Friday, 2015-03-13

*** markvoelker has quit IRC  00:03
*** ljfisher has quit IRC  00:04
*** markvoelker has joined #openstack-security  00:08
*** dave-mccowan has quit IRC  00:33
*** dave-mccowan has joined #openstack-security  00:50
*** bdpayne has quit IRC  00:51
*** bpokorny has quit IRC  01:07
*** dave-mccowan has quit IRC  01:33
*** tkelsey has joined #openstack-security  02:46
*** tkelsey has quit IRC  02:50
*** bdpayne has joined #openstack-security  03:05
*** bdpayne has quit IRC  03:06
*** tmcpeak has quit IRC  03:09
<openstackgerrit> OpenStack Proposal Bot proposed openstack/security-doc: Imported Translations from Transifex  https://review.openstack.org/164081  06:06
*** markvoelker has quit IRC  06:11
*** markvoelker has joined #openstack-security  06:12
*** markvoelker has quit IRC  06:16
*** markvoelker has joined #openstack-security  06:42
*** markvoelker has quit IRC  06:47
*** browne has quit IRC  06:57
*** tkelsey has joined #openstack-security  07:17
*** jamielennox has quit IRC  07:31
*** jamielennox has joined #openstack-security  07:34
*** jamielennox has quit IRC  07:39
*** markvoelker has joined #openstack-security  07:43
*** markvoelker has quit IRC  07:48
*** jamielennox|away has joined #openstack-security  07:55
*** jamielennox|away is now known as jamielennox  07:55
<openstackgerrit> Merged openstack/security-doc: Imported Translations from Transifex  https://review.openstack.org/164081  08:04
*** openstackgerrit has quit IRC  08:21
*** openstackgerrit has joined #openstack-security  08:21
*** markvoelker has joined #openstack-security  08:44
*** markvoelker has quit IRC  08:48
*** tkelsey has quit IRC  09:04
*** tkelsey has joined #openstack-security  09:11
*** markvoelker has joined #openstack-security  09:45
*** markvoelker has quit IRC  09:49
*** tmcpeak has joined #openstack-security  10:42
*** markvoelker has joined #openstack-security  10:46
*** markvoelker has quit IRC  10:50
*** jamielennox has quit IRC  10:55
*** jamielennox|away has joined #openstack-security  11:02
*** jamielennox|away is now known as jamielennox  11:02
*** jamielennox has quit IRC  11:14
*** jamielennox|away has joined #openstack-security  11:24
*** jamielennox|away is now known as jamielennox  11:24
*** dave-mccowan has joined #openstack-security  11:32
*** markvoelker has joined #openstack-security  11:46
*** markvoelker has quit IRC  11:51
*** ljfisher has joined #openstack-security  11:58
*** markvoelker has joined #openstack-security  12:07
<openstackgerrit> Merged stackforge/bandit: Update the config file, and use yaml.safe_load()  https://review.openstack.org/163981  12:20
*** bknudson has joined #openstack-security  12:21
<openstackgerrit> Merged stackforge/bandit: Wildcard injection requires a shell  https://review.openstack.org/163991  12:25
*** markvoelker has quit IRC  13:16
*** markvoelker has joined #openstack-security  13:17
*** ljfisher has quit IRC  13:39
*** dave-mccowan has quit IRC  13:42
<openstackgerrit> Merged stackforge/bandit: Correct supported Python versions in setup.cfg  https://review.openstack.org/164000  13:50
*** ljfisher has joined #openstack-security  13:51
*** singlethink has joined #openstack-security  13:53
*** dave-mccowan has joined #openstack-security  13:56
*** sicarie has joined #openstack-security  14:08
*** voodookid has joined #openstack-security  15:00
*** dwyde has joined #openstack-security  15:05
*** bknudson has quit IRC  15:13
*** browne has joined #openstack-security  15:18
*** bpokorny has joined #openstack-security  15:39
*** bknudson has joined #openstack-security  15:45
*** browne has quit IRC  16:11
<elmiko> hey all, are there any guidelines for launchpad about when we should categorize security related bugs as private or public?  16:13
*** dwyde has quit IRC  16:19
<gmurphy> hmm.. not sure actually.. if it is security related as in it *could* be a vulnerability then click the private security tag to engage the vmt. then we figure out if something is a vulnerability or just security hardening etc.  16:20
<gmurphy> but afaik that isn't written down anywhere..  16:21
<elmiko> gmurphy: so, if it's hardening would that be less weight towards making it private?  16:23
<gmurphy> i think the general point of view is that we want to fix as many things as possible in the open. however if you are unsure if something could be a vulnerability feel free to engage the vmt first, we don't bite.  16:25
<elmiko> hehe, ok  16:27
<gmurphy> elmiko: also it depends on the security support status of the project etc  16:27
<elmiko> i marked it as public when i submitted, but i don't think it's major.  16:27
<elmiko> this is for sahara  16:27
<gmurphy> once public = always public  16:27
<elmiko> k  16:27
<gmurphy> if it is a vuln we can still issue an advisory  16:28
<elmiko> like i said, this is minor (imo) but i was curious in general  16:28
<gmurphy> yeah  16:28
<gmurphy> it is probably something we need to have a clearer message about  16:28
<elmiko> agreed  16:28
<elmiko> thanks for the advice, gotta run  16:28
*** browne has joined #openstack-security  17:07
*** dwyde has joined #openstack-security  17:12
*** auraka has joined #openstack-security  17:19
*** auraka has quit IRC  17:25
*** bdpayne has joined #openstack-security  17:31
<openstackgerrit> David Wyde proposed stackforge/bandit: Remove Python 2.6 from setup.cfg  https://review.openstack.org/164276  17:37
*** tkelsey has quit IRC  17:41
*** ljfisher has quit IRC  19:13
<openstackgerrit> Travis McPeak proposed stackforge/bandit: Tweaking severity for a couple of plugins  https://review.openstack.org/164317  19:35
<openstackgerrit> Merged stackforge/bandit: Remove Python 2.6 from setup.cfg  https://review.openstack.org/164276  19:36
<tmcpeak> dwyde: you around?  19:40
<dwyde> tmcpeak: yep  19:40
<tmcpeak> so for the shell injection plugin, we have an info now for subprocess call without a subshell  19:41
<tmcpeak> what are we looking for there?  19:41
<dwyde> hmm  19:42
<dwyde> it often doesn't matter, but i can cook up a stretch example or two  19:43
<tmcpeak> the problem is there isn't any way to configure it, so shell injection will bundle that warning  19:43
<tmcpeak> err info  19:43
<dwyde> ah  19:43
<tmcpeak> I'm going to chop it unless you object :)  19:43
<dwyde> i don't feel particularly strongly  19:44
<tmcpeak> ok cool  19:44
<tmcpeak> we can put it back later… Keystone is showing some results for that so until we can configure it properly we'll have to leave it out for now  19:45
<dwyde> makes sense :-)  19:45
<openstackgerrit> Travis McPeak proposed stackforge/bandit: Tweaking severity for a couple of plugins  https://review.openstack.org/164317  19:45
<tmcpeak> cool, thank you  19:45
<dwyde> for consistency, should it be removed from the injection_shell.py plugin?  19:47
<dwyde> which I think is the only other place that config setting is used  19:47
<tmcpeak> dwyde: what do you mean?  19:51
<tmcpeak> that's where I removed it from, injection_shell :)  19:51
<openstackgerrit> Travis McPeak proposed stackforge/bandit: Tweaking severity for a couple of plugins  https://review.openstack.org/164317  19:51
<dwyde> tmcpeak: start_process_with_no_shell in that file  19:51
<tmcpeak> dwyde: you mean just get rid of the whole no_shell thing?  19:52
<tmcpeak> in bandit.yaml too?  19:52
<tmcpeak> that one I don't have as much problem with because it is configurable  19:52
<dwyde> ah, you mean they can disable it in a profile  19:53
<tmcpeak> dwyde: yeah, as long as it is configurable, it's ok.  Let people who want to run with everything cranked up do so, but it can also be used for a sanity check in a gate  19:54
<dwyde> gotcha  19:55
*** ljfisher has joined #openstack-security  19:57
<dwyde> tmcpeak: this may be overly picky, but then maybe it makes sense to make a separate function/plugin for subprocess with `shell != True`, for consistency  19:58
<dwyde> not exactly a blocker though :-)  19:58
<tmcpeak> dwyde: how come?  19:59
<tmcpeak> oh, because they aren't related to shell injection?  19:59
<dwyde> a separate `@checks('Call')` function in that file  20:00
<dwyde> so people can enable/disable as they please  20:00
<dwyde> but if Bandit catches spawn* and exec*, maybe it should also catch subprocess non-shell calls  20:00
<tmcpeak> couldn't we just add that to the "shell" section then?  20:02
<tmcpeak> like add subprocess.Popen in there?  20:02
<dwyde> then it gets flagged with ERROR, right?  20:02
<dwyde> regardless of whether shell=True  20:03
<tmcpeak> dwyde: yeah, you're right  20:05
<tmcpeak> dwyde: isn't subprocess with shell != True fine though?  20:05
<tmcpeak> I mean, sometimes you just gotta call subprocess, do it safely and such :)  20:05
<dwyde> probably? maybe you're calling a script that has a shell injection or some other vulnerability, though  20:07
<dwyde> in my personal opinion, the three main ways to get hurt in Python are subprocesses, pickle, and eval/input  20:07
<tmcpeak> dwyde: yeah, that's true.. how can we make it configurable though  20:07
<dwyde> profile with exclude?  20:07
<tmcpeak> but profiles only operate on a plugin level  20:08
<tmcpeak> oh, you're saying move it out to a separate plugin?  20:08
<tmcpeak> I'm ambivalent :)  I'll approve it if you do the work :P  20:09
<dwyde> tmcpeak: haha, okay  20:09
<tmcpeak> ljfisher chair6: I need validation  20:10
<tmcpeak> https://review.openstack.org/164317  20:10
<dwyde> i mean, the real work is in setting up a config profile for that project that doesn't want to flag non-shell process calls  20:10
<tmcpeak> tell me I'm doing a good job and everything will be ok, por favor  20:11
<tmcpeak> dwyde: yeah, that's pretty easy and can be done once  20:11
<tmcpeak> for Keystone I'm just creating an explicit "include" set, so that even if new things are added we don't change it up on them  20:11
<dwyde> tmcpeak: oh, cool  20:13
<ljfisher> tmcpeak: you can write a better commit message than that :) At least tell me why you are tweaking this so months from now we know what you were thinking.  20:26
<tmcpeak> ljfisher: ok, fair enough  20:26
<ljfisher> otherwise I think it is fine. you ran through all the tests I take it  20:27
<openstackgerrit> David Wyde proposed stackforge/bandit: Make subprocess without `shell=True` into a plugin  https://review.openstack.org/164339  20:28
<openstackgerrit> Travis McPeak proposed stackforge/bandit: Tweaking severity for a few plugins  https://review.openstack.org/164317  20:28
<tmcpeak> ljfisher: done  20:28
<tmcpeak> ljfisher: yeah  20:28
<tmcpeak> dwyde: hang on, you'll have to rebase  20:31
<tmcpeak> ljfisher: approves?  20:31
<tmcpeak> chair6: approves?  20:31
<ljfisher> so that tells me what but not why. The what can be conveyed by the code but the why is important and isn't captured in the code. Like I can guess because I know what we have been doing.  20:32
<ljfisher> does that make sense?  20:32
<ljfisher> the why is in your head and we all know it is crazy in there :)  20:32
<tmcpeak> ljfisher: fair enough  20:32
<tmcpeak> one sec  20:32
<ljfisher> so a sentence: Changing severity to reduce useless messages or remove noise or because it is inaccurate  20:33
<ljfisher> you might scan https://wiki.openstack.org/wiki/GitCommitMessages sometime, because it helps everyone else know what is going on.  20:34
<openstackgerrit> Travis McPeak proposed stackforge/bandit: Tweaking severity for a few plugins  https://review.openstack.org/164317  20:34
<tmcpeak> ljfisher: you and your good practices, bring back tkelsey :)  20:35
<tmcpeak> ljfisher: one more look please  20:35
<ljfisher> ok, I'll take that.  20:35
<tmcpeak> ljfisher: say it with a +2 ;)  20:37
<ljfisher> so pushy :)  20:38
<ljfisher> I don't know why you want tkelsey. I went through several revisions with him on stuff like this.  20:38
<ljfisher> :)  20:38
<tmcpeak> haha  20:38
<tmcpeak> depends if he's feeling cheery  20:38
<chair6> i'm seeing 3 failing tox tests..  20:40
<tmcpeak> wut?  20:40
<ljfisher> so no more trusting tmcpeak  20:40
*** ljfisher has quit IRC  20:40
<tmcpeak> chair6: dammit, you're right  20:40
<tmcpeak> forgot to install again  20:40
*** ljfisher has joined #openstack-security  20:41
<tmcpeak> this doesn't make sense, I haven't even touched wildcard injection  20:41
<dwyde> the wildcard injection example includes shell injection  20:42
<dwyde> my changes will fix your failures, I believe  20:42
*** ljfisher has quit IRC  20:43
<tmcpeak> all right, almost got it sorted  20:44
<tmcpeak> right as ljfisher gave up  20:44
<openstackgerrit> Travis McPeak proposed stackforge/bandit: Tweaking severity for a few plugins  https://review.openstack.org/164317  20:45
<tmcpeak> chair6: all right  20:45
<tmcpeak> fixed  20:45
<tmcpeak> now dwyde will have to fix them back :\  20:46
<tmcpeak> this "python setup.py develop" thing tkelsey showed us was great until I learned it couldn't be trusted  20:46
<tmcpeak> now I have to get back in the habit of doing a reinstall… every… single… time  20:46
<tmcpeak> I should just set up a cronjob to 'python setup.py install' every 15 seconds from my current working directory and pipe output and stderr to /dev/null  20:47
<dwyde> i thought about doing "python setup.py develop" and specifying a plugin directory in my config  20:47
<dwyde> but the config keeps changing!  20:47
<tmcpeak> dwyde: I got bit with a really really strange issue that took me 1+ hour and ukbelch chimed in and made me 'python setup.py install' and it all of a sudden worked  20:48
<dwyde> tmcpeak: i know the feeling  20:51
<tmcpeak> ok, now we need ljfisher back  20:52
<tmcpeak> I guess I could just approve it myself, since nothing changed since he approved it other than it now passes tests  20:52
<tmcpeak> is that janky?  20:52
<dwyde> judge, jury, and executioner :-)  20:54
<tmcpeak> haha, yeah  20:55
<tmcpeak> all right, I'm just going to do it  21:00
<tmcpeak> ljfisher meant to approve :)  21:01
<tmcpeak> then we can get dwyde going  21:01
<tmcpeak> all right dwyde: push away  21:02
*** dave-mccowan has quit IRC  21:02
<tmcpeak> I'll be back on later for approves and all that  21:04
<tmcpeak> congratulations dwyde: it appears you might get the last patch for this version of Bandit  21:04
<dwyde> tmcpeak: i feel so special :-)  21:05
<tmcpeak> lol  21:05
<tmcpeak> glad you've been making all these contributions, you're doing great work.  Keep it up!  21:06
<dwyde> thanks! i've been enjoying it  21:07
*** tkelsey has joined #openstack-security  21:18
*** tkelsey has quit IRC  21:22
*** singlethink has quit IRC  21:27
*** singlethink has joined #openstack-security  21:30
*** singlethink has quit IRC  21:33
*** singlethink has joined #openstack-security  21:33
*** bknudson has quit IRC  21:35
*** bknudson has joined #openstack-security  21:41
*** dave-mccowan has joined #openstack-security  21:48
<openstackgerrit> Doug Chivers proposed stackforge/anchor: Added a check for the use of the default user/secret.  https://review.openstack.org/164353  21:56
<openstackgerrit> Doug Chivers proposed stackforge/anchor: Added a check for the use of the default user/secret  https://review.openstack.org/164353  22:12
<openstackgerrit> Doug Chivers proposed stackforge/anchor: Added a check for the use of the default user/secret  https://review.openstack.org/164353  22:22
<openstackgerrit> Merged stackforge/bandit: Tweaking severity for a few plugins  https://review.openstack.org/164317  22:24
<openstackgerrit> David Wyde proposed stackforge/bandit: Make subprocess without `shell=True` into a plugin  https://review.openstack.org/164339  22:24
<openstackgerrit> David Wyde proposed stackforge/bandit: Make subprocess without `shell=True` into a plugin  https://review.openstack.org/164339  22:35
*** dwyde has quit IRC  22:41
*** singlethink has quit IRC  22:45
<openstackgerrit> Doug Chivers proposed stackforge/anchor: Removes CA Certificate and CRL signing from the default config.  https://review.openstack.org/164366  22:46
*** voodookid has quit IRC  22:48
*** markvoelker has quit IRC  22:56
*** browne has quit IRC  23:03
*** sicarie has left #openstack-security  23:07
*** tkelsey has joined #openstack-security  23:19
*** tkelsey has quit IRC  23:23
*** bdpayne has quit IRC  23:41
*** bdpayne has joined #openstack-security  23:41
*** dave-mccowan has quit IRC  23:54
*** markvoelker has joined #openstack-security  23:57

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!