Thursday, 2016-01-21

Ryan_Lane	thanks	00:00
Ryan_Lane	needs work with the regexes and safe functions, but I think it's a good start	00:00
*** bpokorny_ has joined #openstack-security		00:00
*** dave-mccowan has joined #openstack-security		00:03
*** bpokorny has quit IRC		00:04
tmcpeak	Ryan_Lane: I'm going to have a play with it now	00:05
Ryan_Lane	cool :) feel free to send in PRs	00:05
Ryan_Lane	we do require a CLA, though	00:05
Ryan_Lane	the joys of the law	00:06
*** elo has joined #openstack-security		00:06
Ryan_Lane	also feel free to open issues :)	00:06
*** ccneill_ has joined #openstack-security		00:14
tmcpeak	Ryan_Lane: cool, running against a bunch of things	00:15
tmcpeak	will hopefully find bugs, issues, or both	00:15
*** austin987 has quit IRC		00:15
Ryan_Lane	cool :)	00:16
tmcpeak	Ryan_Lane: have you seen this one? AttributeError: 'Name' object has no attribute 's'	00:16
Ryan_Lane	nope	00:16
Ryan_Lane	I'm probably not skipping names somewhere	00:17
tmcpeak	Ryan_Lane: jk, that's actually not your issue :P	00:17
Ryan_Lane	ah. heh	00:17
tmcpeak	it's got to do with tkelsey's refactor	00:17
Ryan_Lane	I ran against 0.17.0	00:18
Ryan_Lane	you'll likely see a bunch of warnings about not being able to determine the entropy	00:18
*** ccneill_ has quit IRC		00:18
Ryan_Lane	very large strings will trigger that. I haven't decided what to do about that	00:19
Ryan_Lane	I currently mark it as 0 entropy, because if it's that large, it's probably not a secret.	00:19
*** woodrow has joined #openstack-security		00:22
*** elo has quit IRC		00:23
tmcpeak	how large?	00:25
Ryan_Lane	not sure. pretty large, though	00:25
Ryan_Lane	it also throws errors on unicode	00:25
Ryan_Lane	which is generally unlikely to be a secret	00:25
tmcpeak	we'd want to make sure it catches RSA private keys etc	00:25
Ryan_Lane	I flag those immediately	00:26
tmcpeak	ahh cool	00:26
Ryan_Lane	anything that matches a flagged regex gets 3/3 confidence/severity	00:26
*** elo has joined #openstack-security		00:26
tmcpeak	cool, makes sense as long as regex's are tight enough	00:27
Ryan_Lane	yep. they're a bit loose right now	00:28
Ryan_Lane	ah. you mean for flags?	00:28
Ryan_Lane	yeah, the flags are pretty good right now	00:28
Ryan_Lane	the discounts, not so much.	00:29
*** austin987 has joined #openstack-security		00:31
*** jhfeng has joined #openstack-security		00:34
*** jhfeng has quit IRC		00:37
*** ccneill_ has joined #openstack-security		00:37
tmcpeak	ahh ok, so loose discounts would lead to false negatives?	00:39
tmcpeak	a general design goal of Bandit has been to reduce false negatives as much as possible. If anything false positives can be sifted through and filtered out. That being said, you're free to write it whichever way is most useful to you :)	00:40
*** jhfeng has joined #openstack-security		00:41
*** markvoelker_ has quit IRC		00:41
*** jhfeng has quit IRC		00:45
*** bpokorny_ has quit IRC		00:55
*** bpokorny has joined #openstack-security		00:55
*** bpokorny has quit IRC		01:01
*** salv-orlando has quit IRC		01:09
Ryan_Lane	tmcpeak: yeah	01:16
Ryan_Lane	the ideal is to have the discounts as accurate as possible	01:17
tmcpeak	cool, that's the kind of thing we could tweak with time too	01:17
Ryan_Lane	the issue here is that secrets are generally high entropy, which makes them difficult to identify	01:17
Ryan_Lane	so it's easier to filter out the crap you can	01:17
Ryan_Lane	and everything you can't match gets a higher confidence	01:18
tmcpeak	yeah, that makes sense	01:18
Ryan_Lane	we also go with the approach you folks had in the original test where it checks the targets	01:18
tmcpeak	I guess with the hardcoded password stuff we're going to miss stuff by definition. High quality results are more likely to find issues than a bunch of low quality results that will eventually be disabled	01:18
Ryan_Lane	indeed	01:18
*** elo has quit IRC		01:19
Ryan_Lane	that was my thought process. our devs aren't going to be willing to sift through a bunch of false negatives in the hopes of finding something	01:19
Ryan_Lane	so, yeah. ideally going to tighten the discount regexs enough to where they don't weed out legitimate secrets	01:20
Ryan_Lane	and have enough to where we can filter out likely known good strings	01:20
Ryan_Lane	I've also been considering adding scikit to this	01:20
Ryan_Lane	but I need my girlfriend to teach me how to use it effectively for this particular case. I'm only good at the really basic use-case for that :D	01:21
tmcpeak	oooh, that would be cool	01:22
Ryan_Lane	yeah. the idea would be to build a model that we can tweak	01:22
Ryan_Lane	use svm for classification	01:22
tmcpeak	we'd need a training set from somewhere too	01:22
Ryan_Lane	yep. we'll likely need to generate that ;)	01:23
tmcpeak	could be a huge manual slog.. would be easier if we could feed it a password set	01:23
tmcpeak	passwords and non password strings	01:24
Ryan_Lane	ah. true	01:24
tmcpeak	that would be cool	01:24
Ryan_Lane	yep	01:24
tmcpeak	looks pretty simple to implement something like that: http://scikit-learn.org/stable/auto_examples/classification/plot_digits_classification.html	01:26
*** elo has joined #openstack-security		01:27
Ryan_Lane	yeah, doing something with bag of words is easy	01:27
tmcpeak	I read this book over the break where he was doing everything in Excel :P	01:27
Ryan_Lane	:D	01:27
Ryan_Lane	hm. does setuptools work correctly if you pip install -e ?	01:28
Ryan_Lane	to a git+https remote?	01:28
tmcpeak	yeah, it doesn't look like it	01:29
* Ryan_Lane grumbles		01:29
Ryan_Lane	it works if you git clone then pip install -e .	01:29
Ryan_Lane	I guess I'll need to publish this to pypi :(	01:29
tmcpeak	oh you know what?	01:29
tmcpeak	I think it's because we're now discarding all tests without IDs	01:29
tmcpeak	you'll need to add some IDs	01:30
Ryan_Lane	oh?	01:30
tmcpeak	maybe test with 9xx	01:30
Ryan_Lane	ok	01:30
Ryan_Lane	maybe a different letter prefix?	01:30
Ryan_Lane	be- maybe?	01:30
tmcpeak	true	01:30
tmcpeak	what's the e for?	01:31
tmcpeak	extension?	01:31
Ryan_Lane	extension	01:31
Ryan_Lane	maybe bp	01:31
Ryan_Lane	for plugin?	01:31
tmcpeak	yeah, we should come up with some way to make sure plugins don't step on eachother	01:31
tmcpeak	BPxx sounds good for now	01:31
tmcpeak	as a temporary	01:31
tmcpeak	we should probably have a list of assignments on the wiki or something	01:32
Ryan_Lane	more of an issue when it's possible to do something like # nosec-BP100	01:32
tmcpeak	yeah, you nosec out somebody else's plugin by accident, etc	01:32
Ryan_Lane	yep	01:32
tmcpeak	allright I'm off for the night, catch you later	01:35
Ryan_Lane	see ya	01:35
*** tmcpeak has quit IRC		01:35
*** elo has quit IRC		01:52
*** elo has joined #openstack-security		01:54
*** ccneill_ has quit IRC		02:05
*** eric_lopez has joined #openstack-security		02:10
*** elo has quit IRC		02:12
*** bpokorny has joined #openstack-security		02:48
*** eric_lopez has quit IRC		03:07
*** tricksters has joined #openstack-security		03:08
*** agireud has quit IRC		03:11
*** agireud has joined #openstack-security		03:15
*** bpokorny_ has joined #openstack-security		03:17
*** bpokorny has quit IRC		03:21
*** _et_ has quit IRC		03:21
*** bpokorny_ has quit IRC		03:22
*** browne has quit IRC		03:25
*** tricksters has quit IRC		03:26
*** elo has joined #openstack-security		03:26
*** agireud has quit IRC		03:27
*** eric_lopez has joined #openstack-security		03:46
*** elo has quit IRC		03:46
*** agireud has joined #openstack-security		03:52
*** austin987 has quit IRC		04:10
*** eric_lopez has quit IRC		04:15
*** browne has joined #openstack-security		04:18
*** browne has quit IRC		04:28
*** browne has joined #openstack-security		04:29
*** bpokorny has joined #openstack-security		04:38
*** browne has quit IRC		04:40
*** markvoelker has joined #openstack-security		05:07
*** markvoelker has quit IRC		05:12
*** markvoelker has joined #openstack-security		05:12
*** yuanying has joined #openstack-security		05:32
*** yuanying_ has quit IRC		05:36
*** dave-mccowan has quit IRC		05:57
*** markvoelker_ has joined #openstack-security		06:01
*** markvoelker has quit IRC		06:05
*** markvoelker has joined #openstack-security		06:05
*** markvoelker_ has quit IRC		06:06
*** bpokorny has quit IRC		06:12
*** liverpooler has quit IRC		06:19
openstackgerrit	venkatamahesh proposed openstack/security-doc: Fix rst markups https://review.openstack.org/258846	06:25
*** agireud has quit IRC		07:04
openstackgerrit	KATO Tomoyuki proposed openstack/security-doc: Fix rst markups https://review.openstack.org/258846	07:15
*** agireud has joined #openstack-security		07:16
*** rcernin has joined #openstack-security		07:20
*** shohel has joined #openstack-security		07:21
*** ccneill has joined #openstack-security		07:24
*** ccneill has quit IRC		07:41
*** shohel has quit IRC		07:50
*** shohel has joined #openstack-security		07:52
*** liverpooler has joined #openstack-security		07:54
*** liverpooler has quit IRC		07:55
*** liverpooler has joined #openstack-security		07:55
*** austin987 has joined #openstack-security		07:59
*** agireud has quit IRC		08:35
*** agireud has joined #openstack-security		08:47
*** agireud has quit IRC		09:05
*** agireud has joined #openstack-security		09:09
*** markvoelker has quit IRC		09:12
*** markvoelker has joined #openstack-security		09:42
*** markvoelker has quit IRC		09:48
*** openstackgerrit has quit IRC		10:02
*** openstackgerrit has joined #openstack-security		10:02
*** markvoelker has joined #openstack-security		10:39
*** markvoelker has quit IRC		10:44
*** markvoelker has joined #openstack-security		11:34
*** markvoelker has quit IRC		11:39
*** dave-mccowan has joined #openstack-security		12:17
*** markvoelker has joined #openstack-security		12:29
openstackgerrit	Tim Kelsey proposed openstack/bandit: Adding some test coverage for config_generator https://review.openstack.org/270772	12:34
*** markvoelker has quit IRC		12:35
*** jamielennox is now known as jamielennox\|away		13:07
*** markvoelker has joined #openstack-security		13:24
*** alejandrito has joined #openstack-security		13:26
*** markvoelker has quit IRC		13:29
*** markvoelker has joined #openstack-security		13:50
*** markvoelker has quit IRC		13:53
*** markvoelker has joined #openstack-security		13:53
*** ninag has joined #openstack-security		13:53
*** markvoelker has quit IRC		13:57
*** markvoelker has joined #openstack-security		13:59
*** edmondsw has joined #openstack-security		14:08
*** alejandrito has quit IRC		14:26
*** dslev has joined #openstack-security		14:39
*** jmckind has joined #openstack-security		14:42
openstackgerrit	Tim Kelsey proposed openstack/bandit: Fixing a bug and cleaning up in blacklisting code https://review.openstack.org/270838	14:48
*** avarner has joined #openstack-security		14:49
*** liverpooler has quit IRC		14:50
*** sigmavirus24_awa is now known as sigmavirus24		15:03
elmiko	hey sigmavirus24, i really appreciate your comments on https://review.openstack.org/#/c/258846	15:03
elmiko	do you think it's worth holding this review up to get it broken up more? (i'm leaning towards giving it +2 with a strongly worded comment about future patches)	15:06
*** cjschaef has joined #openstack-security		15:06
openstackgerrit	Tim Kelsey proposed openstack/bandit: Cleaning code https://review.openstack.org/270852	15:11
*** jhfeng has joined #openstack-security		15:15
*** shohel has quit IRC		15:18
*** tmcpeak has joined #openstack-security		15:26
*** cjschaef has quit IRC		15:26
*** cjschaef has joined #openstack-security		15:26
openstackgerrit	Tim Kelsey proposed openstack/bandit: Fixing a bug and cleaning up in blacklisting code https://review.openstack.org/270838	15:29
*** wenwei has quit IRC		15:30
*** markvoelker has quit IRC		15:38
*** jmckind has quit IRC		15:41
*** jmckind has joined #openstack-security		15:43
*** diazjf has joined #openstack-security		16:00
*** markvoelker has joined #openstack-security		16:01
*** rcernin has quit IRC		16:09
elmiko	sigmavirus24: any thoughts about that review?	16:10
sigmavirus24	elmiko: beyond the -1 I left?	16:10
elmiko	yea, like, should we work to get it broken up?	16:11
elmiko	i'm at a loss here, i totally agree with what you said, but i don't want to be overly nit-picky since KATO seems ok with it	16:11
elmiko	but i mean, everything you said + no bug in the commit message... i dunno, i feel like consistency/self-control is being lost on this patch	16:12
sigmavirus24	elmiko: exactly	16:12
elmiko	and given the content of the patch i don't feel it's worth getting into some giant breakdown about it... /sigh	16:13
elmiko	sicarie: ping	16:14
tmcpeak	giant breakdowns are always fun :D	16:15
elmiko	heh	16:16
*** browne has joined #openstack-security		16:29
*** ccneill_ has joined #openstack-security		16:42
*** bpokorny has joined #openstack-security		16:44
*** rcernin has joined #openstack-security		16:49
*** ccneill_ is now known as ccneill		16:49
*** bpokorny has quit IRC		16:51
*** bpokorny has joined #openstack-security		16:52
openstackgerrit	Henry Yamauchi proposed openstack/bandit: Broken link in file mako_templates.py https://review.openstack.org/270918	16:53
*** bpokorny has quit IRC		16:53
*** mvaldes has joined #openstack-security		16:55
*** tkelsey has joined #openstack-security		16:57
sicarie	elmiko: hello	17:01
elmiko	sicarie: hey, lets talk in the ossp meeting	17:02
sicarie	sure, but i'm only going to be in it for the first 30	17:02
sicarie	so maybe after if the sec-guide isn't hit yet?	17:02
elmiko	k	17:05
*** edtubill has joined #openstack-security		17:06
*** salv-orlando has joined #openstack-security		17:10
*** hyakuhei_ has joined #openstack-security		17:19
*** austin987 has quit IRC		17:23
*** sigmavirus24 is now known as sigmavirus24_awa		17:27
openstackgerrit	Tim Kelsey proposed openstack/bandit: This fixes the blacklist to look like a plugin so we can filter it https://review.openstack.org/270932	17:36
*** austin987 has joined #openstack-security		17:38
openstackgerrit	Merged openstack/bandit: Adding some test coverage for config_generator https://review.openstack.org/270772	17:38
openstackgerrit	Tim Kelsey proposed openstack/bandit: This fixes the blacklist to look like a plugin so we can filter it https://review.openstack.org/270932	17:53
tmcpeak	Ryan_Lane: out of curiosity how did you find out about Bandit	17:56
hyakuhei_	This is an interesting project, with some (but not completel) overlap with Anchor	18:01
*** dg_ has joined #openstack-security		18:01
tkelsey	o/ all	18:01
elmiko	later tkelsey	18:01
dg_	hey	18:01
hyakuhei_	https://www.vaultproject.io/docs/secrets/pki/index.html	18:02
elmiko	hyakuhei_: we had some discussions about that and overlaps with barbican	18:02
*** wayward710 has joined #openstack-security		18:02
elmiko	seems interesting	18:02
tmcpeak	tkelsey: laters	18:02
hyakuhei_	Yeah, so it’s probably always going to want some Keystone auth in front of it	18:02
hyakuhei_	Which could be Barbican	18:02
hyakuhei_	It could even be Anchor	18:02
hyakuhei_	Interesting project all the same	18:02
*** sicarie has quit IRC		18:03
hyakuhei_	Vault in general is interesting	18:03
ccneill	question: anyone using Qubes OS? https://www.qubes-os.org/	18:03
ccneill	sorry, totally off topic lol	18:03
elmiko	hyakuhei_: yea, definitely	18:03
elmiko	ccneill: seen it, but have not tried it	18:03
ccneill	just been seeing lots of buzz about it, and it sounds like an interesting concept	18:04
tmcpeak	it looks interesting but I haven't played with it	18:04
elmiko	similarly off-topic, you may find this interesting https://blog.docker.com/2016/01/unikernel/	18:05
ccneill	https://twitter.com/csoghoian/status/687043879967797248	18:05
hyakuhei_	Interesing, didn’t realize Rutkowska was behind it.	18:05
hyakuhei_	Might take another look at qubes	18:05
ccneill	elmiko: thanks for the link, I've been meaning to figure out what this unikernel business is	18:06
hyakuhei_	Wait…	18:06
hyakuhei_	“Qubes brings to your personal computer the security of the Xen Project hypervisor”	18:06
elmiko	ccneill: np, looks cool too	18:06
hyakuhei_	Nevermind	18:06
ccneill	hyakuhei_: haha what makes you say that?	18:07
hyakuhei_	Stastically Xen gets more big vulns than KVM	18:07
ccneill	granted Xen has its share of issues security-wise, but I doubt they'd be as relevant in the personal computer space	18:07
hyakuhei_	but mainly I’m just being snarky	18:07
elmiko	lol	18:07
ccneill	haha gotcha	18:07
hyakuhei_	and I’ve got a lot of time for the invisible-things tema	18:07
hyakuhei_	*team	18:07
hyakuhei_	Right, I’m out - got to walk the doggies.	18:10
ccneill	o/	18:10
*** hyakuhei_ is now known as hyakuhei_afk		18:11
elmiko	later ccneill	18:11
Ryan_Lane	hyakuhei_afk: it's similar to barbican, yeah	18:11
Ryan_Lane	it would have been nice if openstack did a project closer to AWS's KMS, rather than closer to something like vault, keywhiz or confidant	18:12
hyakuhei_afk	I think there’s space for both	18:12
hyakuhei_afk	I mean, Vault is a soft-HSM	18:12
hyakuhei_afk	Barbican is an abstraction to real HSMs	18:12
*** tkelsey has quit IRC		18:12
Ryan_Lane	then, for instance, support could be added to confidant to use the KMS like service in openstack	18:12
hyakuhei_afk	Different security models for a start	18:12
Ryan_Lane	KMS is like the HSM	18:12
hyakuhei_afk	Vault says if you loose access to disk then you’re boned	18:12
Ryan_Lane	well, I'm not saying you should use vault :)	18:13
hyakuhei_afk	(integrity/confidentialty wisE)	18:13
Ryan_Lane	vault is.... an odd beast	18:13
elmiko	how so?	18:13
hyakuhei_afk	I’m very happy that people are investing money in these areas	18:13
Ryan_Lane	confidant only handles the storage and access control of secrets	18:13
Ryan_Lane	the encryption is done via KMS	18:13
Ryan_Lane	so confidant can be completely stateless	18:14
Ryan_Lane	I'm also adding something to confidant right now where confidant doesn't even have access to decrypt the secrets	18:14
Ryan_Lane	it's only used as storage/access control/revision history/api	18:15
Ryan_Lane	but that's possible because there's an encryption service ;)	18:15
Ryan_Lane	vault combines encryption, storage and access control	18:15
*** hyakuhei_afk has quit IRC		18:15
Ryan_Lane	keywhiz is likely the closest analog to barbican	18:16
elmiko	not familiar with keywhiz	18:16
Ryan_Lane	made by square. written in java	18:16
Ryan_Lane	uses HSMs by default	18:16
Ryan_Lane	barbican could probably pretty easily just expose a KMS-like interface	18:17
elmiko	i don't know the internal of KMS	18:18
Ryan_Lane	one of the nicest things about KMS is that it exposes an API endpoint for random	18:18
Ryan_Lane	so you can use KMS as your seed rather than pollinate in ubuntu	18:18
elmiko	interesting, do you have a doc link?	18:18
Ryan_Lane	elmiko: http://docs.aws.amazon.com/kms/latest/APIReference/Welcome.html	18:19
elmiko	Ryan_Lane: tyvm!	18:19
Ryan_Lane	http://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateRandom.html	18:19
Ryan_Lane	yw	18:19
elmiko	so tough to keep track of all these moving parts lol	18:19
Ryan_Lane	the best feature for sure, though, is the ability to do RBAC on its AAD (which is what it calls encryption context)	18:20
elmiko	interesting	18:20
Ryan_Lane	so one user can encrypt using a key, if the AAD has specific data and another user could decrypt using the key, if the AAD has specific data	18:20
elmiko	that's cool	18:20
Ryan_Lane	yep	18:20
Ryan_Lane	it's basically giving you primitives you can use to build more interesting things	18:21
elmiko	yea, totally	18:21
Ryan_Lane	https://azure.microsoft.com/en-us/services/key-vault/	18:22
Ryan_Lane	azure has a similar service	18:22
elmiko	which i love about the higher level abstractions that are starting to occur in the cloud world	18:22
Ryan_Lane	indeed	18:22
Ryan_Lane	what I really want next is a PKI service. so that the cloud service can hold a CA and I can just get certs	18:23
Ryan_Lane	anchor is looking really nice for that ;)	18:23
elmiko	yea, that seems necessary for just about any secure cloud work	18:23
elmiko	Ryan_Lane: we were curious, how did you learn about bandit?	18:25
*** jmckind has quit IRC		18:25
Ryan_Lane	elmiko: our security lead found it	18:25
Ryan_Lane	asking him	18:25
Ryan_Lane	he thinks someone at dropbox mentioned it	18:26
elmiko	very cool, thanks	18:26
elmiko	tmcpeak: ^^	18:26
Ryan_Lane	yw	18:26
elmiko	we've been working on increasing our outreach efforts as a group and it always helps to learn how folks outside the openstack community are finding things like bandit	18:26
Ryan_Lane	openstack security specifically, or openstack as a whole?	18:27
Ryan_Lane	openstack itself is screwed because the vast majority of its services aren't usable on their own	18:28
Ryan_Lane	(I was a former openstack user committee member)	18:28
elmiko	good point	18:28
elmiko	ah, very cool	18:28
elmiko	yea, i mean, when you buy into openstack there is a certain level of kool-aid drinking that occurs	18:28
Ryan_Lane	every conference I'd talk to people making new projects that sounded like they'd be great on their own and I'd ask them "is this going to be usable outside of the ecosystem?"	18:29
elmiko	would be interesting to see if certain parts of the openstack core could be abstracted to allow for other implementations	18:29
Ryan_Lane	and their answer was along the lines of "what's the point?"	18:29
elmiko	yea, it's tough	18:29
elmiko	although, i think projects like swift have handled this well, no?	18:30
*** mvaldes has quit IRC		18:30
Ryan_Lane	yeah. swift does this well. but they have a company behind it that is selling it as its own product	18:30
Ryan_Lane	I think designate also does this ok, but it took forever for it to be added as an incubated project	18:31
Ryan_Lane	(I tried pushing that through for incubation 3 times)	18:31
elmiko	wow	18:32
tmcpeak	Ryan_Lane, elmiko: awesome :) looks like Bandit is getting some great traction then	18:32
Ryan_Lane	yeah :)	18:32
elmiko	i would think that removing the project-id stuff from many projects will be problematic, in some ways this is painting ourselves into a corner	18:33
elmiko	Ryan_Lane: fwiw, i work a bunch on the sahara project (data processing service), and i think it would be pretty difficult, if not impossible, to make it more generic by removing the openstack dependency	18:38
Ryan_Lane	yeah. nova is another example of a service that would be difficult to be standalone ;)	18:39
elmiko	yea	18:39
Ryan_Lane	not saying all of them should be, but a lot of them could be.	18:39
*** tkelsey has joined #openstack-security		18:39
elmiko	i could see that	18:39
*** edmondsw has quit IRC		18:41
*** tkelsey has quit IRC		18:44
*** bpokorny has joined #openstack-security		18:44
*** ccneill has quit IRC		18:50
*** ccneill has joined #openstack-security		18:58
*** sigmavirus24_awa is now known as sigmavirus24		19:02
*** jmckind has joined #openstack-security		19:04
*** elo has joined #openstack-security		19:18
*** dg_ has quit IRC		19:24
*** edmondsw has joined #openstack-security		19:29
openstackgerrit	Merged openstack/bandit: Broken link in file mako_templates.py https://review.openstack.org/270918	19:36
openstackgerrit	OpenStack Proposal Bot proposed openstack/security-doc: Updated from openstack-manuals https://review.openstack.org/271002	19:38
*** jmckind has quit IRC		19:39
*** jmckind has joined #openstack-security		19:39
*** jmckind_ has joined #openstack-security		19:41
*** jmckind_ has quit IRC		19:41
*** salv-orlando has quit IRC		19:42
*** jmckind has quit IRC		19:44
openstackgerrit	Merged openstack/bandit: Fixing a bug and cleaning up in blacklisting code https://review.openstack.org/270838	20:01
openstackgerrit	Merged openstack/security-doc: Updated from openstack-manuals https://review.openstack.org/271002	20:04
*** hyakuhei_ has joined #openstack-security		20:06
*** elo has quit IRC		20:09
*** markvoelker has quit IRC		20:11
*** jhfeng has quit IRC		20:12
*** jhfeng has joined #openstack-security		20:13
*** alejandro12 has joined #openstack-security		20:19
*** alejandro12 has left #openstack-security		20:23
*** jhfeng has quit IRC		20:24
*** jhfeng has joined #openstack-security		20:29
*** hyakuhei_ has quit IRC		20:30
*** markvoelker has joined #openstack-security		20:31
*** hyakuhei has joined #openstack-security		20:41
*** jhfeng has quit IRC		20:43
*** yarkot has joined #openstack-security		20:45
*** hyakuhei has quit IRC		20:45
*** jamielennox\|away is now known as jamielennox		20:47
*** dslev has quit IRC		21:00
*** tkelsey has joined #openstack-security		21:05
*** salv-orlando has joined #openstack-security		21:11
*** yarkot has quit IRC		21:18
*** dslev has joined #openstack-security		21:19
*** mvaldes has joined #openstack-security		21:33
*** markvoelker has quit IRC		21:39
*** alejandro12 has joined #openstack-security		21:39
*** alejandro12 has left #openstack-security		21:40
*** markvoelker has joined #openstack-security		21:41
*** tkelsey has quit IRC		21:46
*** tmcpeak has quit IRC		21:51
*** tmcpeak has joined #openstack-security		21:53
*** tmcpeak has quit IRC		21:54
*** dslev has quit IRC		21:59
*** markvoelker has quit IRC		22:04
*** jhfeng has joined #openstack-security		22:10
*** cjschaef has quit IRC		22:13
*** dslev has joined #openstack-security		22:14
openstackgerrit	Henry Yamauchi proposed openstack/bandit: Misspelling in main developers doc title https://review.openstack.org/271055	22:15
*** diazjf has quit IRC		22:23
*** markvoelker has joined #openstack-security		22:24
*** dslev has quit IRC		22:34
*** tmcpeak has joined #openstack-security		22:40
tmcpeak	sigmavirus24: ping	22:40
sigmavirus24	pong	22:40
tmcpeak	how are you guys handling multiple .flake8 files?	22:40
sigmavirus24	tmcpeak: can you give a bit more context	22:41
tmcpeak	like if I point a few projects at flake8, each has it's own .flake8 file - do you have the logic to apply each flake8 file to the project it's associated with?	22:41
tmcpeak	or do you just somehow use one of them?	22:41
tmcpeak	so flake8 a/bunch/of/projects	22:41
tmcpeak	lots of those projects have .flake8 files in them	22:41
sigmavirus24	tmcpeak: like if I cloned keystone, glance, and nova and tried to run flake8 against all of them at once?	22:42
tmcpeak	yeah	22:42
sigmavirus24	we don't presently handle that very well	22:43
sigmavirus24	we wouldn't pick up any of those config files actually	22:43
tmcpeak	ok cool, yeah it would be nasty to implement that logic in Bandit too	22:43
sigmavirus24	well	22:43
sigmavirus24	you need to understand that each of those directories is meant to have it's own Style Guide (in flake8 parlance)	22:43
sigmavirus24	Which means a lot of headaches and mental gymnastics	22:43
sigmavirus24	and not every-time s omeone specifies multiple directories does it mean that	22:44
tmcpeak	right	22:44
openstackgerrit	Merged openstack/bandit: Misspelling in main developers doc title https://review.openstack.org/271055	22:45
tmcpeak	so what do you recommend for Bandit?	22:45
sigmavirus24	tmcpeak: operate under the assumption that someone's only ever going to run it against one project and if you find multiple issue a warning and quit	22:47
sigmavirus24	that said	22:47
sigmavirus24	what flake8 does presently is look for the longest common path to those directories	22:47
sigmavirus24	it starts there looking for a directory	22:47
tmcpeak	quit or issue a warning that multiple were found and just pick the first one we got?	22:47
sigmavirus24	I can show you exactly the code that does that	22:47
sigmavirus24	tmcpeak: if you don't quit you'll do the wrong thing	22:47
sigmavirus24	because it will cause people to wonder why running bandit on just one project works when it doesn't when running it against more than one	22:48
tmcpeak	so if projects have a bunch of .bandit files I can no longer actually scan a big directory at all	22:48
tmcpeak	(sigh) I guess I need a flag to make it not do all of this	22:48
tmcpeak	but yeah, you're right, it will do the wrong thing	22:49
tmcpeak	so sigmavirus24 I error out if I find multiple .bandit files, but I can also put a command line flag that will make it ignore the .bandit files?	22:51
tmcpeak	does that seem reasonable?	22:52
tmcpeak	sigmavirus24: ^	22:52
sigmavirus24	tmcpeak:	22:53
sigmavirus24	just make -c override that error	22:53
sigmavirus24	as in	22:53
sigmavirus24	You're giving me explicit direction what config file to use for this run, I will ignore other config files I find even if I find more than one	22:54
sigmavirus24	make sense?	22:54
sigmavirus24	(instead of adding yet another config option)	22:54
tmcpeak	hmm well that clashes with our existing -c	22:54
tmcpeak	I'd prefer to call it something else, but makes sense	22:54
tmcpeak	those config files are totally different - existing config is going away, is YAML format, etc. This one is ini file format, etc	22:55
tmcpeak	I'll come up with some other thing to call it and you guys can make suggestions on the patch	22:56
tmcpeak	sigmavirus24: thanks for the input	22:57
*** mvaldes has quit IRC		23:23
*** sigmavirus24 is now known as sigmavirus24_awa		23:34
*** rcernin has quit IRC		23:47
*** edtubill has quit IRC		23:49
*** edmondsw has quit IRC		23:55
*** bpokorny_ has joined #openstack-security		23:58
*** bpokorny_ has quit IRC		23:58
*** bpokorny_ has joined #openstack-security		23:59

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!