Thursday, 2021-02-18

*** macz_ has quit IRC  02:04
*** priteau has quit IRC  02:59
*** gouthamr has quit IRC  02:59
*** gouthamr has joined #openstack-security  03:01
*** gouthamr has quit IRC  03:01
*** gouthamr has joined #openstack-security  03:02
*** gouthamr has quit IRC  03:02
*** star_cloud has quit IRC  03:03
*** gouthamr has joined #openstack-security  03:03
*** gouthamr has quit IRC  03:03
*** gouthamr has joined #openstack-security  03:04
*** gouthamr has quit IRC  03:04
*** gouthamr has joined #openstack-security  03:04
*** gouthamr has quit IRC  03:04
*** gouthamr has joined #openstack-security  03:05
*** gouthamr has quit IRC  03:05
*** gouthamr has joined #openstack-security  03:06
*** gouthamr has quit IRC  03:06
*** gouthamr has joined #openstack-security  03:07
*** gouthamr has quit IRC  03:07
*** gouthamr has joined #openstack-security  03:11
*** gouthamr has quit IRC  03:11
*** gouthamr has joined #openstack-security  03:17
*** gouthamr has quit IRC  03:17
*** gouthamr has joined #openstack-security  03:22
*** gouthamr has quit IRC  03:22
*** gouthamr has joined #openstack-security  03:28
*** gouthamr has quit IRC  03:28
*** gouthamr has joined #openstack-security  03:32
*** gouthamr has quit IRC  03:32
*** rcernin has quit IRC  03:36
*** gouthamr has joined #openstack-security  03:38
*** gouthamr has quit IRC  03:38
*** gouthamr has joined #openstack-security  03:43
*** gouthamr has quit IRC  03:43
*** gouthamr has joined #openstack-security  03:49
*** gouthamr has quit IRC  03:49
*** gouthamr has joined #openstack-security  03:53
*** gouthamr has quit IRC  03:53
*** gouthamr has joined #openstack-security  03:59
*** gouthamr has quit IRC  03:59
*** rcernin has joined #openstack-security  04:16
*** gouthamr has joined #openstack-security  04:25
*** gouthamr has quit IRC  04:26
*** gouthamr has joined #openstack-security  05:00
*** gouthamr has quit IRC  05:00
*** macz_ has joined #openstack-security  05:10
*** gyee has quit IRC  05:15
*** macz_ has quit IRC  05:15
*** gouthamr has joined #openstack-security  05:26
*** macz_ has joined #openstack-security  05:48
*** macz_ has quit IRC  05:52
*** gouthamr has joined #openstack-security  06:00
*** macz_ has joined #openstack-security  06:09
*** macz_ has quit IRC  06:14
*** macz_ has joined #openstack-security  07:53
*** macz_ has quit IRC  07:57
*** rcernin has quit IRC  07:58
*** rcernin has joined #openstack-security  08:02
*** rcernin has quit IRC  08:07
*** macz_ has joined #openstack-security  08:14
*** macz_ has quit IRC  08:19
*** rcernin has joined #openstack-security  08:49
*** rcernin has quit IRC  08:53
*** macz_ has joined #openstack-security  08:55
*** macz_ has quit IRC  09:00
*** macz_ has joined #openstack-security  09:16
*** macz_ has quit IRC  09:21
*** macz_ has joined #openstack-security  09:58
*** macz_ has quit IRC  10:03
*** macz_ has joined #openstack-security  10:19
*** macz_ has quit IRC  10:24
*** macz_ has joined #openstack-security  10:40
*** macz_ has quit IRC  10:45
*** macz_ has joined #openstack-security  11:01
*** macz_ has quit IRC  11:05
*** priteau has joined #openstack-security  11:35
*** macz_ has joined #openstack-security  11:42
*** macz_ has quit IRC  11:47
*** macz_ has joined #openstack-security  12:24
*** macz_ has quit IRC  12:29
*** macz_ has joined #openstack-security  13:06
*** macz_ has quit IRC  13:10
*** macz_ has joined #openstack-security  13:27
*** macz_ has quit IRC  13:31
*** macz_ has joined #openstack-security  13:47
*** macz_ has quit IRC  13:52
*** macz_ has joined #openstack-security  14:29
*** macz_ has quit IRC  14:34
*** macz_ has joined #openstack-security  14:50
*** macz_ has quit IRC  14:54
*** dave-mccowan has joined #openstack-security  15:11
*** macz_ has joined #openstack-security  16:56
*** macz_ has quit IRC  17:01
*** macz_ has joined #openstack-security  17:17
*** macz_ has quit IRC  17:22
*** macz_ has joined #openstack-security  18:09
*** macz_ has quit IRC  18:14
*** macz_ has joined #openstack-security  18:30
*** macz_ has quit IRC  18:35
*** xarlos has joined #openstack-security  18:47
fungi: gagehugo: ooh, i should have brought it up in the meeting, but google has been making a big splash about these new guidelines and they include a shout out to our work! https://github.com/google/oss-vulnerability-guide/blob/main/guide.md#acknowledgements  19:58
fungi: "Thank you to the wider security and open source communities whose work informed this guide, including the OpenStack Vulnerability Management Process..."  19:58
fungi: (we got top billing)  19:58
*** gyee has joined #openstack-security  20:18
gagehugo: awesome  20:45
*** rcernin has joined #openstack-security  23:03
*** rcernin has quit IRC  23:11
*** rcernin has joined #openstack-security  23:12
* gouthamr applauds - that's pretty cool 8)  23:18
gouthamr: the VMT process has been so well thought about and documented  23:19
gouthamr: thanks for your work on that \o/  23:19
portdirect: fungi - gagehugo is about to learn no good deed goes unpunished :)  23:21
portdirect: sorry gagehugo - kinda put you on the spot here internally ;)  23:21
gagehugo: sigh  23:22
portdirect: but congrats fungi, gouthamr, gagehugo and everyone else who's worked on this - really nice work  23:22
portdirect: while I'm here, can i moan about oslo.privsep?  23:22
gouthamr: ^ barely did anything, i followed the process and bugged fungi a ton :)  23:22
portdirect: or perhaps just my understanding of it  23:22
portdirect: i see a few projects seem to be moving to it now  23:23
fungi: moan freely  23:23
portdirect: but in a containerised world - it may be scoring an own goal (unless I'm missing something)  23:23
portdirect: as we now need to add SYS_ADMIN to our containers, just so that they can drop the privileges we had to give them...  23:24
fungi: seems like that should be something it can autodetect and turn into a noop, yeah  23:24
fungi: like don't try to drop privileges if SYS_ADMIN isn't available  23:25
fungi: that's generally a sign the deployer has already thought about this problem  23:25
portdirect: confused me when i moved to victoria - and had to grant sys_admin to glance of all things :)  23:26
fungi: i think it's probably worth a broader discussion on the ml. having to increase your permission exposure to satisfy a subsystem geared toward reducing that exposure is counterproductive  23:27
portdirect: yeah - I'll collect my thoughts and get something out either tomorrow, or start of next week  23:27
portdirect: thx  23:27
fungi: though i can't immediately think of a reason why it shouldn't be fixable in oslo.privsep  23:27
fungi: but it's been a long time since i looked in there  23:28
portdirect: ^^ pretty sure something like what you suggested is what's required  23:28
fungi: folks much more in tune with its internals than me will probably be quick to point out where my suggestion is naive ;)  23:29
portdirect: if no SYS_ADMIN and/or a config to the effect of 'i_manage_my_own_capabilities_thank_you_please'  23:29
fungi: i recall having the privilege-dropping discussion very early in the design for it, and i suggested folks look at the (then somewhat novel) privilege separation openbsd put in opensshd, but yeah that was a long time ago and since then we've got these nice wrapper controls around fine-grained privilege control in our systems  23:31
fungi: so it's certainly reasonable to assume that an operator has taken advantage of those fine tools to craft their own privilege policies external to our software  23:32

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!