Re: [opnfv-tech-discuss] Security PTL

2019-07-18 Thread Luke Hinds
Hi,

Further to the below email, could I make a nomination for Ash Young as
Security PTL and put it up for vote?

Ash knows the role and topic (security) very well and worked alongside me
on a lot of security topics and was a key contributor for a significant
amount of time. I can't think of a better engineer to take up the role as
PTL.

Regards,

Luke

On Fri, Jun 28, 2019 at 10:03 AM Luke Hinds  wrote:

> Hello,
>
> I would like to notify the TSC that I wish to step down as Security PTL.
>
> I have not been active in the role for a long time now, so this very much
> makes sense as the right thing to do.
>
> I have also changed responsibilities with Red Hat that mean I would not
> have the time needed, should the role start to demand attention again in
> the future.
>
> It's been a pleasure working with you all and I would happily mentor
> anyone interested in the position of security manager. All aspects of the
> role are very well documented too.
>
> I am not familiar with the current off-boarding process, but the main
> tasks I see are removing my name from some of the confluence pages / wiki
> we have.
>
> There is also the anteater project, which we can deprecate should you
> like or keep using. I guess the former, as I made a release a while ago,
> but it was never pulled into the opnfv jobs.
>
> Best Regards,
>
> Luke Hinds
>
> --
> Luke Hinds  | CTO Office | Red Hat
> e: lhi...@redhat.com | irc: lhinds @freenode | t: +44 12 52 36 2483
>


-- 
Luke Hinds  | CTO Office | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | t: +44 12 52 36 2483
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#23375): 
https://lists.opnfv.org/g/opnfv-tech-discuss/message/23375
Mute This Topic: https://lists.opnfv.org/mt/32281622/21656
Group Owner: opnfv-tech-discuss+ow...@lists.opnfv.org
Unsubscribe: https://lists.opnfv.org/g/opnfv-tech-discuss/unsub  
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-


[opnfv-tech-discuss] Security PTL

2019-07-01 Thread Luke Hinds
Hello,

I would like to notify the TSC that I wish to step down as Security PTL.

I have not been active in the role for a long time now, so this very much
makes sense as the right thing to do.

I have also changed responsibilities with Red Hat that mean I would not
have the time needed, should the role start to demand attention again in
the future.

It's been a pleasure working with you all and I would happily mentor anyone
interested in the position of security manager. All aspects of the role are
very well documented too.

I am not familiar with the current off-boarding process, but the main tasks
I see are removing my name from some of the confluence pages / wiki we have.

There is also the anteater project, which we can deprecate should you like
or keep using. I guess the former, as I made a release a while ago, but it
was never pulled into the opnfv jobs.

Best Regards,

Luke Hinds

-- 
Luke Hinds  | CTO Office | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | t: +44 12 52 36 2483


Re: [opnfv-tech-discuss] [releng] Anteater maintenance

2019-01-09 Thread Luke Hinds
Thanks Bryan,

Any recommendations on who I could contact at LF to see if they want to use
the tool?

You're of course welcome to do anything you please with anteater in acumos.

Cheers,

Luke

On Tue, Jan 8, 2019 at 6:37 PM SULLIVAN, BRYAN L (BRYAN L) <
bryan.sulli...@research.att.com> wrote:

> Hi Luke,
>
> Thanks for continuing to develop this on github. Did you know that the LF
> recently launched a new compliance toolset project?
> https://www.linuxfoundation.org/press-release/2018/12/the-linux-foundation-to-launch-new-tooling-project-to-improve-open-source-compliance/
>
> Your work might be useful to them.
>
> I'm currently working in a related area for the Acumos project, leading
> the TSC Security Committee (https://wiki.acumos.org/display/SEC) and lead
> of the security-verification component of the Acumos platform (in
> development). Trust in the project code is one of the items in scope for
> the Security Committee, so it's good to see you are still working in that
> area. I'll look into the latest version.
>
> On the notices, I also still get them though haven't done anything on them
> for a while.
> I agree, if OPNFV is not minding that store, they should consider turning
> it down.
>
> Thanks,
> Bryan Sullivan | AT&T
> --
> *From:* opnfv-tech-discuss@lists.opnfv.org [
> opnfv-tech-discuss@lists.opnfv.org] on behalf of Luke Hinds [
> lhi...@redhat.com]
> *Sent:* Friday, January 04, 2019 12:32 AM
> *To:* opnfv-tech-discuss
> *Subject:* [opnfv-tech-discuss] [releng] Anteater maintenance
>
> Hi RelEng Folks,
>
> I am not as involved in OPNFV any longer. I still get a few emails around
> anteater information at gate.
>
> Would someone else like to take over managing the issues at gate or should
> we decommission the project (in opnfv)?
>
> Also it's running an old version now, there is a later version which is
> much improved and can be found below. We did talk about implementing this,
> but it never happened in the end.
>
> https://github.com/anteater/anteater
>
> Regards,
>
> Luke
>


-- 
Luke Hinds | NFV Partner Engineering | CTO Office | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | t: +44 12 52 36 2483


[opnfv-tech-discuss] [releng] Anteater maintenance

2019-01-07 Thread Luke Hinds
Hi RelEng Folks,

I am not as involved in OPNFV any longer. I still get a few emails around
anteater information at gate.

Would someone else like to take over managing the issues at gate or should
we decommission the project (in opnfv)?

Also it's running an old version now, there is a later version which is
much improved and can be found below. We did talk about implementing this,
but it never happened in the end.

https://github.com/anteater/anteater

Regards,

Luke


Re: [opnfv-tech-discuss] [releng][security][infra] Anteater Improvements

2018-03-09 Thread Luke Hinds
Sorry for spamming you folks, but the last one was broken:

https://regexr.com/3lv46

On Fri, Mar 9, 2018 at 9:36 AM, Luke Hinds <lhi...@redhat.com> wrote:

> Another example with domain based urls:
>
> https://regexr.com/3lv1o
>
> All we need do then is make an entry in anteater as follows:
>
> curl_http:
>   regex: '(?:wget|curl).*https?://(www\.)?[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)'
>   desc: "Object retrieval from non authorised site."
>
> And then domains would be white listed with a simple entry in the ignore
> list:
>
> file_audits:
>   file_contents:
>     - ^#
>     - \.onap\.org\/
>
> The above would allow all file downloads, but if we wanted to be more
> specific, we could:
>
> file_audits:
>   file_contents:
>     - ^#
>     - \.onap\.org\/files\/.*\.(iso|img|yaml|tar)
>
> Hopefully it's possible to see how flexible the tool is now.
>
>
>
> On Fri, Mar 9, 2018 at 9:24 AM, Luke Hinds <lhi...@redhat.com> wrote:
>
>> A simple way to solve this is using regex. You can really build up
>> multiple conditions, for example the following link will match anyone using
>> curl/wget against an IP address, but things such as 'yum install curl'
>> will not get picked up.
>>
>> https://regexr.com/3lv1o # Play around with the text section
>>
>> When used in this way, the tool really becomes quite powerful. I use it
>> myself for non security context stuff such as blocking deprecated
>> functions, release names etc.
>>
>>
>> On Thu, Mar 8, 2018 at 3:31 PM, SULLIVAN, BRYAN L (BRYAN L) <
>> bryan.sulli...@research.att.com> wrote:
>>
>>> Aric,
>>>
>>> To clarify my intent - it was that the blocking of wget/curl/etc tool
>>> use except as allowed by regex rules, is the onerous part since there are
>>> many different uses and it will be difficult to create/maintain the regexp
>>> rules.
>>>
>>> I actually would *prefer* use of an external service such as VirusTotal
>>> that could flag risky content sources however they do it (FQDN, IP, etc
>>> though they are not a perfect solution either), since at least any
>>> private-subnet targets for wget/curl would pass that test.
>>>
>>> Of course, one could argue that if a DNS is hacked then even curl for
>>> Keystone APIs can result in a vulnerability... but we have limits in what
>>> we can achieve. And such hacks would threaten use of the same resources
>>> even via python libraries e.g. for OpenStack clients, so it's not just
>>> curl/wget that would be at risk.
>>>
>>> Thanks,
>>> Bryan Sullivan | AT&T
>>>
>>> -Original Message-
>>> From: opnfv-tech-discuss-boun...@lists.opnfv.org [mailto:
>>> opnfv-tech-discuss-boun...@lists.opnfv.org] On Behalf Of Aric Gardner
>>> Sent: Thursday, March 08, 2018 7:21 AM
>>> To: Fatih Degirmenci <fatih.degirme...@ericsson.com>
>>> Cc: opnfv-tech-discuss <opnfv-tech-discuss@lists.opnfv.org>
>>> Subject: Re: [opnfv-tech-discuss] [releng][security][infra] Anteater
>>> Improvements
>>>
>>> Hi Fatih,
>>>
>>> Regarding your comments on reproducibility and traceability.
>>>
>>> If we are not blocking IPs, which I agree with Bryan is heavy-handed
>>> from a practical perspective, perhaps anteater could create a report
>>> of external sources per repository, and then exit 0.
>>>
>>> The developers could then be alerted to our concerns.
>>>
>>> Gerrit Comment or email to ptl:
>>>
>>> "Hi $project developer" Here are external ips connected to your build.
>>> {list goes here}
>>> If any of these sources should go offline, your builds will no longer
>>> be reproducible or traceable.
>>> Please consider this carefully. If you need a file hosted, contact
>>> helpdesk and they will be happy to put it on artifacts.opnfv.org
>>>
>>> Or something like that..
>>>
>>>
>>> -Aric
>>>
>>>
>>> On Thu, Mar 8, 2018 at 9:11 AM, Fatih Degirmenci
>>> <fatih.degirme...@ericsson.com> wrote:
>>> > Hi Luke,
>>> >
>>> >
>>> >
>>> > I have a few comments and followup questions regarding this:
>>> >
>>> > “This in turn means we won't raise alarms over curl, git clone and
>>> wget and
>>> > will instead check the IP addresses or URLS that those comma

Re: [opnfv-tech-discuss] [releng][security][infra] Anteater Improvements

2018-03-09 Thread Luke Hinds
Another example with domain based urls:

https://regexr.com/3lv1o

All we need do then is make an entry in anteater as follows:

curl_http:
  regex: '(?:wget|curl).*https?://(www\.)?[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)'
  desc: "Object retrieval from non authorised site."

And then domains would be white listed with a simple entry in the ignore
list:

file_audits:
  file_contents:
    - ^#
    - \.onap\.org\/

The above would allow all file downloads, but if we wanted to be more
specific, we could:

file_audits:
  file_contents:
    - ^#
    - \.onap\.org\/files\/.*\.(iso|img|yaml|tar)

Hopefully it's possible to see how flexible the tool is now.



On Fri, Mar 9, 2018 at 9:24 AM, Luke Hinds <lhi...@redhat.com> wrote:

> A simple way to solve this is using regex. You can really build up
> multiple conditions, for example the following link will match anyone using
> curl/wget against an IP address, but things such as 'yum install curl'
> will not get picked up.
>
> https://regexr.com/3lv1o # Play around with the text section
>
> When used in this way, the tool really becomes quite powerful. I use it
> myself for non security context stuff such as blocking deprecated
> functions, release names etc.
>
>
> On Thu, Mar 8, 2018 at 3:31 PM, SULLIVAN, BRYAN L (BRYAN L) <
> bryan.sulli...@research.att.com> wrote:
>
>> Aric,
>>
>> To clarify my intent - it was that the blocking of wget/curl/etc tool use
>> except as allowed by regex rules, is the onerous part since there are many
>> different uses and it will be difficult to create/maintain the regexp rules.
>>
>> I actually would *prefer* use of an external service such as VirusTotal
>> that could flag risky content sources however they do it (FQDN, IP, etc
>> though they are not a perfect solution either), since at least any
>> private-subnet targets for wget/curl would pass that test.
>>
>> Of course, one could argue that if a DNS is hacked then even curl for
>> Keystone APIs can result in a vulnerability... but we have limits in what
>> we can achieve. And such hacks would threaten use of the same resources
>> even via python libraries e.g. for OpenStack clients, so it's not just
>> curl/wget that would be at risk.
>>
>> Thanks,
>> Bryan Sullivan | AT&T
>>
>> -Original Message-
>> From: opnfv-tech-discuss-boun...@lists.opnfv.org [mailto:
>> opnfv-tech-discuss-boun...@lists.opnfv.org] On Behalf Of Aric Gardner
>> Sent: Thursday, March 08, 2018 7:21 AM
>> To: Fatih Degirmenci <fatih.degirme...@ericsson.com>
>> Cc: opnfv-tech-discuss <opnfv-tech-discuss@lists.opnfv.org>
>> Subject: Re: [opnfv-tech-discuss] [releng][security][infra] Anteater
>> Improvements
>>
>> Hi Fatih,
>>
>> Regarding your comments on reproducibility and traceability.
>>
>> If we are not blocking IPs, which I agree with Bryan is heavy-handed
>> from a practical perspective, perhaps anteater could create a report
>> of external sources per repository, and then exit 0.
>>
>> The developers could then be alerted to our concerns.
>>
>> Gerrit Comment or email to ptl:
>>
>> "Hi $project developer" Here are external ips connected to your build.
>> {list goes here}
>> If any of these sources should go offline, your builds will no longer
>> be reproducible or traceable.
>> Please consider this carefully. If you need a file hosted, contact
>> helpdesk and they will be happy to put it on artifacts.opnfv.org
>>
>> Or something like that..
>>
>>
>> -Aric
>>
>>
>> On Thu, Mar 8, 2018 at 9:11 AM, Fatih Degirmenci
>> <fatih.degirme...@ericsson.com> wrote:
>> > Hi Luke,
>> >
>> >
>> >
>> > I have a few comments and followup questions regarding this:
>> >
>> > “This in turn means we won't raise alarms over curl, git clone and wget
>> and
>> > will instead check the IP addresses or URLS that those commands query.
>> This
>> > should make anteater a lot less chatty at gate.”
>> >
>> >
>> >
>> > You might remember that one of the reasons we have checks for curl/wget
>> is
>> > to find out if projects pull artifacts from unknown IPs during
>> > build/deployment/testing.
>> >
>> > These are not malicious but we have seen that few of the IPs where the
>> > projects fetch the artifacts belong to non-production/personal devices
>> that
>> > tend to disappear over time.
>> >
>> > As you know, this is an importan
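As an added example (not anteater's own code, nor code from this thread), here is the flag-then-except flow described in the message above: the curl_http rule with its alternation grouped so only a curl or wget carrying a URL fires, both ignore lists from the message, and a constructed deploy script run through them. The function and constant names (audit_file_contents, IGNORE_BROAD, IGNORE_NARROW, SAMPLE) are mine.

```python
import re

# Added example, not anteater's own code: the flag-then-except flow from the
# thread. A detection rule flags curl/wget retrieval of a URL, and a project
# ignore list (the file_contents exceptions) excuses approved sources.

# The thread's curl_http rule with its alternation grouped, so only a curl or
# wget that carries a URL fires; "yum install curl" has no URL and stays quiet.
CURL_HTTP = re.compile(
    r"(?:wget|curl).*https?://(?:www\.)?"
    r"[-a-zA-Z0-9@:%._+~#=]{2,256}\.[a-z]{2,6}\b"
    r"[-a-zA-Z0-9@:%_+.~#?&/=]*"
)
RULES = {"curl_http": CURL_HTTP}

# The two ignore lists from the thread. The broad one approves anything under
# *.onap.org; the narrow one approves only artifact downloads from /files/.
IGNORE_BROAD = [
    re.compile(r"^#"),            # commented-out lines never execute
    re.compile(r"\.onap\.org/"),
]
IGNORE_NARROW = [
    re.compile(r"^#"),
    # Extensions grouped so the alternation applies to the suffix only.
    re.compile(r"\.onap\.org/files/.*\.(iso|img|yaml|tar)"),
]


def audit_file_contents(text, rules, ignore):
    """Return [(line_no, rule_name, line)] for every line that a rule matches
    and that no ignore pattern excuses."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if any(p.search(line) for p in ignore):
            continue
        for name, rule in rules.items():
            if rule.search(line):
                findings.append((line_no, name, line))
    return findings


# Constructed deploy script; not taken from any OPNFV repository.
SAMPLE = """\
#!/bin/bash
# curl https://example.com/legacy/setup.sh   (commented out, line 2)
yum install -y curl wget
wget https://nexus.onap.org/files/images/base.img
curl -sL https://downloads.example.com/tool.tar.gz -o tool.tar.gz
curl -s https://nexus.onap.org/files/notes.txt
"""


def flagged_lines(ignore):
    """Line numbers in SAMPLE that remain flagged under the given ignore list."""
    return [line_no for line_no, _, _ in audit_file_contents(SAMPLE, RULES, ignore)]


if __name__ == "__main__":
    # Broad list: only the non-onap download (line 5) is reported.
    # Narrow list: the onap text file (line 6) is reported as well, since
    # only .iso/.img/.yaml/.tar artifacts are approved.
    for label, ignore in (("broad", IGNORE_BROAD), ("narrow", IGNORE_NARROW)):
        for line_no, rule, line in audit_file_contents(SAMPLE, RULES, ignore):
            print(f"[{label}] line {line_no}: {rule}: {line}")
```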

Re: [opnfv-tech-discuss] [releng][security][infra] Anteater Improvements

2018-03-08 Thread Luke Hinds
I wonder if this might be a good topic for the next infra-wg. One thing we
may be able to do is fix up the regex so stuff such as 'yum install curl'
or 'apt-get install wget' doesn't cause false alarms.

The good thing with the framework is the regexes are easy to get at, so it's
easy for anyone to push a patch with a better fine-tuned regex.


On Thu, Mar 8, 2018 at 3:07 PM, SULLIVAN, BRYAN L (BRYAN L) <
bryan.sulli...@research.att.com> wrote:

> Fatih,
>
>
>
> I think the problem is that it’s very difficult to differentiate between
> use of wget/curl etc for:
>
>- Pulling in components/data from external sources, as part of a
>deploy or test process, or even by design of the component being developed
>(e.g. a config file is pulled from some repo/place and used in component
>configuration)
>- Use of APIs exposed by the NFV platform or applications running
>under it
>
>
>
> Requiring all the latter uses to be allowed through regexp rules would be
> the onerous part.
>
>
>
> Thanks,
>
> Bryan Sullivan | AT&T
>
>
>
> *From:* Fatih Degirmenci [mailto:fatih.degirme...@ericsson.com]
> *Sent:* Thursday, March 08, 2018 7:01 AM
> *To:* SULLIVAN, BRYAN L (BRYAN L) <bryan.sulli...@research.att.com>; Luke
> Hinds <lhi...@redhat.com>; opnfv-tech-discuss <opnfv-tech-discuss@lists.
> opnfv.org>
>
> *Subject:* Re: [opnfv-tech-discuss] [releng][security][infra] Anteater
> Improvements
>
>
>
> Hi Bryan,
>
>
>
> My comment wasn’t about the tools themselves but what they are used for
> and to be honest the suggestion is nothing short of a heavy-handed approach.
>
>
>
> If someone includes something in an artifact that is consumed by someone
> else for different purposes, we have responsibility to them that we will
> always be able to recreate that artifact for different purposes such as
> troubleshooting.
>
> If people hook their own machines to store artifacts that go into final
> OPNFV release and if these machines disappear, we will have no possibility
> to recreate what we released.
>
> Apart from that, if people want to rebuild something for some reason, they
> will be unable to do that since the dependencies will not be available
> anymore.
>
> These concerns are based on what we found while looking at our earlier
> releases so I’m not talking about something that’s possible to happen but a
> real issue that happened and we had to intervene.
>
>
>
> If projects guarantee the long term availability of the artifacts on the
> original location (ie until the EOL of that specific release) and they ask
> for exception, there will be no blocking.
>
>
>
> As you said, you are free to promote tools and approaches like how I
> am doing here since I believe they are important to be shared.
>
>
>
> /Fatih
>
>
>
> *From: *"SULLIVAN, BRYAN L (BRYAN L)" <bryan.sulli...@research.att.com>
> *Date: *Thursday, 8 March 2018 at 15:31
> *To: *Fatih Degirmenci <fatih.degirme...@ericsson.com>, Luke Hinds <
> lhi...@redhat.com>, "opnfv-tech-discuss@lists.opnfv.org" <
> opnfv-tech-discuss@lists.opnfv.org>
> *Subject: *RE: [opnfv-tech-discuss] [releng][security][infra] Anteater
> Improvements
>
>
>
> I do recommend that we rely upon tools that can focus on the trust of
> specific sources, and not the use of platform capabilities such as curl,
> wget, etc. These (curl, wget, etc) are tools that can be used for many
> purposes inside an application like an OPNFV platform, or its
> deployment/testing tools. The flagging/blocking of patches just because the
> code contains use of wget/curl/etc is an onerous and heavy-handed approach
> to the goal. Having to create regexp rules for each valid use of wget/curl
> is a non-starter for me and likely many others in this project. Thus I
> support Luke’s plan, and intend to promote these same tools and approaches
> for use in the Acumos and other LFN projects.
>
>
>
> Thanks,
>
> Bryan Sullivan | AT&T
>
>
>
> *From:* opnfv-tech-discuss-boun...@lists.opnfv.org [
> mailto:opnfv-tech-discuss-boun...@lists.opnfv.org
> <opnfv-tech-discuss-boun...@lists.opnfv.org>] *On Behalf Of *Fatih
> Degirmenci
> *Sent:* Thursday, March 08, 2018 6:12 AM
> *To:* Luke Hinds <lhi...@redhat.com>; opnfv-tech-discuss <
> opnfv-tech-discuss@lists.opnfv.org>
> *Subject:* Re: [opnfv-tech-discuss] [releng][security][infra] Anteater
> Improvements
>
>
>
> Hi Luke,
>
>
>
> I have a few comments and followup questions regarding this:
>
> “This in turn means we won't raise alarms over curl, git clone and wget
> and will instead check the IP 

[opnfv-tech-discuss] [releng][security][infra] Anteater Improvements

2018-03-08 Thread Luke Hinds
Hello,

I have some changes to improve the reporting ability and hopefully tone
down the false positives.

Anteater will now interface with the VirusTotal public API:

1. If anteater finds a public IP address, the DNS history will be queried
to see if the IP has past or present associations with malicious domains.

2. If a URL is found, it is checked against the VirusTotal API to see if
it's marked as malicious.

3. Binaries will be sent to VirusTotal for a scan by the aggregation of
scanners hosted there.

For anyone wanting a demo, please see the following:

https://asciinema.org/a/JfzUPWpBGm0wDKPCN3KlK2DK0

I will work with various people to get this rigged into CI.

This in turn means we won't raise alarms over curl, git clone and wget and
will instead check the IP addresses or URLS that those commands query. This
should make anteater a lot less chatty at gate.

Cheers,

Luke
___
opnfv-tech-discuss mailing list
opnfv-tech-discuss@lists.opnfv.org
https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss


Re: [opnfv-tech-discuss] [releng] Secrets in environment variables

2018-03-08 Thread Luke Hinds
Sorry all, I missed this email...

On Thu, Mar 1, 2018 at 8:46 PM, Trevor Bramwell <
tbramw...@linuxfoundation.org> wrote:

> Hi Julien,
>
> Yes we have that plugin installed.
>
> Luke,
>
> If there is known file location virus total looks for the api key,
> another option is using the Config File Provider[1][2]. The credentials
> would be stored in a file on Jenkins master and pulled down before the
> build, then removed once the build completes.
>
> Though ensuring credentials are cleaned up even if the build fails
> requires the Post Build Script[3] plugin as well (which is also installed).
>

Currently I just pull it from the environment (as this works well with
circle-ci and travis)

import logging
import os
import sys

logger = logging.getLogger(__name__)

try:
    apikey = os.environ["VT_KEY"]
except KeyError:
    logger.error("Please set your virustotal.com API key as an environment variable")
    sys.exit(1)




>
> Regards,
> Trevor Bramwell
>
> [1] https://plugins.jenkins.io/config-file-provider
> [2] https://docs.openstack.org/infra/jenkins-job-builder/
> wrappers.html#wrappers.config-file-provider
> [3] https://docs.openstack.org/infra/jenkins-job-builder/
> publishers.html#publishers.postbuildscript
>
> On Thu, Mar 01, 2018 at 09:15:58AM +, Julien wrote:
> > Hi Luke,
> >
> > Yes, you can inject a secret string in the jjb :
> >
> > wrappers:
> >   - credentials-binding:
> >       - zip-file:
> >           credential-id: b3e6f337-5d44-4f57-921c-1632d796caa6
> >           variable: CONFIG_ZIP
> >       - file:
> >           credential-id: b3e6f337-5d44-4f57-921c-1632d796caab
> >           variable: config_file
> >       - username-password:
> >           credential-id: b3e6f337-5d44-4f57-921c-1632d796caac
> >           variable: config_username_password
> >       - text:
> >           credential-id: b3e6f337-5d44-4f57-921c-1632d796caad
> >           variable: config_text
> >
> > it supports file, text, username-password, etc. It cannot be echoed or
> > cat'ed during the CI execution.
> > It requires a Credentials Binding plugin.
> > @Trevor, Aric, can you double-check whether it is installed already?
> > We use this method to avoid API token leak issue in internal CI.
> >
> > [1], https://docs.openstack.org/infra/jenkins-job-builder/wrappers.html
> > [2], https://wiki.jenkins.io/display/JENKINS/Credentials+Binding+Plugin
> >
> >
> > Luke Hinds <lhi...@redhat.com>于2018年2月20日周二 下午4:11写道:
> >
> > > Hi,
> > >
> > > Do we have the capability to handle (inject?) environment variable
> secrets
> > > in our CI that are set during a build?
> > >
> > > I am looking at introducing virus total checks into anteater and this
> > > needs an API key which we don't want to share in the open.
> > >
> > > Currently I have the code look for the key in the environment, rather
> > > than a config file. Is this workable?
> > >
> > > e.g...
> > >
> > > export VT_KEY=''
> > > echo $VT_KEY
> > > 
> > > --
> > > Luke Hinds | NFV Partner Engineering | CTO Office | Red Hat
> > > e: lhi...@redhat.com | irc: lhinds @freenode | t: +44 12 52 36 2483
> > > ___
> > > opnfv-tech-discuss mailing list
> > > opnfv-tech-discuss@lists.opnfv.org
> > > https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
> > >
>



-- 
Luke Hinds | NFV Partner Engineering | CTO Office | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | t: +44 12 52 36 2483


Re: [opnfv-tech-discuss] {releng-anteater] project_scan.py check for top-level license needs enhancements

2018-02-16 Thread Luke Hinds
Thanks, I'll take a look.

On 16 Feb 2018 5:45 pm, "SULLIVAN, BRYAN L (BRYAN L)" <
bryan.sulli...@research.att.com> wrote:

> I’m not sure how/where to raise this as a bug, so I created a JIRA issue:
> https://jira.opnfv.org/browse/RELENG-346
>
>
>
> Anteater needs to verify that the project top-level license file is
> correctly formatted (“Licence string present”), and accept any variation of
> file name “LICENSE*” (e.g. LICENSE.txt) as a valid present license file.
>
>
>
> Thanks,
>
> Bryan Sullivan | AT&T
>
>
>


Re: [opnfv-tech-discuss] Anteater status and link issue

2018-02-13 Thread Luke Hinds
Top post with an example using the Virus Total API:

> anteater --bincheck --project testproject --path /home/luke/repos/personal/anteater/tests/testproject

2018-02-13 14:49:18,349 - anteater.src.get_lists - INFO - Loaded
testproject specific file_audits entries
2018-02-13 14:49:18,352 - anteater.src.get_lists - INFO - Loaded
testproject specific file_contents entries
2018-02-13 14:49:18,375 - anteater.src.project_scan - INFO - Non
Whitelisted Binary file:
/home/luke/repos/personal/anteater/tests/testproject/images/pal.png
2018-02-13 14:49:18,376 - anteater.src.project_scan - INFO - Performing
Scan: /home/luke/repos/personal/anteater/tests/testproject/images/pal.png
2018-02-13 14:49:18,824 - anteater.src.project_scan - INFO - File last
scanned and shown as clean on:, 2018-02-13 13:44:11
2018-02-13 14:49:18,825 - anteater.src.project_scan - INFO - Full report
here:
https://www.virustotal.com/file/a71e13ebeb2500ed20781ab3ae8a9b306cf69a6c8be9a31e96d4e04f1657b4d8/analysis/1518529451

2018-02-13 14:49:18,825 - anteater.src.project_scan - INFO - The following
sha256 hash can be used in your testproject.yaml file:
a71e13ebeb2500ed20781ab3ae8a9b306cf69a6c8be9a31e96d4e04f1657b4d8

Should have the URL / Domain / IP stuff working later in the week.


On Tue, Feb 13, 2018 at 9:41 AM, Luke Hinds <lhi...@redhat.com> wrote:

>
>
> On Tue, Feb 13, 2018 at 12:17 AM, SULLIVAN, BRYAN L (BRYAN L) <
> bryan.sulli...@research.att.com> wrote:
>
>> Comments etc inline
>>
>>
>>
>> Thanks,
>>
>> Bryan Sullivan | AT&T
>>
>>
>>
>> *From:* Luke Hinds [mailto:lhi...@redhat.com]
>> *Sent:* Monday, February 12, 2018 9:04 AM
>> *To:* SULLIVAN, BRYAN L (BRYAN L) <bryan.sulli...@research.att.com>
>> *Cc:* opnfv-tech-discuss@lists.opnfv.org; degirmenci, fatih <
>> fatih.degirme...@ericsson.com>; Raymond Paik <rp...@linuxfoundation.org>
>> *Subject:* Re: [opnfv-tech-discuss] Anteater status and link issue
>>
>>
>>
>>
>>
>>
>>
>> On Tue, Feb 6, 2018 at 2:32 PM, SULLIVAN, BRYAN L (BRYAN L) <
>> bryan.sulli...@research.att.com> wrote:
>>
>> Hi all,
>>
>> I’m wondering where the Anteater program is – and want to note a broken
>> link: build jobs with Anteater violations reference “Please visit:
>> https://wiki.opnfv.org/x/5oey”, which is the wiki page
>> https://wiki.opnfv.org/pages/viewpage.action?pageId=11700198,
>> which says “Project specific exceptions can be added for file_name,
>> file_contents and binaries, by using the name of the repository within the
>> anteater/exceptions/ directory of the releng-anteater repository.” – but
>> that link (releng-anteater) is broken.
>>
>> I want to start adding the exceptions for Models etc as an example for
>> the LF IT team that is setting up the Acumos project gerrit/CI/CD process,
>> and in general to help optimize the Anteater overhead for projects. I think
>> we need to get some analysis of the types of exceptions that are typical,
>> and establish a process for vetting those exceptions that goes beyond a
>> simple review by a releng committer.
>>
>> Further, we need to bring in other scan tools (e.g. security
>> vulnerability, virus, or malicious code scans) into the Anteater process.
>> This is in response to concerns about the security of the governance
>> process for open source (e.g. upstream, but also direct contribution in
>> projects) that is used to build production-oriented systems. We need to
>> demonstrate that OPNFV and other LF projects are addressing these concerns
>> through their infra too

Re: [opnfv-tech-discuss] Anteater status and link issue

2018-02-13 Thread Luke Hinds
On Tue, Feb 13, 2018 at 12:17 AM, SULLIVAN, BRYAN L (BRYAN L) <
bryan.sulli...@research.att.com> wrote:

> Comments etc inline
>
>
>
> Thanks,
>
> Bryan Sullivan | AT&T
>
>
>
> *From:* Luke Hinds [mailto:lhi...@redhat.com]
> *Sent:* Monday, February 12, 2018 9:04 AM
> *To:* SULLIVAN, BRYAN L (BRYAN L) <bryan.sulli...@research.att.com>
> *Cc:* opnfv-tech-discuss@lists.opnfv.org; degirmenci, fatih <
> fatih.degirme...@ericsson.com>; Raymond Paik <rp...@linuxfoundation.org>
> *Subject:* Re: [opnfv-tech-discuss] Anteater status and link issue
>
>
>
>
>
>
>
> On Tue, Feb 6, 2018 at 2:32 PM, SULLIVAN, BRYAN L (BRYAN L) <
> bryan.sulli...@research.att.com> wrote:
>
> Hi all,
>
> I’m wondering where the Anteater program is – and want to note a broken
> link: build jobs with Anteater violations reference “Please visit:
> https://wiki.opnfv.org/x/5oey”, which is the wiki page
> https://wiki.opnfv.org/pages/viewpage.action?pageId=11700198,
> which says “Project specific exceptions can be added for file_name,
> file_contents and binaries, by using the name of the repository within the
> anteater/exceptions/ directory of the releng-anteater repository.” – but
> that link (releng-anteater) is broken.
>
> I want to start adding the exceptions for Models etc as an example for the
> LF IT team that is setting up the Acumos project gerrit/CI/CD process, and
> in general to help optimize the Anteater overhead for projects. I think we
> need to get some analysis of the types of exceptions that are typical, and
> establish a process for vetting those exceptions that goes beyond a simple
> review by a releng committer.
>
> Further, we need to bring in other scan tools (e.g. security
> vulnerability, virus, or malicious code scans) into the Anteater process.
> This is in response to concerns about the security of the governance
> process for open source (e.g. upstream, but also direct contribution in
> projects) that is used to build production-oriented systems. We need to
> demonstrate that OPNFV and other LF projects are addressing these concerns
> through their infra toolsets.
>
>
>
> Sorry Bryan, I missed a few of these emails thanks (or rather no thanks)
> to a bad mail filter rule.
>
> I am working on the following now which we will see soon:
>
> Much better documentation: http://anteater.readthedocs.io/en/latest/
>
> [bryan] Are you going to start hosting these docs at docs.opnfv.org?
>
We can do, yes, although I guess it makes sense to have the main body of the
documentation around the tool upstream (once the github re-homing happens),
and then have everything OPNFV developers need to know about how anteater
is used in OPNFV at docs.opnfv.org - this way there won't be materials in
docs.opnfv.org around using Travis CI (which would confuse people).

> Virus total integration:
>
>* Any binaries will be scanned using the virus total API, unless a
> sha256 waiver is already present e.g.
> https://github.com/opnfv/releng-anteater/blob/master/exceptions/calipso.yaml#L9
>
>* Any IP addresses / domain name / URL will be

[opnfv-tech-discuss] [infra] Meeting time and calendar invites.

2018-01-15 Thread Luke Hinds
Hello All,

A couple of points:

Meeting times were discussed. It was planned to move back to 16:00 UTC,
which works better for North America (and myself and Fatih), but this is
not good for Asia (where it's midnight). Open to ideas and input; however, just
to note I won't be able to chair at 15:00 UTC, so would need to rain check
that time.

Calendar invites: This seems silly to me. In my opinion folks should manage
their own calendars, just as we do upstream. Currently every two months the
chair sends out a meeting request to tech-discuss, that gets used by a few
and then gets a ton of declines messaged back. My proposal: manage your own
calendar and then if your timezone changes, you can just move the invite
yourself.

Cheers,

Luke

-- 
Luke Hinds | NFV Partner Engineering | CTO Office | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483
___
opnfv-tech-discuss mailing list
opnfv-tech-discuss@lists.opnfv.org
https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss


[opnfv-tech-discuss] [infra] Infra-WG Meeting cancelled

2018-01-08 Thread Luke Hinds
Hello,

We have had to cancel today's infra working group meeting, due to a
personal event on my side meaning I cannot attend to chair. As Jack and
Fatih are also out / busy, a decision was made to cancel for now.

Regards,

Luke


Re: [opnfv-tech-discuss] [releng] Committer list per Releng repository

2017-12-10 Thread Luke Hinds
Only caveat I have is that there are no committers (or regular reviewers)
to releng-anteater to get patches landed.

With that in mind though, I don't mind moving the project back to github
(where it's easier for anyone to patch) and we keep all the project
exception files in releng (where it would have a high number of committers
who can help review what would only be regular expressions).

The above would suit me well, as I would like to get anteater more adopted
upstream as others have shown an interest in implementing the project.


On Fri, Dec 8, 2017 at 9:05 AM, Markos Chandras <mchand...@suse.de> wrote:

> +1
>
> On 12/08/2017 12:01 AM, Fatih Degirmenci wrote:
> > Hi Releng Committers,
> >
> > During OPNFV Plugfest, we had conversations around having a committer list
> > per Releng repository/Gerrit Project.
> >
> > The reason behind this is that the Releng project currently has 5 different
> > repositories as listed below. [1]
> >
> >   * releng
> >   * releng-anteater
> >   * releng-testresults
> >   * releng-utils
> >   * releng-xci
> >
> > The work that is done in these repositories requires different competence
> > profiles. For example, for the releng repository the committers need to have
> > knowledge in CI, Jenkins, Jenkins Job Builder and so on.
> >
> > Apart from the required competence, some developers might not be
> > interested in certain parts of Releng but interested in others.
> >
> > Having a single committer list across all Releng owned repositories
> > prevents us from recognizing contributors and promoting them as
> > committers for the corresponding repositories since they will perhaps
> > never have enough contributions across all of them.
> >
> > Another limitation is that the current review practices followed by
> > Releng are not good and we need to improve this. Having the right set of
> > committers per repo and getting patches reviewed by them properly will
> > help with the quality of work we are doing.
> >
> > In order to address this limitation and have the ability and the
> > possibility to recognize and promote developers who made great
> > contributions to Releng in general in the repositories they worked in, I
> > propose to create a committer list per repo.
> >
> > Please respond to this mail with +1 or -1 and share questions,
> > comments, concerns if you have any.
> >
> > I plan to bring this topic to TSC on December 12th if the vote passes.
> >
> > [1] https://gerrit.opnfv.org/gerrit/#/admin/projects/?filter=releng
> >
> > /Fatih
> >
>
>
> --
> markos
>
> SUSE LINUX GmbH | GF: Felix Imendörffer, Jane Smithard, Graham Norton
> HRB 21284 (AG Nürnberg) Maxfeldstr. 5, D-90409, Nürnberg
>



-- 
Luke Hinds | NFV Partner Engineering | CTO Office | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


[opnfv-tech-discuss] [releng] Anteater gerrit comment formatting

2017-08-31 Thread Luke Hinds
Hi,

I raised the following JIRA [1], but not sure of the best way to fix the
jjb script (don't understand the logic with the sed command)

Would someone be able to take this on, as it's leaving quite some messy
comments on quite a few anteater jobs?

[1] https://jira.opnfv.org/browse/RELENG-308

Cheers,

Luke


Re: [opnfv-tech-discuss] Lab as a Service - Installer Support

2017-07-31 Thread Luke Hinds
Second retry of this email to gauge interest of other installers.

So far we have Compass4NFV.

On Mon, Jul 17, 2017 at 3:39 PM, Luke Hinds <lhi...@redhat.com> wrote:

> Dear Installer Projects,
>
> I have an action from the infra-wg to gauge which installers can support
> LaaS.
>
> Please peruse the following wiki link for more details on the effort.
>
> https://wiki.opnfv.org/display/INF/Lab+as+a+Service
>
> Recommend you go over the work flow in detail, and consider if you have
> interfaces that can accept the requests and process deployment status.
>
> Any questions, please ask over this email or attend the infra-wg group.
>
> Many Thanks,
>
> Luke
>


Re: [opnfv-tech-discuss] [OPNFV Helpdesk #43579] [linuxfoundation.org #43579] RE: uploading UI code to OPNFV

2017-07-27 Thread Luke Hinds via RT
There are a few things that first off look concerning, but might be unit
tests perhaps:

2017-07-27 13:43:40,245 - anteater.src.patch_scan - ERROR - File
contains violation:
/home/opnfv/anteater/calipso/ui/imports/startup/server/seeds/users.js
2017-07-27 13:43:40,245 - anteater.src.patch_scan - ERROR - Flagged
Content: password: '123456',


The binary files are flagged as we need to be sure they are safe and don't
have, for example, a malicious payload. In this instance I am sure they are
safe, as you're the source, but they still get flagged as at a later point
they could be swapped out by someone with files that have a nefarious
payload.


On Thu, Jul 27, 2017 at 5:41 PM, kor...@cisco.com via RT <
opnfv-helpd...@rt.linuxfoundation.org> wrote:

> Thanks Frank, this post helps a lot
> Aric - thanks for the comment, yes we noticed that and now have code
> submitted into git, while looking into exceptions next
>
> best regards
> koren
>
>
> -Original Message-
> From: Aric Gardner via RT [mailto:opnfv-helpd...@rt.linuxfoundation.org]
> Sent: Thursday, July 27, 2017 7:06 PM
> To: Koren Lev (korlev)
> Cc: dmcbr...@linuxfoundation.org; Eyal Lapid -T (elapid - AMAN COMPUTERS
> LTD at Cisco); Frank Brockners (fbrockne); opnfv-project-leads@lists.
> opnfv.org; opnfv-tech-discuss@lists.opnfv.org; rp...@linuxfoundation.org;
> Yaron Yogev (yayogev)
> Subject: Re: [opnfv-tech-discuss] [OPNFV Helpdesk #43579] [
> linuxfoundation.org #43579] RE: uploading UI code to OPNFV
>
> One further note: Anteater declares a failure however, it does not vote
> and will not block you from merging your patch.
> -Aric
>
> On Thu, Jul 27, 2017 at 12:00 PM, Frank Brockners via RT <
> opnfv-helpd...@rt.linuxfoundation.org> wrote:
> > Koren,
> >
> > did you check out https://wiki.opnfv.org/pages/viewpage.action?pageId=10294496 already?
> >
> > Frank
> >
> > From: Koren Lev (korlev)
> > Sent: Donnerstag, 27. Juli 2017 16:17
> > To: David McBride <dmcbr...@linuxfoundation.org>; TECH-DISCUSS OPNFV
> > <opnfv-tech-discuss@lists.opnfv.org>; opnfv-project-leads
> > <opnfv-project-le...@lists.opnfv.org>
> > Cc: Raymond Paik <rp...@linuxfoundation.org>;
> > opnfv-helpd...@rt.linuxfoundation.org; Frank Brockners (fbrockne)
> > <fbroc...@cisco.com>; Yaron Yogev (yayogev) <yayo...@cisco.com>; Eyal
> > Lapid -T (elapid - AMAN COMPUTERS LTD at Cisco) <ela...@cisco.com>
> > Subject: uploading UI code to OPNFV
> >
> > Hi,
> >
> > The Calipso project includes a UI module; it needs several media files (.jpg
> > .png .ico etc) uploaded too (not too big, mostly for css stuff).
> > Currently Jenkins rejects those (example): “ERROR - Non Whitelisted
> > Binary file: /home/opnfv/anteater/calipso/ui/public/cisco-favicon.ico”
> >
> > How can we request an exception for those types, and how long will this
> > take, please?
> > Attaching all as we have an MS5 to complete.
> >
> > regards
> > Koren
> >
>
>
>



-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483

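As an added illustration of the two Anteater behaviours in this thread (the flagged `password: '123456'` line and the "Non Whitelisted Binary file" error here, and the sha256 binary waiver Luke describes further up in the Anteater status thread), the following Python is example code written for this page, not Anteater's own source. The content regexes, the sample files, the "stale waiver" case and the dict layout standing in for a per-project exception file (keyed file_contents and binaries, after the wiki text quoted above) are all assumptions made for the example.

```python
"""Added example: a minimal patch scanner in the spirit of the Anteater checks
discussed in this thread. It is not Anteater's own code; the regexes, the
sample files and the exception-file layout are constructed for the example.

Two checks from the thread are modelled:
  * text files are matched against "flagged content" patterns (the
    `password: '123456'` hit above) unless an allow-listed regex from the
    project's exception file excuses the line;
  * binary files are rejected as "Non Whitelisted" unless the project's
    exception file carries a sha256 waiver that matches the file's digest,
    so a binary swapped out later fails even though its path is waived.
"""
import hashlib
import re

# Constructed stand-ins for the content patterns a scanner ships (assumption:
# the real Anteater pattern files differ).
FLAGGED_CONTENT = [
    re.compile(r"password\s*[:=]\s*['\"][^'\"]+['\"]", re.IGNORECASE),
    re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba)?sh\b"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_binary(data: bytes) -> bool:
    """Heuristic: a NUL byte, or more than 30% non-text bytes, means binary."""
    if b"\x00" in data:
        return True
    text_bytes = bytes(range(0x20, 0x7F)) + b"\t\n\r\x0b\x0c"
    return bool(data) and sum(b not in text_bytes for b in data) / len(data) > 0.3


def scan_file(path: str, data: bytes, exceptions: dict) -> list:
    """Return the violations for one file (empty list means clean).

    `exceptions` mirrors a per-project exception file loaded into a dict
    (assumed layout): {"file_contents": [regex, ...],
                       "binaries": {path: sha256_hex}}.
    """
    violations = []
    if is_binary(data):
        waived = exceptions.get("binaries", {}).get(path)
        if waived is None or waived.lower() != sha256_hex(data):
            violations.append(f"Non Whitelisted Binary file: {path}")
        return violations
    allow = [re.compile(p) for p in exceptions.get("file_contents", [])]
    text = data.decode("utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        if any(p.search(line) for p in FLAGGED_CONTENT) and not any(
            a.search(line) for a in allow
        ):
            violations.append(f"{path}:{lineno}: Flagged Content: {line.strip()}")
    return violations


def scan_patch(files: dict, exceptions: dict) -> dict:
    """Scan {path: bytes} and return {path: [violation, ...]} for flagged files."""
    results = {}
    for path, data in files.items():
        found = scan_file(path, data, exceptions)
        if found:
            results[path] = found
    return results


# Constructed sample patch: a seed file with a hard-coded password, a waived
# favicon, a binary whose waiver no longer matches, a curl|bash install
# script, and a test fixture excused by the project's exception file.
SAMPLE_FILES = {
    "ui/imports/startup/server/seeds/users.js": (
        b"Accounts.createUser({\n  username: 'admin',\n  password: '123456',\n});\n"
    ),
    "ui/public/favicon.ico": b"\x00\x00\x01\x00" + bytes(range(256)),
    "ui/public/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "scripts/install.sh": b"#!/bin/sh\ncurl -fsSL https://example.invalid/get.sh | bash\n",
    "tests/test_login.py": b"PASSWORD = 'hunter2'  # test fixture\n",
}
SAMPLE_EXCEPTIONS = {
    "file_contents": [r"#\s*test fixture"],
    "binaries": {
        "ui/public/favicon.ico": sha256_hex(SAMPLE_FILES["ui/public/favicon.ico"]),
        "ui/public/logo.png": "0" * 64,  # stale waiver: digest no longer matches
    },
}

if __name__ == "__main__":
    for path, found in scan_patch(SAMPLE_FILES, SAMPLE_EXCEPTIONS).items():
        for msg in found:
            print("ERROR -", msg)
```

Running the block reports the seed file, the install script and the stale-waiver binary; the favicon passes because its pinned digest still matches, and the test fixture passes only because the project's exception regex excuses that line. Pinning the digest rather than the path is what makes the "swapped out later" scenario in Luke's reply fail the gate.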




[opnfv-tech-discuss] Lab as a Service - Installer Support

2017-07-17 Thread Luke Hinds
Dear Installer Projects,

I have an action from the infra-wg to gauge which installers can support
LaaS.

Please peruse the following wiki link for more details on the effort.

https://wiki.opnfv.org/display/INF/Lab+as+a+Service

Recommend you go over the workflow in detail, and consider if you have
interfaces that can accept the requests and process deployment status.

Any questions, please ask over this email or attend the infra-wg group.

Many Thanks,

Luke

-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


Re: [opnfv-tech-discuss] [anteater] build log for anteator

2017-07-14 Thread Luke Hinds
On Fri, Jul 14, 2017 at 1:43 AM, Yujun Zhang (ZTE) <zhangyujun+...@gmail.com
> wrote:

> Yes, that's what I am seeking.
>
> When a comment is posted by a bot, I would be curious on where this
> message is coming from. I suppose it is posted from some periodic check
> task?
>
>
So we have a jira open to provide a snippet of text on what the 'thinking'
is behind the block, I believe that is what Julien is going to address.

>
> On Fri, Jul 14, 2017 at 7:00 AM Julien <julien...@gmail.com> wrote:
>
>> Oh,
>>
>> I understand the issue: no output of the detailed log of the Jenkins task.
>>
>> Luke, I will deal with this.
>>
>>
Thanks Julien.


>
>> Luke Hinds <lhi...@redhat.com> wrote on Thu, 13 Jul 2017 at 22:13:
>>
>>> How do you mean by build log Yujun? I am always interested in feedback /
>>> improvements.
>>>
>>>
>>> On Wed, Jul 12, 2017 at 4:10 AM, Yujun Zhang (ZTE) <
>>> zhangyujun+...@gmail.com> wrote:
>>>
>>>> I noticed a warning on license header in
>>>> https://gerrit.opnfv.org/gerrit/#/c/36839/
>>>>
>>>> [image: Screen Shot 2017-07-12 at 11.03.55 AM.png]
>>>>
>>>> However the build log is not posted. It's OK for now since the failure
>>>> is clear enough. But it would be nice to have the build log as well as
>>>> other CI jobs.
>>>>
>>>> --
>>>> Yujun
>>>>
>>>> --
>>>> Yujun Zhang
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
>>> e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 |
>>> t: +44 12 52 36 2483
>>>
>> --
> Yujun Zhang
>



-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


[opnfv-tech-discuss] Secure use of curl / wget and external artefacts

2017-07-14 Thread Luke Hinds
Anteater has raised that a lot of projects are using curl / wget to pull
down artefacts from external sites that are often instantiated (in the case
of an IMG file) or piped through bash (in the case of a shell script).

This is dangerous and has known risks, so I have put together a wiki page
explaining what the risks are and how to mitigate them (with example code
and script snippets):

https://wiki.opnfv.org/display/security/How+to+handle+leverage+artefacts+in+a+secure+manner

Please do read, and consider patching your code where it does the above.
You have E release to do so, but for F release it will be blocked by
Anteater and for the more dangerous examples I will make a recommendation
to release to consider its impact when released to end users.

Thanks,

Luke


Re: [opnfv-tech-discuss] [anteater] build log for anteator

2017-07-13 Thread Luke Hinds
How do you mean by build log Yujun? I am always interested in feedback /
improvements.


On Wed, Jul 12, 2017 at 4:10 AM, Yujun Zhang (ZTE) <zhangyujun+...@gmail.com
> wrote:

> I noticed a warning on license header in
> https://gerrit.opnfv.org/gerrit/#/c/36839/
>
> [image: Screen Shot 2017-07-12 at 11.03.55 AM.png]
>
> However the build log is not posted. It's OK for now since the failure is
> clear enough. But it would be nice to have the build log as well as other
> CI jobs.
>
> --
> Yujun
>
> --
> Yujun Zhang
>
>
>


-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


[opnfv-tech-discuss] OPNFV UK User Group

2017-07-03 Thread Luke Hinds
Hello OPNFV'ers,

So the OPNFV UK User Group is now active, and we have our first meet up
organised for September, in central London at the Red Hat Innovation Labs.

We already have 15 members, and 8 members have already reserved spots.

Attendance is limited to 35 people, so reserve soon if you wish to secure a
place (and intend to turn up).

The agenda will be set over the next few weeks.

https://www.meetup.com/OPNFV-UK-User-Group/events/241208551/

-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


Re: [opnfv-tech-discuss] [Infra][Pharos][Releng][Octopus] Proposal to implement installers' quickstart wrapper scripts

2017-06-30 Thread Luke Hinds
Some articles on risks:

https://sysdig.com/blog/friends-dont-let-friends-curl-bash/

https://www.seancassidy.me/dont-pipe-to-your-shell.html

https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-pgp-verified-install

The safest way to do this is using GPG with --recv-key and --verify; I am
sure with some creativity it's possible to get it into one line. I believe
rvm does this.

On Fri, Jun 30, 2017 at 4:06 AM, liangqi (D) <liang...@huawei.com> wrote:

> Thanks for pointing out this security issue.
>
> I think curl | bash install is the easiest way of deploying a system, and
> with minimum dependencies. Could you please give some examples of how to use a
> checksum to ensure the script is securely executed?
>
> I saw that the head of https://get.docker.com/ has info like:
>
> ```bash
> # This script is meant for quick & easy install via:
> #   $ curl -fsSL get.docker.com -o get-docker.sh
> #   $ sh get-docker.sh
> #
> # For test builds (ie. release candidates):
> #   $ curl -fsSL test.docker.com -o test-docker.sh
> #   $ sh test-docker.sh
> #
> # NOTE: Make sure to verify the contents of the script
> #   you downloaded matches the contents of install.sh
> #   located at https://github.com/docker/docker-install
> #   before executing.
> ```
>
> Best Regards,
> Qi Liang
> --
> *From:* Luke Hinds [lhi...@redhat.com]
> *Sent:* Thursday, June 29, 2017 18:32
> *To:* liangqi (D)
> *Cc:* opnfv-tech-discuss@lists.opnfv.org; bryan.sulli...@att.com;
> narinder.gu...@canonical.com
> *Subject:* Re: [opnfv-tech-discuss] [Infra][Pharos][Releng][Octopus]
> Proposal to implement installers' quickstart wrapper scripts
>
> Hi,
>
> Don't want to detract from the topic, but please do not use curl | bash;
> it's dangerous and if opnfv.org is ever compromised, scripts like this
> could be used to back door all the PODs and test sites deployed by end
> users.
>
> If deploying a system this way, then use a checksum (with sha256 or
> stronger) first to ensure the script has not been tampered with (I have
> examples if some are needed).
>
> Cheers,
>
> Luke
>
> On Thu, Jun 29, 2017 at 10:54 AM, liangqi (D) <liang...@huawei.com> wrote:
>
>> Hi,
>>
>> In OPNFV we have 4 installers in the Danube release, and we will have more in
>> the next release. Each of them supports multiple scenarios and has different
>> user install steps. This is quite confusing and difficult to use,
>> especially for newbies.
>>
>> In releng we already have scripts to trigger all installers' deploy and
>> test, but the scripts are CI oriented, not user oriented.
>>
>> So I propose to implement wrapper scripts in releng to provide an easy way
>> for people to try opnfv. With minimum requirements (a server with Ubuntu
>> 14.04/16.04 or CentOS7 installed and with internet connectivity), without
>> checking the detailed installers' install guides, just run one command and you
>> will get your environment ready.
>>
>> The simplest way to install an opnfv environment will be like:
>> `curl https://get.opnfv.org/ephrates/quickstart.sh | bash`.
>>
>> For each installer we may have one-command deploy like:
>> `curl https://get.opnfv.org/ephrates/compass/quickstart.sh | bash`
>>
>> Basic virtual deploy workflow:
>>
>> 1. Run command (e.g. `curl https://get.opnfv.org/ephrates/quickstart.sh
>> | bash`)
>> 2. Check environment
>> 3. Fetch supported installers and select one installer
>> 4. Generate the deploy command and execute
>> 5. Verify the deployed environment
>> 6. Deploy success
>>
>> For BareMetal deployment the workflow is almost the same; the only
>> difference is you need to prepare physical servers/switches, connect the
>> cables, set up the switches, create a pod-descriptor file, and run the
>> deploy command with the pod-descriptor file.
>>
>> The attached slide illustrates the initial idea, which was shared by
>> Justin at the OPNFV Summit in Beijing.
>> Here is the initial script patch: https://gerrit.opnfv.org/gerrit/#/c/36711/
>>
>> @Uli, I saw you've sent the latest infra working group meeting agenda in
>> the mailing list. Could you please include the topic in the infra working
>> group meeting agenda.
>>
>> Welcome feedback, comments, discussion here or at the infra working group
>> meeting.
>>
>> Best Regards,
>> Qi Liang
>>
>>
>>
>
>
> --
> Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
> e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
> 12 52 36 2483
>



-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


[opnfv-tech-discuss] Roll out of CI Gate Security (please read if PTL)

2017-06-29 Thread Luke Hinds
Hi,

Over the next 30 days we will be rolling out CI gate security checks (anteater)
to all projects.

The checks will be non-voting for the E release cycle, and voting for F, so
there is plenty of time for people to get used to what anteater reports on.

A full schedule can be seen here:
https://wiki.opnfv.org/display/INF/Project+Roll+Out+for+Anteater

All projects have been added, apart from those that are locked.

Some key points:

If anteater reports a failure, please add myself or someone from releng,
infra-wg as reviewers (handy way of notifying us).  We can then help create
an exception for you.

Each project will have its own exception file (think of this as a filter
that allows certain strings to pass unchallenged). For reference, you can
see how functest are starting to work with their own file [1]

[1] https://git.opnfv.org/releng-anteater/commit/exceptions/functest.yaml

Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


Re: [opnfv-tech-discuss] [Infra][Pharos][Releng][Octopus] Proposal to implement installers' quickstart wrapper scripts

2017-06-29 Thread Luke Hinds
Hi,

Don't want to detract from the topic, but please do not use curl | bash;
it's dangerous and if opnfv.org is ever compromised, scripts like this
could be used to back door all the PODs and test sites deployed by end
users.

If deploying a system this way, then use a checksum (with sha256 or
stronger) first to ensure the script has not been tampered with (I have
examples if some are needed).

Cheers,

Luke

On Thu, Jun 29, 2017 at 10:54 AM, liangqi (D) <liang...@huawei.com> wrote:

> Hi,
>
> In OPNFV we have 4 installers in the Danube release, and we will have more in
> the next release. Each of them supports multiple scenarios and has different
> user install steps. This is quite confusing and difficult to use,
> especially for newbies.
>
> In releng we already have scripts to trigger all installers' deploy and
> test, but the scripts are CI oriented, not user oriented.
>
> So I propose to implement wrapper scripts in releng to provide an easy way
> for people to try opnfv. With minimum requirements (a server with Ubuntu
> 14.04/16.04 or CentOS7 installed and with internet connectivity), without
> checking the detailed installers' install guides, just run one command and you
> will get your environment ready.
>
> The simplest way to install an opnfv environment will be like:
> `curl https://get.opnfv.org/ephrates/quickstart.sh | bash`.
>
> For each installer we may have one-command deploy like:
> `curl https://get.opnfv.org/ephrates/compass/quickstart.sh | bash`
>
> Basic virtual deploy workflow:
>
> 1. Run command (e.g. `curl https://get.opnfv.org/ephrates/quickstart.sh |
> bash`)
> 2. Check environment
> 3. Fetch supported installers and select one installer
> 4. Generate the deploy command and execute
> 5. Verify the deployed environment
> 6. Deploy success
>
> For BareMetal deployment the workflow is almost the same; the only
> difference is you need to prepare physical servers/switches, connect the
> cables, set up the switches, create a pod-descriptor file, and run the
> deploy command with the pod-descriptor file.
>
> The attached slide illustrates the initial idea, which was shared by Justin
> at the OPNFV Summit in Beijing.
> Here is the initial script patch: https://gerrit.opnfv.org/gerrit/#/c/36711/
>
> @Uli, I saw you've sent the latest infra working group meeting agenda in
> the mailing list. Could you please include the topic in the infra working
> group meeting agenda.
>
> Welcome feedback, comments, discussion here or at the infra working group
> meeting.
>
> Best Regards,
> Qi Liang
>
>
>


-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483
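The checksum-first alternative Luke asks for in this thread (download, verify with sha256 or stronger, and only then execute, instead of `curl URL | bash`), written out as an added Python example. This is not code from the thread, from the quickstart patch, or from any OPNFV installer; the URL, script body and pinned digest are constructed placeholders, the fetch function is injectable so the block runs offline, and the GPG --recv-key / --verify route from the later reply is the stronger option and is not implemented here.

```python
"""Added example, not code from this thread or from any OPNFV installer: the
download-then-verify pattern recommended above in place of `curl URL | bash`.

The script is fetched, its sha256 is compared with a digest pinned in the
calling repository, and only on a match is it written to a temporary file and
handed to an interpreter. The fetch function is injectable so the example runs
offline; the URL, digest and script body are constructed placeholders. A GPG
signature check (the --recv-key / --verify route mentioned in the thread) is
the stronger option and is not shown here.
"""
import hashlib
import os
import subprocess
import sys
import tempfile
import urllib.request


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def http_fetch(url: str, timeout: float = 30.0) -> bytes:
    """Real fetch for production use; not exercised by the offline demo."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def fetch_verified(url: str, expected_sha256: str, fetch=http_fetch) -> bytes:
    """Return the script bytes if they hash to the pinned digest, else raise.

    Nothing is written to disk or executed before the comparison, so a
    substituted script (compromised origin or mirror) is rejected, not run.
    """
    data = fetch(url)
    actual = sha256_hex(data)
    if actual != expected_sha256.lower():
        raise ValueError(
            f"checksum mismatch for {url}: expected {expected_sha256}, got {actual}"
        )
    return data


def run_verified_script(url: str, expected_sha256: str, fetch=http_fetch,
                        interpreter: str = "sh") -> int:
    """Fetch, verify, then run the script with `interpreter`; return its exit code."""
    data = fetch_verified(url, expected_sha256, fetch)
    with tempfile.NamedTemporaryFile("wb", suffix=".sh", delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        return subprocess.run([interpreter, path], check=False).returncode
    finally:
        os.unlink(path)


# Constructed sample: the published script and the digest as it would be
# pinned in the repo (computed here so the example is self-contained; in real
# use the hex string is committed next to the code that calls fetch_verified).
SAMPLE_URL = "https://get.example.invalid/quickstart.sh"  # placeholder URL
SAMPLE_SCRIPT = b"#!/bin/sh\necho 'quickstart: deploying'\n"
PINNED_SHA256 = sha256_hex(SAMPLE_SCRIPT)
TAMPERED_SCRIPT = SAMPLE_SCRIPT.replace(b"deploying", b"tampered")


def demo() -> tuple:
    """Offline walk-through: (genuine accepted, tampered rejected, exit code)."""
    accepted = fetch_verified(SAMPLE_URL, PINNED_SHA256,
                              fetch=lambda u: SAMPLE_SCRIPT) == SAMPLE_SCRIPT
    try:
        fetch_verified(SAMPLE_URL, PINNED_SHA256, fetch=lambda u: TAMPERED_SCRIPT)
        rejected = False
    except ValueError:
        rejected = True
    # Exercise the execute step with the Python interpreter so it runs anywhere.
    probe = b"raise SystemExit(3)\n"
    code = run_verified_script(SAMPLE_URL, sha256_hex(probe),
                               fetch=lambda u: probe, interpreter=sys.executable)
    return accepted, rejected, code


if __name__ == "__main__":
    print(demo())
```

The design point is the ordering: the digest is compared before anything reaches an interpreter, so a script altered at the origin (the scenario Luke raises for opnfv.org) fails closed. The digest has to live in the repository that calls this code, not next to the script on the same server, or an attacker who can replace one can replace both.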


[opnfv-tech-discuss] UK / London OPNFV meetup

2017-06-27 Thread Luke Hinds
Hi,

I would like to see if there is any interest in having a UK (possibly
London) OPNFV meetup.

This would be an informal event, either in a pub somewhere or some office
space if a kind donor appears. If it goes well, then we can build from
there.

I hope to see at least five + positives, to signify it's worth going ahead.

Times are flexible, but I figure September might be a good target, as it's
outside the summer holiday break period, but we will still have some
daylight kicking around.

Cheers,

Luke


Re: [opnfv-tech-discuss] [infra] Docker changes in Anteater

2017-06-27 Thread Luke Hinds
Thanks Trevor!

Just found a bug in my code now it's running, so patch on its way.

On Tue, Jun 27, 2017 at 8:14 PM, Trevor Bramwell <
tbramw...@linuxfoundation.org> wrote:

> Hey Luke,
>
> Thanks for the reviews! It looks like the patch[1] fixed the
> verification[2] and anteater is running again.
>
> Regards,
> Trevor Bramwell
>
> [1] https://gerrit.opnfv.org/gerrit/#/c/36601/
> [2] https://build.opnfv.org/ci/job/opnfv-security-audit-verify-master/148/console
>
> On Tue, Jun 27, 2017 at 05:15:40PM +0100, Luke Hinds wrote:
> > Hi Trevor,
> >
> > I am ok with going for #1
> >
> > It should not really be me approving patches in releng, so will let the
> > other cores chime in.
> >
> > For #2 I looked at your log and see what you mean. I cannot spot why a
> > normal user is allowed to install.
> >
> > This is what I get when trying to install on my home PC (arch linux):
> >
> > [Errno 13] Permission denied: '/usr/lib/python2.7/site-packages/
> >
> > Regards,
> >
> > Luke
> >
> >
> >
> > On Tue, Jun 27, 2017 at 5:04 PM, Trevor Bramwell <
> > tbramw...@linuxfoundation.org> wrote:
> >
> > > Hey Luke,
> > >
> > > I'm definitely opting for #1 and have a patch here[1]. This change can
> > > be moved into the docker container later to resolve your concerns about
> > > path changes.
> > >
> > > Unrelated to the specific change, there are two questions this raises
> > > which speak to the nature of our CI infra:
> > >
> > > 1. Why are docker build results not part of the verification for
> patchsets?
> > >
> > >If we don't provide feedback for docker builds (and also have the
> > >build/publish steps separate) how will the community know when their
> > >Dockerfile changes break builds?
> > >
> > > 2. How did the Docker build work for me locally but not on
> ericsson-build3?
> > >
> > >I've attached my build log and compared it to the last build[2], but
> > >no major differences jump out to me. The only differences I saw
> > >between the docker environments was a newer version of Go running on
> > >ericsson-build3.
> > >
> > > Regards,
> > > Trevor Bramwell
> > >
> > > [1] https://gerrit.opnfv.org/gerrit/#/c/36601/
> > > [2] https://build.opnfv.org/ci/job/releng-anteater-docker-build-push-master/14/console
> > >
> > > On Tue, Jun 27, 2017 at 01:50:15PM +0100, Luke Hinds wrote:
> > > > Hi,
> > > >
> > > > Patch [1] resulted in docker build failing due to a non-root user not
> > > > having permissions to write to /usr/lib/python2.7, as seen in job
> [2]. To
> > > > address this I opened [3] and pushed patch [4] which implements a
> > > > virtualenv, but this now fails as the anteater path is not known.
> > > >
> > > > There are two ways to resolve this.
> > > >
> > > > 1. We hardcode the path to anteater in anteater's jjb scripts.
> > > > 2. We revert back to running docker as before (root) user.
> > > >
> > > > I guess 1 makes sense, but has some risk if the POSIX path were to
> > > change.
> > > > For '2' I am not opposed as I don't see any security risk running the
> > > > commands as root in the container. As I understand, this is a create
> /
> > > > destroy scenario with no data persisting in any volumes or pulled in
> > > > externally. Looking around others such as functest also run as root
> to
> > > > create their needed env.
> > > >
> > > > [1] https://gerrit.opnfv.org/gerrit/#/c/36325/
> > > > [2]
> > > > https://build.opnfv.org/ci/job/releng-anteater-docker-build-push-master/14/console
> > > > [3] https://jira.opnfv.org/browse/RELENG-260
> > > > [4] https://gerrit.opnfv.org/gerrit/#/c/36571
> > > > [5]
> > > > https://build.opnfv.org/ci/job/opnfv-security-audit-verify-master/133/console
> > > >
> > > > --
> > > > Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
> > > > e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84
> |
> > > t: +44
> > > > 12 52 36 2483
> > >
> >
> >
> >
> > --
> > Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
> > e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 |
> t: +44
> > 12 52 36 2483
>



-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


Re: [opnfv-tech-discuss] [infra] Docker changes in Anteater

2017-06-27 Thread Luke Hinds
Hi Trevor,

I am ok with going for #1

It should not really be me approving patches in releng, so will let the
other cores chime in.

For #2 I looked at your log and see what you mean. I cannot spot why a
normal user is allowed to install.

This is what I get when trying to install on my home PC (arch linux):

[Errno 13] Permission denied: '/usr/lib/python2.7/site-packages/

Regards,

Luke



On Tue, Jun 27, 2017 at 5:04 PM, Trevor Bramwell <
tbramw...@linuxfoundation.org> wrote:

> Hey Luke,
>
> I'm definitely opting for #1 and have a patch here[1]. This change can
> be moved into the docker container later to resolve your concerns about
> path changes.
>
> Unrelated to the specific change, there are two questions this raises
> which speak to the nature of our CI infra:
>
> 1. Why are docker build results not part of the verification for patchsets?
>
>If we don't provide feedback for docker builds (and also have the
>build/publish steps separate) how will the community know when their
>Dockerfile changes break builds?
>
> 2. How did the Docker build work for me locally but not on ericsson-build3?
>
>I've attached my build log and compared it to the last build[2], but
>no major differences jump out to me. The only differences I saw
>between the docker environments was a newer version of Go running on
>ericsson-build3.
>
> Regards,
> Trevor Bramwell
>
> [1] https://gerrit.opnfv.org/gerrit/#/c/36601/
> [2] https://build.opnfv.org/ci/job/releng-anteater-docker-build-push-master/14/console
>
> On Tue, Jun 27, 2017 at 01:50:15PM +0100, Luke Hinds wrote:
> > Hi,
> >
> > Patch [1] resulted in docker build failing due to a non-root user not
> > having permissions to write to /usr/lib/python2.7, as seen in job [2]. To
> > address this I opened [3] and pushed patch [4] which implements a
> > virtualenv, but this now fails as the anteater path is not known.
> >
> > There are two ways to resolve this.
> >
> > 1. We hardcode the path to anteater in anteater's jjb scripts.
> > 2. We revert back to running docker as before (root) user.
> >
> > I guess 1 makes sense, but has some risk if the POSIX path were to
> change.
> > For '2' I am not opposed as I don't see any security risk running the
> > commands as root in the container. As I understand, this is a create /
> > destroy scenario with no data persisting in any volumes or pulled in
> > externally. Looking around others such as functest also run as root to
> > create their needed env.
> >
> > [1] https://gerrit.opnfv.org/gerrit/#/c/36325/
> > [2]
> > https://build.opnfv.org/ci/job/releng-anteater-docker-build-push-master/14/console
> > [3] https://jira.opnfv.org/browse/RELENG-260
> > [4] https://gerrit.opnfv.org/gerrit/#/c/36571
> > [5]
> > https://build.opnfv.org/ci/job/opnfv-security-audit-verify-master/133/console
> >
> > --
> > Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
> > e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 |
> t: +44
> > 12 52 36 2483
>



-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


[opnfv-tech-discuss] [infra] Docker changes in Anteater

2017-06-27 Thread Luke Hinds
Hi,

Patch [1] resulted in docker build failing due to a non-root user not
having permissions to write to /usr/lib/python2.7, as seen in job [2]. To
address this I opened [3] and pushed patch [4] which implements a
virtualenv, but this now fails as the anteater path is not known.

There are two ways to resolve this.

1. We hardcode the path to anteater in anteater's jjb scripts.
2. We revert back to running docker as before (root) user.

I guess 1 makes sense, but has some risk if the POSIX path were to change.
For '2' I am not opposed as I don't see any security risk running the
commands as root in the container. As I understand, this is a create /
destroy scenario with no data persisting in any volumes or pulled in
externally. Looking around others such as functest also run as root to
create their needed env.

[1] https://gerrit.opnfv.org/gerrit/#/c/36325/
[2]
https://build.opnfv.org/ci/job/releng-anteater-docker-build-push-master/14/console
[3] https://jira.opnfv.org/browse/RELENG-260
[4] https://gerrit.opnfv.org/gerrit/#/c/36571
[5]
https://build.opnfv.org/ci/job/opnfv-security-audit-verify-master/133/console

-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


Re: [opnfv-tech-discuss] [infra][releng] verify-status plugin for gerrit

2017-06-26 Thread Luke Hinds
Hi Julien,

Looks interesting, I loaded it into chrome, but did not see any difference
- that might be from other extensions running though.

I think on the whole this is a cool addon, but I would still prefer we use
the plugin (if agreed), that way we can support users also on safari and
firefox. It also saves people hitting different issues if they run other
extensions (ublock etc).

Good work though.

Luke


On Sun, Jun 25, 2017 at 1:15 PM, Julien <julien...@gmail.com> wrote:

> Hi Luke,
>
> To avoid importing new plugins into the gerrit server, my team has
> developed a local plugin for chrome, which can implement the same features
> as the Openstack Infra team does. We use most of the code from Openstack
> Infra.
> This plugin is at https://chrome.google.com/webstore/detail/jenkins-jobs-show-in-gerr/mhdfkoddkdgcfmmhljfhekpadgmniagd.
> It is open source also, please refer to: https://github.com/openzero-team/toggle-ci .
> Wen juan is responsible for the plugin development.
>
> Currently, it can filter out the CI results, but the job execution table is
> not shown in the gerrit main page. I think there are some configuration
> differences between the Openstack and OPNFV gerrit systems. If we want to get
> a better effect, I remember some configuration changes would be introduced in
> gerrit.config. It is supported in our local gerrit system. I just don't
> remember the details and will give the changes tomorrow.
>
> Aric, what's your opinion about this feature?
>
> BR/Julien
>
> Luke Hinds <lhi...@redhat.com> wrote on Sun, 25 Jun 2017 at 7:01 PM:
>
>> Have we considered using the verify-status plugin for gerrit?
>>
>> I feel this may be a useful addition and will make it easier to visually
>> separate user comments from ci-voting jobs.
>>
>> There is a screencapture on the following documentation link that shows
>> the difference that it makes.
>>
>> https://gerrit.googlesource.com/plugins/verify-status/+doc/master/src/main/resources/Documentation/about.md
>>
>> --
>> Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
>> e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 |
>> t: +44 12 52 36 2483
>> ___
>> opnfv-tech-discuss mailing list
>> opnfv-tech-discuss@lists.opnfv.org
>> https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
>>
>


-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


[opnfv-tech-discuss] [infra][releng] verify-status plugin for gerrit

2017-06-25 Thread Luke Hinds
Have we considered using the verify-status plugin for gerrit?

I feel this may be a useful addition and will make it easier to visually
separate user comments from ci-voting jobs.

There is a screencapture on the following documentation link that shows the
difference that it makes.

https://gerrit.googlesource.com/plugins/verify-status/+doc/master/src/main/resources/Documentation/about.md

-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


[opnfv-tech-discuss] Anteater Presentation

2017-06-21 Thread Luke Hinds
Hello *,

I put together some slides (pdf) on Anteater, which we rigged into our CI
build process during the summit.

http://lukehinds.com/presentations/anteater.pdf

If anyone is unsure of what Anteater is:

1. It scans git patches for potential malicious strings or binaries.

2. If a potential malicious object is identified, it is *blocked from
merging until reviewed.

* blocked as in -1 gerrit review

This is now running on releng, with other projects being phased in each
week.

As said before, this will be non voting for E release to allow developers
to get used to working with the tool.

We are also just on the verge of submission of the tool to PyPI to allow
developers to test and validate patches locally.

Contributions are also welcome. I am pleased to see there are now five
developers from four different companies who are submitting patches to
anteater.

Cheers,

Luke

-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


Re: [opnfv-tech-discuss] [releng][docs] Anteater checks

2017-06-19 Thread Luke Hinds
Hi Yolanda,

RST files (docs) should have a licence, see 'Documentation' on
https://wiki.opnfv.org/display/DEV/Contribution+Guidelines#ContributionGuidelines-GeneralCodeheaders

I think the question is more if a README.rst should have a license header.

I agree with you and think not, as they are often rendered on github / pypi
etc.

Cheers,

Luke

On Mon, Jun 19, 2017 at 11:12 AM, Yolanda Robla Mota <yrobl...@redhat.com>
wrote:

> Hi, good morning
> In the recent checks from the Anteater project, I've seen an alert coming,
> asking about a missing license header on a README file.
> See: https://gerrit.opnfv.org/gerrit/#/c/35731/ , Jenkins Ericsson
> feedback on patchset 3.
>
> None of our rst files have a license header there, and I'd say it's
> uncommon to add license headers to rst files.
> What do people think about it? Shall we add this check to rst files, or
> limit those to source code files (python, ruby, java, bash, etc...)?
>
> Thanks in advance for the feedback!
>
> --
>
> Yolanda Robla Mota
>
> Principal Software Engineer, RHCE
>
> Red Hat
>
> <https://www.redhat.com>
>
> C/Avellana 213
>
> Urb Portugal
>
> yrobl...@redhat.com  M: +34605641639
> <http://redhatemailsignature-marketing.itos.redhat.com/>
> <https://red.ht/sig>
>



-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


Re: [opnfv-tech-discuss] [infra] [security] Wiki page for Anteater

2017-06-01 Thread Luke Hinds
YAML file that is used by a
>script/installer to install dependencies. While as noted above it would be
>good to be as clever (whether good or bad clever) as the script designers
>so that we could develop a profile of what is actually included/used in
>OPNFV deploys, this would be an incredibly complex undertaking, that I am
>not sure we are staffed for as a project.
>
The tool can cover any retrieval method, be that curl, wget, git (or any
others) and as shown above we can go as detailed as we need and drill down
to a specific parent repo:

 "git (.*)\\.openstack\\.org\openstack-helm"


>
>
> Overall I am reluctant to approve a tool that mixes the dual intent of
> license checks and trust, using an ultimately superficial method. I would
> not want the community to give any impression that we had done a good and
> thorough job on this, without actually doing it.
>
>
>

I am not strongly opinionated on the license functionality, I added it as
there was a strong interest at the plugfest.

Also thanks for the feedback, as said I recommend coming along to the
session at the summit.



> Thanks,
>
> Bryan Sullivan | AT&T
>
>
>
> *From:* Luke Hinds [mailto:lhi...@redhat.com]
> *Sent:* Thursday, May 18, 2017 1:17 PM
> *To:* SULLIVAN, BRYAN L <bs3...@att.com>
> *Cc:* opnfv-tech-discuss <opnfv-tech-discuss@lists.opnfv.org>;
> degirmenci, fatih <fatih.degirme...@ericsson.com>; Ulrich Kleber <
> ulrich.kle...@huawei.com>; Jack Morgan <jack.mor...@intel.com>; Ashlee
> Young (Ash) <ashleeyo...@huawei.com>
> *Subject:* Re: [opnfv-tech-discuss] [infra] [security] Wiki page for
> Anteater
>
>
>
>
>
>
>
> On Thu, May 18, 2017 at 6:25 PM, SULLIVAN, BRYAN L <bs3...@att.com> wrote:
>
> Luke,
>
>
>
> I assume that the edits I made to the page are acceptable. I see that
> further edits have been made.
>
>
>
> I added some additional extensions to the list of standard binary artifact
> types that are allowed (doc, docx, ppt, pptx). I suggest we scan the
> current repos to see how prevalent binaries are, and what types there are
> before we kick this off. I would suggest that it start out allowing
> anything that is currently there, and we can back off the list, and add
> project-specific exceptions as we get more experience with why/how we would
> want to restrict/assess binaries more. Some examples might include:
>
>- Any situations that we can detect, in which binaries might have
>questionable/risky content. This would imply e.g. a virus etc scan of the
>binaries, or a license scan.
>- If we want to encourage projects to include only certain types of
>binaries (not sure how or why). Using this tool as a hoop that projects
>would have to jump thru (however easy) to encourage sticking to certain
>content types, seems pretty useless.
>
>
>
> The goal is that as this rolls out, we do not impede any commits at start,
> rather we gather information about what **may** need to change in the
> repos, and when ready we back off the exceptions or make them project
> specific.
>
>
>
>
>
> We discussed implementation approaches at the hackfest and arrived at a
> similar phased approach:
>
>
>
> Perform daily or weekly scans for projects that are there only to inform,
> not enforce.
>
>
>
> Implement the gate checks for E release as non voting (on new patches
> only).
>
>
>
> At F release it becomes voting, but only on each new patch set.
>
>
>
> I have reserved a session at the summit for discussion around the tool and
> what direction we should take.
>
>
>
>
>
>
>
> I would like to see some more features added to the process though. The
> cursory license check is OK for code contributed to OPNFV, but just as
> important is any reference to code that the submitted code interfaces with.
> So we need to be able to scan the references to ensure that the
> contribution and its references are compatible under OPNFV’s policy. For
> example:
>
>- It is acceptable for an OPNFV-hosted module to be Eclipse licensed,
>and import a GPL-licensed module’s interfaces (example: the VES collectd
>plugin in the Barometer project: https://git.opnfv.org/barometer/tree/3rd_party/collectd-ves-plugin/ves_plugin/ves_plugin.py).
>- It would **not** be acceptable for the VES collectd plugin to be 

[opnfv-tech-discuss] [infra] Anteater code reviews

2017-05-25 Thread Luke Hinds
Hi All,

If any of you could help review the following code, please do so:

https://gerrit.opnfv.org/gerrit/#/c/34901/

Regards,

Luke


Re: [opnfv-tech-discuss] [infra] [security] Wiki page for Anteater

2017-05-18 Thread Luke Hinds
o all now, and not just you Bryan who I know is already savvy on
the topic.

This is an interesting write up on the level of people we very likely have
taking an interest in our code and build systems already:
https://medium.com/@chrismcnab/alexseys-ttps-1204d9050551 - It's a scary
read and a good view of the current landscape.



> We may need to incorporate additional tools e.g. Fossology or proprietary
> toolchains (e.g. Blackduck – we should see if we can get an Open Source
> project use license from them).
>
>
>
> Thanks,
>
> Bryan Sullivan | AT&T
>
>
>
> *From:* opnfv-tech-discuss-boun...@lists.opnfv.org [mailto:
> opnfv-tech-discuss-boun...@lists.opnfv.org] *On Behalf Of *Luke Hinds
> *Sent:* Wednesday, May 17, 2017 11:22 AM
> *To:* opnfv-tech-discuss <opnfv-tech-discuss@lists.opnfv.org>;
> degirmenci, fatih <fatih.degirme...@ericsson.com>; Ulrich Kleber <
> ulrich.kle...@huawei.com>; Jack Morgan <jack.mor...@intel.com>; Ashlee
> Young (Ash) <ashleeyo...@huawei.com>
> *Subject:* [opnfv-tech-discuss] [infra] [security] Wiki page for Anteater
>
>
>
> I have pushed up the code for anteater (releng-anteater) and have added a
> lot more body to the wiki page for anyone interested in the project [1].
> This will also become release worthy documentation forthcoming, once I have
> got a feel for what needs communicating and used feedback to gather an FAQ.
>
>
>
> It is worth PTLs / committers getting familiar with writing your own regex
> over the coming E release cycle, as you might find Anteater falsely reports
> a string / binary etc, and you need to commit a patch with a project
> waiver.
>
>
>
> For more details on this, see the wiki section 'Anteater Has Blocked my
> patch, what should I do?'
>
>
>
> Anteater is planned to be non-voting for E-release, and voting for F.
>
>
>
> If anyone knows of security folk / researchers who can help add new
> entries to the string blacklists, please encourage them to contribute.
> Same for general code contributions as well.
>
>
>
> [1] https://wiki.opnfv.org/pages/viewpage.action?pageId=10294496
>
>
>
>
>
> --
>
> Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
>
> e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t:
> +44 12 52 36 2483
>



-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


[opnfv-tech-discuss] [infra] [security] Wiki page for Anteater

2017-05-17 Thread Luke Hinds
I have pushed up the code for anteater (releng-anteater) and have added a
lot more body to the wiki page for anyone interested in the project [1].
This will also become release worthy documentation forthcoming, once I have
got a feel for what needs communicating and used feedback to gather an FAQ.

It is worth PTLs / committers getting familiar with writing your own regex
over the coming E release cycle, as you might find Anteater falsely reports
a string / binary etc, and you need to commit a patch with a project
waiver.

For more details on this, see the wiki section 'Anteater Has Blocked my
patch, what should I do?'

Anteater is planned to be non-voting for E-release, and voting for F.

If anyone knows of security folk / researchers who can help add new
entries to the string blacklists, please encourage them to contribute.
Same for general code contributions as well.

[1] https://wiki.opnfv.org/pages/viewpage.action?pageId=10294496


-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t:
+44 12 52 36 2483
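The gate behaviour described in the Anteater messages above (scan the patch for potential malicious strings or binaries, -1 until reviewed, and let a project commit a regex waiver for false positives such as the repo-specific `git ... openstack-helm` pattern quoted in the earlier reply to Bryan), as an added example in Python. This is not Anteater's own code or its configuration format: the blacklist patterns, the `releng/*` waiver, `gerrit.opnfv.org` as the trusted clone origin, the allowed binary extensions and the sample patch are all constructed assumptions for this example.

```python
"""Gate-style scan of a git patch for blacklisted strings and unexpected
binaries, with per-project waivers, in the spirit of the Anteater checks
described above.  Added example, not Anteater's own code or config format:
the pattern lists, the waiver layout and the sample patch are constructed."""
import fnmatch
import os
import re

# Strings a reviewer should look at before merge (constructed list): remote
# fetches piped straight into a shell, and clones from outside the project's
# own gerrit (assumed here to be gerrit.opnfv.org).
BLACKLIST = {
    "fetch piped to shell": re.compile(
        r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b"),
    "external git clone": re.compile(
        r"\bgit\s+clone\s+(?!https://gerrit\.opnfv\.org/)\S+"),
}
# Project waivers: file glob -> patterns a committer has reviewed and accepted
# (the "patch with a project waiver" from the thread).  The regex drills down
# to one parent repo, like the openstack-helm example quoted above.
WAIVERS = {
    "releng/*": [re.compile(
        r"git\s+clone\s+https://git\.openstack\.org/openstack/openstack-helm\b")],
}
# Binary types accepted as ordinary project content (constructed; the thread
# discusses extending such a list with doc/docx/ppt/pptx).
ALLOWED_BINARY_EXT = {".png", ".jpg", ".jpeg", ".gif", ".pdf",
                      ".doc", ".docx", ".ppt", ".pptx"}

BINARY_RE = re.compile(r"^Binary files \S+ and b/(\S+) differ")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)")


def added_lines(patch):
    """Yield (path, new_line_no, text) for every line the unified diff adds."""
    path, new_no, in_hunk = None, 0, False
    for raw in patch.splitlines():
        if raw.startswith("diff --git "):
            in_hunk = False
        elif not in_hunk and raw.startswith("+++ "):
            path = raw[4:].split("\t")[0]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("@@"):
            m = HUNK_RE.match(raw)
            new_no, in_hunk = (int(m.group(1)) if m else 0), True
        elif in_hunk and raw.startswith("+"):
            yield path, new_no, raw[1:]
            new_no += 1
        elif in_hunk and raw.startswith(" "):
            new_no += 1          # context line: present in the new file too
        # "-" lines exist only in the old file and do not advance new_no


def binary_files(patch):
    """Paths of files git reports as binary in the patch."""
    return [m.group(1) for m in map(BINARY_RE.match, patch.splitlines()) if m]


def is_waived(path, text):
    """True when a project waiver covers this file and this exact string."""
    return any(fnmatch.fnmatch(path, glob) and any(p.search(text) for p in pats)
               for glob, pats in WAIVERS.items())


def scan_patch(patch):
    """Return (path, line_no, label) findings; line_no is 0 for binary files."""
    findings = []
    for path, no, text in added_lines(patch):
        for label, pat in BLACKLIST.items():
            if pat.search(text) and not is_waived(path, text):
                findings.append((path, no, label))
    for path in binary_files(patch):
        if os.path.splitext(path)[1].lower() not in ALLOWED_BINARY_EXT:
            findings.append((path, 0, "binary file"))
    return findings


def gate_vote(findings):
    """-1 blocks the change until a human reviews it, as the thread describes."""
    return -1 if findings else 1


# Constructed sample patch: one waived clone, one unreviewed clone, one
# fetch piped to a shell, an allowed image and an unexpected binary.
SAMPLE_PATCH = """\
diff --git a/releng/jjb/fetch.sh b/releng/jjb/fetch.sh
--- a/releng/jjb/fetch.sh
+++ b/releng/jjb/fetch.sh
@@ -1,3 +1,6 @@
 #!/bin/bash
 set -e
+git clone https://git.openstack.org/openstack/openstack-helm
+git clone https://github.com/example/unreviewed-tool
+curl -sL https://example.invalid/setup.sh | bash
 echo done
diff --git a/docs/logo.png b/docs/logo.png
Binary files /dev/null and b/docs/logo.png differ
diff --git a/tools/helper.bin b/tools/helper.bin
Binary files /dev/null and b/tools/helper.bin differ
"""

if __name__ == "__main__":
    for f in scan_patch(SAMPLE_PATCH):
        print("%s:%d: %s" % f)
    print("vote:", gate_vote(scan_patch(SAMPLE_PATCH)))
```

The waiver is deliberately keyed on both the file glob and the exact string, so a waiver written for one repository URL in `releng` does not silently cover a different clone target or the same string in another project; only the waived `openstack-helm` clone passes, while the unreviewed clone, the pipe-to-shell line and the `.bin` file each produce a finding and the vote is -1.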


Re: [opnfv-tech-discuss] [infra] License checks in CI

2017-04-21 Thread Luke Hinds
On Fri, Apr 21, 2017 at 5:34 AM, SULLIVAN, BRYAN L <bs3...@att.com> wrote:

> Luke, is the “and others.” required? If only one contributor has
> contributed to the code for a module, “and others” seems to be superfluous.
> So far, I have not seen specific guidance that this is required.
>
>
>

I am using the text recommendations on the wiki [1], and don't really have
an opinion on this myself. Whichever is preferred I can implement.


> Also, does the tool support the abbreviated license form?
>
>
>

Is that like Ray's example above? If so, it can do; I just need to know the
text to check for.

 [1] https://wiki.opnfv.org/display/DEV/Contribution+Guidelines


> Thanks,
>
> Bryan Sullivan | AT&T
>
>
>
> *From:* Luke Hinds [mailto:lhi...@redhat.com]
> *Sent:* Thursday, April 20, 2017 7:44 AM
> *To:* SULLIVAN, BRYAN L <bs3...@att.com>; Raymond Paik <
> rp...@linuxfoundation.org>; Ash Young <a...@yunify.org>; gang chi <
> justin.chig...@gmail.com>; opnfv-tech-discuss@lists.opnfv.org
> *Subject:* [infra] License checks in CI
>
>
>
> We have licence checking code staged for CI.
>
> 2017-04-20 15:27:43,197 - anteater.src.scan_tasks - INFO - Running Licence
> Check on: insecure-test-repo
> 2017-04-20 15:27:43,198 - anteater.src.scan_tasks - INFO - Licence Check
> passed for: /home/luke/ant_repos/insecure-python/path_traversal.py
> 2017-04-20 15:27:43,198 - anteater.src.scan_tasks - INFO - Licence Check
> passed for: /home/luke/ant_repos/insecure-python/shell_true.py
> 2017-04-20 15:27:43,198 - anteater.src.scan_tasks - ERROR - No License
> file within: /home/luke/ant_repos/insecure-python/tmp_path.py
> 2017-04-20 15:27:43,198 - anteater.src.scan_tasks - ERROR - No License
> file within: /home/luke/ant_repos/insecure-python/shell_true2.py
>
> It will search for the complete Apache 2.0 block, but will filter out text
> between:
>
> Copyright (c) 2017  and others
>
> ...As this is where an author adds unique fields, such as name, company,
> email.
>
> So this will pass for a python / bash file:
>
>   ##
>   # Copyright (c) 2017 Donald Duck [dd...@warnerbros.com] and others.
>   #
>   # All rights reserved. This program and the accompanying materials
>   # are made available under the terms of the Apache License, Version 2.0
>   # which accompanies this distribution, and is available at
>   # http://www.apache.org/licenses/LICENSE-2.0
>   ##
>
> So as long as someone uses the license format from the developers wiki or
> by means of Justin's license script [1], it will pass the gate. Any
> deviation from this, will get a -1 (when this is implemented at gate).
>
> I am planning on getting this rigged into CI during plugfest week. If
> anyone is interested or wants a demo, come by and say hello.
>
> [1] https://github.com/Justin-chi/Lab/blob/master/add_license.sh
>


Re: [opnfv-tech-discuss] [infra] License checks in CI

2017-04-21 Thread Luke Hinds
On Fri, Apr 21, 2017 at 4:44 AM, Raymond Paik <rp...@linuxfoundation.org>
wrote:

> Thanks Luke. This is cool...
>
> In case people use the SPDX identifier, could you check for the following
> as well?
>

This should be possible, I will try a few things out.


>
>   ##
>   # Copyright (c) 2017 Donald Duck [dd...@warnerbros.com] and others.
>   #
>   # All rights reserved. This program and the accompanying materials
>   # are made available under the terms of the Apache License, Version 2.0
>   # which accompanies this distribution, and is available at
>   # SPDX-License-Identifier: Apache-2.0
>   ##
>
> Also, is this meant to only check code or can we also check license in
> docs (e.g. Creative Commons 4.0)?
>
>
Plan to cover all languages (c/c++, java, python and shell scripts) and RST
(CC 4.0) and Unix style patches.


> Cheers,
>
> Ray
>
> On Thu, Apr 20, 2017 at 6:41 PM, Ash Young <a...@yunify.org> wrote:
>
>> Cool! I'm gonna check it out. Have a new version of PMD to also factor
>> into this.
>>
>> On Thu, Apr 20, 2017 at 9:43 AM, Luke Hinds <lhi...@redhat.com> wrote:
>>
>>> We have licence checking code staged for CI.
>>>
>>> 2017-04-20 15:27:43,197 - anteater.src.scan_tasks - INFO - Running
>>> Licence Check on: insecure-test-repo
>>> 2017-04-20 15:27:43,198 - anteater.src.scan_tasks - INFO - Licence Check
>>> passed for: /home/luke/ant_repos/insecure-python/path_traversal.py
>>> 2017-04-20 15:27:43,198 - anteater.src.scan_tasks - INFO - Licence Check
>>> passed for: /home/luke/ant_repos/insecure-python/shell_true.py
>>> 2017-04-20 15:27:43,198 - anteater.src.scan_tasks - ERROR - No License
>>> file within: /home/luke/ant_repos/insecure-python/tmp_path.py
>>> 2017-04-20 15:27:43,198 - anteater.src.scan_tasks - ERROR - No License
>>> file within: /home/luke/ant_repos/insecure-python/shell_true2.py
>>>
>>> It will search for the complete Apache 2.0 block, but will filter out
>>> text between:
>>>
>>> Copyright (c) 2017  and others
>>>
>>> ...As this is where an author adds unique fields, such as name, company,
>>> email.
>>>
>>> So this will pass for a python / bash file:
>>>
>>>   ##
>>>   # Copyright (c) 2017 Donald Duck [dd...@warnerbros.com] and others.
>>>   #
>>>   # All rights reserved. This program and the accompanying materials
>>>   # are made available under the terms of the Apache License, Version 2.0
>>>   # which accompanies this distribution, and is available at
>>>   # http://www.apache.org/licenses/LICENSE-2.0
>>>   ##
>>>
>>> So as long as someone uses the license format from the developers wiki
>>> or by means of Justin's license script [1], it will pass the gate. Any
>>> deviation from this, will get a -1 (when this is implemented at gate).
>>>
>>> I am planning on getting this rigged into CI during plugfest week. If
>>> anyone is interested or wants a demo, come by and say hello.
>>>
>>> [1] https://github.com/Justin-chi/Lab/blob/master/add_license.sh
>>>
>>> --
>>> Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
>>> e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 |
>>> t: +44 12 52 36 2483
>>>
>>
>>
>


-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483
___
opnfv-tech-discuss mailing list
opnfv-tech-discuss@lists.opnfv.org
https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss


Re: [opnfv-tech-discuss] Add license information for files without them

2017-04-19 Thread Luke Hinds
Just found this thread again after searching my inbox for something else.

So I am prototyping this at the moment.  I plan to do the following...

Each file that is held at gate will be checked to see what sort of file
extension it has (.py, .java, .c etc.), and then a check will be made to make
sure it has an Apache 2.0 License in place. I check for the file
extensions because, of course, bash and python use # comment blocks, java
uses /* */ and so on, and there are different shebangs I might need to
filter out.

I plan to get this rigged into gate with infra's help during the plugfest.

On Wed, Feb 22, 2017 at 6:42 AM, Raymond Paik <rp...@linuxfoundation.org>
wrote:

> Sorry I missed this over the long weekend (here in the US).
>
> I think what Luke is suggesting is independent of the license scanning
> tool.  If Luke's security scanning tool can be extended to flag files
> without license headers, that could be helpful.  Of course we'd need to
> filter out false positives (e.g. image files that will not have license
> headers)
>
> Thanks,
>
> Ray
>
> On Sat, Feb 18, 2017 at 2:57 PM, Yujun Zhang (ZTE) <
> zhangyujun+...@gmail.com> wrote:
>
>> +2 for gate check instead of reminding by Email.
>>
>> It seems Ray has used another tool for license scanning.
>> Luke Hinds <lhi...@redhat.com>于2017年2月19日 周日06:32写道:
>>
>>> If its useful we could add something to our gate to check for license
>>> text? We are trialling a system that checks for private keys, secrets and
>>> blobs being pushed to repos, I could look to extend this to perform a
>>> license check too?
>>>
>>> On Sat, Feb 18, 2017 at 5:27 PM, Yujun Zhang (ZTE) <
>>> zhangyujun+...@gmail.com> wrote:
>>>
>>> The script works great in qtip repo[1]. Thanks a lot, Justin.
>>>
>>> A few comments for improvements
>>>
>>>
>>>1. add license to this script itself so people know how to
>>>contribute. By default, it is proprietary.
>>>2. ignore __init__.py as indicated in OPNFV contribution
>>>guidelines[2]. A workaround is `git checkout **/__init__.py` after
>>>processing.
>>>3. use company name mapping in stackalytics[3]. I believe it covers
>>>most contributors in OPNFV
>>>4. rename the repo. It is strange to fork a repo named Lab to
>>>other account.
>>>
>>>
>>> [1]: https://gerrit.opnfv.org/gerrit/#/c/29029/
>>> [2]: https://wiki.opnfv.org/display/DEV/Contribution+Guidelines
>>> [3]: http://git.openstack.org/cgit/openstack/stackalytics/tree/etc/default_data.json#n23439
>>>
>>> On Fri, Feb 17, 2017 at 10:52 AM gang chi <justin.chig...@gmail.com>
>>> wrote:
>>>
>>> Hi,
>>>
>>> I think most of the teams have received a mail from Ray, who told me there are
>>> over a hundred files without a License in the Compass4nfv repo. I think some teams
>>> may have the same issue as me,
>>> so I share my script to generate license headers for OPNFV repos.
>>>
>>> https://github.com/Justin-chi/Lab/blob/master/add_license.sh
>>>
>>> Here is result of the script: https://gerrit.opnfv.org/gerrit/#/c/28885/
>>>
>>> Hope it works for you.
>>>
>>> Regards
>>> Justin
>>>
>>> --
>>> Yujun Zhang
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
>>> e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 |
>>> t: +44 12 52 36 2483
>>>
>> --
>> Yujun Zhang
>>
>>
>>
>


-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483
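The header check described in this mail and in the later "licence checking code staged for CI" mail above, written out as an added Python example: pick the comment syntax from the file extension, drop the shebang, filter out the author-specific "Copyright (c) <year> ... and others" line, and then require the Apache 2.0 block verbatim, skipping image files and __init__.py. This is illustrative code, not Anteater's own implementation. The block wording is taken from the header quoted in the thread; the extension table, the function names (`normalise`, `classify`, `scan_tree`) and the sample files are assumptions constructed for the example.

```python
"""License-header gate check: normalise each file's comment syntax by extension,
drop the author-specific copyright line, then require the Apache 2.0 block verbatim.
Added example; not Anteater's own implementation."""
import re
import sys
from pathlib import Path

# The block every file must carry, with whitespace collapsed. Wording taken from
# the header quoted in the thread; the copyright line is handled separately.
APACHE_BLOCK = (
    "All rights reserved. This program and the accompanying materials "
    "are made available under the terms of the Apache License, Version 2.0 "
    "which accompanies this distribution, and is available at "
    "http://www.apache.org/licenses/LICENSE-2.0"
)

# Leading comment marker per extension (assumed table). Shell/Python/YAML use '#',
# C-family and Java use '/* ... */' or '//'.
C_STYLE = r"(?:/\*+|\*+/|\*|//)"
COMMENT_MARKER = {
    ".py": r"#", ".sh": r"#", ".yml": r"#", ".yaml": r"#",
    ".c": C_STYLE, ".h": C_STYLE, ".cpp": C_STYLE, ".java": C_STYLE,
}
SKIP_NAMES = {"__init__.py"}                       # per the contribution guidelines
SKIP_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".svg", ".pdf"}

# The author-specific line: everything from "Copyright (c) <year>" to "and others".
COPYRIGHT_RE = re.compile(r"copyright\s*\(c\)\s*\d{4}.*?\band others\b\.?", re.I | re.S)
# Lines made only of comment decoration, e.g. "####" or " */".
DECORATION_RE = re.compile(r"[#*/=\-\s]*")


def normalise(text, suffix):
    """Strip shebang, comment markers and decoration, join lines, drop the copyright line."""
    marker = re.compile(r"^\s*" + COMMENT_MARKER[suffix] + r"\s?")
    kept = []
    for line in text.splitlines():
        if line.startswith("#!"):
            continue
        line = marker.sub("", line, count=1).strip()
        if DECORATION_RE.fullmatch(line):
            continue
        kept.append(line)
    flat = COPYRIGHT_RE.sub(" ", " ".join(kept))
    return re.sub(r"\s+", " ", flat).strip()


def has_apache_header(text, suffix):
    return APACHE_BLOCK in normalise(text, suffix)


def classify(name, text):
    """'pass', 'fail' or 'skip' for one file; only the name and contents matter."""
    p = Path(name)
    if p.name in SKIP_NAMES or p.suffix in SKIP_SUFFIXES or p.suffix not in COMMENT_MARKER:
        return "skip"
    return "pass" if has_apache_header(text, p.suffix) else "fail"


def scan_tree(root):
    """Walk a checkout (ignoring .git) and return {path: verdict}."""
    results = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and ".git" not in p.parts:
            text = p.read_text(errors="replace") if p.suffix in COMMENT_MARKER else ""
            results[str(p)] = classify(p.name, text)
    return results


# Constructed sample files for the stand-alone run.
SAMPLE_PY_OK = """#!/usr/bin/env python
##############################################################################
# Copyright (c) 2017 Donald Duck [dduck@example.com] and others.
#
# All rights reserved. This program and the accompanying materials
# are made available under the terms of the Apache License, Version 2.0
# which accompanies this distribution, and is available at
# http://www.apache.org/licenses/LICENSE-2.0
##############################################################################
import os
"""
SAMPLE_JAVA_OK = """/*
 * Copyright (c) 2017 Example Corp and others.
 *
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the Apache License, Version 2.0
 * which accompanies this distribution, and is available at
 * http://www.apache.org/licenses/LICENSE-2.0
 */
package org.example;
"""
SAMPLE_SH_BAD = """#!/bin/bash
# Copyright (c) 2017 Example Corp and others.
# Licensed under the Apache License 2.0
set -e
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        verdicts = scan_tree(sys.argv[1])
    else:
        verdicts = {n: classify(n, t) for n, t in [("path_traversal.py", SAMPLE_PY_OK),
                                                   ("Scanner.java", SAMPLE_JAVA_OK),
                                                   ("deploy.sh", SAMPLE_SH_BAD),
                                                   ("__init__.py", "")]}
    for path, verdict in verdicts.items():
        print(f"{'ERROR' if verdict == 'fail' else 'INFO'} - Licence Check {verdict}: {path}")
    sys.exit(1 if "fail" in verdicts.values() else 0)
```

Run with a checkout path as the argument and it prints one pass/fail/skip line per file and exits non-zero when any file fails, which is the hook a gate job would use. Because only the copyright line is filtered, any other deviation from the wiki wording (a reworded license sentence, a missing "All rights reserved." line, as in SAMPLE_SH_BAD) fails, which is the behaviour the thread describes.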


[opnfv-tech-discuss] [infra] PTO next week

2017-04-05 Thread Luke Hinds
Hi Folks,

I am on PTO next week, so won't be at the Infra-WG meeting on Monday.

Cheers,

Luke


[opnfv-tech-discuss] Security Group moving to the Infra-WG

2017-04-03 Thread Luke Hinds
After discussions and voting in the OPNFV Security Group (SG) and the
Infra-WG, it has been decided that the SG will move into the Infra-WG.

This decision was largely based on the SG and Infra-WG having already
worked well together on projects such as the core infrastructure security
program, security vuln patching and further planned work such as security
lint checks at gate.

The SG will now meet in Infra-WG weekly meeting, where engineers from both
groups can share expertise and experience. We will also move or at least
reference security topics in the Infra-WG Wiki.

One noted comment was that the SG being under the Infra-WG will mean less focus on
developing security features. This however does not mean the security
group won't be able to help or advise on any project proposals focused on
security use cases, but going forward, we will be more active in
contributing to OPNFV release & development security.

I hope I have illustrated well the clear synergies between security / infra
with the release models OPNFV utilises in CI / DevOps, and we look forward
to working on some interesting challenges together.

Regards,

Luke


[opnfv-tech-discuss] [functest] Security Scanning

2017-04-03 Thread Luke Hinds
Hi Functest'ers,

I am aware I have not been as active on security scanning as I originally
hoped, largely due to being very busy working on upstream. I have also not
seen much uptake in contributions from others or any requests for support
or enhancements to make from operators / users of OPNFV.

With the above snippet in mind, would you like to revisit the project's use
in functest? I am not saying I wish to decommission it, as I put quite a good
number of hours into the code, but at the same time I am aware my
contributions have not been very active and I am not sure if that will
change in the foreseeable future. You might see otherwise and like to
enhance it further, so it seems a discussion could be worthwhile.

If you would like we could have this as a topic on a functest meeting or
alternately I will be at the plugfest too.

Cheers,

Luke


Re: [opnfv-tech-discuss] Add license information for files without them

2017-02-18 Thread Luke Hinds
If it's useful we could add something to our gate to check for license text?
We are trialling a system that checks for private keys, secrets and blobs
being pushed to repos, I could look to extend this to perform a license
check too?

On Sat, Feb 18, 2017 at 5:27 PM, Yujun Zhang (ZTE) <zhangyujun+...@gmail.com
> wrote:

> The script works great in qtip repo[1]. Thanks a lot, Justin.
>
> A few comments for improvements
>
>
>1. add license to this script itself so people know how to contribute.
>By default, it is proprietary.
>2. ignore __init__.py as indicated in OPNFV contribution
>guidelines[2]. A workaround is `git checkout **/__init__.py` after
>processing.
>3. use company name mapping in stackalytics[3]. I believe it covers
>most contributors in OPNFV
>4. rename the repo. It is strange to fork a repo named Lab to
>other account.
>
>
> [1]: https://gerrit.opnfv.org/gerrit/#/c/29029/
> [2]: https://wiki.opnfv.org/display/DEV/Contribution+Guidelines
> [3]: http://git.openstack.org/cgit/openstack/stackalytics/tree/etc/default_data.json#n23439
>
> On Fri, Feb 17, 2017 at 10:52 AM gang chi <justin.chig...@gmail.com>
> wrote:
>
>> Hi,
>>
>> I think most of the teams have received a mail from Ray, who told me there are
>> over a hundred files without a License in the Compass4nfv repo. I think some teams
>> may have the same issue as me,
>> so I share my script to generate license headers for OPNFV repos.
>>
>> https://github.com/Justin-chi/Lab/blob/master/add_license.sh
>>
>> Here is result of the script: https://gerrit.opnfv.org/gerrit/#/c/28885/
>>
>> Hope it works for you.
>>
>> Regards
>> Justin
>>
> --
> Yujun Zhang
>
>
>


-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


[opnfv-tech-discuss] Project Termination for Inspector

2017-01-16 Thread Luke Hinds
Hi,

I would like to propose project termination for Inspector.

I took over the project from the last PTL, with a view to care for the
project in the event of community uptake / interest, but a year later
contributions are non existent and I have zero free time myself to work on
the project.

I would therefore like to propose termination 2 weeks from now by the TSC
(31/01/17)

No other projects / platform build processes have dependency on Inspector.

Regards,

Luke Hinds


[opnfv-tech-discuss] Meeting time change for Security Group

2016-12-21 Thread Luke Hinds
Hi,

It was decided that the Security Group will change meeting times from 14:00
UTC to 16:00 UTC to make it a little easier for folks attending from the
US.

Also with the Holiday season upon us, we will now not meet until the
04/01/2017

Thanks,

Luke

-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


Re: [opnfv-tech-discuss] [Opnfv-security] Security checks at Gate

2016-12-19 Thread Luke Hinds
On Mon, Dec 19, 2016 at 3:00 PM, Serg Melikyan <smelik...@mirantis.com>
wrote:

> Hi Luke,
>
> there are several kinds of projects in the Open NFV space, and I am happy
> that your proposal covers not only python projects. Having security
> job templates which can be re-used in gates with an extensive
> description of how to use them is very important and helpful. My only
> ask would be to pay attention to how exceptions will be specified for
> each gate check - security, as well as lint checks, have a very high
> number of false-positive results.
>
> Once this initiative is ready for beta-testing I will be glad to
> help you do this beta-testing on Fuel.
>
> P.S. there is an interesting project in the OpenStack community, called
> Bandit [1], which allows running security lint on Python source code,
> utilizing the ast module from the Python standard library. Seems
> interesting to have these checks on some of the projects.
>
> References:
> [1] https://wiki.openstack.org/wiki/Security/Projects/Bandit



Hi Serg,

So we have developed a wrapper around bandit, rats and PMD for security
linting (with those three we have full language coverage), and with the
lint checks, we plan on having it non-voting (for the same reason you
outline of false positives). So for example, a project developed in python
will have a link to a bandit report, whereas something in c or ruby would be
a rats html report. These reports will be 'fyi' only.

The only checks planned with a -1 voting ability are for binaries found and
secrets (private keys etc) - the key thing is though, we have an exception
list, so we can waive / whitelist false positives.

Great to hear you have an interest in getting involved, be glad to work
with you when we can bring it in for projects.

Luke



>
>
> On Mon, Dec 19, 2016 at 6:49 AM, Luke Hinds <lhi...@redhat.com> wrote:
> >
> >
> > On Mon, Dec 19, 2016 at 2:30 PM, Tapio Tallgren <
> tapio.tallg...@nokia.com>
> > wrote:
> >>
> >> Luke,
> >>
> >> Since you are checking for binary files (point 2), will you also check
> all
> >> checkouts from version control systems (like git)? I would like all of
> these
> >> to pull in explicit versions (as opposed to main), since otherwise you
> will
> >> have no idea what you are building.
> >
> >
> > Is this a case of opnfv code / scripts that clone in an external repo?
> If
> > you could give me an example case to help understand..
> >
> >>
> >>
> >> We also have a similar problem with external repositories: if you
> install
> >> Linux packages from an external repository, you again have a risk that
> there
> >> are random changes to what is installed. This is fortunately mostly
> relevant
> >> for installers.
> >
> >
> >  Understood, there is not much I believe we can do here in respect of
> this
> > work item.
> >
> >>
> >> -Tapio
> >>
> >>
> >>
> >>
> >> On 12/19/2016 03:28 PM, Luke Hinds wrote:
> >>
> >> Hi Yujun,
> >>
> >> I would need Fatih to comment as I am not that up to speed on CI. The
> >> following is an albeit incomplete example of how we will wire this in:
> >>
> >>
> >> https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;hb=refs%2Fchanges%2F71%2F25971%2F1;f=jjb%2Fsecurityscanning%2Fopnfv-security-scan.yml
> >>
> >> Regards,
> >>
> >> Luke
> >>
> >> On Mon, Dec 19, 2016 at 1:12 PM, Yujun Zhang <zhangyujun+...@gmail.com>
> >> wrote:
> >>>
> >>> Luke,
> >>>
> >>> I remember that Fatih once mentioned that there are no gates in OPNFV
> CI
> >>> yet. So you are talking about some additional verification jobs
> enforced on
> >>> each commit. Or it is something like the current daily/weekly job.
> >>>
> >>> Could you help to clarify it?
> >>>
> >>> On Mon, Dec 19, 2016 at 7:39 PM Luke Hinds <lhi...@redhat.com> wrote:
> >>>>
> >>>> Hi,
> >>>>
> >>>> Myself and Ash with help from Fatih are currently prototyping some new
> >>>> gates we plan to phase in overtime.
> >>>>
> >>>> The idea is that each commit made to an OPNFV repo will perform some
> >>>> checks.
> >>>>
> >>>> 1. Search for any strings containing passwords, ssh / tls certs and
> >>>> other stuff we don't want sitting around in repos to then be scooped
> up for
> >&

Re: [opnfv-tech-discuss] [Opnfv-security] Security checks at Gate

2016-12-19 Thread Luke Hinds
On Mon, Dec 19, 2016 at 2:30 PM, Tapio Tallgren <tapio.tallg...@nokia.com>
wrote:

> Luke,
>
> Since you are checking for binary files (point 2), will you also check all
> checkouts from version control systems (like git)? I would like all of
> these to pull in explicit versions (as opposed to main), since otherwise
> you will have no idea what you are building.
>

Is this a case of opnfv code / scripts that clone in an external repo? If
you could give me an example case to help understand..


>
> We also have a similar problem with external repositories: if you install
> Linux packages from an external repository, you again have a risk that
> there are random changes to what is installed. This is fortunately mostly
> relevant for installers.
>

 Understood, there is not much I believe we can do here in respect of this
work item.


> -Tapio
>
>
>
>
> On 12/19/2016 03:28 PM, Luke Hinds wrote:
>
> Hi Yujun,
>
> I would need Fatih to comment as I am not that up to speed on CI. The
> following is an albeit incomplete example of how we will wire this in:
>
> https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;hb=refs%2Fchanges%2F71%2F25971%2F1;f=jjb%2Fsecurityscanning%2Fopnfv-security-scan.yml
>
> Regards,
>
> Luke
>
> On Mon, Dec 19, 2016 at 1:12 PM, Yujun Zhang <zhangyujun+...@gmail.com>
> wrote:
>
>> Luke,
>>
>> I remember that Fatih once mentioned that there are no gates in OPNFV CI
>> yet. So you are talking about some additional verification jobs enforced on
>> each commit. Or it is something like the current daily/weekly job.
>>
>> Could you help to clarify it?
>>
>> On Mon, Dec 19, 2016 at 7:39 PM Luke Hinds <lhi...@redhat.com> wrote:
>>
>>> Hi,
>>>
>>> Myself and Ash with help from Fatih are currently prototyping some new
>>> gates we plan to phase in over time.
>>>
>>> The idea is that each commit made to an OPNFV repo will perform some
>>> checks.
>>>
>>> 1. Search for any strings containing passwords, ssh / tls certs and
>>> other stuff we don't want sitting around in repos to then be scooped up for
>>> a release.
>>>
>>> 2. Search out any binaries. We need to be very strict over what compiled
>>> binaries are packaged in release (if any at all), as a binary could be
>>> compromised (without the knowledge of the project itself).
>>>
>>> 3. Security lint checks. Code will be searched for patterns such as
>>> shell executions, xss flaws etc and reports linked within the gate.
>>>
>>> The plan is to have 1,2 as voting (-1 / +1) and 3 initially as a guide
>>> for projects, with the support of the security group, if needed.
>>>
>>> For both 1,2 we will maintain a waiver / exception list. This means that
>>> if no threat is shown to be present, an ignore entry can be made for a
>>> single project. The gate will then allow the said string, file etc to pass
>>> with no vote.
>>>
>>> Initially we are working with a sandbox project, so expect no
>>> interruptions at all. From there we will start to bring projects over, so
>>> they will be aware ahead of any changes implemented that will affect them.
>>>
>>> Cheers,
>>>
>>> Luke
>>> ___
>>> opnfv-security mailing list
>>> opnfv-secur...@lists.opnfv.org
>>> https://lists.opnfv.org/mailman/listinfo/opnfv-security
>>>
>>
>
>
> --
> Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
> e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
> 12 52 36 2483
>
>
>
>


-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


Re: [opnfv-tech-discuss] [Opnfv-security] Security checks at Gate

2016-12-19 Thread Luke Hinds
Yujun,

I said gate, but I meant check (so every time a commit happens, not a
workflow +1)

Luke

On Mon, Dec 19, 2016 at 1:28 PM, Luke Hinds <lhi...@redhat.com> wrote:

> Hi Yujun,
>
> I would need Fatih to comment as I am not that up to speed on CI. The
> following is an albeit incomplete example of how we will wire this in:
>
> https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;hb=refs%2Fchanges%2F71%2F25971%2F1;f=jjb%2Fsecurityscanning%2Fopnfv-security-scan.yml
>
> Regards,
>
> Luke
>
> On Mon, Dec 19, 2016 at 1:12 PM, Yujun Zhang <zhangyujun+...@gmail.com>
> wrote:
>
>> Luke,
>>
>> I remember that Fatih once mentioned that there are no gates in OPNFV CI
>> yet. So you are talking about some additional verification jobs enforced on
>> each commit. Or it is something like the current daily/weekly job.
>>
>> Could you help to clarify it?
>>
>> On Mon, Dec 19, 2016 at 7:39 PM Luke Hinds <lhi...@redhat.com> wrote:
>>
>>> Hi,
>>>
>>> Myself and Ash with help from Fatih are currently prototyping some new
>>> gates we plan to phase in over time.
>>>
>>> The idea is that each commit made to an OPNFV repo will perform some
>>> checks.
>>>
>>> 1. Search for any strings containing passwords, ssh / tls certs and
>>> other stuff we don't want sitting around in repos to then be scooped up for
>>> a release.
>>>
>>> 2. Search out any binaries. We need to be very strict over what compiled
>>> binaries are packaged in release (if any at all), as a binary could be
>>> compromised (without the knowledge of the project itself).
>>>
>>> 3. Security lint checks. Code will be searched for patterns such as
>>> shell executions, xss flaws etc and reports linked within the gate.
>>>
>>> The plan is to have 1,2 as voting (-1 / +1) and 3 initially as a guide
>>> for projects, with the support of the security group, if needed.
>>>
>>> For both 1,2 we will maintain a waiver / exception list. This means that
>>> if no threat is shown to be present, an ignore entry can be made for a
>>> single project. The gate will then allow the said string, file etc to pass
>>> with no vote.
>>>
>>> Initially we are working with a sandbox project, so expect no
>>> interruptions at all. From there we will start to bring projects over, so
>>> they will be aware ahead of any changes implemented that will affect them.
>>>
>>> Cheers,
>>>
>>> Luke
>>>
>>
>
>
> --
> Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
> e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
> 12 52 36 2483
>



-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


Re: [opnfv-tech-discuss] [Opnfv-security] Security checks at Gate

2016-12-19 Thread Luke Hinds
Hi Yujun,

I would need Fatih to comment as I am not that up to speed on CI. The
following is an albeit incomplete example of how we will wire this in:

https://gerrit.opnfv.org/gerrit/gitweb?p=releng.git;hb=refs%2Fchanges%2F71%2F25971%2F1;f=jjb%2Fsecurityscanning%2Fopnfv-security-scan.yml

Regards,

Luke

On Mon, Dec 19, 2016 at 1:12 PM, Yujun Zhang <zhangyujun+...@gmail.com>
wrote:

> Luke,
>
> I remember that Fatih once mentioned that there are no gates in OPNFV CI
> yet. So you are talking about some additional verification jobs enforced on
> each commit. Or it is something like the current daily/weekly job.
>
> Could you help to clarify it?
>
> On Mon, Dec 19, 2016 at 7:39 PM Luke Hinds <lhi...@redhat.com> wrote:
>
>> Hi,
>>
>> Myself and Ash with help from Fatih are currently prototyping some new
>> gates we plan to phase in over time.
>>
>> The idea is that each commit made to an OPNFV repo will perform some
>> checks.
>>
>> 1. Search for any strings containing passwords, ssh / tls certs and other
>> stuff we don't want sitting around in repos to then be scooped up for a
>> release.
>>
>> 2. Search out any binaries. We need to be very strict over what compiled
>> binaries are packaged in release (if any at all), as a binary could be
>> compromised (without the knowledge of the project itself).
>>
>> 3. Security lint checks. Code will be searched for patterns such as shell
>> executions, xss flaws etc and reports linked within the gate.
>>
>> The plan is to have 1,2 as voting (-1 / +1) and 3 initially as a guide
>> for projects, with the support of the security group, if needed.
>>
>> For both 1,2 we will maintain a waiver / exception list. This means that
>> if no threat is shown to be present, an ignore entry can be made for a
>> single project. The gate will then allow the said string, file etc to pass
>> with no vote.
>>
>> Initially we are working with a sandbox project, so expect no
>> interruptions at all. From there we will start to bring projects over, so
>> they will be aware ahead of any changes implemented that will affect them.
>>
>> Cheers,
>>
>> Luke
>>
>


-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


[opnfv-tech-discuss] Security checks at Gate

2016-12-19 Thread Luke Hinds
Hi,

Myself and Ash with help from Fatih are currently prototyping some new
gates we plan to phase in over time.

The idea is that each commit made to an OPNFV repo will perform some
checks.

1. Search for any strings containing passwords, ssh / tls certs and other
stuff we don't want sitting around in repos to then be scooped up for a
release.

2. Search out any binaries. We need to be very strict over what compiled
binaries are packaged in release (if any at all), as a binary could be
compromised (without the knowledge of the project itself).

3. Security lint checks. Code will be searched for patterns such as shell
executions, xss flaws etc and reports linked within the gate.

The plan is to have 1,2 as voting (-1 / +1) and 3 initially as a guide for
projects, with the support of the security group, if needed.

For both 1,2 we will maintain a waiver / exception list. This means that if
no threat is shown to be present, an ignore entry can be made for a single
project. The gate will then allow the said string, file etc to pass with no
vote.

Initially we are working with a sandbox project, so expect no interruptions
at all. From there we will start to bring projects over, so they will be
aware ahead of any changes implemented that will affect them.

Cheers,

Luke
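The two voting checks in this mail (secrets such as private keys and passwords, and binaries), together with the per-project waiver list that lets a reviewed hit pass with no vote, as an added Python example. It is not the Anteater code that later implemented these checks for OPNFV; the detection patterns, the binary heuristic, the waiver dictionary layout, the function names (`is_binary`, `scan`, `scan_tree`) and the sample repository contents are all constructed for the example.

```python
"""Gate check for committed secrets and binaries, with a per-project waiver list.
Added example; not the OPNFV Anteater implementation."""
import re
import sys
from pathlib import Path

# Constructed detection patterns; a real gate would carry a longer list.
SECRET_PATTERNS = {
    "private-key": re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "certificate": re.compile(rb"-----BEGIN CERTIFICATE-----"),
    "password": re.compile(rb"\b(?:password|passwd|pwd)\s*[:=]\s*['\"]?[^\s'\"]{4,}", re.I),
    "aws-access-key": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
}

# Bytes that are normal in text files: printable ASCII, common whitespace and
# anything >= 0x80 (UTF-8 multibyte sequences). Everything else is a control byte.
TEXT_BYTES = (frozenset(range(0x20, 0x7F)) | frozenset(b"\n\r\t\f\b")
              | frozenset(range(0x80, 0x100)))


def is_binary(data: bytes) -> bool:
    """Heuristic in the spirit of git's: a NUL in the first 8 KiB, or more than
    30% control bytes, marks the file as binary."""
    sample = data[:8192]
    if not sample:
        return False
    if b"\x00" in sample:
        return True
    control = sum(1 for b in sample if b not in TEXT_BYTES)
    return control / len(sample) > 0.30


def scan(project, files, waivers):
    """files: {relative path: bytes}. waivers: {project: {"files": [...], "strings": [...]}}.
    Returns (vote, findings): vote is -1 if any unwaived finding remains, else +1;
    findings is a list of (path, kind, matched text or None)."""
    entry = waivers.get(project, {})
    waived_files = set(entry.get("files", []))
    waived_strings = [s.encode() for s in entry.get("strings", [])]
    findings = []
    for path in sorted(files):
        if path in waived_files:
            continue            # whole file waived, for this project only
        data = files[path]
        if is_binary(data):
            findings.append((path, "binary", None))
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            for match in pattern.finditer(data):
                hit = match.group(0)
                if any(s in hit for s in waived_strings):
                    continue    # this exact string was reviewed and waived
                findings.append((path, kind, hit.decode(errors="replace")))
    return (-1 if findings else 1), findings


def scan_tree(root, project, waivers):
    """Read a checkout into {relpath: bytes} (skipping .git) and scan it."""
    root = Path(root)
    files = {str(p.relative_to(root)): p.read_bytes()
             for p in root.rglob("*") if p.is_file() and ".git" not in p.parts}
    return scan(project, files, waivers)


# Constructed sample repository and waiver list for the stand-alone run.
SAMPLE_FILES = {
    "docs/setup.rst": b"Set the admin password at the prompt on first login.\n",
    "config/test.conf": b"# fixture consumed by the unit tests only\npassword = changeme\n",
    "deploy/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n",
    "build/helper.bin": b"\x7fELF\x02\x01\x01\x00" + bytes(range(256)),
    "src/main.py": b"import os\n",
}
WAIVERS = {"sandbox": {"files": [], "strings": ["password = changeme"]}}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        vote, findings = scan_tree(sys.argv[1], sys.argv[2], WAIVERS)
    else:
        vote, findings = scan("sandbox", SAMPLE_FILES, WAIVERS)
    for path, kind, text in findings:
        print(f"ERROR {kind:15} {path}" + (f": {text!r}" if text else ""))
    print(f"vote: {vote:+d}")
    sys.exit(1 if vote < 0 else 0)
```

On the sample tree the "sandbox" project gets a -1 for the private key and the ELF blob, while the test fixture's `password = changeme` is silent because that string is waived; the same tree scanned under any other project name reports the password too, which is the "single project" scoping of the exception list described above. Waiving the matched string rather than the whole file keeps the private-key pattern live in that file, so a real key added later still votes -1.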


[opnfv-tech-discuss] Gotomeeting reservation

2016-12-13 Thread Luke Hinds
Hi,

I'll be honest, I am completely out of sync with what we are doing for
gotomeeting slots now.

In the security group, we went to IRC only a while ago to free up a session
slot, but we now need a gotomeeting session to walk over some stuff that
will need audio / video for one time.

The security group meeting is at 14:00 UTC Wednesday, and we want it for
tomorrow , how would I go about getting tabs on this time?

Cheers,

Luke


Re: [opnfv-tech-discuss] OPNFV on Github

2016-11-04 Thread Luke Hinds
On Thu, Nov 3, 2016 at 8:07 PM, Trevor Bramwell <
tbramw...@linuxfoundation.org> wrote:

> Hi Luke, et al.,
>
> The OPNFV Gerrit repos should now exist under https://github.com/opnfv,
> and they get updated within 30s of Gerrit changes being merged.
>
> We are still working on getting the bot in place to close PR's and
> forward people onto a 'Getting started with OPNFV' page.
>
> For those interested in seeing their OPNFV contributions show up in
> their Github profile, they will need to update their list of email
> addresses on their Github account to include the address used to submit
> changes to Gerrit.
>
> If you see any repos missing, or have any concerns, please let us know
> at helpd...@opnfv.org.
>
> Regards,
> Trevor Bramwell
>

Fantastic, thanks Trevor.


> On Fri, Oct 21, 2016 at 10:38:03AM +0100, Luke Hinds wrote:
> > Hi All,
> >
> > I took my eye off the ball and missed the dates for this week.
> >
> > Did anything transpire?
> >
> > Luke
> >
> >
> >
> > >
> > > On Wed, Oct 5, 2016 at 10:41 AM, Christopher Price <
> chrispric...@gmail.com
> > > > wrote:
> > >
> > >> Hi Folks,
> > >>
> > >>
> > >>
> > >> I’d like to propose that we:
> > >>
> > >> 1)   Clarify how we want this to be done  (looks like we have a
> > >> solid idea of this now)
> > >>
> > >> 2)   Determine whom will “own” the github account (Aric &/or
> Trevor
> > >> I guess)
> > >>
> > >> 3)   Present and discuss in community (October 13th call I think
> is
> > >> the best)
> > >>
> > >> 4)   Present it to the TSC for approval (October 18th would seem
> > >> adequate)
> > >>
> > >> 5)   Make it so…
> > >>
> > >>
> > >>
> > >> Maybe we can capture this on the wiki in some way.
> > >>
> > >> I have made a start: https://wiki.opnfv.org/display/DEV/Licensing+and+External+repo%27s+discussion#LicensingandExternalrepo%27sdiscussion-ProposalforOPNFVrepomirroringtoGitHub
> > >> but it probably needs some niceness added to it.
> > >>
> > >> We can present and discuss this on the 13th and potentially use it for
> > >> TSC approval on the 18th.
> > >>
> > >>
> > >>
> > >> / Chris
> > >>
> > >>
> > >>
> > >> *From: *<opnfv-tech-discuss-boun...@lists.opnfv.org> on behalf of
> Peter
> > >> Lee <pe...@corenova.com>
> > >> *Date: *Wednesday 5 October 2016 at 04:58
> > >> *To: *"SULLIVAN, BRYAN L" <bs3...@att.com>, Aric Gardner <
> > >> agard...@linuxfoundation.org>, "MORTON JR., AL" <acmor...@att.com>
> > >> *Cc: *TECH-DISCUSS OPNFV <opnfv-tech-discuss@lists.opnfv.org>
> > >>
> > >> *Subject: *Re: [opnfv-tech-discuss] OPNFV on Github
> > >>
> > >>
> > >>
> > >> I started the opnfv org in github a while back to host the promise
> > >> project and associated assets. I'd be happy to transfer the ownership
> of
> > >> the GitHub opnfv org to whoever we designate as the new owner.
> > >>
> > >> Thanks,
> > >>
> > >> Peter
> > >>
> > >> On Tue, Oct 4, 2016 at 1:02 PM SULLIVAN, BRYAN L <bs3...@att.com>
> wrote:
> > >>
> > >> Aric,
> > >>
> > >> When you say " mirroring to github is done " you don't mean currently,
> > >> right? ("will be done")
> > >>
> > >> Also - any chance we could get Iben to donate opnfv to us as the org
> > >> name? He got out ahead of this game a while back:
> > >> https://github.com/opnfv
> > >> It would be great if we could hang our repos off that link and org...
> > >>
> > >> Thanks,
> > >> Bryan Sullivan | AT
> > >>
> > >> -Original Message-
> > >> From: opnfv-tech-discuss-boun...@lists.opnfv.org [mailto:
> > >> opnfv-tech-discuss-boun...@lists.opnfv.org] On Behalf Of Aric Gardner
> > >> Sent: Tuesday, October 04, 2016 12:32 PM
> > >> To: MORTON JR., AL <acmor...@att.com>
> > >> Cc: opnfv-tech-discuss@lists.opnfv.org
> > >> Subject: Re: [opnfv-tech-disc

Re: [opnfv-tech-discuss] Graduation reviews discussion

2016-11-03 Thread Luke Hinds
On Thu, Nov 3, 2016 at 5:34 AM, Yujun Zhang <zhangyujun+...@gmail.com>
wrote:

> I think there would be a different expectation for "mature" projects.
>
> It is quite difficult to define "fully functional" and "stable" since the
> projects never stop evolving even after they mature.
>
> From a developer's view, a mature project can be judged from
>
>1. regular release cycle
>2. test coverage
>3. documentation completeness
>4. security integrity
>5. timely response on feedback
>6. fluent process on evolution
>
> My two cents.
>
>
+1

security integrity could entail a project being audited (which most already
are) and being vulnerability managed:

https://wiki.opnfv.org/pages/viewpage.action?pageId=2926046


On Thu, Nov 3, 2016 at 1:25 PM Raymond Paik <rp...@linuxfoundation.org>
> wrote:
>
>> All,
>>
>> One of my action items from the TSC meeting  We discussed graduation
>> reviews for "mature" projects in OPNFV.  On the Project Lifecycle document (
>> https://www.opnfv.org/developers/technical-project-
>> governance/project-lifecycle), a mature project is defined as "Project
>> is fully functioning and stable, has achieved successful releases."
>>
>> One of the questions that was raised on the call was, after graduation
>> how would "mature" projects be different from projects in the "incubation"
>> stage.  Is this just a badge/label or are there different expectations?
>>
>> Please discuss :-)
>>
>> Thanks,
>>
>> Ray
>> ___
>> opnfv-tech-discuss mailing list
>> opnfv-tech-discuss@lists.opnfv.org
>> https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
>>
>


-- 
Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 | t: +44
12 52 36 2483


[opnfv-tech-discuss] Security Impact Review Reminder

2016-10-14 Thread Luke Hinds
Hello PTLs and Committers et al,

A monthly reminder that if you're staging any code, specs, docs that in
any way touch upon security, please be aware that you can place the text
'SecurityImpact' into your commit message.

This will then automatically notify the security group who can then review,
or provide advice and feedback.

Likewise, you can also include opnfv-secur...@lists.opnfv.org or place a
[security] tag in your subject header on email discussions, if you want us
to join in on a discussion.

Many Thanks,

Luke - Security Group PTL



Re: [opnfv-tech-discuss] Jose Lausuch is the New Functest PTL

2016-10-12 Thread Luke Hinds
Perfect man for the job. Congrats Jose.


On Tue, Oct 11, 2016 at 1:00 PM, <morgan.richo...@orange.com> wrote:

> Hi TSC,
>
> I would like to inform that the Functest project elected this morning
> his new PTL.
>
> We just applied the recommendations we voted in Functest
> (https://wiki.opnfv.org/display/functest/Functest+admin)
>
> Jose -  you all know him -  will take the lead of the project.
>
> He has been very active in the project (and not only in Functest...)
> since Arno and has a perfect knowledge of the OPNFV ecosystem.
>
> Eisenhower said "Leadership consists of nothing but taking
> responsibility for everything that goes wrong and giving your
> subordinates credit for everything that goes well."
>
> @José: Do not worry, we already know that most of the things that go
> well in Functest are due to you, so I am sure you will be a great PTL!
> And as Liverpool Footbal fans are used to sing: "You will never walk
> alone..."
>
> I was very happy to PTLize Functest from Arno to Colorado. Still many
> rivers to cross...
>
> I will keep on contributing in Functest in addition of my TSC/Testing
> group/EndUserGroup tasks.
>
> vote is available here:
> http://ircbot.wl.linuxfoundation.org/meetings/opnfv-functest/2016/opnfv-
> functest.2016-10-11-08.01.html
> (note I received 4 additional Yes proxies by mail)
> INFO file has been amended: https://gerrit.opnfv.org/gerrit/#/c/22969/
> I will ask for the modification of the mailing list to include Jose in
> PTL mailing list (and remove myself)
>
> /Morgan
>
>
> 
> _
>
> Ce message et ses pieces jointes peuvent contenir des informations
> confidentielles ou privilegiees et ne doivent donc
> pas etre diffuses, exploites ou copies sans autorisation. Si vous avez
> recu ce message par erreur, veuillez le signaler
> a l'expediteur et le detruire ainsi que les pieces jointes. Les messages
> electroniques etant susceptibles d'alteration,
> Orange decline toute responsabilite si ce message a ete altere, deforme ou
> falsifie. Merci.
>
> This message and its attachments may contain confidential or privileged
> information that may be protected by law;
> they should not be distributed, used or copied without authorisation.
> If you have received this email in error, please notify the sender and
> delete this message and its attachments.
> As emails may be altered, Orange is not liable for messages that have been
> modified, changed or falsified.
> Thank you.
>
> ___
> opnfv-tech-discuss mailing list
> opnfv-tech-discuss@lists.opnfv.org
> https://lists.opnfv.org/mailman/listinfo/opnfv-tech-discuss
>





Re: [opnfv-tech-discuss] OPNFV Packaging CI

2016-09-27 Thread Luke Hinds
On Tue, Sep 27, 2016 at 1:55 AM, Leif Madsen  wrote:

> On Sun, Sep 25, 2016 at 01:19:21PM +, Alexandru Avadanii wrote:
> > Hi, Luke,
> > My experience so far included mostly DEB packages, which fell in 3
> categories for Armband:
> >
> > -  Backported from newer distro (lots of Ubuntu Xenial arm64
> DEBs backported to Trusty)
> >
> > -  Patched until upstream pulls our fixes (lshw is a good
> example, it’s broken in all arm64 Ubuntus  - all distros)
> >
> > -  Divergent functionality (we roll our own grub2, based on an
> Ubuntu package, but with added patches from Fedora and OpenSUSE – it’s hard
> to find a grub2 package that satisfies all conditions for integrating with
> our Cobbler integration approach)
> >
> > As for RPMs, we built only 2 custom packages, which I’m sure won’t be
> upstreamed soon:
> >
> > -  qemu-user-static for CentOS7 (implied building some static
> libs as well, including libc), which is used by Fuel to cross-build images
> (e.g. arm64 chroots on a x86 machine);
> >
> > -  cobbler-grub-aarch64 (contains a single EFI-compatible arm64
> binary of grub2-efi-arm64 standalone, used by cobbler as the netloader of
> choice for Armband)
> >
> > In my opinion, handling the above by hand or using obscure external
> procedures (most Fuel plugins build some DEBs and/or RPMs, each in a
> different way) is prone to error
> > and code duplication over time.
> >
> > Also, and maybe I should have started with this, consider the case where
> the ISO build process is tied to x86 (like Fuel currently is), and the
> artifacts are expected to contain
> > packages for different architectures (AArch64?), which cannot be locally
> built [easily], in which case fetching some precompiled packages from an
> OPNFV public repo would be nice.
>
> Do you have a particular method in mind here? I think my biggest
> issue would be around building yet another system to build packages. For
> example, for RPMs, it would be almost trivial to employ the COPR build
> system and host any custom packages in that namespace.
>
> What I would hate to see, would be a set of custom scripts or
> applications to build packages, and then host them within the OPNFV
> namespace, along with having to maintain that whole pipeline.
>
> I assume there is some sort of DEB equivalent of COPR where those
> packages could be hosted, and packages build on a remote service?
>
>
There is PPA:

https://help.launchpad.net/Packaging/PPA



> --
> Leif Madsen | Partner Engineer - NFV & CI
> NFV Partner Engineering
> Red Hat
> GPG: (D670F846) BEE0 336E 5406 42BA 6194 6831 B38A 291E D670 F846
>


[opnfv-tech-discuss] Results of Security Threat Analysis for Colorado.

2016-09-21 Thread Luke Hinds
Hello All,

An update on the results of the Security Threat Analysis for Colorado.

All projects were given a cursory scan using our security lint tool
'anteater', and I then took an in-depth manual review and released
individual project reports to the PTLs, with each containing
recommended code remediations to address issues that were found.

The whole process resulted in twelve patches being merged into nine
projects:

https://gerrit.opnfv.org/gerrit/#/c/20751 master branch
https://gerrit.opnfv.org/gerrit/#/c/21995 master branch
https://gerrit.opnfv.org/gerrit/#/c/20911 master branch
https://gerrit.opnfv.org/gerrit/#/c/20693 master branch
https://gerrit.opnfv.org/gerrit/#/c/21541 master branch
https://gerrit.opnfv.org/gerrit/#/c/22139 master branch
https://gerrit.opnfv.org/gerrit/#/c/21997 master branch
https://gerrit.opnfv.org/gerrit/#/c/21985 master branch
https://gerrit.opnfv.org/gerrit/#/c/21499 master branch
https://gerrit.opnfv.org/gerrit/#/c/21799 master branch
https://gerrit.opnfv.org/gerrit/#/c/21437 master branch
https://gerrit.opnfv.org/gerrit/#/c/22007 stable/brahmaputra

A vulnerability was also discovered in Brahmaputra release and handled
under our vulnerability management process. This is now patched in
c-release and backported to b.

Overall the highlight of the key threats found were:

* Cross site scripting attacks [1]
* Unsafe use of eval [2]
* Unsafe yaml handling [3]
* Possible shell executions [4]
* Leakage of private keys [5].
* Running flask in debug mode. [6]

A lot of false positives were also present, what with OPNFV being
test oriented.

I personally want to thank everyone involved in the above patches, who
mobilized with speed and handled the situation with a level head and
professionalism. Many thanks, you know who you all are.

Also a thanks to Michael Lazar & Alexander of DataArt who contacted me
with an issue they found while researching OPNFV security.

Looking forward
--

So the threat analysis has definitely proved very useful, but very time
consuming too - analyzing thousands of lines of code, over many projects
meant many a late night. I now have a tool to automate this, so I will
seek to integrate this as a gerrit / CI gate / job.

However, you can all really help here, by using the gerrit tag
‘SecurityImpact’ we have.

All you need to do is mention ‘SecurityImpact’ anywhere in a gerrit
review and it will automatically notify the Security group members, to
come in and provide feedback in your gerrit patch. As a general rule,
use this if ever in doubt on a change (or even not). The group are happy
to get any requests come in. More details can be found on our secure
code page:

https://wiki.opnfv.org/display/security/Securecode

One other key point is the use of private keys / passwords in projects.
This I understand can be challenging, as we automate a lot of black box
style testing which is hands off. I am of the mind to set up a working
group to look at this topic and help formulate some guidance on handling
SSH / TLS keys, certs. Any volunteers, please do let me know.

Last of all, we really need more folk helping in security. A lot of
'hand wringing' happens in the industry on security being a top concern,
but very little are willing to put boots on the ground. It would be
really nice to see that happen, so if you know of anyone in your
company, encourage them (or even yourself) to come to our meetings and
get involved.

References:

[1] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
[2] http://lucumr.pocoo.org/2011/2/1/exec-in-python/
[3]
https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html
[4] https://security.openstack.org/guidelines/dg_avoid-shell-true.html
[5]
http://security.stackexchange.com/questions/55525/how-can-an-attacker-use-a-leaked-private-key
[6]
https://labs.detectify.com/2015/10/02/how-patreon-got-hacked-publicly-exposed-werkzeug-debugger/

Regards,

Luke - Security Group PTL


0x3C202614.asc
Description: application/pgp-keys


signature.asc
Description: OpenPGP digital signature
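Added example, not code from anteater or from any OPNFV project: an AST-based lint in Python that flags the risk patterns listed above (eval/exec on strings, yaml.load without SafeLoader, shell=True and os.system, a template string assembled at runtime as an XSS indicator, Flask run(debug=True), a PEM private key embedded in source), with md5/sha1 added as a weak-hash rule. The rule names, the message texts and the two sample sources (a vulnerable module and its hardened counterpart) are assumptions made for the demonstration.

```python
"""Added example (not anteater's or any OPNFV project's code): an AST lint
for the Python risk patterns named in the Colorado threat analysis.
The VULNERABLE / HARDENED sources at the bottom are constructed samples."""
import ast
import re

PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
SHELL_FUNCS = {"os.system", "os.popen"}
UNSAFE_YAML = {"yaml.load", "yaml.load_all", "yaml.unsafe_load", "yaml.unsafe_load_all"}
WEAK_HASH = {"hashlib.md5", "hashlib.sha1"}


def _call_name(call):
    """Dotted callee name of an ast.Call ('yaml.load'); '' when the callee is not a plain name."""
    func, parts = call.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if not isinstance(func, ast.Name):
        return ""
    parts.append(func.id)
    return ".".join(reversed(parts))


def _kwarg(call, name):
    return next((kw.value for kw in call.keywords if kw.arg == name), None)


def _is_true(node):
    return isinstance(node, ast.Constant) and node.value is True


def _yaml_loader_is_safe(call):
    """yaml.load is only safe with SafeLoader/CSafeLoader (keyword or second positional)."""
    loader = _kwarg(call, "Loader")
    if loader is None and len(call.args) > 1:
        loader = call.args[1]
    if loader is None:
        return False
    ident = loader.attr if isinstance(loader, ast.Attribute) else getattr(loader, "id", "")
    return ident in ("SafeLoader", "CSafeLoader")


def lint_source(source, filename="<string>"):
    """Return (lineno, rule, message) findings for one Python source text, sorted by line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):  # text rule, independent of parsing
        if PRIVATE_KEY_RE.search(line):
            findings.append((lineno, "private-key", "PEM private key embedded in source"))
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name, ln = _call_name(node), node.lineno
        if name in ("eval", "exec"):
            findings.append((ln, "eval", f"{name}() on a string; use ast.literal_eval or a dispatch table"))
        elif name in UNSAFE_YAML and not _yaml_loader_is_safe(node):
            findings.append((ln, "yaml", f"{name}() without SafeLoader instantiates arbitrary objects; use yaml.safe_load"))
        elif name in SHELL_FUNCS or (name.startswith("subprocess.") and _is_true(_kwarg(node, "shell"))):
            findings.append((ln, "shell", f"{name}() goes through a shell; pass an argv list with shell=False"))
        elif name.endswith(".run") and _is_true(_kwarg(node, "debug")):
            findings.append((ln, "flask-debug", "debug=True exposes the Werkzeug debugger console"))
        elif name in WEAK_HASH:
            findings.append((ln, "weak-hash", f"{name}() is not collision resistant; use sha256 or stronger"))
        elif name.endswith("render_template_string") and node.args and not isinstance(node.args[0], ast.Constant):
            findings.append((ln, "xss", "template built from a runtime string; render a file template and let autoescaping handle data"))
    return sorted(findings)


# Constructed sample: one of everything the threat analysis listed.
VULNERABLE = '''\
import os, subprocess, yaml, hashlib
from flask import Flask, render_template_string, request
app = Flask(__name__)
def load_cfg(path):
    return yaml.load(open(path))
def ping(host):
    subprocess.call("ping -c1 " + host, shell=True)
    return os.system("ping -c1 " + host)
def hello():
    return render_template_string("<h1>Hi " + request.args.get("n", "") + "</h1>")
def calc(expr):
    return eval(expr)
DIGEST = hashlib.md5(b"payload").hexdigest()
KEY = """-----BEGIN RSA PRIVATE KEY-----
bm90LWEtcmVhbC1rZXk=
-----END RSA PRIVATE KEY-----"""
app.run(host="0.0.0.0", debug=True)
'''

# Constructed sample: the same module with each pattern replaced by its safe form.
HARDENED = '''\
import subprocess, yaml, hashlib
from flask import Flask, render_template
app = Flask(__name__)
def load_cfg(path):
    with open(path) as fh:
        return yaml.safe_load(fh)
def ping(host):
    return subprocess.run(["ping", "-c1", host], check=False).returncode
def hello():
    return render_template("hello.html")
DIGEST = hashlib.sha256(b"payload").hexdigest()
app.run(host="127.0.0.1", debug=False)
'''

if __name__ == "__main__":
    for ln, rule, msg in lint_source(VULNERABLE):
        print(f"vulnerable.py:{ln}: [{rule}] {msg}")
    print("hardened findings:", lint_source(HARDENED))
```

Run it over a tree by calling lint_source on each .py file. The xss rule is deliberately coarse (any non-constant template string), because correct escaping depends on context, so treat its hits as prompts for review rather than verdicts; in test-oriented repositories expect the kind of false positives the message mentions.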


[opnfv-tech-discuss] [Security Advisory] Private key `vtep-privkey.pem` resides in ansible files directory for open-contrail role in Compass4NFV.

2016-09-21 Thread Luke Hinds
Private key `vtep-privkey.pem` resides in ansible files directory for
open-contrail role in Compass4NFV.
---

Date: Sep 21, 2016

CVE #: Pending

### Affects ###

Brahmaputra release.

### Description ###

A private key ‘vtep-privkey.pem’ was discovered in the ansible role for
open-contrail in Compass4NFV project folders. With this key being in the
public domain (git repository), if implemented by a user it could result
in man-in-the-middle type attacks between the Open vSwitch Database
(OVSDB) and Tor (top of the rack) switch.

### Patches ###

https://gerrit.opnfv.org/gerrit/#/c/21997 master branch
https://gerrit.opnfv.org/gerrit/#/c/22007 stable/brahmaputra

### Steps to patch ###

#### Brahmaputra ####

Users of Brahmaputra should follow the steps outlined below to patch
this issue.

1. Update compass4nfv code

If you don't have local compass4nfv code, then directly get latest
brahmaputra branch code.

$ git clone https://git.opnfv.org/cgit/compass4nfv/
$ cd compass4nfv
$ git checkout remotes/origin/stable/brahmaputra

If you have local compass4nfv code, change to compass4nfv code directory
and perform:

$ git branch --set-upstream-to=origin/stable/brahmaputra stable/brahmaputra
$ git pull

or

$ rm -rf deploy/adapters/ansible/roles/open-contrail/files/provision

2. Follow the installation guide [1] to deploy openstack (Skip if you
already deployed openstack)

3. Clean vtep-privkey.pem key in compass-core

ssh login to compass-core(192.168.200.2) as root, and then run below
command:

# find / -name vtep-privkey.pem | xargs rm

#### Colorado ####

No action is required for Colorado release users, as the fix has been
applied directly into the master branch pre-release.

### Contact and References ###

Reported by: Luke Hinds, Red Hat
Contact: opnfv-secur...@lists.opnfv.org
This Advisory: https://wiki.opnfv.org/pages/viewpage.action?pageId=7768349
[1]
http://artifacts.opnfv.org/compass4nfv/brahmaputra/docs/configguide/index.html
http://www.juniper.net/techpubs/en_US/junos16.1/topics/task/installation/sdn-ovsdb-ssl-files-installing.html
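Added example, not part of the advisory or of Compass4NFV: step 3 above removes the key by file name, so a copy saved under another name, or a key already installed on an OVSDB server or switch, would be missed. The Python below sweeps a directory tree for PEM private key blocks by content and fingerprints each one, so an operator can tell whether a deployed key is the one that was public in git. The directory layout, the key bodies and the set of known-public fingerprints are constructed for the demonstration; nothing here is real key material.

```python
"""Added example, not Compass4NFV or OPNFV code: a content-based sweep for
PEM private keys to complement the name-based `find` in the advisory, with a
fingerprint check so a deployed key can be compared against the one that was
public in git. Tree layout and key bodies are constructed; no real keys."""
import base64
import hashlib
import os
import re
import tempfile

# Any PEM private key block (RSA, EC, PKCS#8, OPENSSH, ENCRYPTED ...), whatever the file name.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]*PRIVATE KEY)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=label)-----"
)


def key_fingerprint(pem_body):
    """SHA-256 of the decoded DER bytes: re-wrapping or re-indenting the PEM does not change it."""
    der = base64.b64decode("".join(pem_body.split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def find_private_keys(root):
    """Yield (relative path, label, fingerprint) for every key block under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            for m in PEM_RE.finditer(text):
                try:
                    fp = key_fingerprint(m.group("body"))
                except ValueError:
                    continue  # not valid base64: a placeholder, not key material
                yield os.path.relpath(path, root).replace(os.sep, "/"), m.group("label"), fp


def sweep(root, leaked_fingerprints):
    """Split findings into keys matching a known-public fingerprint and all other keys."""
    leaked, other = [], []
    for hit in sorted(find_private_keys(root)):
        (leaked if hit[2] in leaked_fingerprints else other).append(hit)
    return leaked, other


# Constructed stand-ins for key bodies (NOT real keys). In practice the leaked
# fingerprint is computed once from the committed file, e.g. from the output of
# `git show <pre-fix commit>:<path to vtep-privkey.pem>` in the compass4nfv repo.
SHIPPED_BODY = base64.b64encode(b"constructed stand-in for the shipped vtep-privkey.pem").decode()
FRESH_BODY = base64.b64encode(b"constructed stand-in for a freshly generated key").decode()


def make_demo_tree():
    """Throwaway tree: the role layout, a renamed copy of the shipped key, a fresh key, a task file."""
    root = tempfile.mkdtemp(prefix="vtep-sweep-")
    files = {
        "roles/open-contrail/files/provision/vtep-privkey.pem": SHIPPED_BODY,
        "etc/openvswitch/ovsdb-key.pem": SHIPPED_BODY,   # same key, different name
        "etc/openvswitch/fresh-key.pem": FRESH_BODY,
        "roles/open-contrail/tasks/main.yml": None,      # no key material
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            if body is None:
                fh.write("- name: copy vtep cert\n  copy: src=vtep-cert.pem dest=/etc/openvswitch/\n")
            else:
                fh.write(f"-----BEGIN RSA PRIVATE KEY-----\n{body}\n-----END RSA PRIVATE KEY-----\n")
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    leaked, other = sweep(demo, {key_fingerprint(SHIPPED_BODY)})
    for path, label, fp in leaked:
        print(f"LEAKED  {path}  ({label}, {fp[:16]}...)")
    for path, label, fp in other:
        print(f"review  {path}  ({label}, {fp[:16]}...)")
```

Run sweep over / on compass-core and on each deployed node after the rm in step 3; any hit in the leaked list means the public key is still in service and the OVSDB/ToR TLS material must be regenerated, while the remaining hits are simply an inventory of private keys that deserve a look at their file permissions.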






Re: [opnfv-tech-discuss] [opnfv-tsc] Nominations for the 2016 OPNFV Committer Board Election

2016-09-13 Thread Luke Hinds
Sorry if this is a re-hash of something already discussed...

What is the criteria for generating the committer list?


On Tue, Sep 13, 2016 at 5:21 AM, Raymond Paik <rp...@linuxfoundation.org>
wrote:

> All,
>
> I'd like to start the nomination period for the OPNFV Committer Board
> election.  OPNFV Committers as listed on https://wiki.opnfv.org/
> display/DEV/2016+Committer+Board+Election+-+Committers+List will be
> eligible to run for and vote in the Committer Board election.
>
> If you'd like to nominate yourself or other committers, please either
> reply to this email or send an email to opnfv-tech-discuss with "Committer
> Board Nomination" in the subject like.  In case a committer is nominated by
> someone else, the nominee must accept the nomination in writing.  I'll skip
> setting up the "self-nomination" wiki page as that wasn't used for the
> recent TSC election.
>
> The nomination period will close at 5pm Pacific Time on September 23rd
> (Friday).
>
> Thanks,
>
> Ray
>
> ___
> opnfv-tsc mailing list
> opnfv-...@lists.opnfv.org
> https://lists.opnfv.org/mailman/listinfo/opnfv-tsc
>
>




[opnfv-tech-discuss] OPNFV Projects - Security Threat Analysis

2016-09-07 Thread Luke Hinds
Hello All,

We will shortly be sharing the results of the threat analysis audit that
is underway within the security group.

This will be in the format of a email sent to the PTL of each audited
project, with a restricted Google Drive link to the report.

The PTL’s email will be added with view / comment permissions on the
report. If the contact email is not enabled for Google services, the
PTL should reply and provide one that is.

You may also request access for other committers in your project, by
providing their respective email addresses.

We elected to use Google Drive, as it allows access control, some amount
of data privacy (https) and a comment system for discussion.

If you cannot use Google drive / don’t want to, then we can share the
report using GPG encrypted email / file instead.

Note: That anything that is high risk and needs embargo, will instead be
handled in a private Jira issue and will follow the vulnerability
process devised in the OPNFV Security Group[1].

Some FAQ:

Q: Why not share in public? It's open source.

A: As the reports highlight potential security risks, it is responsible
and right to allow the projects PTL time to comment on the risk, work
with the security group, and if need be prepare patches. This is known
as 'Responsible Disclosure' [2] and is a widely adopted process in open
source projects.

Q: What sort of risks will be you reporting, what can we expect?

A: Most of the feedback is geared to promote secure coding. In the
security group, we have performed analysis on each project's code and
architecture, by looking for typical risk patterns such as shell
executions, XSS attacks, use of poor encryption etc. You can find some
more details on our wiki [3] or within the Linux foundation core
infrastructure initiative [4]. When we can, we make recommended
remediations, often using the same reported code.

Q: I have some items in my report, and I am concerned / don’t understand
the context?

A: You may contact the Auditor named in your report to discuss any items
in more detail.

Q: Hmmm, my report highlights a risk, you’re wrong and I disagree!

A: You know your project's code (and its intention, exposure, use case)
much better than us. A risk we highlight could be a false positive. We
are also fully aware, that OPNFV projects perform a lot of blackbox
style testing against environments, which then are ripped down and
cleaned post test, so what would be risk in production (hard coded
passwords), is not a risk in a test environment. We also welcome
discussion, should you have some helpful input.

Q: Yay! So does this mean OPNFV is 100% secure?!

A: Not as such. There is a well known quote used in SEC ‘There is no
security on this earth; there is only opportunity'. We do this to
promote friendly discussions on security, improve security awareness and
as an outreach to developers within the community. We do not do this to
unfairly criticise any individual or project, nor to provide absolute
guarantees to users of OPNFV. Of course though, the result of this in
turn naturally promotes better security awareness in OPNFV, so that is
the positive take away.

Q: This really helped me! Thanks!

A: Happy to have helped, show some love! Security can often seem like a
thankless task with little reward, and so let others know how it helped
you.

[1] https://wiki.opnfv.org/pages/viewpage.action?pageId=2926046
[2] https://en.wikipedia.org/wiki/Responsible_disclosure
[3] https://wiki.opnfv.org/display/security/Securecode
[4] https://www.coreinfrastructure.org/

Best Regards,

Luke (OPNFV Security Group)




Re: [opnfv-tech-discuss] Stop commit count!

2016-08-30 Thread Luke Hinds
Hi Carlos,

Are we sure it's not a process the PTL may prefer? I find some folk don't
like commits that cover more than one change, and instead prefer a
single jira / commit to be used, even piecemeal for small changes.

To digress though, Open Source projects do have a lot of cases of people
bending the rules to appear more prolific (stackalytics.com has had its
fair share). This is where I wonder if we should not tout 'top
contributors' as metric of merit.

Luke


On 30/08/16 13:40, Carlos Goncalves wrote:
> Hi folks,
> 
>  
> 
> I’m sorry for bringing this up to the list but it came to my attention
> some time ago now of a continued practice carried by some
> contributors/committers that I don’t think we as community would like to
> continue supporting, not to say tolerate. I’m talking about commit
> counts for the sake of whatever reasons you/your organization may have
> behind.
> 
>  
> 
> While I don’t want to go into details and list individual contributions,
> one example is creating JIRA issues and commits per small change (e.g.
> adding license headers to files) when it is more than obvious and
> desired to everyone to have just a single JIRA and commit. Commit count
> is not the way how you can show the project you’re involved in is more
> or less active or meeting expected goals, and bumping up
> yourself/organization in the top committer list is, well, you know…!
> 
>  
> 
> Commit count can be an excellent metric to evaluate how an
> individual/organization/project performs when done well. Trying to
> work-around that, cheat if you will, should be pinpointed and resolved
> -- in the open or not, I personally don’t care.
> 
>  
> 
> 
> 
>  
> 
> Thanks,
> 
> Carlos
> 
>  
> 
> 
> 


[opnfv-tech-discuss] (no subject)

2016-08-24 Thread Luke Hinds
Hello,

I wanted to open up to the community in more detail, the plans we have for
the security audit.

It's a four-pronged process:

1. Look at dependencies (modules / libraries) used and attempt to verify no
known risks are associated with said dependencies.

2. Perform a secure code audit to look for potential security risks such as
shell executions, sql injections etc. More details here:
https://wiki.opnfv.org/display/security/Securecode

3. Look for use of weak cryptography / hashing algorithms.

4. Encourage compliance to the LF Badge program.

Members of the security team will each perform this audit, and will contact
the PTL and core committers on each project with the results.

The project itself, can then contact the security group to discuss or seek
advice, should they need it.

We are open to feedback on the whole process as well.

Our plan is to trial the process for Colorado, and then have it as a
milestone for D-release.

Thanks,

Luke - OPNFV Security Group
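Added example, not the security group's own tooling: the first of the four prongs (known risks in dependencies) as a small Python checker. It parses a requirements file, reports pins that cannot be tied to a single version (unpinned names, version ranges, VCS/URL sources) and so cannot be audited, and matches exact pins against an advisory table. The requirements text, the hypothetical package names and the DEMO-* advisory entries are constructed for the demonstration; a real run would fill the table from an OSV or NVD feed and audit the fully pinned, pip-compiled file rather than loose requirements.

```python
"""Added example, not the security group's tooling: the dependency prong of
the audit as a checker over a requirements file. Exact pins are matched
against an advisory table; anything not tied to one version is reported as
unauditable. Requirements text, package names and DEMO-* advisories are
constructed for the demo; a real run would load the table from OSV/NVD."""
import re

# Constructed table: package -> [(advisory id, affected below version, fixed in)]
ADVISORIES = {
    "democonf": [("DEMO-2016-0001", "5.1", "5.1")],
    "demoweb": [("DEMO-2016-0002", "0.12.3", "0.12.3")],
}
REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9_.-]*)\s*(?:(?P<op>==|>=|<=|~=|!=|>|<)\s*(?P<ver>\S+))?$"
)


def parse_version(ver):
    """Leading dotted integers as a tuple ('5.1rc1' -> (5, 1)); pre-release tags are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", ver)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def parse_requirements(text):
    """Yield (name, op, version, problem); problem is None only for an exact '==' pin."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("-r"):
            continue
        if "://" in line or line.startswith("-e"):
            yield line, None, None, "VCS/URL source: not from the index; pin to a commit hash and review it"
            continue
        m = REQ_RE.match(line)
        if not m:
            yield line, None, None, "unparsed requirement"
            continue
        name, op, ver = m.group("name").lower(), m.group("op"), m.group("ver")
        if op is None:
            yield name, None, None, "unpinned: resolves to whatever the index serves at build time"
        elif op != "==":
            yield name, op, ver, f"range {op}{ver}: version not fixed, so no advisory lookup is possible"
        else:
            yield name, op, ver, None


def audit(text, advisories=ADVISORIES):
    """Return (vulnerable, unauditable) for a requirements file."""
    vulnerable, unauditable = [], []
    for name, op, ver, problem in parse_requirements(text):
        if problem:
            unauditable.append((name, problem))
            continue
        for adv_id, bad_below, fixed in advisories.get(name, []):
            if parse_version(ver) < parse_version(bad_below):
                vulnerable.append((name, ver, adv_id, fixed))
    return vulnerable, unauditable


SAMPLE_REQUIREMENTS = """\
# constructed sample requirements.txt
democonf==3.12          # below the hypothetical fix
demoweb==0.12.3         # exactly the fixed version
democlient>=2.0         # range: not auditable
demoutil                # unpinned
-e git+https://example.invalid/org/tool.git#egg=tool
"""

if __name__ == "__main__":
    vulnerable, unauditable = audit(SAMPLE_REQUIREMENTS)
    for name, ver, adv_id, fixed in vulnerable:
        print(f"VULNERABLE  {name}=={ver}  {adv_id} (fixed in {fixed})")
    for name, problem in unauditable:
        print(f"UNAUDITABLE {name}: {problem}")
```

The point of the unauditable list is that a range or an unpinned name gives the audit nothing to check: the version installed in CI tomorrow is not the version reviewed today, so the first step of the prong is to get every dependency to an exact pin before matching anything against advisories.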


Re: [opnfv-tech-discuss] simple list of project names

2016-08-22 Thread Luke Hinds
Ah that is perfect, thanks Chris!

On Sat, Aug 20, 2016 at 10:33 PM, Chris Wright <chr...@redhat.com> wrote:

> I use gerrit ls-projects to enumerate projects and their git repos (to
> clone and keep up to date).  Something like:
>
>   ssh gerrit.opnfv.org -p 29418 gerrit ls-projects
>
> (there are a few administrative repos like All-Projects, All-Users,
> and Compliance that probably aren't interesting for you here)
>
> thanks,
> -chris
>
> * Luke Hinds (lhi...@redhat.com) wrote:
> > Hello,
> >
> > I need to gather a simple list (in an easily parsed format) of projects
> > that have repos.
> >
> > I could crawl pages with urllib.request, but figured there might be
> > something around already?
> >
> > Cheers,
> >
> > Luke
> >
> > --
> > Luke Hinds | NFV Partner Engineering | Office of Technology | Red Hat
> > e: lhi...@redhat.com | irc: lhinds @freenode | m: +44 77 45 63 98 84 |
> t: +44
> > 12 52 36 2483
>




[opnfv-tech-discuss] simple list of project names

2016-08-20 Thread Luke Hinds
Hello,

I need to gather a simple list (in an easily parsed format) of projects
that have repos.

I could crawl pages with urllib.request, but figured there might be
something around already?

Cheers,

Luke



[opnfv-tech-discuss] Security Audit Discussions

2016-08-17 Thread Luke Hinds
Hi,

As discussed on today's call, an etherpad to start to flesh out what a
security audit would consist of for each release. This then gets
discussed next week on the TSC.

https://etherpad.opnfv.org/p/sec-audit

Regards,
Luke



Re: [opnfv-tech-discuss] [opnfv-tsc] Opening nominations for the Committers-at-Large TSC elections

2016-08-12 Thread Luke Hinds
> > > nomination period closes this Friday at 5pm Pacific Time.  Please send in
> > > your nominations or post self nominations at
> > > https://wiki.opnfv.org/display/DEV/2016+Commiters-at-Large+TSC+Election+Self-Nominations
> > >
> > > Thanks,
> > >
> > > Ray
> > >
> > > On Sun, Aug 7, 2016 at 11:21 PM, Raymond Paik <rp...@linuxfoundation.org>
> > > wrote:
> > >
> > > OPNFV Community:
> > >
> > > Based on feedback last week, the list of committers has been updated
> > > and you can find the committers list at
> > > https://wiki.opnfv.org/display/DEV/OPNFV+Committers+List.
> > >
> > > Now, I'd like to open the nomination period for the Committers-at-Large
> > > TSC elections.  As noted in the elections wiki page
> > > (https://wiki.opnfv.org/display/DEV/Community+Election+Procedure#CommunityElectionProcedure-CommunityTSCmemberelection(proposalpendingapproval)),
> > > nominations can be either self-nominations or anyone can nominate
> > > other committers. If a committer is nominated by others, the nominee
> > > must accept the nomination for it to be valid.
> > >
> > > For self-nominations, I created a wiki page with a suggested template at
> > > https://wiki.opnfv.org/display/DEV/2016+Commiters-at-Large+TSC+Election+Self-Nominations.
> > > If you are interested in nominating yourself, please add your
> > > nomination statements directly on the wiki page.
> > >
> > > If you'd like to nominate others, please send your nominations to
> > > opnfv-tsc & opnfv-tech-discuss mailing lists so that your nominations
> > > can be accepted (or declined) by the nominees on the mailing lists.
> > >
> > > I will close the nominations at 5pm Pacific Time on August 12th
> > > (Friday).  Please let me know if you have any questions.
> > >
> > > Thanks,
> > >
> > > Ray
> > >
> > > ___
> > > opnfv-tsc mailing list
> > > opnfv-...@lists.opnfv.org
> >