Wednesday, 2015-01-28

« Tuesday, 2015-01-27 Index Thursday, 2015-01-29 »
*** voodookid has quit IRC00:01
*** salv-orlando has joined #openstack-security00:27
*** gabriela has joined #openstack-security00:27
*** valver has joined #openstack-security00:29
*** valver has quit IRC00:29
*** gabriela has quit IRC00:34
*** valver has joined #openstack-security00:46
*** nkinder has joined #openstack-security00:46
*** tmcpeak has quit IRC00:56
*** valver has quit IRC00:58
*** salv-orlando has quit IRC01:30
*** tmcpeak has joined #openstack-security01:40
*** tmcpeak has quit IRC01:45
*** bdpayne_ has quit IRC01:46
*** mohitsharma has joined #openstack-security01:58
*** jursey has joined #openstack-security02:01
*** bdpayne has joined #openstack-security02:17
*** salv-orlando has joined #openstack-security02:21
*** mohitsharma has quit IRC02:33
*** mohitsharma has joined #openstack-security02:36
openstackgerritLana Brindley proposed openstack/security-doc: Some minor bug fixes in the Dashboard chapter  https://review.openstack.org/14905603:16
*** salv-orlando has quit IRC03:23
*** mohitsharma has quit IRC04:02
*** mohitsharma has joined #openstack-security04:05
*** salv-orlando has joined #openstack-security04:24
*** jursey has quit IRC05:33
*** mohitsha_ has joined #openstack-security06:00
*** mohitsharma has quit IRC06:03
*** mohitsha_ has quit IRC06:30
*** mohitsharma has joined #openstack-security07:11
*** mohitsharma has quit IRC07:40
*** mohitsharma has joined #openstack-security07:41
*** jamielennox is now known as jamielennox|away08:09
*** bdpayne has quit IRC08:40
*** bdpayne has joined #openstack-security08:45
*** bdpayne has quit IRC09:15
*** mohitsharma has quit IRC09:53
*** mohitsharma has joined #openstack-security09:57
*** lionelz has joined #openstack-security10:35
*** zenwalker_ru has joined #openstack-security10:37
*** zenwalker_ru has quit IRC10:39
*** openstackgerrit has quit IRC10:50
*** openstackgerrit has joined #openstack-security10:50
*** mohitsharma has quit IRC12:39
*** mohitsharma has joined #openstack-security12:55
*** lionelz has quit IRC13:24
*** lionelz has joined #openstack-security13:27
*** lionelz has quit IRC13:32
*** bknudson has joined #openstack-security13:35
*** lionelz has joined #openstack-security13:35
*** lionelz has quit IRC13:40
*** lionelz has joined #openstack-security13:44
*** lionelz has quit IRC13:48
*** lionelz has joined #openstack-security13:52
*** lionelz has quit IRC13:57
*** lionelz has joined #openstack-security14:00
*** lionelz has quit IRC14:05
*** lionelz has joined #openstack-security14:08
*** lionelz has quit IRC14:13
*** lionelz has joined #openstack-security14:17
*** lionelz has quit IRC14:21
*** lionelz has joined #openstack-security14:25
*** salv-orlando has quit IRC14:26
*** salv-orlando has joined #openstack-security14:26
*** mvangund has joined #openstack-security14:27
*** lionelz has quit IRC14:30
*** lionelz has joined #openstack-security14:33
*** lionelz has quit IRC14:38
*** lionelz has joined #openstack-security14:41
*** lionelz has quit IRC14:46
*** lionelz has joined #openstack-security14:49
*** lionelz has quit IRC14:54
*** lionelz has joined #openstack-security14:58
*** tmcpeak has joined #openstack-security15:01
*** mohitsharma has quit IRC15:02
*** mohitsharma has joined #openstack-security15:02
*** lionelz has quit IRC15:02
*** salv-orlando has quit IRC15:02
*** mohitsharma has quit IRC15:03
*** lionelz has joined #openstack-security15:06
*** lionelz has quit IRC15:11
*** bdpayne has joined #openstack-security15:11
*** lionelz has joined #openstack-security15:14
*** lionelz has quit IRC15:19
*** ChanServ sets mode: +o bdpayne15:24
*** bdpayne_ has joined #openstack-security15:24
*** bknudson has quit IRC15:27
*** bdpayne has quit IRC15:28
*** tkelsey has joined #openstack-security15:42
*** bknudson has joined #openstack-security15:47
*** salv-orlando has joined #openstack-security15:58
*** tkelsey has quit IRC15:59
*** salv-orlando has quit IRC16:03
*** amrith is now known as _amrith_16:06
*** _amrith_ is now known as amrith16:07
*** salv-orlando has joined #openstack-security16:30
*** bknudson has quit IRC16:41
*** tkelsey has joined #openstack-security17:05
*** chair6 has quit IRC17:07
*** chair6 has joined #openstack-security17:20
*** salv-orlando has quit IRC17:28
*** salv-orlando has joined #openstack-security17:29
*** salv-orlando has quit IRC17:34
*** openstackgerrit has quit IRC18:14
*** openstackgerrit has joined #openstack-security18:14
*** bknudson has joined #openstack-security18:30
*** jursey has joined #openstack-security18:41
*** tkelsey has quit IRC19:17
*** bpokorny has joined #openstack-security19:27
*** salv-orlando has joined #openstack-security20:09
*** jursey has quit IRC20:20
*** mvangund is now known as singlethink20:52
bdpayne_hey there elmiko21:02
elmikobdpayne_: hey =)21:02
bdpayne_I'm not seeing nathan in here atm21:02
elmikomaybe give him 5min?21:03
bdpayne_yeah21:03
* bdpayne_ takes this time to eat lunch21:03
elmikoooh, a luxury ;)21:03
bdpayne_brb21:04
*** sicarie has joined #openstack-security21:06
bdpayne_there he is21:07
sicarieSorry.21:07
elmikono worries21:07
sicarie I'm on my phone as my client is timing out21:07
bdpayne_ok21:08
bdpayne_so I'll get us rolling21:08
bdpayne_Let's just work through some more tickets from https://bugs.launchpad.net/openstack-manuals/+bugs?field.tag=sec-guide21:08
elmikoi added a bug for data processing chapter21:08
bdpayne_one sec while I figure out where we left off21:08
bdpayne_ok, I think we are here: https://bugs.launchpad.net/openstack-manuals/+bug/134224021:09
bdpayne_this is just a general statement that the nova intro needs better wording21:10
bdpayne_I actually think it looks find21:10
bdpayne_The Compute service (nova) is one of the more complex OpenStack services. It runs in many locations throughout the cloud and interacts with a variety of internal services. For this reason, most of our recommendations regarding best practices for Compute service configuration are distributed throughout this book. We provide specific details in the sections on Management, API Endpoints, Messaging, and Database.21:10
elmikoi'm gonna update the chapter in the title, looks like it's now chap 8.21:11
bdpayne_I'm inclined to close this one as invalid21:11
sicarieI have a bug against that chapter as a whole as well21:11
bdpayne_unless you guys have a thought on how that should be improved21:11
elmikoi'm unsure as to what the reporter is looking for out of that paragraph21:11
sicarie As with the ossns/ossas against nova I think this whole chapter can use more detail21:12
bdpayne_sure, the chapter as a whole can be improved21:12
bdpayne_this bug is just about the text that I pasted21:12
sicarie Possibly to link to those second?21:12
sicarieSecond -》sections21:12
bdpayne_?21:13
bdpayne_link to those sections from the intro?21:13
elmikosicarie: ok, that's concrete i can dig that21:13
sicarieYeah I'm not sure either21:13
bdpayne_ok, I'll close this one then21:13
elmikomaybe instead of closing mark as needs info21:13
elmikoand ask the reporter to give more feedback?21:13
openstackgerritMerged openstack/security-doc: Some minor bug fixes in the Dashboard chapter  https://review.openstack.org/14905621:14
elmikoyay21:14
bdpayne_ok21:14
bdpayne_moved it to invalid, needs info21:15
bdpayne_"After reading the intro, it is not clear what the reported is looking to be changed.  Please provide more specific details about your concern."21:15
sicarie+121:15
elmikohopefully we'll get a response =)21:15
bdpayne_https://bugs.launchpad.net/openstack-manuals/+bug/134233821:15
bdpayne_yeah, that's always the tricky part21:15
bdpayne_ok with this one it sounds like it may be fixed, checking now21:16
*** kombatkoala has joined #openstack-security21:17
bdpayne_ok, so not entirely fixed21:17
*** sicarie has left #openstack-security21:17
bdpayne_thoughts?21:17
*** kombatkoala is now known as sicarie21:17
bdpayne_I'm not too worried about providing links as references21:17
elmikoyea me neither, seems appropriate if you have that issue21:18
sicarie+121:18
bdpayne_ok, so perhaps this one gets closed?21:18
elmiko+121:18
sicarieIt was definitely something that I was confused about as well, but I spoke to someone in the docs room and they said raw urls are fine, etc...21:19
sicarieSo yeah, I'm good with that being closed21:19
bdpayne_ok21:19
bdpayne_https://bugs.launchpad.net/openstack-manuals/+bug/134234521:20
sicarieWill this fit in with a possible Barbican section?21:20
bdpayne_I think that this is a good suggestion21:20
elmikoseems like a valid bug to me21:20
bdpayne_I think it is distinct from Barbican21:20
bdpayne_b/c it is about managing the cert db at the OS level21:21
elmikoyea, agreed about different than barbican21:21
sicarieRight21:21
sicarieI guess i was thinking more a general cert section, under whcih barbican would have a heading/description21:21
elmikoalmost borders on a discussion of DogTag/Anchor/etc...21:21
bdpayne_ok, and Medium feel right to you guys on this one?21:21
elmiko+1 medium21:22
sicarieyeah21:22
bdpayne_I think Medium is right21:22
bdpayne_so yeah, TLS is broad21:22
bdpayne_there's TLS in general21:22
bdpayne_which covers TLS for network communication, TLS setup, etc21:22
bdpayne_there's TLS backend stuff which would be Barbican / Anchor / etc21:22
bdpayne_I think that we've largely covered the former in this book so far21:22
bdpayne_and could use more on the latter21:23
bdpayne_could one of you file a ticket on the need for that?21:23
elmikosure, i can take that21:23
bdpayne_thanks21:23
bdpayne_https://bugs.launchpad.net/openstack-manuals/+bug/134299321:23
bdpayne_oh look21:24
bdpayne_I didn't see that Priti had uploaded this21:24
bdpayne_so I think that this would be a very nice addition21:24
bdpayne_perhaps as an appendix21:24
bdpayne_I think Medium is right for this too21:25
bdpayne_thoughts?21:25
elmikothat would be a nice addition21:25
sicarie+1 - dynamic creation would be cool21:25
elmikoi wonder if it would be appropriate to have checklists per chapter, then a master list generated from those?21:25
bdpayne_yeah, that would be super nice21:26
bdpayne_yeah, or perhaps call outs at places where there's a checklist item defined21:26
elmikothat might work even better21:26
bdpayne_and then a collection of them at the end21:26
bdpayne_I'll need to read up on docbook for this a bit21:26
bdpayne_and/or sync with Andreas21:26
elmikoi'm ok with medium on this one21:26
sicarieyep21:26
bdpayne_ok, let's do 2 more21:27
bdpayne_https://bugs.launchpad.net/openstack-manuals/+bug/134352321:27
sicarieIs the chapter still accurate?21:28
bdpayne_I'm +1 on this one21:28
sicarieI'm guessing no - it doesn't look to be the new format21:28
bdpayne_chapter num is wrong21:28
bdpayne_fixed it21:28
bdpayne_ok, and medium feels good here to me21:29
elmikoi'd almost go to high, just because grammatical errors and all21:29
bdpayne_I'd be ok with that21:29
bdpayne_this is also kind of low handing fruit21:29
sicarieYep, I'll ping her about this - she got two things dropped on her this weekend, but it's on her list21:29
elmikounless this is just a strong opinion, i'm still reading the parts in question21:29
elmikoyea21:29
bdpayne_I think high is good21:30
elmiko+121:30
bdpayne_ok, last one is the one that actually needs to be triaged21:30
bdpayne_https://bugs.launchpad.net/openstack-manuals/+bug/141521821:30
elmiko;)21:30
sicarieMeh, opinion21:31
sicarie:)21:31
sicarie+1, Medium?21:31
bdpayne_so... confirmed21:31
bdpayne_Medium21:31
bdpayne_... medium works with me21:31
elmikoyea medium is fine with me. i really want to get it in for kilo, but it's taking awhile :/21:31
bdpayne_sure21:31
sicarieOnce you get the content, I'd be more than happy to help draft a section or two in format21:31
bdpayne_ok, so we're in good shape21:32
bdpayne_we should have these all triaged by the mid-cycle meetup21:32
elmikosicarie: thanks, i'll hit you up when i get there21:32
elmikocool21:32
bdpayne_perhaps I asked this before... but are you both coming to the meetup?21:32
sicarieYes21:32
elmikounfortunately no21:32
sicarieand I'm signed up for the docs track :)21:33
bdpayne_ok good to know21:33
bdpayne_for planning and such21:33
sicarieelmiko too bad!21:33
bdpayne_so thanks again, another productive session21:33
elmikoi'd like to, but i'm not sure it will fit in our travel budget... yet ;)21:33
sicarieSorry again for being late - I have a new client now that allegedly is free21:33
bdpayne_I need to run, but I'll catch you later!21:34
sicariebye!21:34
elmikobdpayne_: later21:34
elmikosicarie: no prob, i'm just hacking away anyways =)21:34
*** bpokorny has quit IRC21:47
*** bpokorny_ has joined #openstack-security21:47
elmikobdpayne_, sicarie, https://bugs.launchpad.net/openstack-manuals/+bug/1415656 i hope that's enough for a start21:57
bdpayne_lgtm21:58
openflyis anyone working on porting OSSN's to yaml as well?21:58
bdpayne_^^ is a good question for nkinder21:59
openflyalso is there any interest in submitting some code to gnuplot the yaml we have for ossas?21:59
bdpayne_what does it plot?21:59
openflyright now just some basic stats... like vulns per project / per release21:59
bdpayne_sounds useful22:00
openflymight be nice to integrate it into to stackalyticsw actually to compare against code count / devs22:00
bdpayne_yeah22:00
openflyis stackalytics on review yet?22:00
bdpayne_if/when we move to a more structured format for the OSSNs, we could probably just drop such a tool into a tool directory in the security-doc repo22:01
nkinderopenfly: there has been some discussion of different parse-able formats22:01
openflyhttps://stackalytics.readthedocs.org/en/latest/22:02
nkinderI think the addition/design of a tool would really drive the format change22:02
openflynkinder yeah i'd assume it'd be a bit tough to pick a format22:02
openflyespecially for the ossns22:02
nkinderopenfly: I'm all ears for ideas, but the format change would go in tandem with the development of a tool.22:06
nkinderopenfly: A tool ideas I've thought of is a OSSN monitor tool that operators can use to search for OSSNs that affect their deployment.22:06
nkindermonitor and notify basically22:07
openflyyeah i thought of that a while back22:08
openflyi came to the conclusion that what openstack really needs is a light weight flexible metadata api22:08
openflyglance tried to do that... but ... glance is the wrong pplace for that22:08
openflyif hp ever got off their asses and open sourced their cmdb... that'd be a good place to start22:09
*** sicarie has quit IRC22:09
openflythe reality is from an operator standpoint you need to keep a local catalogue and probably feed it from multiple sources... and tie it into cmdb assets22:09
openfly=/22:09
openflynon-trivial22:09
openflybut at the very least...  a parseable list of our alerts is a good starting point22:11
openflymuch love to the yaml repo of OSSAs22:12
*** salv-orlando has quit IRC22:12
openstackgerritPatrick Amor proposed openstack/security-doc: Fix awkward sentence in Verified Boot section  https://review.openstack.org/15100622:18
*** bknudson has quit IRC22:29
*** salv-orlando has joined #openstack-security22:34
*** bknudson has joined #openstack-security22:51
*** jursey has joined #openstack-security22:53
tmcpeaktest22:56
*** sarnold007 has joined #openstack-security23:04
*** openstackgerrit has quit IRC23:06
*** openstackgerrit has joined #openstack-security23:06
sarnold007knudson: I am working on this bandit spec/blueprint and I am trying to get a bit more context on what is expected23:07
tmcpeakbknudson: ^23:07
sarnold007oops23:07
bknudsonsarnold007: need an example spec?23:08
tmcpeakbknudson: is a spec needed?23:08
tmcpeakwe really aren't altering any code of other projects, we're just proposing to use Bandit as a gate process23:09
bknudsontmcpeak: I don't know if a spec is required or not.23:09
tmcpeaksarnold007 and I read and it doesn't seem one is23:09
bknudsongreat, now I get ims from jursey.23:09
tmcpeakoh, dammit23:09
tmcpeakbdpayne_: around?23:09
bknudsonwe should give this channel a different name.23:09
tmcpeaksomehow he's back23:10
tmcpeakwas banned23:10
bknudsonsarnold007: here's the current openstack-specs: https://review.openstack.org/#/q/project:openstack/openstack-specs,n,z23:12
tmcpeakbknudson: sarnold007 was going to work on a spec but we can't remember who asked for it or why23:13
tmcpeakthought it was you, but maybe not23:13
bknudsonI suggested is since I think it's the best way to get feedback from the community23:13
sarnold007bknudson: ok, I have seen those, however it is still unclear to me what is exactly needed23:13
tmcpeakoh cool23:13
tmcpeak:) at least we remembered that right23:14
bknudsonsarnold007: you can always wait and maybe nobody will ask for one.23:14
sarnold007ok super, well. its done anyway.23:14
bknudsontmcpeak: sarnold007: have you been working with infra to get jobs set up or anything?23:14
tmcpeakbknudson: I have, Bandit has the required requirements checking job23:14
bknudsonI haven't seen a change in keystone for it.23:14
tmcpeakit's about to get into global requirements, which will be required for Keystone to use it23:15
tmcpeaknext step is getting it into Keystone23:15
tmcpeaknot into, but used with23:15
bknudsonis it on pypi?23:15
*** bdpayne_ has quit IRC23:15
bknudsonhttps://pypi.python.org/pypi/bandit/0.0.1 !23:16
tmcpeakhmm, crap23:16
tmcpeakthat's not us23:16
tmcpeakthe current step we're on is getting versioning and into pypi, then we can pin the version and get it merged in global reqs23:16
bknudsontmcpeak: might need a new name.23:18
tmcpeakbandit_sec or something?23:18
bknudsonoslo.bandit23:19
tmcpeakbknudson: yeah, do you know if there is any requirement to fly the oslo flag?23:19
bknudsontmcpeak: no, we have all sorts of things that don't have oslo in the name.23:19
tmcpeakbknudson: oh, I mean can I just call myself oslo whatever or will there be some process to approve that23:20
bknudsontmcpeak: oh, sorry... I don't know. Probably ask the oslo folks if they wouldn't like it.23:21
tmcpeakwish that other bandit project would delist :)23:21
tmcpeakbknudson: ok cool, thanks.  I'll poke at that23:21
tmcpeaksarnold007: probably hold off on spec for now.  Thank you for your effort thus far23:22
tmcpeaksarnold007: if it looks required we'll have you dust it off23:22
bknudsontmcpeak: it didn't find any potential security problems in keystone.23:22
tmcpeakawesome23:22
tmcpeakbknudson: then it's a perfect gate.  If anything new gets developed in it will flag it, otherwise stay quiet23:23
tmcpeakI should say anything new with a security issue :)23:23
bknudsontmcpeak: there's no bandito23:25
bknudsonon pypi23:25
bknudsonhttps://www.google.com/search?q=bandit+synonym&ie=utf-8&oe=utf-823:25
bknudsonmight be culturally insensitive, though23:26
tmcpeakbknudson: lol23:26
bknudsontmcpeak: how about rustler?23:28
tmcpeakbknudson: hmm, sounds cool23:28
tmcpeakI'll have to get chair6 to weigh in, it's his baby23:28
*** sarnold007 has quit IRC23:29
*** singlethink has quit IRC23:52
*** salv-orlando has quit IRC23:59
« Tuesday, 2015-01-27 Index Thursday, 2015-01-29 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!