Thursday, 2016-01-14

00:00 *** ccie6747 has quit IRC
00:31 *** salv-orl_ has quit IRC
00:34 *** salv-orlando has joined #openstack-security
00:37 *** _et_ has joined #openstack-security
00:45 *** salv-orlando has quit IRC
00:46 *** salv-orlando has joined #openstack-security
00:48 *** hyakuhei has joined #openstack-security
00:53 <openstackgerrit> Merged openstack/security-doc: Adding link for SELinux policies  https://review.openstack.org/266567
00:55 *** edmondsw has quit IRC
01:05 *** bpokorny has quit IRC
01:09 <openstackgerrit> Eric Brown proposed openstack/bandit: Pretty up the plugin documentation  https://review.openstack.org/267254
01:11 <openstackgerrit> Eric Brown proposed openstack/bandit: Pretty up the plugin documentation  https://review.openstack.org/267254
01:13 *** browne has quit IRC
01:21 *** elo has quit IRC
01:49 <openstackgerrit> venkatamahesh proposed openstack/security-doc: Fix rst markups  https://review.openstack.org/258846
01:58 *** winterIsLeaving has quit IRC
02:11 *** elo has joined #openstack-security
02:16 *** browne has joined #openstack-security
02:33 *** jmckind has quit IRC
02:42 *** elo has quit IRC
02:51 *** hyakuhei has quit IRC
02:52 *** dstanek has quit IRC
02:53 *** dstanek has joined #openstack-security
02:53 *** Windir has quit IRC
02:54 *** Windir has joined #openstack-security
02:55 *** bpokorny has joined #openstack-security
03:07 *** bpokorny has quit IRC
03:23 <openstackgerrit> venkatamahesh proposed openstack/security-doc: Fix rst markups  https://review.openstack.org/258846
03:24 *** sonuk has joined #openstack-security
03:34 *** yuanying_ has quit IRC
03:34 *** tjt263 has quit IRC
03:40 <openstackgerrit> Eric Brown proposed openstack/bandit: Update readme with latest changes  https://review.openstack.org/267281
03:46 *** yuanying has joined #openstack-security
03:56 *** yuanying_ has joined #openstack-security
03:57 *** browne1 has joined #openstack-security
03:59 *** yuanying has quit IRC
04:00 *** browne has quit IRC
04:00 *** yuanying_ has quit IRC
04:00 *** winterIsLeaving has joined #openstack-security
04:06 *** yuanying has joined #openstack-security
04:07 *** yuanying has quit IRC
04:07 *** yuanying_ has joined #openstack-security
04:10 *** salv-orl_ has joined #openstack-security
04:10 *** entPop has joined #openstack-security
04:12 *** salv-orlando has quit IRC
04:13 *** winterIsLeaving has quit IRC
04:22 *** winterIsLeaving has joined #openstack-security
04:23 *** entPop has quit IRC
04:26 *** entPop has joined #openstack-security
04:28 *** winterIsLeaving has quit IRC
04:32 *** winterIsLeaving has joined #openstack-security
04:35 *** entPop has quit IRC
04:39 *** winterIsLeaving has quit IRC
04:41 *** bpokorny has joined #openstack-security
04:42 *** _et_ has quit IRC
04:50 *** winterIsLeaving has joined #openstack-security
05:00 *** bpokorny has quit IRC
05:07 *** winterIsLeaving has quit IRC
05:10 *** winterIsLeaving has joined #openstack-security
05:54 <openstackgerrit> Christopher J Schaefer proposed openstack/bandit: Improved unit test coverage for baseline module.  https://review.openstack.org/267312
06:05 <openstackgerrit> Christopher J Schaefer proposed openstack/bandit: Improved unit test coverage for baseline module.  https://review.openstack.org/267312
06:11 *** winterIsLeaving has quit IRC
06:11 <openstackgerrit> Christopher J Schaefer proposed openstack/bandit: Improved unit test coverage for baseline module  https://review.openstack.org/267312
06:24 <openstackgerrit> Christopher J Schaefer proposed openstack/bandit: Improved unit test coverage for baseline module  https://review.openstack.org/267312
06:42 *** markvoelker has quit IRC
06:52 *** browne1 has quit IRC
07:09 *** elo has joined #openstack-security
07:22 <openstackgerrit> OpenStack Proposal Bot proposed openstack/security-doc: Updated from openstack-manuals  https://review.openstack.org/267355
07:53 *** salv-orl_ has quit IRC
07:53 *** salv-orlando has joined #openstack-security
08:34 <openstackgerrit> Merged openstack/security-doc: Updated from openstack-manuals  https://review.openstack.org/267355
08:43 *** markvoelker has joined #openstack-security
08:48 *** markvoelker has quit IRC
08:57 *** salv-orlando has quit IRC
08:58 *** salv-orlando has joined #openstack-security
09:05 *** salv-orlando has quit IRC
09:05 *** salv-orlando has joined #openstack-security
09:17 *** ig0r_ has joined #openstack-security
09:18 *** jamielennox is now known as jamielennox|away
09:41 *** ig0r_ has quit IRC
09:44 *** markvoelker has joined #openstack-security
09:49 *** markvoelker has quit IRC
10:10 *** salv-orl_ has joined #openstack-security
10:12 *** salv-orlando has quit IRC
10:56 *** lexholden has joined #openstack-security
11:31 *** FlayvaFlayy has joined #openstack-security
11:40 *** d0ugal has quit IRC
11:45 *** markvoelker has joined #openstack-security
11:49 *** markvoelker has quit IRC
11:54 *** FlayvaFlayy has quit IRC
11:56 *** lexholden has quit IRC
11:58 *** d0ugal has joined #openstack-security
12:01 *** lexholden has joined #openstack-security
12:11 *** lexholden has quit IRC
12:45 *** markvoelker has joined #openstack-security
12:50 *** markvoelker has quit IRC
13:16 <mhayden> Thursday is my meeting day, so i might not be in the room too often today
13:25 *** markvoelker has joined #openstack-security
13:26 *** browne has joined #openstack-security
13:37 *** _et_ has joined #openstack-security
13:39 *** edmondsw has joined #openstack-security
13:41 *** ninag has joined #openstack-security
13:47 *** avarner has joined #openstack-security
13:47 *** avarner has quit IRC
13:48 *** dslev has joined #openstack-security
13:48 *** browne has quit IRC
13:52 *** hyakuhei has joined #openstack-security
13:54 *** dslev_ has joined #openstack-security
13:57 *** dslev has quit IRC
13:59 *** hyakuhei has quit IRC
14:00 *** dslev_ has quit IRC
14:16 *** dslev has joined #openstack-security
14:31 *** avarner has joined #openstack-security
14:32 *** jmckind has joined #openstack-security
14:36 *** _et_ has quit IRC
14:38 *** tmcpeak has joined #openstack-security
14:38 *** hyakuhei has joined #openstack-security
14:39 *** browne has joined #openstack-security
14:40 *** jhfeng has joined #openstack-security
14:47 <openstackgerrit> Robert Clark proposed openstack/anchor: Updated the Docker readme so that port 5016 is used for anchor  https://review.openstack.org/267614
14:48 *** tkelsey has joined #openstack-security
14:51 <hyakuhei> tkelsey: https://review.openstack.org/#/c/267614/ pleasy weasy
14:51 <hyakuhei> As it’s just a README change please consider a +w too
14:51 *** avarner has quit IRC
14:54 <openstackgerrit> Travis McPeak proposed openstack/bandit: DUMMY COMMIT - DO NOT MERGE  https://review.openstack.org/267624
14:54 *** jhfeng has quit IRC
14:58 *** dave-mccowan has joined #openstack-security
15:00 <elmiko> hyakuhei: i dunno... sounds fishy
15:00 <hyakuhei> lulz
15:00 *** dave-mcc_ has joined #openstack-security
15:01 <elmiko> hyakuhei: have you checked out kubernetes much?
15:01 <hyakuhei> Not recently - I check out conference talks on it now and again - I’m down with the koolaid, I’ve just not drunk any yet.
15:02 <elmiko> i've been messing with it recently, very neat
15:02 <elmiko> looking at that dockerfile made me think about it
15:04 *** dave-mccowan has quit IRC
15:05 *** _et_ has joined #openstack-security
15:07 *** sigmavirus24_awa is now known as sigmavirus24
15:08 <dave-mcc_> A Cinder reviewer asked for Security Project's guidance on backporting this fix to Nova and Cinder: https://review.openstack.org/#/c/266680/
15:09 *** cjschaef has joined #openstack-security
15:10 <openstackgerrit> Christopher J Schaefer proposed openstack/bandit: Improved unit test coverage for baseline module  https://review.openstack.org/267312
15:15 <elmiko> dave-mcc_: gorka has a good question on that review, it seems more like a performance backport than a security one
15:17 <dave-mcc_> elmiko: no, it's a security fix. the cache (which should only be used in the copy_key operation) is being used always. weird stuff can happen: expired credentials are cached and reused, a second user can use the first user's cached credentials, ...
15:18 <elmiko> ah, ok
15:18 <elmiko> dave-mcc_: thanks for the clarification =)
15:19 <michaelxin> https://talkgadget.google.com/hangouts/_/gz43wqtwiit4lu7uupm55yd3oma?authuser=0&hl=en
15:19 <michaelxin> elmiko: morning
15:19 <michaelxin> https://talkgadget.google.com/hangouts/_/gz43wqtwiit4lu7uupm55yd3oma?authuser=0&hl=en
15:19 <michaelxin> We have a big crowd today.
15:19 <michaelxin> Some Barbican members joined up.
15:20 <elmiko> michaelxin: thanks! i have meetings all morning but i will join when i get free =)
15:20 <michaelxin> elmiko: Sure.
15:32 *** hyakuhei has quit IRC
15:34 *** loinvspredator has joined #openstack-security
15:34 <loinvspredator> :)
15:36 *** hyakuhei has joined #openstack-security
15:39 *** loinvspredator has left #openstack-security
15:39 <tmcpeak> tkelsey: https://review.openstack.org/#/c/267125/
15:40 <hyakuhei> tkelsey: https://review.openstack.org/#/c/267614/
15:40 <tmcpeak> tkelsey: https://review.openstack.org/#/c/267202/
15:44 *** jhfeng has joined #openstack-security
15:44 <sigmavirus24> http://undeadly.org/cgi?action=article&sid=20160114142733 for interested parties
15:48 <openstackgerrit> Merged openstack/bandit: Allow list of tests specified on command line  https://review.openstack.org/267125
15:48 <openstackgerrit> Merged openstack/bandit: Proper B5xx test numbering  https://review.openstack.org/267202
15:50 *** tjt263 has joined #openstack-security
15:53 *** hyakuhei has quit IRC
15:56 <openstackgerrit> Ian Cordasco proposed openstack/bandit: Remove unnecessary absolute_import logic  https://review.openstack.org/267192
15:57 *** jhfeng has quit IRC
15:59 *** jhfeng has joined #openstack-security
16:00 *** jhfeng has quit IRC
16:00 *** pdesai1 has joined #openstack-security
16:01 *** dg_ has joined #openstack-security
16:02 <openstackgerrit> Ian Cordasco proposed openstack/bandit: Remove unnecessary absolute_import logic from modules  https://review.openstack.org/267192
16:02 <openstackgerrit> Ian Cordasco proposed openstack/bandit: Move cli modules into their own submodule  https://review.openstack.org/267190
16:03 *** jhfeng has joined #openstack-security
16:09 *** salv-orlando has joined #openstack-security
16:10 <openstackgerrit> Eric Brown proposed openstack/bandit: Enable pep8 testing on tests  https://review.openstack.org/267671
16:10 *** mvaldes has joined #openstack-security
16:12 *** jhfeng has quit IRC
16:13 *** salv-orl_ has quit IRC
16:20 <sigmavirus24> mvaldes: examples/yaml_load.py
16:20 <sigmavirus24> https://bugs.launchpad.net/bandit/+bug/1508490
16:20 <openstack> Launchpad bug 1508490 in Bandit "False positive when yaml.load is used with "Loader=yaml.SafeLoader"" [Medium,Confirmed] - Assigned to Tim Kelsey (tim-kelsey)
16:20 *** diazjf has joined #openstack-security
16:20 <diazjf> BYOK etherpad: https://etherpad.openstack.org/p/cEA79A5fG1
16:24 *** hyakuhei has joined #openstack-security
16:24 *** jhfeng has joined #openstack-security
16:24 <diazjf> https://etherpad.openstack.org/p/cEA79A5fG1
16:24 <michaelxin> https://etherpad.openstack.org/p/cEA79A5fG1
16:27 *** edtubill has joined #openstack-security
16:28 <michaelxin> sigmavirus24: Ian, are you still working on Glance project?
16:28 <sigmavirus24> Yes, I am
16:29 <michaelxin> sigmavirus24: Do you happen to know whether Glance is using any encryption?
16:29 <michaelxin> https://wiki.openstack.org/wiki/EncryptionInOpenstack#Glance
16:29 <michaelxin> It says that Glance is not doing any encryption.
16:29 <sigmavirus24> michaelxin: we're working on image signing but otherwise, not really
16:29 <michaelxin> Is it still accurate?
16:30 <michaelxin> Just signing?
16:30 <sigmavirus24> https://specs.openstack.org/openstack/glance-specs/specs/liberty/image-signing-and-verification-support.html Is the only thing i know of
16:31 <hyakuhei> I put a ? by glance because it probably makes the least sense to encrypt out of all the basic IaaS services.
16:32 <michaelxin> sigmavirus24: Thanks.
16:32 <michaelxin> hyakuhei: +1
16:32 <sigmavirus24> michaelxin: that's been updated
16:34 <michaelxin> sigmavirus24: Thanks. You are the man! :-)
16:34 *** sonuk has quit IRC
16:34 <openstackgerrit> Eric Brown proposed openstack/bandit: Pretty up the plugin documentation  https://review.openstack.org/267254
16:36 <openstackgerrit> Merged openstack/anchor: Updated the Docker readme so that port 5016 is used for anchor  https://review.openstack.org/267614
16:36 *** dg_ has quit IRC
16:38 <browne> https://www.youtube.com/watch?v=wf-BqAjZb8M
16:42 <michaelxin> http://undeadly.org/cgi?action=article&sid=20160114142733&mode=expanded
16:44 <hyakuhei> rofl. Just yesterday tmcpeak was saying how there hasn’t been a serious SSH vulnerability for a long time….
16:44 <hyakuhei> Until you are able to patch affected systems, the recommended workaround is to use
16:44 <hyakuhei> # echo 'UseRoaming no' >> /etc/ssh/ssh_config
16:45 <hyakuhei> ^ That could be an excellent example use case for the ansible work later today
16:45 <tmcpeak> hyakuhei: wowwww
16:50 *** hyakuhei has quit IRC
16:51 *** hyakuhei has joined #openstack-security
16:53 <openstackgerrit> Tim Kelsey proposed openstack/bandit: Adding a test for test id on test plugins  https://review.openstack.org/267700
16:53 <tmcpeak> hyakuhei: got us set up for 5:30, they'd like me to call with a definite count later in the day
16:54 <tkelsey> sigmavirus24 browne https://review.openstack.org/#/c/267700/
16:54 <hyakuhei> I don’t think we can get there for 5:30 unless we leave early
16:54 <michaelxin> The image sharing is using md5 by default for Glance.
16:55 <michaelxin> Glance already supports computing checksums of images when an image is uploaded, and this checksum is stored with the image. This same hash (which by default is MD5) will be used for the signature verification.
16:55 <michaelxin> This is sad.
16:55 <tmcpeak> hyakuhei: it says 15 mins without traffic, when I call I can tell them we might be more like 5:45
16:56 <michaelxin> tmcpeak: Have fun.
16:56 <tmcpeak> :|
16:56 <michaelxin> I wish that I could go
16:56 <hyakuhei> tmcpeak: cool
16:57 <hyakuhei> michaelxin: your kids will understand man.
16:57 <tmcpeak> +1
16:57 <michaelxin> hyakuhei: Thanks.
16:57 <michaelxin> Do try the Chinese liquor
16:57 <michaelxin> :-)
16:57 <michaelxin> It is for brave men.
16:58 <tmcpeak> tkelsey is enthusiastic about it
16:58 *** salv-orlando has quit IRC
16:58 <tkelsey> damn right!
16:58 <tkelsey> :D
16:58 *** salv-orlando has joined #openstack-security
16:58 *** dslev has quit IRC
16:59 <michaelxin> +3
16:59 *** hyakuhei has quit IRC
16:59 *** tkelsey has quit IRC
17:01 *** tkelsey has joined #openstack-security
17:01 <tkelsey> tmcpeak: https://review.openstack.org/#/c/267700/
17:02 *** hyakuhei has joined #openstack-security
17:03 *** salv-orlando has quit IRC
17:04 *** salv-orlando has joined #openstack-security
17:05 <openstackgerrit> Tim Kelsey proposed openstack/bandit: Adding a test for test id on test plugins  https://review.openstack.org/267700
17:06 *** dslev has joined #openstack-security
17:09 *** dslev has quit IRC
17:09 <openstackgerrit> Eric Brown proposed openstack/bandit: Enable pep8 testing on tests  https://review.openstack.org/267671
17:11 <elmiko> hyakuhei: i think we may have not sent a clear enough message about the ossp meeting being cancelled today
17:11 <hyakuhei> oh poop
17:11 <elmiko> yea, couple folks showed up. i think it's all good now though, we are meeting next week right?
17:11 <hyakuhei> welp. I guess it’s a bit late to fix things now.
17:12 <hyakuhei> Yeah next week as normal
17:12 <elmiko> yea, i told them what was up
17:12 <elmiko> ok, great
17:12 <hyakuhei> Cheers buddy, you’re a hero
17:12 <elmiko> hehe, right back at ya ;)
17:14 <michaelxin> elmiko: Thanks.
17:15 <michaelxin> We are breaking into two groups.
17:15 <michaelxin> One group is hacking bandit.
17:15 <michaelxin> Another group is working on bring your own key.
17:15 <openstackgerrit> Dave McCowan proposed openstack/bandit: Allow list of tests to skip to be specified on command line  https://review.openstack.org/267713
17:15 <michaelxin> You can find details at https://etherpad.openstack.org/p/cEA79A5fG1
17:16 *** pdesai1 has quit IRC
17:16 <elmiko> michaelxin: cool, thanks!
17:17 <elmiko> michaelxin: i think we can skip the hangout for this afternoon (at least for me), my schedule is kinda crazy today :/
17:17 <michaelxin> elmiko: sure.
17:17 <michaelxin> feel free to jump on the hangout now.
17:17 <michaelxin> discussion just started.
17:18 <michaelxin> https://talkgadget.google.com/hangouts/_/gz43wqtwiit4lu7uupm55yd3oma?authuser=0&hl=en
17:19 <elmiko> nice whiteboards at rackspace ;)
17:19 <elmiko> michaelxin: angle back up a little
17:25 <tmcpeak> tkelsey: https://review.openstack.org/#/c/267179/
17:29 *** salv-orlando has quit IRC
17:29 *** salv-orlando has joined #openstack-security
17:33 <elmiko> michaelxin: i got dropped...
17:36 <michaelxin> elmiko: can you try again?
17:36 <elmiko> trying now
17:36 <michaelxin> I can restart it.
17:36 <michaelxin> let me do that
17:37 <michaelxin> restarted.
17:37 <michaelxin> elmiko: Would you please try again
17:39 *** jhfeng has quit IRC
17:42 <openstackgerrit> Christopher J Schaefer proposed openstack/bandit: Improved unit test coverage for baseline module  https://review.openstack.org/267312
17:45 <openstackgerrit> Christopher J Schaefer proposed openstack/bandit: Improved unit test coverage for baseline module  https://review.openstack.org/267312
17:46 <openstackgerrit> Christopher J Schaefer proposed openstack/bandit: Improved unit test coverage for baseline module  https://review.openstack.org/267312
17:50 *** diazjf has quit IRC
17:50 *** jhfeng has joined #openstack-security
17:51 *** jhfeng has quit IRC
17:54 <tmcpeak> all: https://en.wikipedia.org/wiki/Shang_Tsung
17:54 <tmcpeak> elmiko = https://en.wikipedia.org/wiki/Shang_Tsung
17:55 <sigmavirus24> tmcpeak: elmiko http://www.thesilmarillionmovie.com/wp-content/uploads/2014/02/thorin_silmarillion_movie56.jpg
17:56 *** edtubill has quit IRC
17:57 *** edtubill has joined #openstack-security
17:58 <elmiko> tmcpeak, sigmavirus24, lol
18:00 *** jmckind has quit IRC
18:02 *** jhfeng has joined #openstack-security
18:02 *** jhfeng has quit IRC
18:10 *** ccie6747 has joined #openstack-security
18:15 *** sigmavirus24 is now known as sigmavirus24_awa
18:19 *** sigmavirus24_awa is now known as sigmavirus24
18:20 <mhayden> sigmavirus24: finally finished up with meetings -- someone said something about ansible stuff?
18:21 *** diazjf has joined #openstack-security
18:21 *** edtubill has quit IRC
18:22 <mhayden> michaelxin: hah, just saw your email
18:23 * mhayden is wandering down to the room
18:28 <browne> Cannot resolve file path for module sys
18:30 <sigmavirus24> https://hydra.nixos.org/build/27120534/nixlog/1/raw
18:30 <sigmavirus24> browne: ^
18:30 <elmiko> hyakuhei: when are you guys starting the threat analysis conversation?
18:30 *** jhfeng has joined #openstack-security
18:31 <hyakuhei> I’m hoping to do that in the AM tomorrow so that Doug Chivers can join us
18:31 <elmiko> ok, awesome. i left a bunch of comments for him
18:32 *** bpokorny has joined #openstack-security
18:32 <elmiko> michaelxin: gonna go afk for a few, i'll try to stay connected to the hangout and just rejoin when i get back
18:34 <openstackgerrit> Tim Kelsey proposed openstack/bandit: Adding a test for test id on test plugins  https://review.openstack.org/267700
18:40 <hyakuhei> hey mhayden I updated cathead to actually work with recent versions of anchor https://review.openstack.org/267762
18:41 <hyakuhei> Cathead is obviously not production ready but it’s simple enough to iterate on if you wanted to and can be configured to perform various actions when it grabs a fresh certificate etc
18:41 <mhayden> ORLY
18:41 <mhayden> is that "cat-head" or "ca-thead"?
18:42 <tmcpeak> it's cath-eee-ahd
18:42 <mhayden> fancy
18:42 <chair6> https://en.wikipedia.org/wiki/Cathead
18:43 <chair6> tmcpeak might be fancy, but according to google, it's "cat-head"
18:43 <openstackgerrit> Ian Cordasco proposed openstack/bandit: Add script to test bandit against projects at gate  https://review.openstack.org/267029
18:43 <mhayden> hyakuhei / tmcpeak: i found a good logo for it -> https://cdn.shopify.com/s/files/1/0224/1915/products/realistic-tabby-kitty-cat-head-shaped-vinyl-animal-photo-print-clutch-bag-dotoly_1024x1024.jpg?v=1398691200
18:43 <tmcpeak> welp, that's considerably less fun
18:43 <chair6> https://www.google.com/search?q=cathead&tbm=isch
18:43 <tmcpeak> mhayden: ship it!
18:44 <mhayden> just needs a green rectangle ;)
18:44 <tmcpeak> this'll do: http://www.thisiswhyimbroke.com/images/realistic-cat-head-mask.jpg
18:44 * hyakuhei shudders.
18:45 <mhayden> NOPE
18:45 <mhayden> NOPE
18:45 <mhayden> can't sleep now
18:45 <mhayden> thanks
18:47 *** diazjf has quit IRC
18:49 *** bpokorny_ has joined #openstack-security
18:50 *** bpokorny_ has quit IRC
18:51 *** bpokorny_ has joined #openstack-security
18:52 <sigmavirus24> http://www.openwall.com/lists/oss-security/2016/01/14/7 > tmcpeak
18:52 <sigmavirus24> mhayden: http://www.openwall.com/lists/oss-security/2016/01/14/7
18:53 *** bpokorny has quit IRC
18:53 <mhayden> sigmavirus24: thank goodness i use telnet
18:55 *** bpokorny_ has quit IRC
18:55 <openstackgerrit> Merged openstack/bandit: Adding a test for test id on test plugins  https://review.openstack.org/267700
18:56 *** bpokorny has joined #openstack-security
18:57 *** hyakuhei has quit IRC
19:01 *** bpokorny has quit IRC
19:03 *** diazjf has joined #openstack-security
19:05 *** jmckind has joined #openstack-security
19:06 <elmiko> given that we have anchor and cathead, the next ship themed project name needs to be Jibboom, imo. https://en.wikipedia.org/wiki/Jibboom
19:06 <openstackgerrit> Ian Cordasco proposed openstack/bandit: Add script to test bandit against projects at gate  https://review.openstack.org/267029
19:10 *** hyakuhei has joined #openstack-security
19:13 *** jmckind_ has joined #openstack-security
19:13 <sigmavirus24> tkelsey: so... if some of the projects we're adding to our gate are already failing, can we make them non-voting until they start passing?
19:13 <sigmavirus24> tkelsey: specifically I think sahara is failing /cc elmiko
19:13 <tkelsey> sigmavirus24: humm, seems like a good way to do it
19:14 <elmiko> sigmavirus24: +1, sahara probably won't be passing till close to mitaka final release (hopefully)
19:14 <tkelsey> yeah, makes sense, then we can turn them green as we go
19:14 <elmiko> i have a little more research to do about our usage of pickle and telnet
19:16 *** jmckind has quit IRC
19:19 <hyakuhei> Any thoughts on the best place to host a security blog?
19:20 <elmiko> can we have, blog.security.openstack.org?
19:20 <elmiko> or security.openstack.org/blog
19:20 <elmiko> probably though, we should talk with the doc folks about the best places
19:20 <elmiko> and for the styling as well
19:21 <sigmavirus24> review of https://review.openstack.org/267066 would be helpful
19:21 <elmiko> sigmavirus24: done
19:21 <sigmavirus24> Thanks elmiko
19:22 <elmiko> thanks to you as well sir =)
19:22 <sigmavirus24> Now to get infra to look at that and review it
19:24 <hyakuhei> The openstack people don’t want to host a security blog elmiko
19:25 <hyakuhei> I was pondering something like this: http://jekyllbootstrap.com/
19:25 <elmiko> yea, jekyll is nice and easy. i'm curious, should we steer away from using the official openstack theme though?
19:26 *** jhfeng has quit IRC
19:26 <elmiko> we could certainly make a project with rst docs for the blog posts and go that route
19:26 <sigmavirus24> hyakuhei: jekyll would be easy
19:26 <sigmavirus24> elmiko: we could do a blog ins phinx too
19:26 <elmiko> hyakuhei: or, are you saying we should host at jekyllbootstrap.com?
19:27 <sigmavirus24> *sphinx
19:27 <sigmavirus24> elmiko: I don't think they host blogs there
19:27 <sigmavirus24> it would be something.github.io potentially
19:27 <hyakuhei> We have an openstack-security org in github I think
19:27 <elmiko> sigmavirus24: my reasoning for staying to rst/sphinx is that we can reuse the openstacktheme
19:27 <hyakuhei> yeh https://github.com/openstack-security
19:27 <sigmavirus24> elmiko: I get that. I don't know if we want to
19:27 <sigmavirus24> Or if we would be allowed to
19:27 <elmiko> so, openstack-security.github.io then?
19:27 <hyakuhei> So hopefully a openstack-security.hgithub.com
19:27 <elmiko> sigmavirus24: ah, ok
19:27 <hyakuhei> yeh
19:28 <sigmavirus24> So https://github.com/openstack-security/openstack-security.github.io powers openstack-security.github.io
19:28 <elmiko> i don't have an objection to that
19:28 <elmiko> yea, i have a github pages blog =)
19:28 <hyakuhei> We have some content there at the moment that is now replicated elsewhere
19:28 <hyakuhei> excellent
19:28 <elmiko> hyakuhei: do you envision us using the github review process for submissions?
19:28 <sigmavirus24> Yeah no objection from me either
19:28 <hyakuhei> elmiko: that or reviewable yeah
19:28 <sigmavirus24> elmiko: possibly reviewable.io I think hyakuhei said
19:29 <hyakuhei> ^
19:29 <elmiko> ah, cool
19:29 <elmiko> sounds good to me, ship it!
19:29 <sigmavirus24> there's also gerrithub.io but I think reviewable.io is nicer
19:29 <sigmavirus24> We can also have Travis CI build stuff to make sure there are no build errors
19:29 <hyakuhei> Ok, so I’ll try the bootstrap and see if I can JFDI
19:29 <elmiko> i've used gerrithub, have not tried reviewable
19:29 <hyakuhei> meanwhile, let me know what your github IDs are.
19:29 <elmiko> elmiko >.<
19:29 <sigmavirus24> hyakuhei: same as irc nick
19:32 <sigmavirus24> mvaldes: also http://logs.openstack.org/47/267747/1/check/gate-bandit-linters/c65d34e/console.html#_2016-01-14_18_26_08_934
19:39 *** jhfeng has joined #openstack-security
19:39 <sigmavirus24> ┐('~`)┌
19:40 <sigmavirus24> http://docs.openstack.org/developer/openstack-ansible-security/
19:40 <browne> ¯\_(ツ)_/¯
19:41 <hyakuhei> http://openstack-security.github.io/
19:41 <hyakuhei> whoo
19:42 *** mvaldes has quit IRC
19:43 <sigmavirus24> (☞゚ヮ゚)☞
19:46 <elmiko> haha, awesome
19:46 <elmiko> hyakuhei: sweet, _1
19:46 <elmiko> er +1 even
19:48 <hyakuhei> Ok, so reviewable is plugged into it too
19:50 *** jhfeng has quit IRC
19:51 *** ccie6747 has quit IRC
19:56 *** jmckind has joined #openstack-security
19:57 *** jhfeng has joined #openstack-security
19:58 <sigmavirus24> elmiko: seriously, did you like gerrithub?
19:59 *** jmckind_ has quit IRC
19:59 <elmiko> sigmavirus24: i haven't used it enough to have a strong opinion. it was passable.
19:59 <sigmavirus24> mhm
19:59 <elmiko> looking at reviewable.io, i've got some learning to do ;)
20:00 <openstackgerrit> Merged openstack/bandit: Changing config generator to display options  https://review.openstack.org/267179
20:00 <sigmavirus24> elmiko: it's a lot like gerrit but made for the modern web
20:00 <elmiko> sigmavirus24: cool, first thing i need to do is figure out how to see openstack-security.gh.io ... lol
20:01 <elmiko> is there a layover for reviewable that can be seen from within github?
20:02 * elmiko claps
20:02 <openstackgerrit> Michael Dong proposed openstack/syntribos: modified SQL tests  https://review.openstack.org/267795
20:06 <openstackgerrit> Eric Brown proposed openstack/bandit: Enable pep8 testing on tests  https://review.openstack.org/267671
20:06 *** Ryan_Lane has joined #openstack-security
20:07 <Ryan_Lane> with bandit is it possible to return more than one issue per check?
20:07 <elmiko> Ryan_Lane: do you mean, per test that is run, or for each overall run?
20:07 <Ryan_Lane> I'm iterating over a list of args and would like to return an issue on each arg that has an issue
20:08 <elmiko> ah, that may be a question for tkelsey, tmcpeak, sigmavirus24, browne ^^
20:09 <tkelsey> hey Ryan_Lane sorry we don't support that just yet :( it would be handy to have though
20:09 <Ryan_Lane> I guess I could iterate over the args and combine them into a single issue, but I was hoping to just return a list of issues
20:09 <Ryan_Lane> L'(
20:09 <Ryan_Lane> err :'(
20:09 <elmiko> i smell a bandit feature... ;)
20:09 <tkelsey> heh yeah, it would be nice to have. We can put it on our backlog though :)
20:09 <Ryan_Lane> I'm writing a plugin right now ;)
20:09 <tkelsey> elmiko: +1
20:10 <tkelsey> Ryan_Lane: awesome
20:10 <elmiko> \o/ Ryan_Lane++
20:10 <Ryan_Lane> it's a check for hardcoded passwords
20:10 <Ryan_Lane> I know there's already a plugin for this... but this one does different things
20:10 <elmiko> ah, cool
20:10 <sigmavirus24> Ryan_Lane: what kind of different things?
20:11 <Ryan_Lane> it doesn't just look at targets and report back possible bad strings
20:11 *** jmckind_ has joined #openstack-security
20:11 <Ryan_Lane> it checks every string
20:11 <Ryan_Lane> and looks at its entropy
20:11 <Ryan_Lane> then bumps confidence and severity different directions based on different conditions
20:12 <tkelsey> Ryan_Lane: so we had some tests that looked at every string, but they were really noisy ... so would be interesting to see how yours turns out
20:12 <Ryan_Lane> so if the targets have things like "key, password, secret, etc" in it, it gets a +1 to confidence. if the caller is considered a safe source, it gets a -1 to confidence
20:13 <Ryan_Lane> if it's a flagged string (like re.compile('^AKIA')), it gets a 3/3 for confidence/severity
20:13 <Ryan_Lane> or "BEGIN RSA PRIVATE KEY"
20:13 *** jmckind has quit IRC
20:13 <Ryan_Lane> I'm fighting the noise with large numbers of regexes that match common things like imports, filenames, etc.
20:20 <openstackgerrit> Dave McCowan proposed openstack/security-doc: Add OSSN-0063  https://review.openstack.org/267800
20:21 <openstackgerrit> Ian Cordasco proposed openstack/bandit: Improved unit test coverage for baseline module  https://review.openstack.org/267312
20:21 <openstackgerrit> Ian Cordasco proposed openstack/bandit: Move cli modules into their own submodule  https://review.openstack.org/267190
20:21 <openstackgerrit> Ian Cordasco proposed openstack/bandit: Remove unnecessary absolute_import logic from modules  https://review.openstack.org/267192
20:22 <sigmavirus24> Let's approve https://review.openstack.org/#/c/267190/5 so we can stop rebasing that entire dependency chain tmcpeak  :P
20:22 <tmcpeak> sigmavirus24: sounds good
20:22 <sigmavirus24> cjschaef: I took care of your patch in that chain too
20:22 <cjschaef> awesome, I was just working to figure that out
20:23 <tmcpeak> tkelsey: https://review.openstack.org/#/c/267190/5
20:30 <openstackgerrit> OpenStack Proposal Bot proposed openstack/anchor: Updated from global requirements  https://review.openstack.org/255546
20:33 <sigmavirus24> browne: https://github.com/ansible/ansible/issues/13873
20:34 *** jhfeng has quit IRC
20:38 <openstackgerrit> Dave McCowan proposed openstack/bandit: Allow list of tests to skip to be specified on command line  https://review.openstack.org/267713
20:39 *** jhfeng has joined #openstack-security
20:43 <openstackgerrit> Merged openstack/bandit: Move cli modules into their own submodule  https://review.openstack.org/267190
20:43 <openstackgerrit> Merged openstack/bandit: Improved unit test coverage for baseline module  https://review.openstack.org/267312
20:43 <openstackgerrit> Merged openstack/bandit: Remove unnecessary absolute_import logic from modules  https://review.openstack.org/267192
20:43 *** timkennedy1 has joined #openstack-security
20:44 <elmiko> have fun tonight gang, i'm signing out. see ya in the morning =)
20:45 <sigmavirus24> Later elmiko
20:45 <sigmavirus24> Enjoy your evening
20:45 <elmiko> likewise sigmavirus24!
20:47 *** timkennedy has quit IRC
20:50 <sigmavirus24> https://twitter.com/jcpoulard/status/305084997386252288
20:50 <openstackgerrit> Dave McCowan proposed openstack/security-doc: Add OSSN-0063  https://review.openstack.org/267800
20:51 <sigmavirus24> tmcpeak: " Merge "Remove unnecessary absolute_import logic from modules""
20:51 <openstackgerrit> Michael Dong proposed openstack/syntribos: modified SQL tests  https://review.openstack.org/267795
20:53 <sigmavirus24> tmcpeak: "git reset --hard origin/master"
20:54 <sigmavirus24> browne: git clean -Xf
20:56 <openstackgerrit> Eric Brown proposed openstack/bandit: Enable pep8 testing on tests  https://review.openstack.org/267671
20:58 <openstackgerrit> Matt Valdes proposed openstack/bandit: Split yaml blacklist check into its own file  https://review.openstack.org/267747
20:59 <tmcpeak> sigmavirus24: https://review.openstack.org/#/c/267671/4
21:00 *** mvaldes has joined #openstack-security
21:00 *** ccneill has joined #openstack-security
21:00 <sigmavirus24> tkelsey: python -m testtools.run  TestId
21:01 <ccneill> o/ is there still a google hangout going on?
21:01 <ccneill> my voice is still shot, but I can at least listen along..
21:02 <sigmavirus24> ccneill: mvaldes said he'd be happy to let you do a hang out with us
21:02 <sigmavirus24> we're all being very quiet
21:05 <ccneill> cool, well if anyone has a second to catch me up on all that I've missed, I just started a hangout: https://hangouts.google.com/call/or4zlquyu32nqycra4ruzz4qvya
21:05 *** bpokorny has joined #openstack-security
21:08 <sigmavirus24> hyakuhei: where did you put the twitter theme?
21:08 <sigmavirus24> into assets or _theme_packages?
21:08 <mvaldes> ccneill: there are minimal session notes in the etherpad
21:08 <sigmavirus24> ccneill: mute :P
21:08 <ccneill> haha will do
21:09 <mvaldes> to catch up a bit
21:09 <mvaldes> mcdong is going over syntribos atm
21:09 <sigmavirus24> hyakuhei: found the docs
21:09 <ccneill> cool cool. link to the etherpad? I'm on my personal laptop right now
21:10 <mvaldes> https://etherpad.openstack.org/p/security-mitaka-midcycle
21:10 <ccneill> <3
21:11 *** timkennedy has joined #openstack-security
21:15 *** timkennedy1 has quit IRC
21:17 <sigmavirus24> hyakuhei: https://github.com/openstack-security/openstack-security.github.io/tree/master/_theme_packages looks a bit ... odd
21:17 <sigmavirus24> but it built locally just fine for me
21:17 *** jhfeng has quit IRC
21:18 <hyakuhei> Yeah, it works locally for me too but not upstream
21:18 <openstackgerrit> Merged openstack/bandit: Enable pep8 testing on tests  https://review.openstack.org/267671
21:18 <hyakuhei> I get an error from github in my email that points to https://help.github.com/articles/page-build-failed-missing-submodule/
21:22 <Ryan_Lane> is anchor going to be usable outside of the openstack ecosystem?
21:24 <ccneill> mvaldes: is there current/planned support for xunit?
21:25 <ccneill> can't remember if the cafe runner supports it out of the box
21:25 *** jhfeng has joined #openstack-security
21:26 <hyakuhei> Ryan_Lane: Yup
21:26 <Ryan_Lane> how does it compare to lemur?
21:26 *** jhfeng has quit IRC
21:26 <hyakuhei> It plays nice with OpenStack (oslo logging, keystone tokens) but it’s not tightly coupled
21:26 <hyakuhei> No idea
21:26 <hyakuhei> Ah yeah, Lemur and Anchor are completely different projects, Lemur is really about managing certs.
21:26 <Ryan_Lane> hm. what's anchor's main purpose?
21:27 <Ryan_Lane> maintaining internal PKI infrastructure?
21:27 <hyakuhei> To issue short life certificates in an automated way.
21:27 <Ryan_Lane> gotcha
21:27 <elmiko> sigmavirus24, hyakuhei, how are you guys building ghpages stuff locally, because iirc, they have a different version of jekyll running at gh than what is available in the ruby gem stuff
*** jhfeng has joined #openstack-security21:27
hyakuheijekyll serve21:27
sigmavirus24elmiko: oh that might be the problem21:27
elmikodid you get jekyll from the gems?21:27
sigmavirus24elmiko: yes21:27
elmiko(it's probably too new)21:27
Ryan_Lane@hyakuhei does it have the ability to also rotate the CA often?21:27
Ryan_Lanelike ephemeral overlapping CAs?21:27
elmiko1sec, i have a container project that build ghpages stuff. i'll grab the link21:27
Ryan_Laneslack is ruining me. I use @ in irc now :(21:27
hyakuheiIt’s very light weight so you could do that pretty trivially yeah.21:27
mvaldesccneill: there can be :)21:27
hyakuheiIt supports running multiple roots21:27
ccneillmvaldes: haha somehow I knew you'd say that..21:27
browneRyan_Lane: Slack is the best21:27
sigmavirus24tkelsey: python -m testtools.discover [--list-tests maybe?]21:27
Ryan_Lane:D21:27
elmikosigmavirus24, hyakuhei, check this project out https://github.com/Starefossen/docker-github-pages21:28
hyakuheilemur might make more sense as a anchor client21:29
*** sonuk has joined #openstack-security21:30
Ryan_Lanehyakuhei: hm. so you specify a ca and how long it's valid for?21:31
Ryan_Laneso I could specify two CAs with 24 hour vailidity and it'll re-generate each CA every 24 hours?21:32
Ryan_Lanethen clients request certs from the service?21:32
ccneillmvaldes: would you tell jgibbs I like the bandit+syntribos idea a lot? O:-)21:32
hyakuheiGenerally speaking it’s the ceritficates it provides that are ephemeral rather than the CA21:32
hyakuheibecause swapping out the root on every box in your infra is going to get messy21:32
Ryan_Lanewell, that's the idea of having multiple overlapping CAs21:33
ccneillmvaldes: not super interesting for ints/floats in python maybe, but regexes might be fun :)21:33
Ryan_Laneensure you always have the current and new CAs, then when your cert is about to expire, request a new cert from the new CA21:33
tkelseysigmavirus24: FYI "python -m testtools.run discover --list"21:33
Ryan_Lanehyakuhei: the basic idea is that I don't trust any node and want CAs to be short lived, like certs21:34
Ryan_Laneso if anyone that had access to the CA leaves, it doesn't matter. it's going to expire soon anyway21:34
hyakuheiSo you could rotate CAs within within Anchor easily enough21:34
hyakuheiand as it supports multiple CAs you can have overlap21:35
hyakuheiwhich you’ll need21:35
*** timkennedy1 has joined #openstack-security21:35
Ryan_Lanecool. would I need to make a new backend, or just do occasionally restarts?21:35
Ryan_Lanerestarts would be non-fun :)21:35
Ryan_Laneanother fun use of this is ssh-ca21:36
Ryan_Lanehave an electron client that lives on your clients that connects to a web service protected by SSO. when it's launched, it goes through the sso flow and downloads a short-lived cert21:37
*** timkennedy has quit IRC21:37
hyakuheiSo the blog theme works now, it required the addition of a .gitmodules file.21:38
sigmavirus24hyakuhei: that was going to be my guess21:39
hyakuheiEasy to say after the fact ;)21:39
*** shakamunyi has quit IRC21:40
openstackgerritEric Brown proposed openstack/bandit: Update readme with latest changes  https://review.openstack.org/26728121:40
elmikohyakuhei: nice!21:41
hyakuheiIf anyone has good photos from this week could you send them over to me please?21:45
*** diazjf has quit IRC21:45
*** jhfeng has quit IRC21:45
openstackgerritMatt Valdes proposed openstack/bandit: Split yaml blacklist check into its own file  https://review.openstack.org/26774721:46
*** jamielennox|away is now known as jamielennox21:49
openstackgerritMerged openstack/bandit: Split yaml blacklist check into its own file  https://review.openstack.org/26774721:58
*** winterIsLeaving has joined #openstack-security21:59
openstackgerritEric Brown proposed openstack/bandit: Update readme with latest changes  https://review.openstack.org/26728122:00
openstackgerritMerged openstack/bandit: Pretty up the plugin documentation  https://review.openstack.org/26725422:02
elmikosigmavirus24, hyakuhei, so is the site building locally for you guys?22:04
hyakuheiyup, seems to be building on Github too22:05
elmikoyea, saw that gh was working22:06
elmikocool22:06
sigmavirus24elmiko: it is22:07
sigmavirus24elmiko: 'gem install github-pages'22:07
elmikosigmavirus24: i'll try that again, i had huge issues getting my personal site to work with that stuff22:07
elmikohence, why i went with the docker solution22:07
openstackgerritDave McCowan proposed openstack/bandit: Allow list of tests to skip to be specified on command line  https://review.openstack.org/26771322:07
elmikosigmavirus24: do you know if ruby has something like python virtualenvs?22:08
sigmavirus24elmiko: rvm, chruby, ruby-env22:08
sigmavirus24 *rbenv22:08
elmikois there a "winner" amongst those? (ruby noob here)22:09
*** salv-orl_ has joined #openstack-security22:09
dave-mcc_hyakuhei rob, will you please chime in on this review: https://review.openstack.org/#/c/266680/    there's some debate on if this should be backported.22:09
sigmavirus24elmiko: depends on who you ask22:10
hyakuheisure22:10
elmikosigmavirus24: gotcha, i'll mess around then ;)22:10
sigmavirus24elmiko: I prefer rvm but it's a bunch of bash hacks that fubar your path22:11
sigmavirus24rbenv is the parent of pyenv (if you've ever used that)22:11
elmikohmm, that sounds undesirable22:11
sigmavirus24never buggered with chruby22:11
openstackgerritEric Brown proposed openstack/bandit: Add missing automodule doc for yaml_load  https://review.openstack.org/26783922:11
*** salv-orlando has quit IRC22:12
hyakuheitmcpeak: https://github.com/openstack-security/openstack-security.github.io22:13
*** timkennedy has joined #openstack-security22:15
sigmavirus24https://github.com/blog#continued-worktree-improvements22:18
*** timkennedy1 has quit IRC22:18
hyakuheidave-mcc_: done.22:19
sigmavirus24https://review.openstack.org/267713 tkelsey22:24
*** dave-mcc_ has quit IRC22:25
openstackgerritMerged openstack/bandit: Allow list of tests to skip to be specified on command line  https://review.openstack.org/26771322:26
*** ccneill has quit IRC22:26
openstackgerritEric Brown proposed openstack/bandit: Update readme with latest changes  https://review.openstack.org/26728122:31
hyakuheielmiko: Can you attempt to get a post up on the blog please? Doesn’t have to be any more than a hello world. I’m having local issues.22:31
elmikohyakuhei: ack, mtg currently, but i'll give it a shot in about 20mn22:36
hyakuheiDanke22:36
Davieyhyakuhei: a summary of the week would be really interesting aswell :)22:44
hyakuheiWe’ve already cut an internal one (HP propaganda) so we’ll share something similar more widely tomorrow :)22:45
Davieyhyakuhei: well hopefully content heavy, not marketing heavy. :)22:45
hyakuheiThey’re not the same thing?22:46
DavieyOh You.22:46
*** ninag has quit IRC22:53
elmikohyakuhei: https://openstack-security.github.io/test/2016/01/14/security-is-fun/22:53
*** ninag has joined #openstack-security22:54
*** jmckind_ has quit IRC22:54
hyakuheielmiko: oh cool. What did you do to make the theme work?22:54
hyakuheiWhen I try to create a page it doesn’t set the theme correctly.22:55
elmikoweird..22:56
elmikodid you set the layout to post?22:56
hyakuheiYeah I think so, I’m just going to copy yours from now on anyway :D22:56
elmikohaha, fair22:56
sigmavirus24https://github.com/heiswayi/the-plain22:57
*** ninag has quit IRC22:58
*** hyakuhei has quit IRC22:58
*** tmcpeak has quit IRC22:59
*** browne has quit IRC22:59
*** sigmavirus24 is now known as sigmavirus24_awa22:59
*** cjschaef has quit IRC22:59
*** tkelsey has quit IRC23:02
*** mvaldes has quit IRC23:04
*** sonuk has quit IRC23:05
*** bpokorny_ has joined #openstack-security23:17
*** bpokorny has quit IRC23:20
*** ccneill has joined #openstack-security23:24
Ryan_Laneis it possible to disable a specific bandit check on a line of code? I see a lot of the tests have test numbers associated with them23:25
*** Mainus has joined #openstack-security23:26
*** ninag has joined #openstack-security23:28
*** ccneill has quit IRC23:28
DavieyRyan_Lane: Add #nosec to the line23:30
*** Mainus has quit IRC23:30
*** ninag has quit IRC23:32
Ryan_LaneDaviey: that disables all bandit checks23:32
Ryan_LaneI'd like to disable only one particular check23:33
DavieyRyan_Lane: Ah, i don't think you can do that.... jut disable the entire test for everything, or the entire line for each test.23:34
Ryan_Lanefor instance, something like #no-b10323:34
Ryan_Laneor #nosec-b10323:34
Ryan_Laneor something along those lines23:34
elmikoi like that Ryan_Lane has come up with 2 features already =)23:46
Ryan_Lanewell, I'm at a point where I have some false-positives that look like they would actually be real secrets and would like to mark them as not secrets :)23:48
Ryan_Lanebut I don't want to disable other checks, because maybe it has some other security flaw23:49
elmikoyea, makes sense23:49
Ryan_Lanereally liking bandit for the most part so far, though :)23:51
elmiko\o/23:51
Ryan_Lanebasically just an easy way to walk through an AST23:51

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!