Monday, 2015-03-23

*** nkinder has joined #openstack-security00:13
*** markvoelker has joined #openstack-security00:17
*** markvoelker has quit IRC00:22
*** elo has joined #openstack-security00:46
*** elo has quit IRC00:56
*** browne has joined #openstack-security01:14
*** markvoelker has joined #openstack-security01:18
*** markvoelker has quit IRC01:23
*** tmcpeak has quit IRC02:03
*** markvoelker has joined #openstack-security02:19
*** tkelsey has joined #openstack-security02:19
*** markvoelker has quit IRC02:23
*** tkelsey has quit IRC02:24
*** bdpayne has quit IRC02:59
*** dave-mccowan has quit IRC04:02
*** pcaruana has quit IRC05:07
*** bdpayne has joined #openstack-security05:26
openstackgerritOpenStack Proposal Bot proposed openstack/security-doc: Imported Translations from Transifex
*** browne has quit IRC06:26
*** jamielennox is now known as jamielennox|away06:28
*** bdpayne has quit IRC06:32
openstackgerritRajesh Asanabada proposed openstack/security-doc: Reframed the sentence in Authentication methods
*** pcaruana has joined #openstack-security06:58
openstackgerritRajesh Asanabada proposed openstack/security-doc: Reframed the sentence in Authentication methods
*** JAHoagie has joined #openstack-security08:13
*** markvoelker has joined #openstack-security08:24
*** markvoelker has quit IRC08:28
*** JAHoagie has quit IRC08:28
*** tkelsey has joined #openstack-security08:31
openstackgerritRajesh Asanabada proposed openstack/security-doc: Reframed the sentence in Authentication methods
openstackgerritRajesh Asanabada proposed openstack/security-doc: Reframed the sentence in Authentication methods
*** markvoelker has joined #openstack-security09:24
*** markvoelker has quit IRC09:29
openstackgerritRajesh Asanabada proposed openstack/security-doc: Reframed the sentence in Authentication methods
*** ukbelch has joined #openstack-security09:49
*** ukbelch has quit IRC09:51
*** markvoelker has joined #openstack-security10:25
openstackgerritOpenStack Proposal Bot proposed openstack/security-doc: Updated from openstack-manuals
*** markvoelker has quit IRC10:30
*** tmcpeak has joined #openstack-security10:43
*** markvoelker has joined #openstack-security11:26
*** markvoelker has quit IRC11:30
*** markvoelker has joined #openstack-security11:46
openstackgerritMerged openstack/security-doc: Updated from openstack-manuals
openstackgerritMerged stackforge/bandit: Fixed -n flag processing
*** dave-mccowan has joined #openstack-security12:21
*** dave-mccowan has quit IRC13:00
*** dave-mccowan has joined #openstack-security13:00
openstackgerritTravis McPeak proposed stackforge/bandit: Fixing a bug with files listing when a file was skipped
openstackgerritTravis McPeak proposed stackforge/bandit: Fixing a bug with files listing when a file was skipped
*** ljfisher has joined #openstack-security13:28
*** JAHoagie has joined #openstack-security13:30
*** singlethink has joined #openstack-security13:46
*** salv-orlando has joined #openstack-security13:50
*** voodookid has joined #openstack-security14:35
openstackgerritMerged stackforge/bandit: Fixing a bug with files listing when a file was skipped
*** voodookid has quit IRC14:40
*** JAHoagie has quit IRC14:47
*** voodookid has joined #openstack-security14:54
*** dwyde has joined #openstack-security14:56
*** developer has joined #openstack-security15:02
*** bdpayne has joined #openstack-security15:09
*** bpokorny has joined #openstack-security15:14
*** developer is now known as SnowDust15:15
*** bdpayne has quit IRC15:33
*** rkgudboy has joined #openstack-security15:44
*** rkgudboy has quit IRC15:46
*** rkgudboy has joined #openstack-security15:47
*** rkgudboy has quit IRC15:47
*** rkgudboy has joined #openstack-security15:48
*** rkgudboy has quit IRC15:54
*** SnowDust has quit IRC16:02
*** JAHoagie has joined #openstack-security16:03
*** bdpayne has joined #openstack-security16:18
*** bpb__ has joined #openstack-security16:29
*** JAHoagie has quit IRC16:33
*** bdpayne has quit IRC16:37
*** JAHoagie has joined #openstack-security16:53
*** browne has joined #openstack-security16:54
*** sicarie has joined #openstack-security16:58
*** ljfisher has quit IRC16:58
sicarieelmiko: are you around?17:00
elmikosicarie: yup =)17:00
sicarieCool, priti is not going to be able to make it this week17:00
*** bdpayne has joined #openstack-security17:00
sicarieAh, and we get bdpayne for at least one more meeting!17:00
sicarieSo taking a look at the bugs:
bdpaynehey there :-)17:01
sicarieThere are two bugs to triage17:01
sicarieThe first is interesting:
openstackLaunchpad bug 1432796 in openstack-manuals "Validate Checklists - Should cover entire chapter" [Undecided,New] - Assigned to Priti Desai (priti-desai)17:02
sicarieThere is some overlap (as mentioned in the comments) with the other checklist bug17:02
* bdpayne doesn't see any comments17:03
sicarieSorry, description17:03
sicarieThe description mentions:
openstackLaunchpad bug 1342993 in openstack-manuals "Adding Security Checklist in Security Guide" [High,In progress] - Assigned to Priti Desai (priti-desai)17:03
bdpayneso, it may make sense to have a review like this for each chapter?17:03
bdpayneperhaps different bugs?17:03
*** JAHoagie has quit IRC17:03
sicarieAnd it looks like Priti is using 1342993 to track it - the submissions are “partial-bug” in the commit message17:04
brownetmcpeak: so is Bandit getting pushed to PyPi this week?17:04
elmikois this bug (1432796) about making sure that the checklists are in the specified format?17:04
sicarieI think so, but if so I think that would be handled in 134299317:04
sicarieAs we have one in-flight, and the others are yet to be created17:04
bdpaynebtw, can either of you actually mark these bugs as triaged?17:05
sicarieSo personally, I’d set this to wishlist until I can circle back with Priti and see what she meant here17:05
bdpaynesicarie makes sense to me17:05
elmikoi'm ok with that, or maybe incomplete is more accurate17:05
sicarieelmiko: yes, that’s probably better17:05
sicariebdpayne: I cannot - nor can I change the importance17:06
elmikosicarie: i can change it17:06
bdpayneok, we should try to fix that this week :-)17:06
*** dwyde has quit IRC17:07
bdpayneelmiko so you can mark it as triaged / incomplete?17:07
bdpaynegive it a shot now17:07
sicarieelmiko: great! Do you want to go ahead and set it for now? I’m adding my comment now17:07
elmikogreat, was gonna say we need a comment ;)17:07
bdpayneelmiko can you set the importance too?17:07
elmikobdpayne: no17:07
bdpayneok, I've set that17:08
bdpayneI'll see if we can get that sorted here in the next day or two17:08
elmikohehe, patchwork ACLs17:08
sicarieSo the second is an extension of the checklists again:
openstackLaunchpad bug 1432803 in openstack-manuals "Add checklists in Appendix" [Undecided,New]17:09
sicarieI think this is a pretty good idea - especially if we can get the automated docbook tooling to generate them17:09
sicarieat the same time, we only have one17:09
sicarieSo I’d say low?17:09
elmikothat seems appropriate17:10
sicarieelmiko: could you do the honors for low / triaged?17:10
elmikointeresting i can't set "Triaged" for status17:11
elmikonor can i adjust importance17:11
* bdpayne did it17:11
sicarie+1 bdpayne!17:11
sicarieAnd congrats on the talk, btw!17:11
elmikodid bdpayne get accepted for a talk at summit?17:12
elmikonice =)17:12
elmikomine got turned down =(17:12
sicarieI did want to call out a sec-guide bug that is getting fixed/merged elsewhere17:13
openstackLaunchpad bug 1311067 in openstack-manuals "Common guide for policy.json file" [High,In progress] - Assigned to Bernd Bausch (berndbausch)17:13
sicarieWith initial submission:
sicarieJust glanced through it, looks like good material, I added myself as a reviewer so I can link to it in the sec-guide (as it looks to be fixed elsewhere)17:14
tmcpeakbrowne: yep, last minute check if you can please17:14
sicarieIt looks like there are a couple more bugs in-flight; I have a few structural changes going through17:15
sicarieI did have three big items I wanted to take a look at17:15
elmikoi've been trying to keep up on reviews, but for some of the domain specific stuff i'm a little out of my depth17:15
tmcpeakbrowne: thank you!17:15
*** ljfisher has joined #openstack-security17:15
sicarieelmiko: you’ve been awesome, you’ve been beating me to the punch on most of these17:16
sicarieThe first is the Compute chapter:
openstackLaunchpad bug 1412975 in openstack-manuals "Security Guide - Compute Section" [Low,Confirmed] - Assigned to N Dillon (sicarie)17:16
elmikoaww shucks... ;)17:16
sicarieI threw up a rough outline of what I’m thinking, but elmiko is totally right on the domain-specific stuff - it takes a lot of time to research17:16
sicarieSo any comments on that are welcome17:17
elmikoat a cursory glance, it looks nice. i'll add it to my list for review.17:17
sicarieI’ve also been looking to overhaul the case studies17:18
sicarieMake sure they’re sane and good examples , preferably good contrasts as well, and detail on decision-making17:18
sicarieSo I have an initial etherpad on that:
bdpayneall nice ideas :-)17:18
sicarieAgain, any input is appreciated17:18
sicarieI need to link that to the bug17:19
sicarieone sec17:19
sicarieFinally, there are three sections that really need work17:19
* bdpayne likes the comment Re fedramp in the etherpad17:19
elmikoi really like the idea of laying out more information about what Alice and Bob are trying to do and what their studies should illustrate17:20
sicarieelmiko: precisely17:20
elmikois there a link i can check out about the fedramp compliance stuff?17:20
sicarieYeah, I apologize if I got snarky towards the end - I think I cleaned up most of those comments17:21
sicarieThe end of last week was rough for me :)17:21
elmikohehe, i know the feeling17:21
sicarieelmiko: I believe there’s a chapter on it in the sec guide :)17:21
elmikolol, well know i feel sheepish.17:21
sicarieSo especially being non-US, I’d love to get local regulation links and views in there as well17:21
elmikobdpayne: thanks17:22
sicariePossibly with Bob and how he has to conform to compliance?17:22
sicarieaka, if you don’t want to know about fedramp, I don’t blame you17:22
sicarieI’d really like to get some good contrasts going between Alice and Bob and what their implementations look like in the end17:23
elmikothat would be interesting, are you talking about a full-stack kind of perspective?17:23
sicarieYeah, I think I am? It seems like the case studies are good places to holistically look at the impacts of each chapter17:24
sicarieHow they impact the controls and environment17:24
sicarieAnd non-case study specific, there are three chapters that I wasn’t able to edit when I tried to do my cover-to-cover review17:25
sicarieIdentity, Dashboard, and Network17:25
sicarieThese three need a bit of work both around content, grammar, and file structure within the repo17:26
elmikoi take it the grammar and file structure can be addressed more generally? (no domain specific knowledge needed)17:26
elmikosounds good17:26
sicariePlus, Identity is a bit more generalized at this point - there’s not too much Keystone-specific stuff in the chapter, a lot of federation, etc....17:27
bdpayneok, I need to run to another meeting17:27
elmikotake care17:27
sicariebdpayne: thanks for stopping by!17:27
bdpaynethanks guys for pushing this effort forward17:27
bdpaynesounds like you are working on all the right things :-)17:28
sicarieThe Network chapter is the one I’m concerned may have outdated (ie, incorrect) info17:28
*** bdpayne has quit IRC17:28
elmikoyea, networking stuff iterates quickly as well17:28
sicarieAnd with the reorganization going on there at the moment...17:29
sicarieActually, I think that’s mostly settled17:29
elmikoare there bugs for the grammar and file structure issues up yet?17:29
elmikok, so we need to get on those17:29
sicarieelmiko: if you wanted to do that, it would be awesome17:29
elmikoi can read through identity section again and generate a grammer bug17:30
elmikoas for structure i might need to understand a little better17:30
sicarieSweet! Another issue I noticed (I don’t remember if it was Identity or Dashboard) at one point there was 3 pages of a dump of a huge config file?17:30
sicarieStuff like that can be called out specifically17:31
sicarieOh, sure, so most of the detail was in the ch_identity file17:31
sicariethere were a few section_ files17:31
sicariebut the ch_identity and ch_dashboard files are HUGE17:31
elmikoahh, ok17:31
elmikoso we need better segregation/separation17:31
sicarieSo getting the intro and sections in the to ch_file, and everything else out in its own section_files17:31
sicarieelmiko: precisely17:31
elmikook, i'll take a look at identity and generate bugs for grammar and structure17:32
sicarieAnd I have to run as well17:32
elmikok, are you gonna be at summit?17:32
sicarieProbably not :(17:32
elmikoaww =(17:32
elmikook, we'll talk more later or next week =)17:32
sicarieSounds good!17:33
elmikonp, thanks for chairing =)17:33
*** JAHoagie has joined #openstack-security17:45
*** sicarie has quit IRC17:47
*** dwyde has joined #openstack-security17:53
*** JAHoagie has quit IRC17:59
*** JAHoagie has joined #openstack-security18:03
*** dave-mccowan has quit IRC18:37
openstackgerritMerged stackforge/anchor: Adding more no-cover pragmas on OpenSSL error handling code
brownetmcpeak: I did some more tests of Bandit.  LGTM18:48
tmcpeakbrowne: awesome, thanks!18:49
tmcpeakversion pin coming in about 2 hours unless somebody finds something18:49
tmcpeakljfisher, dwyde: want to do a last pass?18:49
dwydetmcpeak: sounds good18:51
brownetmcpeak: cool18:52
tmcpeakcool, thank you18:52
tmcpeakljfisher, dwyde, browne: you guys in favor of 0.9.5 or 1.0?18:54
browneprobably 0.9 for me18:56
dwydetmcpeak: 0.9.5, mostly because a bunch of deep changes have happened in the last week or two18:56
tmcpeakbrowne, dwyde: so a couple of things, first of all it's currently 0.9.0, so have to go up a little18:57
ljfishertmcpeak, I think you are good.  +1 on 0.9.518:57
tmcpeakalso, ukbelch points out that 0.9.5 would mean it's an incremental release18:57
tmcpeakand we should do 0.10.0 if we go up :)18:57
tmcpeakwhich just sounds messed up to me18:57
tmcpeakdwyde: we should be stable though, have tested with a lot of the deep changes18:59
dwydetmcpeak: true18:59
dwydemore stable than KDE 4.0, anyway :-)18:59
tmcpeakljfisher, browne, dwyde: I'm incline towards 1.0 for the psychological impact, don't think most are going to want to run a "beta" version of something18:59
tmcpeakdwyde: lol, this is true18:59
tmcpeaksome of planned features could go in 1.1, etc?19:00
dwydetmcpeak: I’m good with 1.019:01
tmcpeakdwyde: cool19:01
tmcpeakljfisher, browne: ok on 1.0?19:01
tmcpeakfrom now on we can do versioning in a sensible way :)19:01
ljfisherif 0.9.5 is incremental, then 0.10 is fine also. Plenty of people use plenty of projects that haven’t hit 1.0. :) I more look at is as how many of the features we want to do going to break the interface both for running bandit and for processing the output. Marking with 1.0 kinds of says we won’t change that.19:03
ljfisherat least for awhile19:03
tmcpeakljfisher: that's a good point19:03
*** raginbajin has quit IRC19:04
tmcpeakok, here's what I'm going to do… majority wins, ljfisher, dwyde, browne, chair6, tkselsey, ukbelch, fletcher, and myself all get a vote19:04
*** raginbajin has joined #openstack-security19:04
tmcpeakchair6 breaks ties19:04
tmcpeak0.10.0 or 1.019:04
ljfisherDo we have this running as a gate yet or code to do so?19:05
tmcpeakljfisher: no, we need pinned version to do any of that19:05
tmcpeakat least if it's an openstack gate19:05
ljfisherSo I can’t say 1.0 until we go through that exercise and it works as is. Stuff like that always causes issues to fall out.19:06
tmcpeakljfisher: fair enough19:06
tmcpeakukbelch votes 1.019:06
tmcpeaktkelsey votes 0.1019:07
tmcpeakdwyde: got it19:09
tmcpeakukbelch flip-flopped so now he voted 0.10 also19:10
*** dwyde has quit IRC19:21
tmcpeakchair6 voted 0.10, so it will be 0.10 :)19:32
*** hyakuhei has joined #openstack-security19:47
*** dwyde has joined #openstack-security19:50
*** dave-mccowan has joined #openstack-security19:55
*** ljfisher_ has joined #openstack-security20:07
dwydetmcpeak: no new bugs to report — LGTM :-)20:08
tmcpeakdwyde: cool! thanks for checking20:09
*** ljfisher has quit IRC20:09
*** ljfisher has joined #openstack-security20:11
*** ljfisher_ has quit IRC20:12
brownei like 0.120:15
*** ljfisher_ has joined #openstack-security20:21
*** ljfisher has quit IRC20:23
*** ljfisher_ is now known as ljfisher20:23
tmcpeakbrowne: cool20:25
tmcpeakallright, here it goes20:25
*** ljfisher_ has joined #openstack-security20:35
*** ljfisher has quit IRC20:37
*** ljfisher has joined #openstack-security20:40
*** ljfisher_ has quit IRC20:41
*** hyakuhei has quit IRC20:41
*** ljfisher_ has joined #openstack-security20:43
*** ljfisher has quit IRC20:44
*** ljfisher_ is now known as ljfisher20:44
*** jamielennox|away is now known as jamielennox21:02
tmcpeakall: bandit is live in pypi :)21:11
*** hyakuhei has joined #openstack-security21:20
*** tkelsey has quit IRC21:24
tmcpeakyeah, looks like it's missing config file at least, but at least we have something up :)21:25
tmcpeakwill fix soon21:25
*** tkelsey has joined #openstack-security21:26
*** hyakuhei has quit IRC21:55
*** tkelsey has quit IRC21:57
*** bpb__ has quit IRC21:57
*** dwyde has quit IRC22:25
*** browne1 has joined #openstack-security22:28
*** browne has quit IRC22:29
*** salv-orl_ has joined #openstack-security22:34
*** salv-orlando has quit IRC22:34
*** bpokorny_ has joined #openstack-security22:38
*** salv-orl_ has quit IRC22:38
*** ljfisher has quit IRC22:39
*** bpokorn__ has joined #openstack-security22:40
*** bpokorny has quit IRC22:41
*** salv-orlando has joined #openstack-security22:42
*** bpokorny_ has quit IRC22:43
*** singlethink has quit IRC22:53
*** markvoelker has quit IRC23:01
*** voodookid has quit IRC23:08
*** tmcpeak has quit IRC23:27
*** markvoelker has joined #openstack-security23:47
*** markvoelker has quit IRC23:51

Generated by 2.14.0 by Marius Gedminas - find it at!