hyakuhei has quit IRC		14:06
tmcpeak	great, so I think we're just waiting on Daviey for this	14:07
tmcpeak	https://review.openstack.org/#/c/203451/	14:07
tmcpeak	meanwhile if you guys have a chance can you do some stability testing?	14:08
*** hyakuhei has joined #openstack-security		14:10
browne	tmcpeak: sure. also, when you push to pypi, isn't there also supposed to be a wheel for py3? I see only py2 for bandit 12.0	14:11
tmcpeak	browne: I'm not actually doing the push to PyPI openstack CI does it	14:11
sigmavirus24	browne: it should be one universal wheel	14:11
tmcpeak	we should get universal wheel automatically if we have Py2 and Py3 compatibility	14:12
sigmavirus24	not exactly	14:12
sigmavirus24	I know what's probablyw rong	14:12
sigmavirus24	Sending a review now	14:12
tmcpeak	sweet	14:12
*** hyakuhei has quit IRC		14:12
browne	ok if its universal, why does it state py2?	14:12
browne	sigmavirus24: cool	14:12
openstackgerrit	Ian Cordasco proposed openstack/bandit: Build universal wheels for PyPI https://review.openstack.org/209527	14:13
sigmavirus24	browne: because we didn't have ^	14:13
tmcpeak	looks simple enough :D	14:13
browne	sigmavirus24: you're quick!	14:13
tmcpeak	30 secs for sigmavirus24, 2 hours of painful googling for me	14:14
sigmavirus24	browne: I know that trick all too well	14:14
*** hyakuhei has joined #openstack-security		14:15
browne	next time we have to time sigmavirus24	14:15
*** hyakuhei has quit IRC		14:15
tmcpeak	:)	14:15
*** shohel has joined #openstack-security		14:19
*** shohel1 has quit IRC		14:19
*** hyakuhei has joined #openstack-security		14:22
*** singleth_ has joined #openstack-security		14:25
*** singlethink has quit IRC		14:28
tmcpeak	bknudson: thanks to you keystone still has the honor of being the only project using voting Bandit checks	14:30
tmcpeak	allright my testing looks goo	14:31
tmcpeak	d	14:31
tmcpeak	as soon as Daviey can get that small change done and rebase I'll do a final sanity check and we should be gtg	14:32
*** hyakuhei has quit IRC		14:34
Daviey	tmcpeak: ok, in meetings until later.. will do it today. promise.	14:36
bknudson	tmcpeak: change is slow	14:37
tmcpeak	Daviey: ok cool	14:38
tmcpeak	when that's done we're gtg	14:38
openstackgerrit	Merged openstack/bandit: Update README with latest changes https://review.openstack.org/209179	14:40
openstackgerrit	Merged openstack/bandit: Build universal wheels for PyPI https://review.openstack.org/209527	14:44
*** voodookid has joined #openstack-security		15:11
*** voodookid1 has joined #openstack-security		15:23
*** voodookid has quit IRC		15:23
*** voodookid1 has quit IRC		15:28
*** bpokorny has joined #openstack-security		15:29
*** dwyde has joined #openstack-security		15:31
*** shakamunyi has joined #openstack-security		15:35
*** voodookid has joined #openstack-security		15:40
*** yaya has joined #openstack-security		15:46
*** sdake has joined #openstack-security		15:50
*** singleth_ has quit IRC		15:57
*** yaya has quit IRC		16:00
*** salv-orlando has joined #openstack-security		16:06
*** singlethink has joined #openstack-security		16:06
*** yaya_ has joined #openstack-security		16:08
*** shohel has quit IRC		16:11
* sigmavirus24 waves to yaya_		16:22
*** browne has quit IRC		16:23
*** pcaruana has quit IRC		16:26
* yaya_ waves to sigmavirus24		16:27
sigmavirus24	tmcpeak: yaya_ is thinking about becoming more involved with bandit	16:27
tmcpeak	yaya_: oh great!	16:28
tmcpeak	we'd love that	16:28
tmcpeak	let me know how I/we can help	16:28
tmcpeak	also involved as in developer, user, or both?	16:29
*** openstackgerrit_ has joined #openstack-security		16:30
yaya_	both most likely	16:30
tmcpeak	yaya_ awesome, how familiar are you with Bandit already and what's your background?	16:34
*** jhfeng has joined #openstack-security		16:40
*** alex_klimov has quit IRC		16:46
*** dwyde has quit IRC		16:47
*** yaya_ has quit IRC		16:49
*** sdake has quit IRC		16:58
*** openstackgerrit_ has quit IRC		17:05
*** tjt263 has quit IRC		17:12
*** browne has joined #openstack-security		17:14
*** tkelsey has quit IRC		17:20
*** openstackgerrit_ has joined #openstack-security		17:24
*** pdesai has joined #openstack-security		17:32
*** yaya has joined #openstack-security		17:33
*** openstackgerrit_ has quit IRC		17:34
yaya	tmcpeak: sorry I had to leave briefly	17:36
tmcpeak	no worries	17:36
yaya	so I’m a sec engineer for rackspace and I’ve used Bandit fairly recently but not not quite extensively yet. I am looking into getting more involved into the upstream sec community but I don’t yet have any clear plans as to how to go about that so I guess Bandit is my starting point …	17:38
tmcpeak	yaya: oh cool	17:39
tmcpeak	well one thing is to attend the security meetings on Thurs	17:39
tmcpeak	that could give you a good sense of the projects we have in flight	17:39
yaya	yup	17:39
yaya	sigmavirus24 already sent me an invite	17:40
tmcpeak	great	17:40
yaya	:)	17:40
tmcpeak	are you on michaelxin's team?	17:40
tmcpeak	or in some way related to him	17:40
tmcpeak	?	17:40
yaya	yes	17:40
*** jhfeng has quit IRC		17:40
tmcpeak	ahh ok cool	17:40
tmcpeak	I think some of your guys are also working on an API fuzzing tool	17:40
tmcpeak	yaya we have a midcycle coming up too	17:41
yaya	yes michael and a couple of others have been working on sec cafe	17:41
tmcpeak	not sure if it's an option for you to go but that's a great way to get involved	17:42
tmcpeak	you'll come out with more projects than you know what to do with	17:42
*** dwyde has joined #openstack-security		17:42
yaya	sounds interesting	17:43
yaya	how do I stay in the loop?	17:43
tmcpeak	details here: https://etherpad.openstack.org/p/security-liberty-midcycle	17:43
tmcpeak	maybe speak to your management and see if there is budget	17:43
tmcpeak	best way though is just hang out here and drop by our weekly meetings	17:43
tmcpeak	f you want to get your feet wet with Bandit try running against some projects, look at findings	17:44
tmcpeak	Daviey: still swamped in meetings? :)	17:45
tmcpeak	not to pester	17:46
Daviey	tmcpeak: Yeah, will be free in 1hr	17:48
tmcpeak	Daviey: ok cool, thank you	17:49
Daviey	tmcpeak: Oh, i'll bang it out now	17:50
tmcpeak	even better :)	17:50
tmcpeak	yeah should be quick - small text change and a rebase	17:50
openstackgerrit	Dave Walker proposed openstack/bandit: Actually default to /etc/ rather than just claim https://review.openstack.org/203451	17:55
Daviey	tmcpeak: rebase done aswell	17:55
tmcpeak	Daviey: awesome, thank you!	17:57
tmcpeak	I'm going to do some last minute validation and make sure this last change didn't break things and then 13 is shipping out	17:57
*** hyakuhei has joined #openstack-security		17:57
Daviey	Schweet	17:58
tmcpeak	browne, sigmavirus24: approvies por favor? https://review.openstack.org/#/c/203451/	17:59
browne	+2	18:01
*** jmckind_ has joined #openstack-security		18:03
tmcpeak	browne: what's your platform? are you able to test it?	18:03
tmcpeak	sigmavirus24: you want to put the +A on it?	18:05
*** jmckind has quit IRC		18:05
sigmavirus24	tmcpeak: way ahead of yo	18:05
sigmavirus24	*you	18:05
sigmavirus24	well not very far	18:05
sigmavirus24	but	18:05
tmcpeak	awesome	18:05
*** singlethink has quit IRC		18:10
tmcpeak	damn is zuul backed up again?	18:14
*** pdesai1 has joined #openstack-security		18:16
Daviey	sigmavirus24: I used githubs own url shortener, so it seemed reasonable	18:17
sigmavirus24	tmcpeak: yeah	18:17
sigmavirus24	since yesterday	18:17
sigmavirus24	Daviey: url shorteners are the devil	18:17
sigmavirus24	The real URL sometimes has context in it so that when the shortener breaks (as so many do) things can still be googled about it	18:17
sigmavirus24	And hopefully archives can be found	18:18
tmcpeak	plus that by 95% of rick-rolls are caused by URL shorteners	18:18
Daviey	sigmavirus24: http://bringvictory.com/	18:18
*** pdesai has quit IRC		18:19
sigmavirus24	Daviey: firewall blocked that	18:19
Daviey	shame	18:19
tmcpeak	I may or may not have been a victim :\	18:19
Daviey	tmcpeak: Question is, are 95% of users of url shortners also victims of rickrolls?	18:20
tmcpeak	that sounds reasonable	18:20
*** elo has joined #openstack-security		18:21
Daviey	I tend not to open random urls on corp network :)	18:21
browne	tmcpeak: my platofrm of choice is Ubuntu 14	18:22
tmcpeak	ahh cool	18:23
Daviey	browne: you have my sympathies	18:25
browne	Daviey: ha, why? I like Ubuntu	18:26
Daviey	Stockholm syndrome	18:26
tmcpeak	sigmavirus24: do something! can you use your clout, influence, bribery, threats, etc to get this moved through Zuul?	18:26
browne	its not my dev env. i have a macbook.	18:26
sigmavirus24	tmcpeak: who do you think I am?	18:28
tmcpeak	you've got mega projects juice	18:28
sigmavirus24	o_O	18:28
tmcpeak	you're like the underboss of the internet, aren't you?	18:29
* sigmavirus24 backs into the darkness slowly		18:29
tmcpeak	:#	18:29
*** sdake has joined #openstack-security		18:32
*** pdesai has joined #openstack-security		18:33
elmiko	lol	18:35
*** pdesai1 has quit IRC		18:36
openstackgerrit	Merged openstack/bandit: Actually default to /etc/ rather than just claim https://review.openstack.org/203451	18:36
jelle	oh nice, does that change also install it to /etc/bandit?	18:36
tmcpeak	jelle: yeah it will try to	18:37
jelle	tmcpeak: cool	18:37
jelle	that will fix a packaging issue in Arch Linux I think ;)	18:37
tmcpeak	jelle: awesome!	18:37
jelle	since the config file ended up somewhere in /usr/lib/python2.7	18:37
jelle	:p	18:37
tmcpeak	well it should be up on pip very shortly	18:37
jelle	the new release?	18:37
tmcpeak	yep	18:37
jelle	cool, I'll update the package in our repos then ;)	18:38
tmcpeak	great	18:38
tmcpeak	hmmm	18:46
*** openstackgerrit has quit IRC		18:46
tmcpeak	I do this new Bandit version stuff just infrequently enough to forget how it's done each time	18:46
*** openstackgerrit has joined #openstack-security		18:46
tmcpeak	ahh, there it is!	18:47
tmcpeak	https://pypi.python.org/pypi/bandit/0.13.0	18:47
tmcpeak	thanks sigmavirus24, browne, tkelsey, Daviey, bknudson and all others	18:48
tmcpeak	another release out the door :)	18:49
browne	yay!	18:49
* sigmavirus24 ^5s tmcpeak		18:49
bknudson	tmcpeak: and this will not break keystone.	18:49
tmcpeak	bknudson: it will not. If I test one thing it's keystone ;)	18:49
sigmavirus24	oh right	18:50
sigmavirus24	we never added gates to bandit to test it against consumers we knwo about	18:50
sigmavirus24	e.g., keystone,	18:50
tmcpeak	not yet :(	18:50
tmcpeak	could be a cool activity for midcycle	18:50
tmcpeak	actually I'm going to add that to plans	18:50
tmcpeak	sigmavirus24: you've got to hitchhike out there or something	18:51
browne	tmcpeak: do you have an etherpad of the plans?	18:51
tmcpeak	browne: hyakuhei started throwing it together https://etherpad.openstack.org/p/security-liberty-midcycle	18:51
browne	cool	18:52
hyakuhei	There’s also the sprints page	18:52
tmcpeak	speak of the devil	18:52
hyakuhei	https://wiki.openstack.org/wiki/Sprints/SecurityLibertySprint	18:52
browne	btw, my flight and hotel is booked. i'll be there	18:52
hyakuhei	Excellent!	18:53
hyakuhei	I also did a bunch of work on the Security Project WIKI page but it’s pretty crap right now	18:53
hyakuhei	If anyone wants to tart it up further please feel free!	18:53
hyakuhei	http://wiki.openstack.org/wiki/Security	18:54
tmcpeak	browne: awesome!	18:55
tmcpeak	just sent out a notification to dev about new Bandit	18:55
tmcpeak	of course I instructed people to use the 'Security' tag in response but I forgot the tag myself	18:56
tmcpeak	:#	18:56
tmcpeak	I so smart	18:56
hyakuhei	SMRAT!	18:56
hyakuhei	https://www.dropbox.com/s/wzdfnfxuf70qfbj/Screenshot%202015-08-05%2019.57.30.png?dl=0	18:57
tmcpeak	if that's a rickroll I'll be upset	18:57
tmcpeak	sigmavirus24: looks like universal wheel worked too :)	18:59
jelle	hrrm actually facing an issue after python setup.py install	19:00
sigmavirus24	tmcpeak: woot woot	19:01
tmcpeak	jelle: what's up?	19:01
*** yaya has quit IRC		19:02
jelle	tmcpeak: missing appdir	19:02
tmcpeak	oh noz, did we forget to add that to our requirements?	19:02
jelle	oh let me check	19:02
tmcpeak	hmm jelle: it's there	19:02
tmcpeak	it should be installed	19:02
jelle	then it's my fault	19:02
tmcpeak	thank god	19:02
jelle	:-)	19:02
tmcpeak	I hate instantly having to release the x.x.1	19:02
*** yaya has joined #openstack-security		19:08
sigmavirus24	tmcpeak: that's what they're there for	19:09
tmcpeak	insta-release?	19:09
tmcpeak	yep, just about	19:09
*** pdesai1 has joined #openstack-security		19:12
*** pdesai has quit IRC		19:12
openstackgerrit	Andreas Jaeger proposed openstack/security-doc: Adding file permissions section https://review.openstack.org/207707	19:16
*** yaya has quit IRC		19:18
openstackgerrit	Andreas Jaeger proposed openstack/security-doc: Fix list-tables in Object Storage https://review.openstack.org/209638	19:22
*** yaya has joined #openstack-security		19:24
*** sigmavirus24 is now known as sigmavirus24_awa		19:24
*** sigmavirus24_awa is now known as sigmavirus24		19:24
*** dwyde has quit IRC		19:27
*** dwyde has joined #openstack-security		19:29
Daviey	tmcpeak: Hey, are you doing the release management bug handling stuff?	19:35
tmcpeak	Daviey: I'm not sure what you mean but the answer is I'm probably not	19:44
tmcpeak	I'd like to get some better versioning, a more refined release management flow, etc but it always falls under the waterline of things I'll work on today :\	19:44
Daviey	tmcpeak: there is tooling to close bugs that this release fixed and upload tarballs etc	19:45
tmcpeak	oooh	19:47
tmcpeak	yeah, we're not using any :)	19:47
Daviey	tmcpeak: Also tooling to list changes this release did	19:47
tmcpeak	I'm integrated with openstack-ci so I tag a version and it automatically pushes to PyPI that's about it	19:47
Daviey	IIRC there is also one to generate emails	19:47
Daviey	openstack-infra/release-tools	19:47
tmcpeak	Daviey: that would be really cool	19:47
tmcpeak	I should carve off a few hours to poke around	19:47
tmcpeak	doing it manually sucks	19:47
tmcpeak	although I don't do it often enough to automate	19:47
Daviey	well it's already been done.. just need to run the tools	19:48
tmcpeak	even better :D	19:48
*** jmckind_ has quit IRC		20:08
*** jmckind has joined #openstack-security		20:11
*** jmckind has quit IRC		20:12
*** jmckind has joined #openstack-security		20:13
*** jmckind has quit IRC		20:13
*** jmckind has joined #openstack-security		20:14
*** jmckind has quit IRC		20:15
*** jmckind has joined #openstack-security		20:16
*** jmckind has quit IRC		20:19
*** hyakuhei has quit IRC		20:23
*** hyakuhei has joined #openstack-security		20:33
*** sigmavirus24 is now known as sigmavirus24_awa		20:36
*** sigmavirus24_awa is now known as sigmavirus24		20:36
openstackgerrit	Dave Walker proposed openstack/bandit: Add info: License, Source, Bugs and Docs to README https://review.openstack.org/209666	20:47
*** yaya has quit IRC		20:48
*** pdesai has joined #openstack-security		20:58
*** pdesai1 has quit IRC		20:59
*** pdesai2 has joined #openstack-security		20:59
*** pdesai1 has joined #openstack-security		21:00
*** pdesai2 has quit IRC		21:00
*** pdesai has quit IRC		21:02
*** jmckind has joined #openstack-security		21:07
*** dave-mccowan has quit IRC		21:08
tmcpeak	browne: good catch on HTTPS ;)	21:10
*** pdesai has joined #openstack-security		21:15
browne	tmcpeak: eagle eyes	21:17
*** pdesai1 has quit IRC		21:18
*** alex_klimov has joined #openstack-security		21:18
tmcpeak	that's good, I've been the opposite - all the typos get by me :)	21:19
tmcpeak	I think I need electroshock therapy or something	21:19
browne	ha	21:19
browne	bandit approved in cinder	21:20
tmcpeak	legit!	21:20
openstackgerrit	Dave Walker proposed openstack/bandit: Add info: License, Source, Bugs and Docs to README https://review.openstack.org/209666	21:22
Daviey	Yeah, normally using https is something i pick up on.. but i diff gud by copy and pasting.	21:25
Daviey	browne: Is it ironic to have (or not have) bandit gate support on bandit itself?	21:26
*** b10n1k has quit IRC		21:27
tmcpeak	BoB	21:27
browne	Daviey: its like inception	21:28
browne	would it ever find any issues you think?	21:28
*** kcaj has left #openstack-security		21:28
Daviey	you'd hope it would find the samples..	21:28
*** pdesai has quit IRC		21:28
browne	Daviey: that's true. that might be interesting	21:29
Daviey	#noqa_butreallynoqa	21:29
tmcpeak	if it does find things not in samples I'll be bummed	21:29
Daviey	surely i am not the only one that tests changes with $ bandit -r bandit/ (but don't read the output)	21:30
*** jmckind has quit IRC		21:31
dwyde	bandit loaded the config with `yaml.load` back in March — found that by bandit-ception :-)	21:32
Daviey	Hmm	21:32
Daviey	it looks like we have a real missuse of assert in utils?	21:32
*** pdesai has joined #openstack-security		21:33
Daviey	Usage of xml.etree.cElementTree is ok as we aren't parsing.	21:33
tmcpeak	Daviey: crap, really?	21:36
tmcpeak	:(	21:36
tmcpeak	assert	21:36
Daviey	https://github.com/openstack/bandit/blob/master/bandit/core/utils.py#L102	21:37
Daviey	I mean, it isn't a big deal..	21:37
tmcpeak	onoz	21:38
Daviey	funnily enough, that is from Genesis commit.	21:38
openstackgerrit	Sean McGinnis proposed openstack/bandit: Fix takes_config in try_catch_pass plugin https://review.openstack.org/209679	21:42
*** zul has quit IRC		21:45
*** smcginnis has joined #openstack-security		21:52
smcginnis	Wondering if anyone can answer some bandit questions.	21:53
smcginnis	Is there a reference or knowledge base somewhere that describes what to do for items flagged by bandit?	21:53
smcginnis	Ideally something like: reason it may be an issue, recommendations for alternatives, conditions where it may not be an issue, etc.	21:54
tmcpeak	smcginnis: we have secure development guidelines here:	21:54
*** b10n1k has joined #openstack-security		21:54
tmcpeak	https://security.openstack.org/#secure-development-guidelines	21:54
tmcpeak	smcginnis: also in next version we're introducing comprehensive documentation of all plugins	21:55
smcginnis	tmcpeak: Great, thanks!	21:56
tmcpeak	np	21:56
smcginnis	tmcpeak: Would be great if bandit would output a code for each type of issue that could be referenced in the guidelines, kind of like hacking check codes.	21:56
tmcpeak	smcginnis: it's definitely on our radar :)	21:56
tmcpeak	I'd expect something like that in the next release or two	21:56
smcginnis	tmcpeak: Sweet.	21:57
smcginnis	While I'm at it, having an html output report like the unit test coverage report would be cool too. :)	21:57
tmcpeak	smcginnis: yeah for sure, that should be a fairly easy formatter to generate too	21:58
tmcpeak	smcginnis: would you mind adding as a "bug" in Launchpad?	21:58
tmcpeak	that's where we track all the things	21:58
smcginnis	tmcpeak: Sure!	21:58
tmcpeak	smcginnis: awesome, thank you	21:58
tmcpeak	biab	21:58
smcginnis	Nice work to all that have worked on bandit. Very happy to see something like that.	21:58
browne	smcginnis: check codes is exactly what i'd prefer too	21:59
smcginnis	browne: I could see a lot of benefit in being able to reference specific topics that way.	21:59
browne	smcginnis: feel free to open blueprints on these things	21:59
*** hyakuhei has quit IRC		22:00
*** edmondsw has quit IRC		22:00
*** dwyde has quit IRC		22:11
*** alex_klimov has quit IRC		22:18
openstackgerrit	Brant Knudson proposed openstack/bandit: Clean up test_config https://review.openstack.org/209689	22:24
*** sigmavirus24 is now known as sigmavirus24_awa		22:27
*** bknudson has quit IRC		22:33
*** voodookid has quit IRC		23:09
*** pdesai has quit IRC		23:22
*** pdesai has joined #openstack-security		23:30
*** sdake has quit IRC		23:56

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!