17:02:23 <hyakuhei_> #startmeeting openstack security group
17:02:24 <openstack> Meeting started Thu Aug 28 17:02:23 2014 UTC and is due to finish in 60 minutes. The chair is hyakuhei_. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:02:25 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:02:27 <openstack> The meeting name has been set to 'openstack_security_group'
17:02:31 <tmcpeak> lol
17:02:33 <hyakuhei_> #topic Open Meeting
17:02:35 <sarnold007> hello all
17:02:39 <hyakuhei_> Roll call :)
17:02:43 <bknudson> hi
17:02:46 <sicarie> o/
17:02:53 <tmcpeak> \o
17:02:59 <rlpple> \o
17:03:04 <dstanek> hello
17:03:06 <sarnold007> o/
17:03:12 <nkinder> hi all!
17:03:20 <hyakuhei_> welcome all :D - nice turn out today!
17:03:22 <rlpple> rlpple = Randy Perryman @ Dell
17:03:28 <hyakuhei_> Hey rlpple
17:03:42 <hyakuhei_> So I don't have many agenda items for this week, well 2
17:03:47 <hyakuhei_> 1. Lots of OSSNs in the queue
17:03:53 <rlpple> Posted to #openstack-security channel that it is going on.
17:04:24 <bknudson> do we have a place to post an agenda?
17:04:27 <hyakuhei_> 2. We'll be voting on the next leader of the OSSG soon, have a think about if you'd like this dubious honor ;)
17:04:53 <hyakuhei_> bknudson: we normally just make it the first part of the conversation, previously we've tried it by email but it seemed better ad-hoc
17:05:06 <tmcpeak> dubious indeed :P
17:05:14 <bknudson> in keystone we update the wiki meeting page.
17:05:23 <nkinder> yeah, that approach works nicely
17:05:26 <hyakuhei_> We can certainly do that
17:05:42 <hyakuhei_> But as we currently have two things, let's not worry about that right now
17:06:47 <tmcpeak> where's the OSSN queue?
17:07:01 <hyakuhei_> #link https://bugs.launchpad.net/ossn
17:07:05 <nkinder> here's reviews - https://review.openstack.org/#/q/status:open+project:openstack/security-doc,n,z
17:07:15 <nkinder> and hyakuhei_'s link is the bug queue
17:07:41 <nkinder> we have 3 OSSNs in progress in the review queue
17:07:56 <nkinder> 2 of them need updates by the authors in response to review feedback
17:08:37 <nkinder> stan needs to review the feedback from morgan (keystone-core) on this - https://review.openstack.org/114971
17:09:06 <nkinder> and priti has comments from a few of us on this - https://review.openstack.org/#/c/113422/
17:09:22 <hyakuhei_> Ok, so do we need to chase up the authors?
17:09:26 <nkinder> I haven't seen priti around here, and 0020 seems like it's getting stalled out
17:09:37 <nkinder> It might make sense for someone else to take over it and wrap it up
17:09:52 <tmcpeak> I can ping her
17:10:01 <hyakuhei_> Yeah, not many changes required.
17:10:11 <nkinder> tmcpeak: thanks, that would be great
17:10:19 <nkinder> shohel has one he drafted as well
17:10:35 <nkinder> https://review.openstack.org/114460
17:11:00 <nkinder> I haven't had time to review it myself yet, but it should be an easy one
17:11:06 <hyakuhei_> Can we get some #action's please?
17:11:10 <hyakuhei_> for the minutes :)
17:11:32 <nkinder> #action tmcpeak to ping priti on OSSN-0020
17:12:00 <nkinder> hyakuhei_: can you ping stan on 0023?
17:12:09 <tmcpeak> I will
17:12:29 <nkinder> #action tmcpeak to ping stan on OSSN-0023
17:12:39 <nkinder> Does anyone want to review 0024?
17:12:49 <bknudson> do we have a policy on reviews where someone other than the original author can post a new revision?
17:12:53 <tmcpeak> sure, where is that?
17:12:56 <nkinder> I'll review it in the next few days
17:13:11 <nkinder> tmcpeak: https://review.openstack.org/114971
17:13:20 <nkinder> bknudson: nothing hard and fast
17:13:49 <nkinder> I try not to just grab stuff from people, unless it's something small that would be considered helpful
17:14:18 <tmcpeak> nkinder: this link is 23
17:14:18 <nkinder> bknudson: if something is obviously stale, I'd say it's free game
17:14:33 <nkinder> tmcpeak: what link are you looking for?
17:14:37 <bknudson> https://review.openstack.org/#/c/114460/ is 24
17:14:38 <tmcpeak> 24
17:14:41 <nkinder> ah, sorry
17:14:45 <tmcpeak> ok cool
17:14:58 <nkinder> 0024 is here - https://review.openstack.org/114460
17:15:00 <tmcpeak> I'll review this shortly
17:15:06 <nkinder> #action nkinder to review OSSN-0024
17:15:14 <bknudson> this is about tokens in logs
17:15:14 <nkinder> #action tmcpeak to review OSSN-0024
17:15:19 <tmcpeak> Priti says she can do it next week, is that good enough?
17:15:29 <nkinder> #action bknudson to review OSSN-0024
17:15:29 <tmcpeak> Symantec has a shut down week next week
17:15:45 <nkinder> bknudson: considering that you fixed that, it makes sense for you to review the OSSN :)
17:15:47 <bknudson> so 24 is the same as 23?
17:16:10 <bknudson> oh, this is keystoneclient
17:16:12 <tmcpeak> Stan is here
17:16:19 <tmcpeak> viraptor: update on 23?
17:16:43 <viraptor> will be posted today
17:16:47 <tmcpeak> cool
17:17:00 <nkinder> bknudson: I think they should be merged
17:17:14 <nkinder> bknudson: I hadn't looked at 0024, but they're largely the same thing
17:17:34 <nkinder> viraptor: take a look at 0024 too, as I think we should just combine it with your work on 0023
17:18:11 <nkinder> 0024 mentions that passwords are logged as part of logging requests at DEBUG level
17:18:16 <nkinder> that was fixed recently
17:18:26 <nkinder> 0023 is for logging of tokens at INFO level
17:18:41 <viraptor> that may confuse people though - one is fixable, the other isn't
17:18:56 <nkinder> so we can combine these into one uber-note about sensitive data logging, or we can make 0024 only cover the password case
17:19:24 <nkinder> viraptor: yeah, your note is about the token in the v2 URL
17:19:25 <viraptor> I think these are quite different cases
17:19:46 <nkinder> I was thinking of the token logging (not in the URL) that bknudson was working on
17:19:51 <nkinder> so yes, separate then.
17:20:02 <nkinder> bknudson: agreed?
17:20:05 <bknudson> y, I think they're different, too
17:20:18 <bknudson> one is mostly about the v2.0 API
17:20:19 <nkinder> ok, good.
17:20:35 <nkinder> yes, 0023 is restricted to the v2 API having the tokens in the URL
17:20:39 <tmcpeak> and nkinder: you got part about Priti saying she'll wrap it up next week?
17:20:44 <nkinder> tmcpeak: yep!
17:20:51 <tmcpeak> ok cool
17:20:54 <nkinder> tmcpeak: that works for me
17:20:59 <tmcpeak> sounds good
17:21:41 <nkinder> There are many other OSSNs in the queue - https://bugs.launchpad.net/ossn/
17:21:52 <nkinder> Lots to choose from... Anyone interested?
17:22:14 <tmcpeak> I'll probably pick one up
17:22:28 <nkinder> #action tmcpeak to pick up an OSSN
17:22:33 <nkinder> #action nkinder to pick up an OSSN
17:22:50 <nkinder> so that leaves 6 more unclaimed if my math is correct
17:22:51 <tmcpeak> done
17:23:21 <nkinder> #action nkinder to call for OSSN help on the mailing list
17:23:35 <nkinder> ok, I think that's it for OSSNs then.
17:24:02 <hyakuhei_> Nice, thanks nkinder tmcpeak
17:24:03 <nkinder> tmcpeak: did you have anything going on around bandit?
17:24:09 <tmcpeak> I do!
17:24:18 <tmcpeak> I've been talking a bit with chair6
17:24:30 <tmcpeak> and we agree that the following changes would be nice
17:24:41 <tmcpeak> 1) Get each test as a separate plugin
17:24:49 <tmcpeak> 2) Move the config to a JSON format
17:25:16 <tmcpeak> 3) Create the possibility to run from a predefined config which will allow you to select tests
17:25:27 <tmcpeak> this is so that we can have openstack specific tests, for example
17:25:36 <nkinder> I thought we had #3?
17:25:49 <tmcpeak> I guess #3 I'm talking about like profiles
17:25:59 <tmcpeak> so it would be something like bandit -p openstack
17:26:10 <tmcpeak> or bandit -p generic_python
17:26:31 <tmcpeak> 4) create helper functions so that people who write tests don't need to be aware of the gritty details of AST
17:26:49 <nkinder> For 3, why not just use -t <config file>?
17:27:14 <tmcpeak> yeah, it's the same thing
17:27:21 <tmcpeak> oh, does -t already exist?
17:27:25 <nkinder> If we want to commit different config files in the bandit tree, that's fine too (openstack.ini, generic-python.ini)
17:27:38 <nkinder> yes, -t is described in the README
17:27:39 <tmcpeak> ok perfect, then #3 is a noop
17:27:57 <tmcpeak> 5) eventually allow for tests to be defined without writing python code
17:27:57 <nkinder> for 4, what helpers are you thinking of?
17:28:10 <tmcpeak> I'll give you an example of a couple I wrote yesterday
17:28:23 <tmcpeak> @property
17:28:24 <tmcpeak> def function_name(self):
17:28:47 <tmcpeak> so I can check context.function_name == "xxx" or "yyy" in context.function_name
17:28:58 <tmcpeak> rather than having to know about where in the context structure I need to look
17:29:13 <nkinder> that makes sense
17:29:15 <tmcpeak> def is_module_imported(self, module):
17:29:26 <nkinder> the context is extensible, and we should add things that may be commonly used
17:29:35 <tmcpeak> yeah totally
17:29:46 <nkinder> chair6 and I just focused on imports and such since that's what our tests used
17:30:01 <nkinder> but let's extend context as we see fit
17:30:04 <tmcpeak> for sure
17:30:17 <nkinder> We just need to still provide access to the raw node to do fancy AST stuff if required
17:30:39 <hyakuhei_> Yeah, it makes sense to enable people to do 'clever' things as required
17:30:48 <tmcpeak> for sure
17:31:08 <nkinder> ok, so back to #2 - is there something that we think JSON will help with that ini can't cover?
17:31:26 <tmcpeak> chair6: brought that point up
17:31:28 <bknudson> seems like yaml is easier to use for a richer config file
17:31:48 <tmcpeak> the reason we were thinking JSON over yaml is that yaml requires non-default libraries
17:32:01 <nkinder> well, is a rich format needed?
17:32:09 <tmcpeak> good question
17:32:18 <tmcpeak> we can definitely discuss that
17:32:21 <nkinder> because moving away from simple ini seems in conflict with #5 (allow tests to be added without code)
17:32:22 <tmcpeak> I was probably going to take that last
17:32:41 <tmcpeak> by that I'd be fine with JSON
17:32:49 <nkinder> are we trying to make this easy to add tests for non-devs, or do we want it to be powerful with a higher barrier to entry?
17:33:16 <tmcpeak> I'd say allow people to write tests without any understanding of AST is my main focus
17:33:23 <nkinder> I wouldn't switch the format unless there is something that ini isn't allowing us to do. Otherwise it's just refactoring for no real reason IMHO
17:33:43 <tmcpeak> cool, let's chat offline and we can decide
17:33:49 <tmcpeak> I'm fine with leaving ini
17:34:00 <tmcpeak> I think chair6 had some reason he wanted to switch but I can't remember what it is
17:34:01 <nkinder> ok, cool. I'm OK with JSON if it has a benefit.
17:34:28 <nkinder> tmcpeak: and a big +1 on avoiding the need to know AST to write tests as much as possible
17:34:46 <tmcpeak> yeah, personal pet peeve of mine, I don't know what it is but AST gives me bad feelings
17:35:18 <tmcpeak> that's all I had
17:35:30 <tmcpeak> but bandit active development is in flight
17:35:36 <tmcpeak> we should have something even better soon :)
17:36:39 <nkinder> tmcpeak: great, sounds good
17:36:57 <nkinder> bdpayne: did you have anything to discuss about the book?
17:37:11 <tmcpeak> bdpayne was recruiting for OSSG last night :)
17:37:11 <bdpayne> no updates this week
17:37:15 <bdpayne> thanks for checking!
17:37:34 <bdpayne> yeah, it's been a busy week on some other things
17:37:42 <nkinder> hyakuhei_: any other topics from you?
17:39:05 <hyakuhei_> Nothing from me - though I won't be around for the next meeting as I'm on vacation
17:39:12 <nkinder> hyakuhei_: enjoy!
17:39:15 <hyakuhei_> So if someone else wants to run it, that'd be great
17:39:20 <nkinder> Any topics from anyone else?
17:39:23 <hyakuhei_> I will, I'm not taking any internets with me at all :D
17:39:39 <tmcpeak> nice
17:40:01 <hyakuhei_> Ok I guess we can wrap early folks :D
17:40:11 <tmcpeak> cool, later everybody
17:40:19 <hyakuhei_> #endmeeting