Thursday, 2015-05-07

*** shakamunyi has quit IRC01:02
*** bpokorny has quit IRC01:36
*** salv-orlando has quit IRC02:03
*** browne1 has quit IRC02:07
*** shakamunyi has joined #openstack-security02:09
*** tmcpeak has quit IRC02:34
*** markvoelker has quit IRC03:04
*** sdake_ has joined #openstack-security03:09
*** sdake has quit IRC03:13
*** sdake has joined #openstack-security03:36
*** browne has joined #openstack-security03:36
*** sdake_ has quit IRC03:39
*** markvoelker has joined #openstack-security04:04
*** markvoelker has quit IRC04:09
*** dave-mccowan has quit IRC04:24
*** onrul has joined #openstack-security04:57
*** markvoelker has joined #openstack-security05:05
*** markvoelker has quit IRC05:10
*** sdake has quit IRC05:20
*** sdake has joined #openstack-security05:24
*** sdake_ has joined #openstack-security05:26
*** sdake has quit IRC05:29
*** onrul has quit IRC05:40
*** salv-orlando has joined #openstack-security05:50
*** markvoelker has joined #openstack-security05:51
*** markvoelker has quit IRC05:56
*** sdake_ is now known as sdake06:10
*** markvoelker has joined #openstack-security06:52
*** markvoelker has quit IRC06:56
*** markvoelker has joined #openstack-security08:53
*** markvoelker has quit IRC08:58
*** markvoelker has joined #openstack-security09:54
*** markvoelker has quit IRC09:58
*** tmcpeak has joined #openstack-security10:21
*** markvoelker has joined #openstack-security10:55
*** markvoelker has quit IRC11:00
*** openstackgerrit has quit IRC11:52
*** openstackgerrit has joined #openstack-security11:52
*** markvoelker has joined #openstack-security11:56
*** markvoelker has quit IRC12:00
*** markvoelker has joined #openstack-security12:15
*** dave-mccowan has joined #openstack-security12:24
*** tmcpeak has quit IRC12:38
*** tmcpeak has joined #openstack-security13:03
*** nkinder has quit IRC13:14
*** singlethink has joined #openstack-security13:33
*** jamielennox is now known as jamielennox|away13:51
*** nkinder has joined #openstack-security14:08
*** tmcpeak has quit IRC14:17
*** tmcpeak has joined #openstack-security14:18
*** voodookid has joined #openstack-security14:28
*** dwyde has joined #openstack-security15:05
*** salv-orlando has quit IRC15:08
*** bpokorny has joined #openstack-security15:16
*** tmcpeak has quit IRC15:25
*** browne has quit IRC15:31
*** singlethink has quit IRC15:42
*** sdake has quit IRC15:44
*** sdake has joined #openstack-security15:44
*** tmcpeak has joined #openstack-security15:51
*** sicarie has joined #openstack-security15:58
openstackgerritMerged stackforge/bandit: Update the README file
*** salv-orlando has joined #openstack-security16:09
*** salv-orlando has quit IRC16:12
*** browne has joined #openstack-security16:13
*** singlethink has joined #openstack-security16:15
*** dwyde has quit IRC16:28
*** shakamunyi has quit IRC16:29
tmcpeakbrowne: I've managed to undo your move of -> README.rst :16:42
browneha, ok, np16:42
*** dwyde has joined #openstack-security16:49
*** bpokorny_ has joined #openstack-security16:51
*** sdake_ has joined #openstack-security16:52
*** bpokorny has quit IRC16:55
*** sdake has quit IRC16:56
*** fletcher has joined #openstack-security17:02
*** tkelsey has joined #openstack-security17:12
*** sdake has joined #openstack-security17:13
*** sdake_ has quit IRC17:17
*** fletcher has quit IRC17:22
*** anteaya has quit IRC17:45
*** Codeman655 has joined #openstack-security17:45
*** Codeman655 has quit IRC17:54
*** bpokorny has joined #openstack-security18:02
tmcpeaknkinder: ping18:05
nkindertmcpeak: hey hey18:05
tmcpeakhey there18:05
tmcpeakyou get anywhere with that OSSN->RST?18:05
*** bpokorny_ has quit IRC18:06
nkindertmcpeak: no.  I need to push it up to github.  Been swamped with regular work stuff + summit prep18:06
nkinderI will get it up there before the summit18:06
tmcpeakahh ok cool18:06
tmcpeakgmurphy: ^18:07
*** sdake has quit IRC18:08
*** sdake has joined #openstack-security18:09
*** salv-orlando has joined #openstack-security18:23
*** salv-orlando has quit IRC18:27
*** tkelsey has quit IRC18:43
*** sdake_ has joined #openstack-security18:43
*** sdake has quit IRC18:47
tmcpeakdstufft: around?18:57
dstuffttmcpeak: sup19:01
tmcpeakdstufft: curious about the state of PyPI security.. been reading a bit on signed packages and similar things19:02
tmcpeaksome of this looks fairly old though19:02
tmcpeakdstufft: currently picking my way through this thread on TUF… and went through most of the PEP you contributed to for integration with TUF19:03
dstuffttmcpeak: the state is we rely entirely on HTTPS right now, though the state of pip is that if you're using a new enough pip you'll _only_ get stuff from PyPI not random hosts from around the world19:03
tmcpeakdstufft: ok, I also noticed that not many packages on PyPI are signed by the authors19:03
dstufftit's not really useful to gpg sign packages19:04
dstufftI mean, theortically some distros verify those signatures19:04
dstufftbut pip doesn't nor does anything else that I'm aware of19:04
dstufftlong term TUF is, I'm pretty sure, the answer19:04
tmcpeakdstufft: but if the packages are signed, we can do a gpg verification manually before we install them with PIP, right?19:04
dstufftbut I haven't gotten around to doing that, I'm focusing more on replacing the horrible codebase that powers PyPI first19:05
dstuffttmcpeak: sure, if you can figure out what keys to trust anyways :)19:05
dstufftI don't really consider that a very useful thing though, because if it's not done automatically and it's not something we can require then it's not super useful19:06
dstufft100 singed packages and 1 unsigned package and you're still hit19:06
tmcpeakdstufft: ah, ok… the reason I'm bringing this up is because I was picking at an idea of getting OpenStack components and dependencies signed, then having a list of the keys that should have signed them, then at least providing code to check those signatures19:06
*** dwyde has quit IRC19:06
tmcpeakdstufft: it just makes me exceedingly nervous that security of all of OpenStack is depending on the integrity of 250 bits of code, most of which aren't signed19:07
*** dwyde has joined #openstack-security19:07
dstuffttmcpeak: I mean, you can sign them. Some distros might use them but not much else will. Probably not many people will bother19:08
tmcpeakdstufft: yeah, at least having the option of checking signatures seems like it would be a benefit19:08
tmcpeakat least from where I stand19:09
tmcpeakgiving people the option19:09
tmcpeakto validate if they want… I know most people will just "pip install -r all_the_things" and be done with it19:09
tmcpeakdstufft: you're right though, all it takes is one unsigned, and what does signed even mean if nobody is checking the quality of this stuff19:09
dstuffttmcpeak: Yea, well I mean fundamentally PyPI is never going to be more than "make sure you get the bits that the author uploaded", whether those bits are "safe" or "ok" is an exercise left to the reader19:11
tmcpeakdstufft: what's the deal with warehouse?19:11
dstuffttmcpeak: PyPI 2.019:12
tmcpeakdstufft: anything good to read there? is it solving any security problems?19:12
*** sicarie has quit IRC19:13
dstuffttmcpeak: PyPI legacy (aka what's running PyPI right now) was written in like... 2003, before the rise of things like web frameworks or unit testing, and it's mostly two 3000+ line files with spaghetti code and stuff wound all around. It was never designed to be a permanent thing. It was a proof of concept that never got replaced and has had various people of various skill levels indescminately adding things over time19:13
dstufftso Warehouse is "let's rewrite from scratch with modern components and practices"19:14
tmcpeakdstufft: I feel like I've heard this story before19:14
dstufftRight now warehouse isn't trying to do much of anything that PyPI itself doesn't do (other than have a sensible implementation)19:14
tmcpeakahh ok cool19:15
dstufftthe goal is to get warehouse to feature parity, then drop it in as a repalcement, deal with the fallout, then move forward on making improvements19:15
tmcpeakcool — did you guys get anywhere with PEP-0458?19:15
dstufftit's stalled, largely because it's a large block of work that needs someone familar with both cryptography/security and PyPI/pip to review it and implement it19:16
dstufftand I think the set of people who fit that is.. well me.19:17
tmcpeakdstufft: makes sense19:17
tmcpeakdstufft: any last words of advice regarding jumping headfirst into a quest to push OpenStack requirements to all be signed by their authors?19:17
dstuffttmcpeak: nothing that comes to mind! Happy to review anything you write or do for it though19:18
tmcpeakdstufft: awesome, thanks for your time!19:20
gmurphy= security guidance -> ossa -> security.o.o19:21
tmcpeakgmurphy: sweet!19:21
*** singlethink has quit IRC19:22
gmurphyi think we should nit all the docs on this review and get things up to an ok standard in one go19:22
*** bpokorny has quit IRC19:22
tmcpeakcool, I'll take a pass19:22
*** bpokorny has joined #openstack-security19:23
*** singlethink has joined #openstack-security19:34
*** tkelsey has joined #openstack-security19:38
tmcpeakbrowne chair6 elmiko gmurphy nkinder tkelsey — you've been chosen (victimized) completely randomly (probably not) for your valuable input on this:
tmcpeakplease take a stab at reviewing… our goal is to make these developer friendly guidelines written in simple language.  I know you're all busy, but please take the time to review a few19:41
elmikotmcpeak: ack, i'll take a gander19:41
tmcpeakdave-mccowan, dstanek, dwyde, erw, jraim, redrobot, sdake, singethink, sweston, voodookid19:41
tmcpeakmore random victims ;)19:41
dstanektmcpeak: np19:42
*** tkelsey has quit IRC19:42
voodookidlet me take a look19:42
tmcpeakelmiko, dstanek, voodookid: thanks!19:43
tmcpeakthis one is the quintessential good example:
tmcpeakwe'd like them in that voice, casual, etc19:46
voodookidhow would you like the comments to be made? Within gerrit?19:52
*** singleth_ has joined #openstack-security20:00
*** salv-orlando has joined #openstack-security20:01
*** bpokorny_ has joined #openstack-security20:02
*** singlethink has quit IRC20:03
*** bpokorny_ has quit IRC20:03
*** bpokorny_ has joined #openstack-security20:04
*** bpokorny has quit IRC20:06
*** bknudson has joined #openstack-security20:09
*** salv-orlando has quit IRC20:16
*** sdake_ has quit IRC20:29
gmurphyso i think initially we should just do this via review comments for the current patchset.20:46
elmikogmurphy: +120:47
gmurphythen we can figure out how to split it up or i can just address all the suggestions.20:47
elmikoit is a large patch to review. lots of reading, i wonder if it would be more efficient to review them as individual docs?20:48
gmurphyhmm could be.20:49
elmikoi dunno, just my first reaction as i'm starting to read these.20:49
gmurphymaybe i should abandon change.20:49
elmikosome of them seem like they would be accepted with little compaint20:50
elmikotmcpeak: any thoughts on this ^^20:53
elmikogmurphy: don't rush to abandon just yet. let's see what others think. i may be alone in this.20:53
gmurphyno i agree it would probably make things easier.20:54
gmurphyi guess i could drop all the ones that got comments from the next patch set and push them up separately for individual review20:55
gmurphyi dunno!20:56
gmurphytmcpeak: thoughts?20:56
elmikoyea, given the call to review and the number of comments it might be best to just charge ahead at this point20:57
elmikocall it a learned lesson for next time ;)20:57
*** browne has quit IRC20:58
tmcpeakgmurphy, elmiko: yeah, let's charge ahead21:00
tmcpeakprobably easier to get one review through than a bunch21:01
tmcpeakgmurphy, elmiko: so where did we get to? we'll just push ahead?21:01
elmikotmcpeak: i think so21:02
elmikoespecially given all the comments that are rolling in21:02
tmcpeakyep, ok sounds good21:02
*** bpokorny has joined #openstack-security21:02
*** bpokorny_ has quit IRC21:05
*** sdake has joined #openstack-security21:08
gmurphyalso fwiw you can also check the html output ->
*** sdake_ has joined #openstack-security21:11
*** sdake has quit IRC21:15
elmikogmurphy: nice, thanks21:28
*** sdake_ is now known as sdake21:30
*** sdake_ has joined #openstack-security21:54
*** sdake has quit IRC21:58
*** browne has joined #openstack-security22:16
*** nkinder has quit IRC22:18
*** sdake has joined #openstack-security22:22
*** salv-orlando has joined #openstack-security22:25
*** sdake_ has quit IRC22:25
*** dwyde has quit IRC22:30
*** salv-orlando has quit IRC22:31
*** sdake has quit IRC22:51
*** sdake has joined #openstack-security22:53
*** singleth_ has quit IRC22:56
*** voodookid has quit IRC23:07
*** markvoelker has quit IRC23:26
*** nkinder has joined #openstack-security23:34
*** onrul has joined #openstack-security23:38
*** tkelsey has joined #openstack-security23:39
*** tkelsey has quit IRC23:43
*** markvoelker has joined #openstack-security23:56
*** markvoelker has quit IRC23:57
*** markvoelker has joined #openstack-security23:57

Generated by 2.14.0 by Marius Gedminas - find it at!