Thursday, 2014-07-24

00:30 <tmcpeak1> nkinder chair6: you guys around?
00:30 <nkinder> tmcpeak1: yep, but about to go pick up my kids
00:30 <nkinder> tmcpeak1: what's up?
00:30 <tmcpeak1> wondering about the apache license
00:30 <tmcpeak1> any downside?
00:30 <nkinder> tmcpeak1: nah, it's the same license as the rest of OpenStack
00:31 <tmcpeak1> nkinder: ok cool, thank you
00:31 <nkinder> tmcpeak1: that should make approval easier, given you're allowed to contribute to OpenStack itself.
00:31 <nkinder> tmcpeak1: anything else quick before I run?
00:31 <nkinder> tmcpeak1: congrats on your first code patch to glance by the way!
00:32 <tmcpeak1> nkinder: nope, go for it
00:32 <tmcpeak1> nkinder: thank you
00:32 <tmcpeak1> nkinder: thanks!
00:35 <openstackgerrit> A change was merged to openstack/security-doc: Add link to management security domain to security guide  https://review.openstack.org/108851
00:35 <openstackgerrit> A change was merged to openstack/security-doc: Cleaning up grammar and wording, avoiding 2nd person  https://review.openstack.org/108855
00:35 <openstackgerrit> A change was merged to openstack/security-doc: Smoothing awkward sentence structure around incident response  https://review.openstack.org/108883
00:45 *** bdpayne has quit IRC
01:35 *** jhoan has joined #openstack-security
01:49 *** jhoan has left #openstack-security
01:53 *** tmcpeak1 has quit IRC
01:54 *** tmcpeak has joined #openstack-security
01:58 *** tmcpeak has quit IRC
02:44 *** tmcpeak has joined #openstack-security
02:56 *** tmcpeak1 has joined #openstack-security
03:00 *** tmcpeak has quit IRC
03:01 *** tmcpeak1 has quit IRC
03:19 *** tmcpeak has joined #openstack-security
03:41 *** bdpayne has joined #openstack-security
04:24 *** tmcpeak has quit IRC
04:25 *** tmcpeak has joined #openstack-security
04:29 *** tmcpeak has quit IRC
04:37 *** bdpayne has quit IRC
04:54 *** bdpayne has joined #openstack-security
05:47 *** voodookid has joined #openstack-security
05:54 *** bdpayne has quit IRC
06:04 <openstackgerrit> OpenStack Proposal Bot proposed a change to openstack/security-doc: Imported Translations from Transifex  https://review.openstack.org/109191
06:17 *** voodookid has quit IRC
06:25 *** bdpayne has joined #openstack-security
08:26 *** bdpayne has quit IRC
11:34 *** marzif has joined #openstack-security
13:13 *** nkinder has quit IRC
13:53 *** bknudson has joined #openstack-security
13:58 *** nkinder has joined #openstack-security
14:06 *** tmcpeak has joined #openstack-security
14:25 *** paulmo has joined #openstack-security
14:27 *** voodookid has joined #openstack-security
14:41 *** voodookid has quit IRC
14:42 *** bdpayne has joined #openstack-security
14:44 *** bdpayne has quit IRC
15:01 *** paulmo1 has joined #openstack-security
15:02 *** voodookid has joined #openstack-security
15:03 *** paulmo has quit IRC
15:59 *** bdpayne has joined #openstack-security
16:03 *** bdpayne has quit IRC
16:05 *** paulmo1 has quit IRC
16:06 *** paulmo has joined #openstack-security
16:21 *** bdpayne has joined #openstack-security
16:21 *** mxin_ has joined #openstack-security
16:33 *** bdpayne has quit IRC
16:38 *** sicarie has joined #openstack-security
16:43 *** tmcpeak has quit IRC
16:45 *** tmcpeak has joined #openstack-security
16:57 <tmcpeak> I may be a bit of a noop today at the meeting, have a demo running simultaneously that I actually have to present for at some point
16:58 <nkinder> tmcpeak: blasphemy! ;)
16:58 <tmcpeak> nkinder: lol
17:00 *** bdpayne has joined #openstack-security
17:12 *** marzif has quit IRC
17:13 <openstackgerrit> A change was merged to openstack/security-doc: Imported Translations from Transifex  https://review.openstack.org/109191
17:15 *** Priti has joined #openstack-security
17:49 *** tmcpeak has quit IRC
17:50 *** tmcpeak has joined #openstack-security
18:00 *** tmcpeak has quit IRC
18:00 *** sicarie has quit IRC
18:07 *** sicarie has joined #openstack-security
19:18 *** Priti has quit IRC
19:19 *** tmcpeak has joined #openstack-security
19:24 <tmcpeak> any of you fine folks going to OpenStack birthday in SF and/or security meetup the day after?
19:41 *** tmcpeak1 has joined #openstack-security
19:41 *** tmcpeak has quit IRC
20:10 *** AndChat|673521 has joined #openstack-security
20:24 <nkinder> tmcpeak1: what day is it on?
20:32 <bdpayne> nkinder do you know if the oslo bug in the vuln spreadsheet was found via bandit?
20:33 <nkinder> bdpayne: I think it was the hacking/pep8 checks, not bandit
20:33 <tmcpeak1> nkinder: the birthday is Wednesday
20:33 <bdpayne> ahh
20:33 <bdpayne> is that code available for me to run?
20:33 <tmcpeak1> nkinder: http://www.meetup.com/openstack/events/190061812/?rv=mr1
20:34 <nkinder> bdpayne: hyakuhei's cleantox repo in github has it
20:34 <tmcpeak1> bdpayne: the spreadsheet vulns were found with pep8 checks
20:34 <bdpayne> ok
20:34 <tmcpeak1> bdpayne: cleantox is the source of truth for those checks
20:35 <nkinder> tmcpeak1: I'm going to be on vacation on wednesday (coming back thursday)
20:35 <bdpayne> also, it says openstack common, but doesn't reference the project name
20:35 <bdpayne> there are several oslo repos
20:35 <tmcpeak1> nkinder: damn, ok, well hopefully you can be at the security meetup?
20:35 <tmcpeak1> oh
20:35 <nkinder> bdpayne: oslo.common I'm guessing?  Not sure
20:35 <bdpayne> no such thing
20:36 <tmcpeak1> bdpayne: I believe it may be incubator
20:36 <nkinder> bdpayne: yeah, I guess I'm thinking of the common stuff that's sync'd from various oslo repos (incubator most likely)
20:36 <nkinder> bdpayne: I was off working on bandit when those scans were done
20:36 <tmcpeak1> bdpayne: I did the oslo one
20:36 <tmcpeak1> bdpayne: guess I forgot to mention the repo
20:36 <bdpayne> heh
20:37 <bdpayne> no worries, you're telling me now :-)
20:37 <tmcpeak1> :D
20:40 <bdpayne> tmcpeak1 so what's the nicest way to run this
20:40 <tmcpeak1> tox -epep8
20:40 <tmcpeak1> actually I think you can just do tox
20:40 <tmcpeak1> bdpayne: ^
20:40 <bdpayne> I assume I need to configure it to point at the oslo code?
20:40 <tmcpeak1> bdpayne: we took the rest of the stuff out of the tox.ini, so 'tox' should do it for you
20:41 <tmcpeak1> bdpayne: yes, so there is some script in there, that will grab code from github repos
20:41 <tmcpeak1> 'get_source.sh'
20:41 <tmcpeak1> but you can just run your own git clone
20:41 <bdpayne> gotcha
20:41 <bdpayne> that script doesn't get osla
20:41 <tmcpeak1> key is that the code is a subdir of the cleantox dir
20:41 <bdpayne> oslo
20:42 <tmcpeak1> right, you'll have to modify it or just do your own git clone
20:42 <bdpayne> ok, just making sure I wasn't missing something
20:42 <bdpayne> just trying to repro your steps
20:42 <tmcpeak1> bdpayne: nope, we started with those and then added more projects later
20:42 <sicarie> tmcpeak1 Does it really have a problem with python-pbr v0.7?
20:43 <tmcpeak1> in fact, to take out the noise don't run that script if you're only looking at oslo
20:43 <tmcpeak1> sicarie: I'm not sure, what's the context?
20:43 <tmcpeak1> sicarie: is it giving you a PEP error for it?
20:43 <sicarie> yes
20:43 <bdpayne> (1000's of lines of error messages)
20:43 <tmcpeak1> bdpayne: lol
20:44 <tmcpeak1> bdpayne: rm all the dirs that aren't oslo and run it
20:44 <tmcpeak1> shouldn't be all that bad
20:44 <sicarie> Downloading/unpacking pbr>=0.6,!=0.7,<1.0 (from -r /home/ndillon/bin/git/cleantox/requirements.txt (line 1))
20:44 <tmcpeak1> we have suppressed most of the style checks
20:44 <bdpayne> ah, so that helped ;-)
20:44 <bdpayne> I forgot I had a virtualenv in there
20:44 <bdpayne> heh
20:44 <tmcpeak1> sicarie: hmmm, not sure
20:45 <tmcpeak1> sicarie: that was probably just copied over from whichever project we stole this tox environment from
20:45 <sicarie>   Could not find any downloads that satisfy the requirement pbr>=0.6,!=0.7,<1.0 (from -r /home/ndillon/bin/git/cleantox/requirements.txt (line 1))
20:45 <sicarie> Yeah, that's why I was wondering if I could just edit requirements.txt to remove !=0.7
20:45 <sicarie> Or if that was in there for a reason and would break something
20:45 <tmcpeak1> sicarie: you could try it :)
20:46 <tmcpeak1> sicarie: my venv is using .8 and it seems to be working fine
20:46 <sicarie> Hmmm, .8 wasn't in my repo, looks like I get to find new repos
20:46 <sicarie> tmcpeak1 thanks!
20:46 <tmcpeak1> sicarie: sure, let me know how it goes
20:59 *** AndChat|673521 has quit IRC
21:49 <openstackgerrit> KATO Tomoyuki proposed a change to openstack/security-doc: Use the right name and add the glossterm.  https://review.openstack.org/108645
22:03 *** voodookid has quit IRC
22:13 *** nkinder has quit IRC
22:26 *** nkinder has joined #openstack-security
22:35 *** paulmo has quit IRC
22:51 *** mxin_ has quit IRC
22:52 <openstackgerrit> Mike Lange proposed a change to openstack/security-doc: Added sections 1.2 and 1.3  https://review.openstack.org/108570
22:54 <tmcpeak1> how do you guys read this ugly S.O.B?
22:54 <tmcpeak1> user_and_pass = ({
22:54 <tmcpeak1>             ' --password=%(password)s -u %(user)s '
22:54 <tmcpeak1>             '2>/tmp/mysqldump.log' %
22:54 <tmcpeak1>              'user': ADMIN_USER_NAME})
22:54 <tmcpeak1>
22:54 <tmcpeak1> my thought is that it's setting a string where two parameters should be getting passed
22:54 <tmcpeak1> password and user
22:55 <tmcpeak1> or is it setting a dictionary because of the curly brace
22:55 <tmcpeak1> but the first ':' I see is in the last line
22:56 <tmcpeak1> so the last part is pretty self-explanatory
22:57 <tmcpeak1> 'user': ADMIN_USER_NAME})
22:57 <tmcpeak1>  sets a dictionary item 'user' to ADMIN_USER_NAME
22:57 <chair6> it's using %-based string formatting with named parameters
22:57 <tmcpeak1> shouldn't there be 2 though?
22:57 <tmcpeak1> where's password
22:58 <chair6> i don't know :)
22:58 <tmcpeak1> or is password just implicit somehow
22:58 <chair6> yeah, looks weird
22:58 <tmcpeak1> ugly ugly
22:58 *** bdpayne_ has joined #openstack-security
22:59 <chair6> i don't think that should execute
23:00 <tmcpeak1> chair6: ok cool, as long as I'm not the only one
23:00 <tmcpeak1> yeah, it doesn't look right
23:00 <chair6> seventh:~ finnigaj$ python
23:00 <chair6> Python 2.7.8 (default, Jul 13 2014, 17:11:32)
23:00 <chair6> [GCC 4.2.1 Compatible Apple LLVM 5.1 (clang-503.0.40)] on darwin
23:00 <chair6> Type "help", "copyright", "credits" or "license" for more information.
23:00 <chair6> >>> user_and_pass = ({' --password=%(password)s -u %(user)s 2>/tmp/mysqldump.log' % 'user': ADMIN_USER_NAME})
23:00 <chair6> Traceback (most recent call last): File "<stdin>", line 1, in <module>
23:01 <chair6> NameError: name 'ADMIN_USER_NAME' is not defined
23:01 <chair6> >>> ADMIN_USER_NAME='adminuser'
23:01 <chair6> >>> user_and_pass = ({' --password=%(password)s -u %(user)s 2>/tmp/mysqldump.log' % 'user': ADMIN_USER_NAME})
23:01 <chair6> Traceback (most recent call last): File "<stdin>", line 1, in <module>
23:01 <chair6> TypeError: format requires a mapping
23:01 <chair6> looks broken to me..
23:01 <tmcpeak1> yeah!
23:01 <tmcpeak1> chair6: awesome
23:01 *** nkinder has quit IRC
23:01 <tmcpeak1> ok, so this might just be a flat out bug in addition to security flaw
23:02 *** bdpayne has quit IRC
23:02 <chair6> tweaked it a little...
23:02 <chair6> >>> user_and_pass = (' --password=%(password)s -u %(user)s 2>/tmp/mysqldump.log' % {'user': ADMIN_USER_NAME, 'password':'secret'})
23:02 <chair6> >>> user_and_pass
23:02 <chair6> ' --password=secret -u adminuser 2>/tmp/mysqldump.log'
23:02 <chair6> ^ that's more like what i'd expect to see..
23:03 <tmcpeak1> chair6: yeah, that I would understand
23:03 <tmcpeak1> chair6: was just wondering if there was some nifty (disgusting) Python trick where you could recreationally leave off the format string params
23:04 <tmcpeak1> chair6: maybe I better double check the source to see if that's actually in there
23:04 <tmcpeak1> chair6: maybe I fell asleep on the keyboard somehow
23:07 <tmcpeak1> chair6: yeah keyboard robbers strike again
23:07 <tmcpeak1> here is the actual code
23:07 <tmcpeak1> user_and_pass = (
23:07 <tmcpeak1>             ' --password=%(password)s -u %(user)s '
23:07 <tmcpeak1>             '2>/tmp/mysqldump.log' %
23:07 <tmcpeak1>             {'password': get_auth_password(),
23:07 <tmcpeak1>              'user': ADMIN_USER_NAME})
23:07 <tmcpeak1> which is fine :)
23:08 <tmcpeak1> false alarm
23:08 <tmcpeak1> I'm starting to accumulate unnecessary stress by leaving the code open in IDE while I'm apparently screwing around with other stuff
23:10 <chair6> haha, that looks better :)
23:29 <tmcpeak1> ok, two possible venues for shell injection on this trove/backup strategy
23:30 <tmcpeak1> double the possibility for good times!
23:40 *** sicarie has quit IRC
23:44 *** jhoan has joined #openstack-security
23:44 *** jhoan has left #openstack-security
23:46 <tmcpeak1> anybody know where all the config files are for devstack?
23:49 <tmcpeak1> I guess maybe it's per project
23:50 <tmcpeak1> in /etc it seems
