Tuesday, 2015-06-09

00:18 *** browne has quit IRC
00:29 *** sdake has joined #openstack-security
00:32 *** tmcpeak has quit IRC
00:32 *** sdake_ has quit IRC
00:33 *** kutija|away has quit IRC
00:33 *** dave-mccowan has joined #openstack-security
00:35 *** tmcpeak has joined #openstack-security
00:36 *** dave-mcc_ has quit IRC
00:39 *** sdake_ has joined #openstack-security
00:42 *** sdake has quit IRC
00:53 *** hyakuhei1 has joined #openstack-security
00:53 *** hyakuhei has quit IRC
00:56 *** bpokorny has quit IRC
01:06 *** sigmavirus24 is now known as sigmavirus24_awa
01:16 *** kutija has joined #openstack-security
01:20 *** sigmavirus24_awa is now known as sigmavirus24
01:23 *** hyakuhei1 has quit IRC
01:24 *** hyakuhei has joined #openstack-security
01:32 *** jamielennox|away is now known as jamielennox
01:44 *** bpokorny has joined #openstack-security
01:58 *** sdake has joined #openstack-security
02:01 *** sdake_ has quit IRC
02:03 *** hyakuhei1 has joined #openstack-security
02:03 *** hyakuhei has quit IRC
02:14 *** bpokorny has quit IRC
02:24 *** hyakuhei1 has quit IRC
02:28 *** hyakuhei has joined #openstack-security
02:35 *** hyakuhei has quit IRC
02:36 *** hyakuhei has joined #openstack-security
02:38 *** tmcpeak has quit IRC
02:50 *** nkinder__ has joined #openstack-security
02:59 *** markvoelker has joined #openstack-security
03:04 *** markvoelker has quit IRC
03:06 *** jraim has quit IRC
03:06 *** serverascode has quit IRC
03:10 *** hyakuhei1 has joined #openstack-security
03:11 *** hyakuhei has quit IRC
03:13 *** tmcpeak has joined #openstack-security
03:31 *** sdake has quit IRC
03:33 *** sdake has joined #openstack-security
03:33 *** browne has joined #openstack-security
03:34 *** sdake has quit IRC
03:40 *** sigmavirus24 is now known as sigmavirus24_awa
04:06 *** dave-mccowan has quit IRC
04:31 *** hyakuhei1 has quit IRC
04:32 *** hyakuhei has joined #openstack-security
04:40 *** aswadr has joined #openstack-security
04:46 *** hyakuhei has quit IRC
04:48 *** markvoelker has joined #openstack-security
04:49 *** hyakuhei has joined #openstack-security
04:51 *** sdake has joined #openstack-security
04:53 *** markvoelker has quit IRC
05:15 *** tmcpeak has quit IRC
05:36 *** hyakuhei has quit IRC
05:45 *** hyakuhei has joined #openstack-security
06:16 *** sdake has quit IRC
06:17 *** jraim has joined #openstack-security
06:21 *** alex_klimov has joined #openstack-security
06:34 *** sweston has quit IRC
06:37 *** serverascode has joined #openstack-security
07:05 *** hyakuhei has quit IRC
07:05 *** hyakuhei1 has joined #openstack-security
07:15 *** hyakuhei has joined #openstack-security
07:15 *** hyakuhei1 has quit IRC
07:27 *** browne has quit IRC
07:29 *** sdake has joined #openstack-security
07:37 *** sweston has joined #openstack-security
07:37 *** markvoelker has joined #openstack-security
07:39 *** sdake_ has joined #openstack-security
07:43 *** sdake has quit IRC
07:43 *** markvoelker has quit IRC
07:44 *** sdake has joined #openstack-security
07:47 *** sdake_ has quit IRC
08:22 *** sdake_ has joined #openstack-security
08:25 *** sdake has quit IRC
08:32 *** hyakuhei1 has joined #openstack-security
08:32 *** hyakuhei has quit IRC
08:34 *** sdake_ has quit IRC
08:36 *** sdake has joined #openstack-security
08:39 *** sdake_ has joined #openstack-security
08:41 *** sdake_ has quit IRC
08:42 *** sdake has quit IRC
09:14 *** hyakuhei has joined #openstack-security
09:14 *** hyakuhei1 has quit IRC
09:27 *** markvoelker has joined #openstack-security
09:32 *** markvoelker has quit IRC
09:38 *** hyakuhei has quit IRC
09:38 *** hyakuhei has joined #openstack-security
09:59 *** hyakuhei has quit IRC
09:59 *** hyakuhei1 has joined #openstack-security
10:56 *** hyakuhei has joined #openstack-security
10:56 *** hyakuhei1 has quit IRC
11:21 <openstackgerrit> Stanislaw Pitucha proposed stackforge/anchor: CA doesn't need to be read-only  https://review.openstack.org/189662
11:29 *** markvoelker has joined #openstack-security
11:34 *** markvoelker has quit IRC
11:37 *** hyakuhei has quit IRC
11:40 *** hyakuhei has joined #openstack-security
11:41 *** aswadr has quit IRC
11:43 *** aswadr has joined #openstack-security
11:59 *** HoangCX has joined #openstack-security
12:00 *** HoangCX has quit IRC
12:15 *** hyakuhei1 has joined #openstack-security
12:15 *** hyakuhei has quit IRC
12:34 *** dave-mccowan has joined #openstack-security
12:39 *** tmcpeak has joined #openstack-security
12:41 *** sigmavirus24_awa is now known as sigmavirus24
12:41 *** hyakuhei1 has quit IRC
12:41 *** bknudson has quit IRC
12:46 *** hyakuhei has joined #openstack-security
13:05 *** hyakuhei1 has joined #openstack-security
13:06 *** hyakuhei has quit IRC
13:17 *** sdake has joined #openstack-security
13:23 *** jamielennox is now known as jamielennox|away
13:30 *** singlethink has joined #openstack-security
13:32 *** browne has joined #openstack-security
13:34 *** WaltBarnes has joined #openstack-security
13:38 *** bknudson has joined #openstack-security
13:54 *** singleth_ has joined #openstack-security
13:56 *** sdake has quit IRC
13:57 *** localloop127 has joined #openstack-security
13:58 *** singlethink has quit IRC
14:13 *** asrangne has joined #openstack-security
14:16 *** aswadr has quit IRC
14:39 *** jian5397 has joined #openstack-security
14:39 *** voodookid has joined #openstack-security
14:51 *** salv-orl_ has joined #openstack-security
14:52 *** salv-orlando has quit IRC
15:05 *** sdake has joined #openstack-security
15:06 *** sdake has quit IRC
15:06 *** salv-orl_ has quit IRC
15:07 *** sdake has joined #openstack-security
15:07 *** markvoelker has joined #openstack-security
15:08 *** salv-orlando has joined #openstack-security
15:09 *** bpokorny has joined #openstack-security
15:12 *** markvoelker has quit IRC
15:19 *** dwyde has joined #openstack-security
15:23 *** hyakuhei1 has quit IRC
15:29 *** hyakuhei has joined #openstack-security
15:30 *** sdake has quit IRC
15:38 *** singleth_ has quit IRC
15:48 *** dwyde has quit IRC
15:54 *** dave-mccowan has quit IRC
15:56 *** dwyde has joined #openstack-security
16:11 *** singlethink has joined #openstack-security
16:12 *** alex_klimov has quit IRC
16:33 *** salv-orlando has quit IRC
16:41 *** elmiko is now known as _elmiko
16:45 <sigmavirus24> y'all will get a kick out of this: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1729
16:45 <sigmavirus24> via http://www.openwall.com/lists/oss-security/2015/06/09/4
16:56 *** markvoelker has joined #openstack-security
17:01 *** markvoelker has quit IRC
17:09 *** salv-orlando has joined #openstack-security
17:23 <tmcpeak> sigmavirus24: lol!
17:28 *** hyakuhei has quit IRC
17:28 *** hyakuhei has joined #openstack-security
17:30 *** asrangne has quit IRC
17:52 *** _elmiko is now known as elmiko
17:58 *** hyakuhei has quit IRC
18:01 *** hyakuhei has joined #openstack-security
18:01 <tmcpeak> browne: awesome!!!
18:03 *** dwyde has quit IRC
18:07 *** sdake has joined #openstack-security
18:09 *** dwyde has joined #openstack-security
18:11 <browne> tmcpeak: no problem
18:14 <tmcpeak> :) :)
18:45 *** markvoelker has joined #openstack-security
18:46 *** hyakuhei has quit IRC
18:47 *** hyakuhei has joined #openstack-security
18:48 *** openstackgerrit has quit IRC
18:48 *** openstackgerrit has joined #openstack-security
18:49 *** markvoelker has quit IRC
18:54 *** jian5397 has left #openstack-security
18:59 <tmcpeak> sigmavirus24: checking out your plugin work now
18:59 <tmcpeak> looks good
18:59 <tmcpeak> just making sure I have my head wrapped around it
18:59 <sigmavirus24> I still need to address some of Eric's concerns
19:00 <sigmavirus24> Yeah I tried to comment some things that I thought people might find odd
19:00 <sigmavirus24> I also need to explain that I didn't add entry-points for our existing plugins
19:00 <sigmavirus24> And that the info about which plugins were detected doesn't print anything at all if none were detected
19:01 <tmcpeak> yea, those are small things though.  The comments are helpful
19:02 *** jian5397 has joined #openstack-security
19:07 *** singlethink has quit IRC
19:31 *** sdake has quit IRC
19:31 *** singlethink has joined #openstack-security
19:37 <tmcpeak> sigmavirus24: you around?
19:37 <sigmavirus24> sort of
19:37 <sigmavirus24> what's up?
19:38 <tmcpeak> when I'm running your change without specifying a format I'm getting:
19:38 <tmcpeak> Traceback (most recent call last):
19:38 <tmcpeak>   File "/usr/local/bin/bandit", line 10, in <module>
19:38 <tmcpeak>     sys.exit(main())
19:38 <tmcpeak>   File "/usr/local/lib/python2.7/site-packages/bandit/bandit.py", line 148, in main
19:38 <tmcpeak>     args.output_format)
19:38 <tmcpeak>   File "/usr/local/lib/python2.7/site-packages/bandit/core/manager.py", line 112, in output_results
19:38 <tmcpeak>     output_format=output_format
19:38 <tmcpeak>   File "/usr/local/lib/python2.7/site-packages/bandit/core/result_store.py", line 123, in report
19:38 <tmcpeak>     self._write_report(files_list, scores, excluded_files)
19:38 <tmcpeak>   File "/usr/local/lib/python2.7/site-packages/bandit/core/result_store.py", line 88, in _write_report
19:38 <tmcpeak>     formatter = formatters_mgr['txt']
19:38 <tmcpeak> if I don't specify an output format
19:38 <tmcpeak> does that work for you? there might be something shady in my environment (it's happened before)
19:39 <sigmavirus24> let me make sure everything's committed and pushed up
19:40 <sigmavirus24> It was working before though. (me is reinstalling bandit)
19:41 <tmcpeak> looks like my extensions aren't loaded at the place I'm trying to use them
19:41 <sigmavirus24> Nope. Works fine for me. I'm testing it by doing `tox -r -e py{..} --notest` then `.tox/py{..}/bin/bandit -r bandit/`
19:41 <sigmavirus24> looks like you have it installed globally though
19:41 <tmcpeak> I'm testing like this: bandit -r ~/Documents/projects/OpenStack_projects/keystone  (no virtual env)
19:42 <sigmavirus24> I assume you had it installed globally before as well?
19:42 <tmcpeak> I removed it just to make sure
19:42 <sigmavirus24> Was it editable?
19:42 <sigmavirus24> I've seen that cause problems with PBR+entry-points before
19:42 <sigmavirus24> pip install -e
19:43 <sigmavirus24> You can install something so that when you edit it, it updates automagically
19:43 <tmcpeak> well I'm currently doing "python setup.py install"
19:43 <sigmavirus24> You can do `pip install .`
19:43 <sigmavirus24> That makes it much easier to uninstall
19:43 <sigmavirus24> Then you can just do `pip uninstall bandit`
19:43 <sigmavirus24> or `pip install --force-reinstall .`
19:44 * sigmavirus24 doesn't know how well setuptools installs over itself with PBR
19:45 <tmcpeak> let me try that
19:45 <tmcpeak> lol, ok
19:45 <tmcpeak> when I went all the way through the rabbit hole of "pip uninstall bandit" until it said not found, and then "pip install ." now it works :)
19:45 <tmcpeak> false alarm
19:46 <sigmavirus24> pip can't uninstall things that were `python setup.py install`'d
19:46 <tmcpeak> so I think the answer to how well setuptools installs over itself is "crappily"
19:46 <sigmavirus24> I think typically setuptools would do just fine
19:46 <tmcpeak> cool, thanks man.. back on the testing
19:46 <sigmavirus24> I don't know how PBR affects that though
20:01 *** localloop127 has quit IRC
20:01 *** jamielennox|away is now known as jamielennox
20:02 <tmcpeak> browne: around?
20:05 <sigmavirus24> tmcpeak: get it to work?
20:05 <tmcpeak> sigmavirus24: yep! it looks good to me
20:06 <tmcpeak> with the exception of fixing Eric's concerns
20:06 <tmcpeak> also.. I didn't see the plugin string printed in parser epilog at all
20:06 <sigmavirus24> tmcpeak: including adding a blueprint?
20:06 <tmcpeak> oh, yeah.. I should have dropped a comment
20:06 <tmcpeak> I don't think we need a blueprint
20:06 <sigmavirus24> tmcpeak: right, with no plugins registered, it doesn't print them
20:06 <sigmavirus24> I don't mind writing a blueprint
20:06 <tmcpeak> we've discussed the work here
20:06 <tmcpeak> I don't think we need one
20:06 * sigmavirus24 just wants to know what he has to do this weekend
20:07 <tmcpeak> in my mind blueprint would be if somebody has work in mind but wants community buy in first
20:07 <tmcpeak> I think we're small enough we can just discuss it here
20:07 <tmcpeak> besides, blueprint after the fact is kind of pointless :)
20:07 <sigmavirus24> Yeah that's why I threw up a blueprint for the use of thread/multiprocessing
20:07 <sigmavirus24> We've done that in glance =P
20:08 <sigmavirus24> I should update that copyright too. Rackspace wasn't paying me for this stuff so it's technically just OpenStack Foundation copyright
20:08 <tmcpeak> oh yeah, I've got to check that out
20:08 <tmcpeak> sigmavirus24: let it not be said that you don't know how to party ;)
20:09 <sigmavirus24> I just have experience with static analysis tools and what makes them good
20:09 <sigmavirus24> took a long time for flake8 to get where it is
20:10 <tmcpeak> I'm glad to have you hacking away on Bandit now :)
20:10 <tmcpeak> since you're here, what are your thoughts on Joe's comments here:
20:11 <tmcpeak> I can explain the surrounding lines to print - we're printing a whole statement, we don't really have any way to parse the relevant part of the statement out
20:11 <tmcpeak> the slow thing puzzles me
20:11 <tmcpeak> I've never seen Bandit even take a minute
20:11 <tmcpeak> I'm open to the suggestion to suppress listing excluded files
20:11 <sigmavirus24> tmcpeak: Bandit easily took 10 minutes (I stopped keeping track) when I ran it against glance
20:11 <tmcpeak> what? really?
20:12 *** hyakuhei has quit IRC
20:12 <sigmavirus24> I was looking for a way to have bandit only print files with a score greater than zero
20:12 <sigmavirus24> If that's supposed to be -l then it doesn't work
20:12 *** hyakuhei has joined #openstack-security
20:12 <sigmavirus24> I agree with most of Joe's points to be honest. I was going to work on slowly and iteratively improving them
20:12 *** alex_klimov has joined #openstack-security
20:12 <sigmavirus24> I mean, the pastebin thing is whatever
20:13 <sigmavirus24> I can show you projects where you can't pastebin the flake8 analysis either =P
20:13 <tmcpeak> I just ran it against Glance and it took about 30 seconds
20:13 <sigmavirus24> How did you run it against glance?
20:14 <tmcpeak> bandit -r my_glance_directory
20:14 <sigmavirus24> Yeah I ran it from a virtualenv but I'll time it this time
20:14 <tmcpeak> same, I'll pull the latest and time it
20:15 <sigmavirus24> Oh I know what I did
20:15 <sigmavirus24> I ran it against all of the glance projects (specs, glanceclient, glance, glance_store)
20:15 <browne> i'm around
20:16 * sigmavirus24 recently restructured his projects folder so he has glance/api, glance/store, glance/client, glance/specs
20:16 <tmcpeak> 31 seconds
20:16 <sigmavirus24> tmcpeak: yep glance is only ~370 files so it's fast
20:16 <tmcpeak> ahh browne: I'm curious about Joe Gordon's comment that Bandit is slow
20:16 <sigmavirus24> tmcpeak: run it against 7000 and it takes a while =P
20:16 <tmcpeak> well yeah ;)
20:16 <browne> it doesn't take that long for me
20:16 <browne> maybe 2 minutes max
20:17 <sigmavirus24> huh, glanceclient is 6800 files? that seems wrong
20:17 *** singleth_ has joined #openstack-security
20:17 <tmcpeak> what are we running it against browne?
20:17 <browne> i meant with nova, ~800
20:17 <tmcpeak> just nova?
20:17 <browne> so yeah, 6800 is probably slow
20:17 <browne> joe's comment was on my nova patch
20:18 <tmcpeak> sigmavirus24: why on earth is that 6800 Python files? ;)
20:18 <sigmavirus24> tmcpeak: so if I give it the entire repository then it comes up as 6800
20:18 <tmcpeak> browne: do you have the job that ran? or he ran it locally
20:18 <sigmavirus24> If I scope it to the glanceclient directory it's fine
20:18 <browne> i ran locally
20:18 <tmcpeak> on just nova?
20:18 <browne> was planning to add the ci job later
20:18 <browne> just nova
20:19 <browne> let me run again now
20:19 <tmcpeak> 1444 files for Nova, timing now
20:19 <browne> 809 if you exclude tests and such
20:20 *** singlethink has quit IRC
20:20 <browne> pretty quick
20:20 <sigmavirus24> Now run flake8 against all of them ;)
20:21 <tmcpeak> yeah, 2m4s
20:21 <sigmavirus24> I think flake8/hacking is Joe's typical point of reference
20:21 <tmcpeak> for the whole thing
20:21 <sigmavirus24> That should finish in < 1 minute unless you're on an old version of flake8 without multiprocessing
20:21 <tmcpeak> sigmavirus24: yeah, makes sense
20:21 *** dwyde has quit IRC
20:22 <tmcpeak> still I think 1-2 mins is somewhat reasonable for a gate
20:22 <tmcpeak> tempest takes like.. weeks
20:22 <sigmavirus24> tmcpeak: I don't disagree
20:22 <sigmavirus24> The thing is if people are running this locally
20:22 <sigmavirus24> 1-2 minutes is more than enough for me to get distracted and start doing something else  only to completely forget what I was doing in that project in the first place
20:23 <tmcpeak> yeah, true.. but then you come back and remember you were doing your final local tests before pushing your code and heading out for a beer
20:23 <tmcpeak> I guess threading is the only real solution to pick up the speed
20:24 <tmcpeak> or exclude more
20:24 <sigmavirus24> yeah I mean it isn't a huge deal to me
20:24 <sigmavirus24> It's fast enough for most of the usecases that we care about
20:24 <tmcpeak> I'd like to address Joe's concerns though
20:25 <sigmavirus24> So one thing that is probably super easy is to set a default threshold for when a file is printed to the screen
20:25 <sigmavirus24> e.g., score > X
20:25 <sigmavirus24> or >=
20:25 <browne> the -l does that
20:25 <sigmavirus24> browne: didn't work for me recently
20:25 <browne> filters by severity
20:26 <tmcpeak> sigmavirus24: no?
20:26 <sigmavirus24> unless the help docs are just wrong
20:26 <browne> i use -ll to get only medium and high
20:26 <sigmavirus24> I used -l -l and it still printed everything
20:26 <sigmavirus24> let me try -ll
20:26 <tmcpeak> yeah, -l is same as everything
20:26 <tmcpeak> -ll is medium high, -lll is only high
20:26 <tmcpeak> (I think)
20:27 <sigmavirus24> Everything with score: 0 still appears for me
20:27 <browne> flake8 take around 30s
20:27 <browne> for me on nova
20:27 <sigmavirus24> I'm running off of my entry-points branch though
20:27 <sigmavirus24> So maybe I broke something somehow
20:27 <sigmavirus24> Also, it seems we don't filter out *.pyc
20:28 <tmcpeak> sigmavirus24: no, pyc won't be included because it isn't in the included files type in the bandit profile
20:28 *** dwyde has joined #openstack-security
20:28 <sigmavirus24> tmcpeak: right but it's printed in "Files excluded"
20:28 <sigmavirus24> Which is extraordinarily annoying
20:29 <browne> yeah, that was a Joe complaint too
20:29 <browne> fine for a verbose switch
20:29 <tmcpeak> yeah, I guess we can suppress excluded files from default output
20:30 <browne> even included files is probably unnecessary by default
20:30 <tmcpeak> cool, yeah that should be an easy fix
20:33 * sigmavirus24 leaves it as an exercise to the reader
20:33 * sigmavirus24 should get back to work
20:34 *** markvoelker has joined #openstack-security
20:35 <tmcpeak> sigmavirus24: thanks man!
20:35 <sigmavirus24> that or just file bugs and assign them to me
20:35 <sigmavirus24> I'll get around to them eventually =P
20:37 <tmcpeak> I can take that one on
20:38 <tmcpeak> it's been a while since I've committed any code to Bandit, I think it's about time
20:38 *** WaltBarnes has quit IRC
20:38 <sigmavirus24> There are a lot of people who've committed to bandit who don't have their emails linked to a github account
20:38 <sigmavirus24> by their metrics I have the 2nd most number of commits in bandit
20:39 *** markvoelker has quit IRC
20:40 <tmcpeak> ;) gaming it
20:41 *** singlethink has joined #openstack-security
20:44 *** singleth_ has quit IRC
20:46 <sigmavirus24> the stats are about the only thing I still like about GitHub
20:51 *** localloop127 has joined #openstack-security
21:04 *** hyakuhei has quit IRC
21:04 *** localloop127 has quit IRC
21:06 <openstackgerrit> Travis McPeak proposed stackforge/bandit: Adding verbose flag  https://review.openstack.org/189941
21:07 *** hyakuhei has joined #openstack-security
21:07 <tmcpeak> Bandit - less suck on output : https://review.openstack.org/#/c/189941/
21:07 <sigmavirus24> tmcpeak: ++
21:08 *** jian5397 has quit IRC
21:08 <tmcpeak> sigmavirus24: waiting for your stuff too ;)
21:19 <tmcpeak> bknudson: ping
21:20 <bknudson> tmcpeak: what's up?
21:20 <tmcpeak> seems like you are attending these cross functional meetings anyway, would you mind representing security?  hyakuhei asked me too, but a lot of this stuff is more "openstacky" than I have the knowledge for
21:20 <tmcpeak> *asked me to
21:21 <tmcpeak> maybe you can shout if something security related comes up that you don't know the answer to?
21:24 <tmcpeak> bknudson: ^
21:24 <bknudson> tmcpeak: sure.
21:24 <openstackgerrit> Travis McPeak proposed stackforge/bandit: Adding verbose flag  https://review.openstack.org/189941
21:25 <tmcpeak> bknudson: awesome, thank you
21:25 <bknudson> tmcpeak: is there anything you want me to bring up? they have a section for cross-project announcements.
21:26 <bknudson> bandit progress?
21:27 <tmcpeak> bknudson: if anything maybe the developer guidelines would be good to sociallize
21:27 <tmcpeak> *socialize - no types today
21:28 *** localloop127 has joined #openstack-security
21:32 <bknudson> tmcpeak: we'll want to announce significant milestones like starting / initial and when complete.
21:32 <tmcpeak> ahh ok, on that page?
21:32 <tmcpeak> or in the meeting?
21:32 <bknudson> tmcpeak: in the cross-project meeting
21:33 <tmcpeak> bknudson: ok cool, makes sense.  How major?
21:33 <tmcpeak> we should have a new pinned version of Bandit soon, we can announce that
21:33 <bknudson> that would probably be good enough for me to mention it at the meeting.
21:34 <tmcpeak> ok cool.. what's a good way to do this? I can just drop you notes when we have something good to say?
21:34 <bknudson> bring it up at the OSSG meeting
21:34 <tmcpeak> bknudson: ok cool - perfect
21:36 <browne> btw, will there be an OSSG mid-cycle?
21:36 <tmcpeak> browne: I'm pretty sure :)
21:36 <tmcpeak> yeah, I guess it's almost that time again, isn't it?
21:36 <browne> cool, thought the last was very productive
21:37 <tmcpeak> for sure, we got lots of good stuff done
21:37 <bknudson> nova and keystone are next month
21:37 <bknudson> and I think horizon and glance want to colocate with nova
21:37 <tmcpeak> how time flies!
21:37 <browne> nova is at IBM rochester
21:38 <browne> isn't that your home turf bknudson?
21:38 <bknudson> browne: y, it's in the building here.
21:38 <bknudson> so I should be able to stop in there and complain about security
21:38 <bknudson> rootwrap and stuff
21:39 <tmcpeak> bknudson: btw, moved out to Montana for the summer.. drove through the very southern part of Minnesota - not super impressed
21:40 <bknudson> tmcpeak: I90 is not exciting
21:40 <bknudson> except for the SPAM museum.
21:41 <tmcpeak> somehow TripAdvisor failed to bring that to my attention
21:41 <browne> do they have spam tastings?
21:41 <bknudson> of course
21:42 <tmcpeak> actually it's beloved on TripAdvisor: http://www.tripadvisor.com/Attraction_Review-g29612-d126890-Reviews-Spam_Museum_and_Visitor_Center-Austin_Minnesota.html
21:42 <browne> oh, SPAM museum is closed till 2016. :(
21:44 <browne> crap, i missed the SPAMERICAN tour in San Fran
21:45 <tmcpeak> browne: :'(
22:04 *** localloop127 has quit IRC
22:06 *** dwyde has quit IRC
22:13 *** bknudson has quit IRC
22:19 *** dwyde has joined #openstack-security
22:21 *** dwyde has quit IRC
22:25 *** singlethink has quit IRC
23:11 *** voodookid has quit IRC
23:18 <openstackgerrit> Merged stackforge/bandit: Adding verbose flag  https://review.openstack.org/189941
23:21 *** markvoelker has joined #openstack-security
23:26 *** markvoelker has quit IRC

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!