Wednesday, 2015-02-11

*** voodookid has quit IRC00:07
*** markvoelker has quit IRC00:17
*** bdpayne_ has joined #openstack-security00:33
*** bdpayne_ has quit IRC00:33
*** bdpayne has quit IRC00:36
*** markvoelker has joined #openstack-security00:52
*** markvoelker has quit IRC00:56
*** markvoelker_ has joined #openstack-security00:56
*** singlethink has quit IRC01:04
*** tmcpeak has quit IRC01:13
*** tmcpeak has joined #openstack-security01:41
*** bpokorny_ has quit IRC01:53
*** tmcpeak has quit IRC02:12
openstackgerritBrian Moss proposed openstack/security-doc: Updated SSL to TLS
*** tmcpeak has joined #openstack-security02:53
*** tmcpeak has quit IRC02:57
*** ljfisher has quit IRC03:12
*** ljfisher has joined #openstack-security03:12
*** ljfisher has quit IRC03:13
*** _amrith_ is now known as amrith03:47
*** JAHoagie has joined #openstack-security04:34
*** vozcelik has joined #openstack-security04:35
*** vozcelik has quit IRC04:37
*** vozcelik has joined #openstack-security04:38
*** amrith is now known as _amrith_04:56
*** JAHoagie has quit IRC05:17
openstackgerritOpenStack Proposal Bot proposed openstack/security-doc: Imported Translations from Transifex
openstackgerritMerged openstack/security-doc: Imported Translations from Transifex
*** markvoelker_ has quit IRC07:28
*** fev3r101 has joined #openstack-security07:57
*** fev3r101 has quit IRC07:58
*** vozcelik has quit IRC09:10
*** _amrith_ is now known as amrith12:04
*** tmcpeak has joined #openstack-security12:32
*** markvoelker has joined #openstack-security12:51
*** amrith is now known as _amrith_13:41
*** bknudson has joined #openstack-security13:49
*** ljfisher has joined #openstack-security14:06
*** dave-mccowan has joined #openstack-security14:13
*** dave-mccowan has quit IRC14:18
*** jursey has quit IRC15:10
*** voodookid has joined #openstack-security15:14
*** singlethink has joined #openstack-security15:15
*** voodookid has quit IRC15:19
*** voodookid has joined #openstack-security15:32
ljfishertmcpeak I think you suggested a tox test env to run for bandit, but alas, I’ve forgotten. :) I’ve got py27 and pep8.  What were you running as a matter of practice?15:47
tmcpeakljfisher: let me check15:48
tmcpeaktox -e pep8,py27,cover should do it15:50
ljfisherkk.  did that too15:50
tmcpeakshould be good then15:50
ljfishermore bandit review coming15:51
*** _amrith_ is now known as amrith15:52
openstackgerritLucas Fisher proposed stackforge/bandit: Make func, class name definitions fully qualified
*** bpokorny has joined #openstack-security16:11
tmcpeakljfisher: I'm reviewing too, hold off on making Tim's changes for a few mins, ok?16:21
*** singlethink has quit IRC16:21
tmcpeakljfisher: I've never seen this '{}' thing you're doing in the logs16:25
ljfishercould you give me a line number16:26
ljfisherhmm, so tox doesn’t run pep8 on tests I see16:27
tmcpeakbandit/core/ 14316:27
ljfisherLike ‘%’ but different.16:28
tmcpeakljfisher: ahh ok16:28
ljfisherI belive ‘%’ might go away in py3??16:28
tmcpeakyou learn something new 'ery day :)16:29
ljfisherboth of us!16:29
tmcpeakljfisher: did you rename the test_util file or something?16:38
ljfisherperils of copy and paste16:38
tmcpeakljfisher: I think it's in the wrong place16:39
ljfisherhow so?16:39
tmcpeakoh nevermind16:40
tmcpeakit's unit tests for the utilities16:40
ljfisheras tim pointed out there is some cruft I left in there since I thought it would be useful at some point…16:40
chair6sadly when i started writing bandit i was still in-between py2/py3 headspace, so used %s everywhere .. i'm all about the {}s now but bandit hasn't caught up :)16:45
tmcpeakpy2 for lyf16:46
*** singlethink has joined #openstack-security16:47
ljfishertmcpeak what do you think about replaceing the lines changing the namespace with small until functiosn like extend_namespace() and narrow_namespace()16:50
tmcpeakljfisher: I like it16:50
ljfisherI think that will convey the point without too many repeated comments16:50
tmcpeakyeah, that's a nice approach16:51
tmcpeakhey ljfisher: isn't the missing end test also missing a's
tmcpeakI guess it doesn't matter16:56
ljfisheryeah, but the code should never get there16:58
tmcpeakyeah, true16:58
tmcpeakthis looks like a cool change16:58
tmcpeakgood stuff16:58
bknudsonstr.format has been around forever.17:23
tmcpeaknew to me :) — personally I think % is more readable but I acknowledge this is oldschool17:24
bknudsonif someone used str.format over % I'd complain in most cases.17:25
tmcpeakwell as chair6 and ljfisher mentioned, I guess it's the future17:25
bknudsonwhere is it the future?17:26
bknudsonlogging uses %-style formatting:
tmcpeakapparently it can use the curly braces too?17:29
bknudsonyou can pass any string you want to it, but it's more efficient to pass replacements as separate arguments, then you have to use %17:29
bknudsonfor example, from the docs: logger.warning('Protocol problem: %s', 'connection reset')17:30
bknudsonis more efficient than logger.warning('Protocol problem: %s' % 'connection reset')17:30
bknudsonsince the latter builds the string even if logging is disabled.17:31
tmcpeakooh, interesting17:31
tmcpeakefficient from a performance standpoint17:31
bknudsonif it's a large string it can make a difference.17:31
bknudsonor in a loop.17:32
tmcpeakI'm just catching up to the '90s apparently.  I didn't even know {} was a thing17:32
openstackgerritLucas Fisher proposed stackforge/bandit: Make func, class name definitions fully qualified
tmcpeakwell the mid 2000's17:32
ljfishertmcpeak I went with more mimicing os.path.{join,split} for namespaces. See if you think it is any clearer.17:33
tmcpeakljfisher: cool, I'll check it out17:33
bknudsonwe went with the .format() type of strings in keystone for the mapping rules... otherwise for logging, etc., it's %.17:34
tmcpeakbknudson: how come on the logging?  reason I'm asking is because we're in the process of reviewing a change for Bandit17:35
tmcpeakis it just a style thing?17:35
bknudsontmcpeak: for logging we use %-style so that the parameters because it's more efficient.17:35
bknudsonI don't think anyone would even consider using .format for logs, and if they did it would be inconsistent with the rest of the code.17:36
tmcpeakbknudson: ok cool17:36
tmcpeakljfisher: ^17:36
tmcpeakwant to convert the logs back to % ? :)17:36
bknudsonfor logging we use %-style because it's more efficient ... the parameters are separate so that the string isn't formatted if logging is disabled.17:37
tmcpeakyeah, that makes sense17:37
tmcpeakI can see how it would add up17:37
tmcpeakand might as well get into a good habit17:37
bknudsonwe actually had a lot of places in keystone that used '%s' % 'whatever' in logs and someone went through and fixed them to '%s', 'whatever'.17:38
bknudsonmight even have a hacking check for it now?17:39
tmcpeakyeah, I'm pretty sure we're using "%s", %val17:39
ljfisheraren’t the log functions more efficient because you pass the fmt str and args separately to the log function? The log function could use % or .format() and be just as efficient.  It is just the log function chose the % formatting.17:45
tmcpeakbknudson: ^ ?18:03
*** sicarie has joined #openstack-security18:15
*** singlethink has quit IRC18:18
bknudsonthe python logging functions use % formatting.18:32
*** bdpayne has joined #openstack-security18:33
*** sicarie has quit IRC18:35
*** singlethink has joined #openstack-security18:47
openstackgerritLucas Fisher proposed stackforge/bandit: Make func, class name definitions fully qualified
*** sicarie has joined #openstack-security19:15
elmikobdpayne: you around?19:57
ljfisherelmiko I have a meeting with him in a few minutes19:59
bdpayneheh, hey!20:00
elmikoljfisher: no rush, we'll be having a meeting in about an hour in here.20:00
bdpayneljfisher is correct, but I can chat later :-)20:00
elmikok, we'll catch up during the sec-doc meeting20:00
openstackgerritTyler Britten proposed openstack/security-doc: Reworded the sentence to make it clearer and less choppy
*** singlethink has quit IRC20:07
*** amrith is now known as _amrith_20:07
openstackgerritTyler Britten proposed openstack/security-doc: Reworded the sentence to make it clearer and less choppy
openstackgerritLucas Fisher proposed stackforge/bandit: Make func, class name definitions fully qualified
openstackgerritMerged stackforge/bandit: Make func, class name definitions fully qualified
openstackgerritMichael McCune proposed openstack/security-doc: Adding data processing chapter
sicarie+1 elmiko20:57
bdpaynesicarie elmiko hey there21:00
bdpayneso looks like elmiko has been busy21:01
elmikoyup, finally all came together21:01
bdpayneso I'll review that in the next day or so21:02
bdpayneI try to review new changes daily21:02
bdpayneok, so we can get rolling here21:02
bdpaynetoday we start with
openstackLaunchpad bug 1261735 in openstack-manuals "Chapter 40. Hypervisor Selection in OpenStack Security Guide - havana" [Wishlist,Confirmed]21:02
bdpaynehey, thanks ircbot21:02
sicarieThat's a nice feature21:03
elmikosgordon's comments seem spot on21:03
sicarieI'd almost say incomplete, but wishlist is a good category, IMO21:03
elmikoyea, wishlist maybe makes more sense. unless the bug author truly has more info about hyper-v21:04
*** bpokorny has quit IRC21:04
bdpayneyeah, these feels reasonable to me for a wishlist21:04
openstackLaunchpad bug 1342368 in openstack-manuals "Security Guide - Conventions for referring to people involved in cloud" [Wishlist,Triaged]21:05
elmikodoes the openstack glossary provide any guidance on what to use?21:05
bdpayneI agree this would be nice, and I agree that it is a wishlist item21:05
sicarieYep, or do the other manuals have something established?21:05
elmikoif we know what term to use i would place this at a medium21:06
elmikoi think it's a nice effort though21:06
bdpayneI'm not sure what the other guides use21:06
bdpayneperhaps I can take that as an action item to find out21:06
elmikouses the term operator21:06
elmiko"The person responsible for planning and maintaining an OpenStack installation."21:07
sicariemaintaining would include ops/admin so if operator is the standard, let's go for it21:07
*** bpokorny has joined #openstack-security21:08
bdpayneI think that operator and admin have different meanings, personally21:08
bdpaynebut, I can explore this with the doc team a bit21:08
elmikoi guess the question is, are there multiple roles we need to address21:08
bdpayneI think that there are21:08
bdpayneso it would be nice to flush this out21:08
bdpaynebut I don't think that it is making the guide harder to understand21:08
bdpaynewhich is why I think wishlist makes sense21:09
elmikoalso, we should make sure to update the glossary once we reach consensus21:09
openstackLaunchpad bug 1342406 in openstack-manuals "Chapter 13. Database access control in OpenStack Security Guide -> Nova Conductor - current - summary of risks/benefits" [Wishlist,Confirmed] - Assigned to Malini Bhandaru (malini-k-bhandaru)21:09
bdpayneI think this is a good suggestion21:09
bdpayneI think wishlist makes sense as well21:10
elmikodefinitely sounds like an improvement, but not urgetn21:10
openstackLaunchpad bug 1342421 in openstack-manuals "Chapter 30. Messaging security in OpenStack Security Guide -> Message queue process isolation and policy - current - more details need for namespaces and zeromq" [Wishlist,Confirmed]21:10
openstackgerritTyler Britten proposed openstack/security-doc: Reworded the sentence to make it clearer and less choppy
elmikothat seems like it could be a deep issue21:12
bdpayneyeah, network namespaces are all kinds of annoying21:12
bdpayneI wonder if that's even the right suggestion here21:12
bdpayneas in, should we be recommending it21:13
bdpayneit does have some nice properties21:13
bdpaynebut... yeah21:13
elmikoit seems very specific to an installation though, like if you need it you will know21:13
bdpaynealas... on this ticket... assuming we keep network namespaces, I agree that a diagram woudl be useful21:13
elmikoi think something high level, like the diagram, would definitely help21:13
bdpayneyeah, so let's keep this ticket21:14
elmikonot sure how deep we should get into the discussion from there though21:14
bdpayneok, so I put "Idea here should be to provide a high level diagram, but not get too deep into the discussion of network namespaces, which is probably best left to other guides. We do think that a diagram would be useful here."21:15
openstackLaunchpad bug 1342430 in openstack-manuals "Chapter 40. Hypervisor selection in OpenStack Security Guide -> Selection Criteria - current - generalize selection criteria" [Wishlist,Confirmed]21:15
*** singlethink has joined #openstack-security21:16
elmiko+1 to the idea, i think it would really help21:16
bdpayneyeah, seems reasonable21:16
bdpayneI'm ok with wishlist here21:16
elmikoi have a question, how will we move from wishlist to an action item?21:17
sicarieI'd say wishlist, but mostly because I think the decision on hypervisor is mostly up to ops - security is usually "this is what we're going with, harden it"21:17
bdpaynesicare that can really depend21:18
openstackgerritTyler Britten proposed openstack/security-doc: Reworded the sentence to make it clearer and less choppy
elmikowell, this one seems to me like it would be really useful. i could see elevating the priority, but i'm curious how do we decide to take something from a wishlist item to a blueprint/review?21:18
bdpayneelmiko I think that the items on wishlist are actionable21:18
elmikook, thanks. my misunderstanding21:18
bdpaynewe could certainly bump it up21:18
bdpayneI think the idea is just to sort the urgency of everything21:19
elmikogot it21:19
bdpaynewhere, to me, wishlist is more of an enhacement to what is already there21:19
elmikomakes sense21:19
elmikowe don't really have a spec process for sec-doc either, so maybe wishlist makes sense for things we'd like to see21:19
openstackLaunchpad bug 1343480 in openstack-manuals "Fix references provided as lists of URLs" [Wishlist,Triaged]21:19
bdpayneI think it is generally up to the person doing the work to spec it out21:20
bdpaynebut we can certainly add more definition in the bugs21:20
sicarieOh +1 on this one21:20
bdpaynewhich, this one that I just linked could probably benefit from21:20
bdpayneyeah, this would be nice to do21:21
sicarieThe compute chapter (what there is of it) is rife with this21:21
bdpaynebut the reporter should really have provided more specific details ;-)21:21
sicarieI think there might be a few n the Dashboard chapter too21:21
sicarieI can fill those in21:21
elmikoi like this one, might be difficult to maintain for some things.21:21
sicarieShould I throw them all into this bug, or track them individually?21:21
elmikoalso, i may have just added a bunch of links i need to fix ... ;)21:21
bdpayneok, added the comment "Would be nice to fill out this ticket with details of where we need to make this fixes.  Perhaps even break this into multiple tickets.  That will help to make this more actionable."21:22
elmikosicarie: maybe by chapter?21:22
bdpayneyeah, I'd prefer separate bugs per chapter for this cleanup21:22
bdpaynethat would be nice21:22
bdpayneand more tractable21:22
sicariesounds good21:22
elmikohonestly though, for bigger changes we could almost go to the file resolution and make reviews for each chapter/section document21:22
bdpaynesicare you want to take the task of breaking this out into multiple tickets?21:23
openstackLaunchpad bug 1347057 in openstack-manuals "Security Guide - New Chapter on Vulnerability Management" [Wishlist,Triaged]21:23
sicarie+1 for wishlist - good idea, but will be interesting to expand on vuln mgmt in a generalized sense21:24
bdpayneI think my comment from last July still holds21:24
bdpayneperhaps I'll aim to get Travis to flush out these ideas a bit next week21:24
elmiko+1 seems like a really nice addition21:24
bdpayneok... last one!
openstackLaunchpad bug 1418661 in openstack-manuals "Example TLS / SSL potentially insecure " [Undecided,New]21:25
bdpayneI suggest taking this as a high21:25
bdpayneactually, critical21:26
elmikoyea, i'd say high at a minimum21:26
sicarieYeah, definitely dont' want to be giving inaccurate/insecure info21:26
bdpayneand I'll assign this to myself21:26
bdpayneI should do a little work from time to time21:26
*** singlethink has quit IRC21:26
bdpayneok, so we have now walked through all of the bugs21:27
bdpayneso next week is the mid-cycle meetup, so let's skip this IRC meeting21:27
sicarieIf we have a minute, I have a few that aren't tagged sec-guide yet21:27
elmikoworks for me21:27
sicarieSounds good21:27
bdpaynebut perhaps we should resume the following week to plan out our next steps post meetup21:27
elmikoi'm up for that21:28
bdpayneI'm hoping that sicarie and I will have some time to put together a game plan for us going forward next week21:28
elmikounfortunately i won't be at the meetup =(21:28
bdpayneelmiko feel free to send ideas along as well21:28
bdpayneemail, etc is fine21:28
elmikocool, thanks21:28
bdpaynesicarie can you tag the other bugs with sec-guide?21:28
sicarieyep, going through now21:28
sicarieFor some reason I didn't realize I could edit that stuff until last week21:29
sicariePlus I'm trying not to edit/set priority on my own stuff21:29
bdpaynesicarie I'm going to need to run so perhaps we can review those remaining ones next week21:30
sicarieSounds good to me21:31
elmikoi have some questions about the Bob case study for when we have more time to talk21:31
elmikomaybe it will be a good topic to bring up in vancouver though21:31
bdpaynesure... or email or here and I can read later21:31
bdpayneok that's all for today... thanks!21:32
elmikotake care =)21:32
*** singlethink has joined #openstack-security21:35
*** tmcpeak has quit IRC22:07
*** tmcpeak has joined #openstack-security22:25
*** ljfisher has quit IRC22:43
openstackgerritMichael McCune proposed openstack/security-doc: Adding data processing chapter
*** singlethink has quit IRC22:59
*** singlethink has joined #openstack-security23:01
*** singlethink has quit IRC23:06
openstackgerritMichael McCune proposed openstack/security-doc: Adding data processing chapter
openstackgerritMichael McCune proposed openstack/security-doc: Adding data processing chapter
elmikosicarie: hey23:18
sicarieelmiko Hi!23:19
elmikoi'm a little confused about the whole capitalization issue23:19
elmikooh, and thanks for the comments!23:19
sicarieFound my other two questions, was about to submit it  but you keep dropping patches on my notes :)23:19
elmikohaha, sorry23:19
sicarieYeah, i'm not sure either I think bdpayne needs to come back23:19
elmikoi'm suspecting that you, and another who pointed it out, are correct though. those probably should be capitalized23:20
elmikoi'm having some issues with when to use capitalization of the service name23:20
bdpaynewhat's the question?23:20
elmikoif i'm talking about "the Data processing service" the capitalization is obvious23:21
elmikoif i say, "so-and-so interacts with data processing" do i capitalize?23:21
bdpaynefirst see
elmikogot it open =)23:22
bdpaynegenerally cap is needed when saying OpenStack Blah but not when saying blah23:22
bdpayneif that makes sense23:22
bdpayneso OpenStack Data Processing Service23:22
elmikoi think so23:22
bdpayneor data processing service23:22
sicariegood to know23:22
bdpayneperhaps I'm leading you a touch astray here23:22
bdpayneif you are saying data processing service and really referencing _the_ _OpenStack_ data processing service, then it should be Data Processing Service23:23
sicarieto be fair, elmiko, he is going to have to review and +2/-2 to have the chapter merged :)23:23
bdpayneif you are talking about some generic data processing service, then no caps23:23
elmikosicarie: good point23:23
elmikobdpayne: ok, i probably have it backwards in a few places then23:23
bdpaynebut yeah, perhaps best to wait 24-48 hours for some reviews and then take a pass at cleanup23:24
bdpaynethat helps reduce church with the larger CR23:24
elmikoagreed, i'll hold off for now. just wanted to correct some whitespace and tox errors23:24
sicarieelmiko: I added another comment about logging details, but it looks very good!23:25
elmikosicarie: thanks =)23:25
elmikobdpayne: and thanks for the consult23:25
bdpaynesure, np23:25
elmikog'night folks23:26
*** sicarie has left #openstack-security23:36
*** singlethink has joined #openstack-security23:47

Generated by 2.14.0 by Marius Gedminas - find it at!