Monday, 2015-06-08

[07:08] openstackgerrit: OpenStack Proposal Bot proposed openstack/security-doc: Updated from openstack-manuals  https://review.openstack.org/189207
[07:58] openstackgerrit: Merged openstack/security-doc: Updated from openstack-manuals  https://review.openstack.org/189207
[14:07] chair6: sigmavirus24: cool, i'll take a look a bit later on today.. launchpad is at https://launchpad.net/bandit
[15:22] tmcpeak: dstufft: ping
[17:00] sicarie: hello
[17:00] elmiko: hi
[17:00] sicarie: Wow, it seems like forever since we’ve had a secguide meeting :)
[17:00] elmiko: yea, seriously!
[17:01] sicarie: wow, and it looks like we have a few more bugs too: https://bugs.launchpad.net/openstack/+bugs?field.tag=sec-guide
[17:01] elmiko: cool
[17:01] sicarie: pdesai: ping?
[17:01] sicarie: welcome shelleea007
[17:02] sicarie: Okay, I’ll follow up with pdesai later - I think I missed an email from her I need to follow up on anyway
[17:02] elmiko: k
[17:02] pdesai: Hi everyone
[17:02] elmiko: hi
[17:02] sicarie: pdesai: ah, welcome!
[17:03] pdesai: thanks :)
[17:03] shelleea007: hi
[17:03] sicarie: so we have a bunch of bugs, and the first one https://bugs.launchpad.net/openstack-manuals/+bug/1455678
[17:03] openstack: Launchpad bug 1455678 in openstack-manuals "Tokens in Identity Chapter - Cover all types of tokens" [Undecided,Confirmed]
[17:03] sicarie: pdesai: care to give a quick overview?
[17:04] pdesai: Sure, i think we should add little background of different types of tokens and pros and cons of each from security standpoint
[17:04] sicarie: and what level of criticality were you thinking on this?
[17:04] pdesai: medium
[17:04] sicarie: looks like it would be great info to have
[17:05] elmiko: agreed, good bug
[17:05] pdesai: great
[17:05] sicarie: is everyone good with medium?
[17:06] elmiko: +1
[17:06] sicarie: Cool, so next I have: https://bugs.launchpad.net/openstack-manuals/+bug/1459038
[17:06] openstack: Launchpad bug 1459038 in openstack-manuals "Security Guide - Chapter 7. Dashboard - ngingx over Apache" [Undecided,Confirmed]
[17:06] sicarie: I opened this because in the Dashboard section they just say “we prefer Nginx”
[17:06] sicarie: No comparison of why or what else exists
[17:06] elmiko: hmm, that definitely needs an explanation
[17:06] shelleea007: i agree
[17:07] pdesai: +1
[17:07] sicarie: I’d like to break that out into “Nginx is good for quick stand-ups, but Apache + haproxy is better for HA….” etc...
[17:07] sicarie: I don’t think this is critical though
[17:07] sicarie: So I’d say low?
[17:07] sicarie: maybe even wishlist?
[17:08] shelleea007: or low hanging fruit
[17:08] shelleea007: someone who likes to research might like it
[17:08] sicarie: shelleea007: maybe, but I think this would take a bit of research
[17:08] sicarie: +1 exactly!
[17:08] elmiko: might be tough as lhf, there could be a bunch of work to explain the reasoning
[17:09] shelleea007: ok. Just a thought
[17:09] pdesai: +1 for wishlist
[17:09] sicarie: Sounds good, I’ll roll with wishlist - I want to sprint through these and modify them later if we need to - I’d like to discuss the migration at the end
[17:10] sicarie: so next: https://bugs.launchpad.net/openstack-manuals/+bug/1459040
[17:10] openstack: Launchpad bug 1459040 in openstack-manuals "Security Guide - Chapter 7. Dashboard - Too Many Sections" [Undecided,In progress] - Assigned to The-Kid (speer-emett)
[17:10] sicarie: each section of the dashboard was broken out into its own file
[17:10] elmiko: this one is under review now
[17:10] sicarie: and doing an ls of security-doc/security-guide/ was HUGE
[17:10] elmiko: oh man...
[17:10] sicarie: yes, a new contributor I met at the summit grabbed it
[17:11] elmiko: nice!
[17:11] sicarie: Yeah, he’s very sharp
[17:11] pdesai: :)
[17:11] sicarie: Here’s the review for that
[17:11] sicarie: https://review.openstack.org/#/c/187092/
[17:11] sicarie: I hope I already attached you all to it
[17:11] sicarie: yeah, I think so
[17:11] elmiko: yea, i didn't comment because i was curious to see the result of your request =)
[17:12] sicarie: Yeah, I just think bringing them in under domains will flow a little better logically - we’ll see
[17:12] sicarie: hopefully I’m not sending him around in circles
[17:12] elmiko: i didn't quite follow how you wanted them organized, but i'm still reading through that chapter
[17:12] sicarie: So, I was thinking low criticality
[17:12] elmiko: low is probably fine since this change is mostly developer facing
[17:13] sicarie: and I was pulling down his changes and building the guide locally to take a look at it
[17:13] sicarie: if you have ‘maven’ installed you can cd into the security-doc/security-guide and run mvn clean build or something similar and both the pdf and html will be auto-generated in a tmp folder
[17:14] sicarie: just in case anyone didn’t already know
[17:14] pdesai: sicarie
[17:14] pdesai: http://docs-draft.openstack.org/92/187092/3/check/gate-security-doc-tox-doc-publish-checkbuild/c7559ee//publish-docs/security-guide/content/index.html
[17:14] sicarie: oh cool
[17:14] sicarie: I didn’t know the gate did that
[17:14] sicarie: pdesai: thanks!
[17:14] pdesai: you can find the layout here instead of pulling the changes down, if only care for reviewing
[17:14] pdesai: sure
[17:15] elmiko: i usually just run the local mvn build to ensure that things are working properly
[17:15] sicarie: Oh cool, you all were already on top of that
[17:15] sicarie: awesome
[17:15] sicarie: so next: https://bugs.launchpad.net/openstack-manuals/+bug/1455546
[17:15] openstack: Launchpad bug 1455546 in openstack-manuals "Security Guide - Acknowledge Editor Contributions for last 2 years" [Undecided,Incomplete]
[17:16] sicarie: I thought it would be nice to acknowledge bdpayne and his stewardship of the guide for the last 2 years
[17:16] elmiko: +1
[17:16] sicarie: the location of this addition is interesting - the ‘acknowledgements’ page is a graphic with company logos :(
[17:16] pdesai: +1
[17:16] pdesai: :(
[17:16] sicarie: So I read through the intro and thought this location was most appropriate
[17:16] elmiko: hmm
[17:17] sicarie: we might consider updating that at some point, or expanding it
[17:17] elmiko: yea, i think that section makes sense
[17:17] sicarie: And then I was thinking low criticality (possibly even wishlist)
[17:18] elmiko: i'm good with either
[17:18] sicarie: shelleea007 or pdesai: any preference?
[17:18] shelleea007: i concur with low
[17:18] pdesai: yup low
[17:18] sicarie: great
[17:19] sicarie: so next: https://bugs.launchpad.net/openstack-manuals/+bug/1459820
[17:19] openstack: Launchpad bug 1459820 in openstack-manuals "OpenStack Security Guide - Mandatory Access Control policy guidance" [Undecided,Confirmed]
[17:19] sicarie: One of the things that’s always bugged me is recommending building MAC policies without any guidance on how
[17:19] shelleea007: that is a good one
[17:20] sicarie: So I’d like to add some recommendation on SELinux/AppArmor/Grsecurity MAC policies to at least get people started
[17:20] sicarie: and I’d like to put this at medium priority
[17:20] shelleea007: i concur with that one
[17:20] pdesai: +1 for medium
[17:20] elmiko: sounds good, which section would this add to?
[17:20] sicarie: elmiko: hit the nail on the head!
[17:20] elmiko: hehe
[17:20] sicarie: so this is also something that would cover multiple projects and require multiple policies
[17:21] sicarie: I think this needs to be on a per-project basis
[17:21] sicarie: Which may end up being per-chapter
[17:21] sicarie: Initially, I’d like to build this out as part of the Compute chapter as a general section
[17:21] sicarie: but as time goes on, I’d like to expand this to cover the core projects, and have a section per chapter
[17:21] elmiko: maybe this could eventually end up as part of the per-chapter checklist or something?
[17:21] sicarie: elmiko: good thought
[17:22] pdesai: yup sounds good
[17:22] elmiko: i guess we could even start building up an internal checklist for each chapter, case study (check), mac (check), etc...
[17:22] sicarie: I was going to put the bug on an “each chapter should have this” recommendation, but having done half of Alice’s case studies that’s a HUGE pain
[17:23] sicarie: elmiko: +1 can you open a bug to do so?
[17:23] elmiko: yea, open a bug to create a chapter checklist?
[17:24] sicarie: oh, yeah, or just comment on that bug
[17:24] sicarie: https://bugs.launchpad.net/openstack-manuals/+bug/1342993
[17:24] openstack: Launchpad bug 1342993 in openstack-manuals "Adding Security Checklist in Security Guide" [Medium,In progress] - Assigned to Priti Desai (priti-desai)
[17:24] elmiko: definitely, i'll make a comment
[17:24] sicarie: Okay, I’m going to call it here because I want to discuss the rst migration
[17:24] sicarie: but if you have time, please feel free to take a look at the last 3 bugs we didn’t get to
[17:25] sicarie: so the rst migration is mostly automated, but there is definite manual work required after
[17:25] sicarie: build, validate, check links, check format, content, etc...
[17:25] pdesai: want to find out about migration, i have stalled 1342993 until the migration
[17:25] sicarie: pdesai: good to know!
[17:26] sicarie: so that’s the question in my mind
[17:26] sicarie: I’d really like to get the compute, network, and dashboard sections reviewed for up to date/accurate security guidance
[17:26] sicarie: but is docbook delaying that?
[17:27] sicarie: Or would migrating to rst now be a more significant delay due to the unknown follow-up work?
[17:27] elmiko: yea, we will need to break in current work when we decide to do the switch
[17:27] sicarie: elmiko: +1
[17:28] elmiko: i think it might be best to do the change to rst, then start rereading everything
[17:28] elmiko: since we are already reading these chapters for correctness, why do it twice
[17:28] shelleea007: +1
[17:28] pdesai: agree
[17:28] elmiko: would it be possible for us to focus on one chapter at a time?
[17:28] elmiko: like, convert a chapter to rst, then review, then move on to the next?
[17:28] sicarie: elmiko: that’s a good question
[17:29] elmiko: maybe we could use an alternate directory structure to hold the rst until we have completed the entire transition
[17:29] sicarie: I’ll join the docs meeting tomorrow or Wednesday (I think it’s wednesday this week), and ask
[17:29] elmiko: cool, was just about to ask that lol
[17:29] elmiko: they might have some good advice
[17:29] sicarie: elmiko: yes, there is a current process
[17:30] sicarie: I’ll figure out what is needed and we’ll focus on that as of next Monday, I’ll get some set milestones
[17:30] sicarie: Cool, thanks everyone!
[17:30] pdesai: thanks
[17:30] elmiko: i'm gonna be out next monday, spark summit
[17:30] sicarie: elmiko: I’ll make sure to send an email follow-up - have fun!
[17:30] elmiko: sicarie: awesome, thanks!
[23:24] openstackgerrit: Merged stackforge/bandit: Log the version of Python bandit is running under  https://review.openstack.org/189140