Wednesday, 2014-08-27

<tmcpeak> bdpayne: hmm, crazy [00:10]
<tmcpeak> guess we need some master of IRC to help us sort this out [00:10]
*** fishcried has quit IRC [00:24]
*** gnef has joined #openstack-security [00:28]
*** tmcpeak has quit IRC [00:37]
*** bdpayne has quit IRC [01:05]
*** amrith has joined #openstack-security [01:16]
<amrith> tmcpeak ... yt? [01:17]
*** MARYLEIN has joined #openstack-security [01:33]
*** MARYLEIN has quit IRC [01:35]
*** voodookid has joined #openstack-security [02:26]
*** voodookid has quit IRC [02:33]
*** jamielennox|away has quit IRC [02:37]
*** jamielennox|away has joined #openstack-security [02:37]
*** jamielennox|away has quit IRC [02:42]
*** jamielennox|away has joined #openstack-security [02:42]
*** dmccowan has quit IRC [02:53]
*** bdpayne has joined #openstack-security [02:54]
*** jamielennox|away has quit IRC [02:59]
*** jamielennox|away has joined #openstack-security [03:00]
*** bdpayne has quit IRC [03:01]
*** gnef has quit IRC [03:02]
*** jamielennox|away has quit IRC [03:38]
*** jamielennox|away has joined #openstack-security [03:39]
*** bdpayne has joined #openstack-security [04:03]
*** voodookid has joined #openstack-security [04:09]
*** voodookid has quit IRC [04:27]
*** bdpayne has quit IRC [05:36]
*** bdpayne has joined #openstack-security [05:48]
*** jamielennox|away has quit IRC [06:10]
*** jamielennox|away has joined #openstack-security [06:11]
*** bdpayne has quit IRC [06:18]
*** jamielennox|away has quit IRC [07:38]
*** jamielennox|away has joined #openstack-security [07:39]
*** jamielenz has joined #openstack-security [09:33]
*** jamielennox|away has quit IRC [09:36]
*** jamielennox|away has joined #openstack-security [10:07]
*** jamielenz has quit IRC [10:09]
*** kr4sh has joined #openstack-security [10:13]
*** franco has joined #openstack-security [10:14]
<franco> ciao ciao [10:15]
*** franco has left #openstack-security [10:15]
*** kr4sh has quit IRC [10:26]
*** dmccowan has joined #openstack-security [12:00]
*** dmccowan_ has joined #openstack-security [12:10]
*** dmccowan has quit IRC [12:11]
*** dmccowan_ is now known as dmccowan [12:11]
*** nkinder has quit IRC [13:03]
*** voodookid has joined #openstack-security [13:05]
*** bknudson has quit IRC [13:22]
*** bknudson has joined #openstack-security [13:41]
*** voodookid has quit IRC [13:41]
*** nkinder has joined #openstack-security [13:53]
*** dmccowan has quit IRC [14:00]
*** dmccowan has joined #openstack-security [14:13]
*** voodookid has joined #openstack-security [14:40]
*** openstackgerrit has joined #openstack-security [14:54]
*** nkinder has quit IRC [15:22]
*** gmurphy has quit IRC [15:22]
*** nkinder has joined #openstack-security [15:22]
*** gmurphy has joined #openstack-security [15:22]
*** paulmo has joined #openstack-security [15:27]
*** paulmo1 has quit IRC [15:29]
*** paulmo has quit IRC [15:32]
*** fungi has quit IRC [15:34]
*** openstack has joined #openstack-security [16:19]
*** bdpayne has joined #openstack-security [16:21]
*** bknudson has quit IRC [16:26]
*** nkinder has quit IRC [16:37]
*** nkinder has joined #openstack-security [16:39]
*** bdpayne has quit IRC [16:46]
*** voodookid has quit IRC [16:59]
*** voodookid has joined #openstack-security [17:00]
<tmcpeak> nkinder: if you get a chance will you take a look at this patch? https://review.openstack.org/#/c/117174/1 [17:02]
<tmcpeak> actually for that matter any of you [17:03]
<tmcpeak> if you've got a minute [17:03]
*** bdpayne has joined #openstack-security [17:11]
<tmcpeak> bdpayne: you got time to throw a second pair of eyes on this: https://review.openstack.org/#/c/117174/ [17:17]
*** ptd has joined #openstack-security [17:23]
<bdpayne> sure, I'll take a look now tmcpeak [17:26]
<tmcpeak> bdpayne: awesome, thank you sir [17:26]
<tmcpeak> bdpayne: FYI we've decided to address insecure temp files separately [17:26]
<bdpayne> ok [17:26]
<bdpayne> but still before the release? [17:27]
<tmcpeak> the commitment is to do as much as we can [17:27]
<tmcpeak> amrith is the author of the patch btw [17:27]
<tmcpeak> amrith: you around? [17:27]
<amrith> tmcpeak, yes [17:34]
<amrith> how's u? [17:34]
<tmcpeak> amrith: good, I've got bdpayne taking a look as well [17:34]
<tmcpeak> amrith: your changes are good, I'm just trying to decide if there is a good way to clean up that other part I mentioned on the review [17:34]
<amrith> thanks travis [17:34]
<amrith> much appreciate [17:34]
<amrith> I have some ideas [17:35]
<tmcpeak> amrith: I'm glad you're taking this on [17:35]
<amrith> and some prototypes for that [17:35]
<tmcpeak> oh cool [17:35]
<amrith> no worries, happy to help [17:35]
<bdpayne> so I've made some comments on that CR [17:35]
<amrith> you'll be paying for it right ;) [17:35]
<amrith> where do I send the bill? [17:35]
<tmcpeak> bdpayne: oh cool [17:35]
<bdpayne> amrith it looks like your CR, so feel free to ping me if you have questions [17:35]
<amrith> bdpayne, just reading your comments [17:36]
<amrith> one second [17:36]
<amrith> so tmcpeak ... maybe best to forward bdpayne the email thread so he understands the context? [17:36]
<tmcpeak> amrith: yeah, agree [17:37]
<amrith> ok, will do that [17:37]
<tmcpeak> bdpayne: I've also brought up the rootwrap thing, the issue is how much we are comfortable changing before code freeze [17:37]
<tmcpeak> bdpayne: I'm not very familiar with how the whole process works [17:38]
<bdpayne> sure [17:38]
<amrith> bdpayne, this is just one step in (hopefully) the right direction [17:38]
<bdpayne> yeah, I think that makes sense [17:38]
<tmcpeak> bdpayne: there are things I'd really like to have fixed before release, but I don't know how prioritization works [17:38]
<amrith> I think this fix has uncovered some other areas for improvement [17:38]
<bdpayne> I'm just providing some comments... largely from an outsider perspective [17:38]
<tmcpeak> bdpayne: awesome [17:38]
<tmcpeak> bdpayne: I appreciate the second look [17:38]
<bdpayne> np [17:39]
<tmcpeak> amrith: maybe we could synch up with Nikhil and set priorities on this stuff [17:39]
<amrith> tmcpeak, I notice you sent the review to a couple of others [17:39]
<amrith> thanks for doing that [17:39]
<amrith> the more eyes on it, the better [17:39]
<tmcpeak> amrith: sure, those guys are similar to Bryan, not familiar with this issue but very experienced security guys [17:40]
<amrith> I think it will produce more ideas and suggestions for improvement. again some that we can do right away, others that may take a little more time. [17:40]
<amrith> given the juno freeze. [17:40]
<tmcpeak> when is the Juno freeze btw [17:40]
<amrith> I think it is two weeks. [17:40]
<tmcpeak> hmm [17:40]
<amrith> there's a lot of stuff in flight in trove [17:42]
<amrith> and that's the reason for the concern at this stage. [17:43]
<tmcpeak> I see [17:43]
<amrith> but yes, we should sync with Nikhil and the other core team members. [17:43]
<tmcpeak> amrith: my only concern is if some of this stuff would generate an advisory [17:43]
<amrith> that is a good point and I noticed that there was a decision not to? [17:44]
<tmcpeak> I believe the original issue found would have if it had been released [17:44]
<tmcpeak> yeah, so if it got released in Juno, and then I found the same issue it would have generated an advisroy [17:44]
<tmcpeak> advisory [17:44]
<tmcpeak> amrith: what's your involvement in Trove btw, do you know anybody who could answer if any security reviews have been done on it? [17:45]
<amrith> I'm one of the contributors to trove. There is a Trove team meeting (IRC, #openstack-meeting-alt) in 24 minutes. I'm sure someone there could answer. Or Nikhil can, he's the PTL. [17:46]
<tmcpeak> oh ok cool [17:47]
<tmcpeak> I'll sit in on that [17:47]
<tmcpeak> I believe I met Nikhil once in Seattle, cool guy [17:47]
<amrith> may be better to ping nikhil directly. [17:47]
<amrith> SlickNik on IRC [17:48]
<tmcpeak> cool [17:48]
<tmcpeak> pinging now [17:48]
*** SlickNik has joined #openstack-security [17:49]
<amrith> ok [17:49]
*** ptd has quit IRC [17:58]
*** chair6_ is now known as chair6 [17:59]
*** bknudson has joined #openstack-security [18:21]
<bknudson> I've got a question for the team here... maybe someone is familiar with openssl cms. [18:23]
<bknudson> we use cms in keystone for the token sig. [18:24]
<bknudson> according to the docs for openssl cms, the digest algorithm defaults to sha1 [18:24]
<bknudson> https://www.openssl.org/docs/apps/cms.html (see the -md option) [18:24]
<bknudson> when I try running the command myself it shows algorithm is sha1 [18:25]
<bknudson> digestAlgorithms: algorithm: sha1 (1.3.14.3.2.26) [18:25]
<bknudson> so I think that this is inadequate based on NIST 800-131A. [18:25]
*** tmcpeak has quit IRC [18:32]
*** nkinder has quit IRC [20:28]
*** nkinder has joined #openstack-security [20:45]
*** tmcpeak has joined #openstack-security [20:56]
*** tmcpeak has quit IRC [21:13]
*** dmccowan has quit IRC [21:14]
*** tmcpeak has joined #openstack-security [21:15]
*** paulmo has quit IRC [21:33]
*** nkinder has quit IRC [21:39]
*** tmcpeak has quit IRC [22:19]
*** tmcpeak has joined #openstack-security [22:21]
*** dmccowan has joined #openstack-security [23:07]
*** jamielennox|away is now known as jamielennox [23:10]
*** voodookid has quit IRC [23:20]
