On 2015-08-11 20:42:26 + (+), Bhandaru, Malini K wrote:
[...]
Another place I see value is running periodically against past
releases – Icehouse, Juno etc to catch any vulnerabilities in
production systems. When we issue security notes we typically
specify any past releases that carry
Rob, Timur, Travis, and Victor, thank you for your input! We are excited about
the feedback.
Added [Security] in subject per Rob’s suggestion. Copied all the security
interested parties who responded.
Another place I see value is running periodically against past releases –
Icehouse, Juno etc
...@yuggoth.org]
Sent: Wednesday, August 5, 2015 10:16 AM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Security] Would people see a value in the
cve-check-tool? (Reshetova, Elena)
On 2015-08-05 09:54:52 -0700 (-0700), Clint Byrum wrote:
Doesn't
(Merging thread from security ML)
Bandit probably isn't the correct integration point for this - cve-check
has its own analysis procedures while
Bandit uses Python AST. Also I see the use workflows being different.
For Bandit a developer/gate wants to
check a specific code snippet whereas for
On 2015-08-05 13:14:40 + (+), McPeak, Travis wrote:
[...]
The only concern that I have is the requisite database.
Downloading a 500MB + CVE database for the jobs could become
painful. We could either keep the CVE database on each node in
the test pool or download it at the start of
On 8/5/15, 08:14, McPeak, Travis travis.mcp...@hp.com wrote:
(Merging thread from security ML)
Bandit probably isn't the correct integration point for this - cve-check
has its own analysis procedures while
Bandit uses Python AST. Also I see the use workflows being different.
For Bandit a
On 2015-08-05 15:04:15 + (+), Ian Cordasco wrote:
One point of clarification. Not every project has to opt into
global-requirements so this isn't necessarily true. Also with the
merging of the stackforge and openstack namespaces, it'll be
harder to distinguish when a project is or
On Wed, Aug 5, 2015, at 08:22 AM, Jeremy Stanley wrote:
On 2015-08-05 15:04:15 + (+), Ian Cordasco wrote:
One point of clarification. Not every project has to opt into
global-requirements so this isn't necessarily true. Also with the
merging of the stackforge and openstack
]
Sent: Wednesday, August 5, 2015 6:15 AM
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] [Security] Would people see a value in the
cve-check-tool? (Reshetova, Elena)
(Merging thread from security ML)
Bandit probably isn't the correct integration point for this - cve-check has
On 2015-08-05 08:28:27 -0700 (-0700), Clark Boylan wrote:
We already track it in the requirements repo itself [0]. Not sure if we
need an additional tracking method.
[0]
https://git.openstack.org/cgit/openstack/requirements/tree/projects.txt
That tracks repos which get reqs sync proposals
On 2015-08-05 16:08:16 + (+), Reshetova, Elena wrote:
[...]
Actually the database is downloaded only once (the first time) and
then only database diffs are downloaded, which is much faster. I
don't know enough about your node setup (do you fully clean up
each node between the builds?)
Excerpts from Reshetova, Elena's message of 2015-08-05 09:08:16 -0700:
The only concern that I have is the requisite database. Downloading a
500MB + CVE database for the jobs could become painful. We could either
keep the CVE database on each node in the test pool or download it at the
On 2015-08-05 15:22:29 + (+), Jeremy Stanley wrote:
[...]
Now that we've dissolved more of those arbitrary distinctions, this
seems like a great opportunity for tracking with a governance tag.
I'll go ahead and propose one later today if I get a spare moment.
Actually, I take that
On 2015-08-05 09:54:52 -0700 (-0700), Clint Byrum wrote:
Doesn't this feel like a job for AFS? Maintain the db there, and let the
nodes access it as-needed?
I guess it depends on whether the tool needs to read the entire
database to perform its queries (in which case using AFS would be