Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

2019-03-21 Thread Carlos Santana
It can exist

Please let’s not create it

- Carlos Santana
@csantanapr

> On Mar 21, 2019, at 8:58 AM, Bertrand Delacretaz  
> wrote:
> 
> Hi,
> 
>> On Thu, Mar 21, 2019 at 10:03 AM Carlos Santana  wrote:
>> ...
>> -1 to have yet another ML list secur...@openwhisk.apache.org ...
> 
> FWIW I was not saying that that list should exist, just that it *can*
> exist if desired.
> 
> -Bertrand


Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

2019-03-21 Thread Bertrand Delacretaz
Hi,

On Thu, Mar 21, 2019 at 10:03 AM Carlos Santana  wrote:
...
> -1 to have yet another ML list secur...@openwhisk.apache.org ...

FWIW I was not saying that that list should exist, just that it *can*
exist if desired.

-Bertrand


Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

2019-03-21 Thread Carlos Santana
Yep that’s why I said let’s use the already 2 mailing lists secur...@apache.org 
and priv...@openwhisk.org

Let’s not create a 3rd

- Carlos Santana
@csantanapr

> On Mar 21, 2019, at 8:54 AM, Matt Sicker  wrote:
> 
> Security mailing lists should also be private and only accessible to PMC
> members (and ASF members).
> 
>> On Thu, Mar 21, 2019 at 04:03, Carlos Santana  wrote:
>> 
>> That’s fine to have a page and security mailing list.
>> 
>> Who from the PPMC is going to monitor the security@ mailing list?
>> 
>> I’m already subscribed to private@
>> 
>> I would not want sensitive topics and reports to be discussed in this
>> security ML if anyone is allowed to be subscribed.
>> 
>> The ASF process still needs to be followed anyway and any reports we would
>> need to loop in secur...@apache.org anyway
>> 
>> I bet people would email by mistake secur...@openwhisk.apache.org with
>> sensitive data when they should have used secur...@apache.org and also bet
>> we will be explaining multiple times when to use each ML list.
>> 
>> If we have such ML list I certainly will not be using it or subscribing and
>> expect any serious reports and findings to find their way to private@
>> 
>> If there are users that have security questions on how to do something or
>> someone sharing best practice for security they can certainly use the dev@
>> list we have today
>> 
>> +1 to have a security page
>> -1 to have yet another ML list secur...@openwhisk.apache.org
>> 
>> - Carlos Santana
>> @csantanapr
>> 
>>> On Mar 21, 2019, at 4:28 AM, Bertrand Delacretaz 
>> wrote:
>>> 
>>> Hi,
>>> 
>>>> On Wed, Mar 20, 2019 at 10:43 PM Carlos Santana wrote:
>>>> For security reports, ASF already have a process let's not improvise..
>>> 
>>> Agreed but it's fine for projects to have their own security page, as
>>> long as the ASF process is followed.
>>> 
>>>> ... Reported should send email to secur...@apache.org ...
>>> 
>>> It's also ok for projects to have their own security@ list, see
>>> https://sling.apache.org/project-information/security.html for an
>>> example.
>>> 
>>> -Bertrand
>> 
> -- 
> Matt Sicker 


Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

2019-03-21 Thread Matt Sicker
Security mailing lists should also be private and only accessible to PMC
members (and ASF members).

On Thu, Mar 21, 2019 at 04:03, Carlos Santana  wrote:

> That’s fine to have a page and security mailing list.
>
> Who from the PPMC is going to monitor the security@ mailing list?
>
> I’m already subscribed to private@
>
> I would not want sensitive topics and reports to be discussed in this
> security ML if anyone is allowed to be subscribed.
>
> The ASF process still needs to be followed anyway and any reports we would
> need to loop in secur...@apache.org anyway
>
> I bet people would email by mistake secur...@openwhisk.apache.org with
> sensitive data when they should have used secur...@apache.org and also bet
> we will be explaining multiple times when to use each ML list.
>
> If we have such ML list I certainly will not be using it or subscribing and
> expect any serious reports and findings to find their way to private@
>
> If there are users that have security questions on how to do something or
> someone sharing best practice for security they can certainly use the dev@
> list we have today
>
> +1 to have a security page
> -1 to have yet another ML list secur...@openwhisk.apache.org
>
> - Carlos Santana
> @csantanapr
>
> > On Mar 21, 2019, at 4:28 AM, Bertrand Delacretaz 
> wrote:
> >
> > Hi,
> >
> >> On Wed, Mar 20, 2019 at 10:43 PM Carlos Santana 
> wrote:
> >> For security reports, ASF already have a process let's not improvise..
> >
> > Agreed but it's fine for projects to have their own security page, as
> > long as the ASF process is followed.
> >
> >> ... Reported should send email to secur...@apache.org ...
> >
> > It's also ok for projects to have their own security@ list, see
> > https://sling.apache.org/project-information/security.html for an
> > example.
> >
> > -Bertrand
>
-- 
Matt Sicker 


Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

2019-03-21 Thread Carlos Santana
That’s fine to have a page and security mailing list. 

Who from the PPMC is going to monitor the security@ mailing list?

I’m already subscribed to private@

I would not want sensitive topics and reports to be discussed in this security ML 
if anyone is allowed to be subscribed. 

The ASF process still needs to be followed anyway and any reports we would need 
to loop in secur...@apache.org anyway

I bet people would email by mistake secur...@openwhisk.apache.org with 
sensitive data when they should have used secur...@apache.org and also bet we 
will be explaining multiple times when to use each ML list. 

If we have such ML list I certainly will not be using it or subscribing and 
expect any serious reports and findings to find their way to private@

If there are users that have security questions on how to do something or someone 
sharing best practice for security they can certainly use the dev@ list we have 
today

+1 to have a security page
-1 to have yet another ML list secur...@openwhisk.apache.org

- Carlos Santana
@csantanapr

> On Mar 21, 2019, at 4:28 AM, Bertrand Delacretaz  
> wrote:
> 
> Hi,
> 
>> On Wed, Mar 20, 2019 at 10:43 PM Carlos Santana  wrote:
>> For security reports, ASF already have a process let's not improvise..
> 
> Agreed but it's fine for projects to have their own security page, as
> long as the ASF process is followed.
> 
>> ... Reported should send email to secur...@apache.org ...
> 
> It's also ok for projects to have their own security@ list, see
> https://sling.apache.org/project-information/security.html for an
> example.
> 
> -Bertrand


Re: Added a "Security" page to website with simple, OW-specific instructions for vuln. reporting

2019-03-21 Thread Bertrand Delacretaz
Hi,

On Wed, Mar 20, 2019 at 10:43 PM Carlos Santana  wrote:
> For security reports, ASF already have a process let's not improvise..

Agreed but it's fine for projects to have their own security page, as
long as the ASF process is followed.

>... Reported should send email to secur...@apache.org ...

It's also ok for projects to have their own security@ list, see
https://sling.apache.org/project-information/security.html for an
example.

-Bertrand


[slack-digest] [2019-03-20] #general

2019-03-21 Thread OpenWhisk Team Slack
2019-03-20 03:48:03 UTC - Rodric Rabbah: I haven’t had a chance to look into 
this or replicate. I assume this is your own openwhisk deployment. 
https://openwhisk-team.slack.com/archives/C3TPCAQG1/p155305368333?thread_ts=1553053683.33=C3TPCAQG1

2019-03-20 08:14:59 UTC - Neeraj Mangal: @Adrian Schuepbach seems like SIGBUS 
error by gpf from trace, assuming you have access to your deployment, can you 
check if the disk on your invoker machine is not full, specifically /tmp 
directory. As you mentioned earlier it was working so seems like there is 
something not good with the system itself.
https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1553069699330100?thread_ts=1553025387.329000=C3TPCAQG1

2019-03-20 10:11:13 UTC - Adrian Schuepbach: No problem. Right, this is my own 
OpenWhisk deployment on Kubernetes (with 
incubator-openwhisk-deploy-kube/helm/openwhisk)
https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1553076673330300?thread_ts=1553053683.33=C3TPCAQG1

2019-03-20 10:15:39 UTC - Adrian Schuepbach: Yes, it seems like something with 
the system might be the cause. I checked the disks, the machine with the lowest 
free space has still 144GB free, the other ones have more than 600GB free 
space. I assume that the invoker won't need as much space as 144GB. What do you 
think?
https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1553076939330500?thread_ts=1553025387.329000=C3TPCAQG1

2019-03-20 11:32:27 UTC - Neeraj Mangal: ah, ok. yup it does not require that 
much disk. Just to confirm, did you check /tmp space as well. if /tmp also has 
sufficient space, does other action runtime work on your setup, like nodejs?
https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1553081547330700?thread_ts=1553025387.329000=C3TPCAQG1

2019-03-20 11:40:23 UTC - Adrian Schuepbach: `/tmp` is not a separate 
partition, so it has the same amount of free disk space as `/`
nodejs works fine.

Interestingly, after rebooting the underlying physical machines, the java nop 
function worked again and after invoking a different java action, the problem 
was here again. Since the point, when I invoked this "faulty" Java action, I 
cannot invoke the Java nop function anymore. Something is going bad and causes 
this bus error, which then happens for every further Java action invocation.

I am trying to isolate the problem, restarted the physical machines again and 
starting with the nop function again. I hope to find the root cause and also I 
hope to see why the problem happens for every invocation after it happened once.
https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1553082023330900?thread_ts=1553025387.329000=C3TPCAQG1

2019-03-20 14:58:21 UTC - Michele Sciabarra: can some Rubyist around translate 
for me this Python code in Ruby:
```
from __future__ import print_function
from sys import stdin
from sys import stdout
from sys import stderr
from os import fdopen
import sys, os, json, traceback

# now import the action as process input/output
from main__ import main as main

env = os.environ
out = fdopen(3, "wb")
while True:
  line = stdin.readline()
  if not line: break
  args = json.loads(line)
  payload = {}
  for key in args:
    if key == "value":
      payload = args["value"]
    else:
      env["__OW_%s" % key.upper()] = args[key]
  res = {}
  try:
    res = main(payload)
  except Exception as ex:
    print(traceback.format_exc(), file=stderr)
    res = {"error": str(ex)}
  out.write(json.dumps(res, ensure_ascii=False).encode('utf-8'))
  out.write(b'\n')
  stdout.flush()
  stderr.flush()
  out.flush()
```
https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1553093901331900

2019-03-20 15:23:26 UTC - Vincent Hou:  Document: about jenkins 
pipeline: 

https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1553095406332400

2019-03-20 15:24:29 UTC - Dave Grove: It seems like this might be more useful 
as a wiki document so it can be maintained by the community.  Why post on 
medium where it is hard to edit/keep up to date?
+1 : James Thomas
https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1553095469333600

2019-03-20 15:30:42 UTC - Vincent Hou: I lost my access to cwiki, just 
retrieved the credentials. @Dave Grove :disappointed:
https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1553095842334300

2019-03-20 15:34:22 UTC - Carlos Santana: wiki is down 

But I added a page about the OpenWhisk jenkins machine, you can edit that one, 
if you don't have access reset your password
https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1553096062335000

2019-03-20 15:38:20 UTC - Rodric Rabbah: can we pin jenkins url here
https://openwhisk-team.slack.com/archives/C3TPCAQG1/p1553096300335300

2019-03-20 15:46:41 UTC - Vincent Hou: I have just added a page for maintaining 
the jenkins 

[slack-digest] [2019-03-20] #apigateway

2019-03-21 Thread OpenWhisk Team Slack
2019-03-20 12:38:31 UTC - Mark Deuser: @Perry Dykes - try invoking your 
functions web action directly instead of going through the apigw.  the action 
url can be obtained with the `... action get ACTION --url` command
https://openwhisk-team.slack.com/archives/C3TP33Y2U/p1553085511014700

2019-03-20 12:39:09 UTC - Mark Deuser: then look at the activation record for 
failure details.. `... activation get ID` or `... activation get --last`
https://openwhisk-team.slack.com/archives/C3TP33Y2U/p1553085549015400



[slack-digest] [2019-03-20] #random

2019-03-21 Thread OpenWhisk Team Slack
2019-03-20 03:47:05 UTC - Rodric Rabbah: 

+1 : Dominic Kim
https://openwhisk-team.slack.com/archives/C3UDXSFA6/p1553053625213200

2019-03-20 05:43:23 UTC - Roberto Diaz: @Michele Sciabarra I have a question 
for the runtime tests. Are the environment variables always strings? I mean 
these variables:
```
res["api_host"] = os.Getenv("__OW_API_HOST")
res["api_key"] = os.Getenv("__OW_API_KEY")
res["namespace"] = os.Getenv("__OW_NAMESPACE")
res["action_name"] = os.Getenv("__OW_ACTION_NAME")
res["activation_id"] = os.Getenv("__OW_ACTIVATION_ID")
res["deadline"] = os.Getenv("__OW_DEADLINE")
```
https://openwhisk-team.slack.com/archives/C3UDXSFA6/p1553060603214600

2019-03-20 07:27:35 UTC - Michele Sciabarra: @Roberto Diaz I always treated all 
of them as strings
https://openwhisk-team.slack.com/archives/C3UDXSFA6/p1553066855215900

2019-03-20 07:28:27 UTC - Michele Sciabarra: I do not think you can type them 
as there can be more - the set is not fixed
https://openwhisk-team.slack.com/archives/C3UDXSFA6/p1553066907216700

2019-03-20 07:28:41 UTC - Michele Sciabarra: or less - the api_key may not be 
present for example
https://openwhisk-team.slack.com/archives/C3UDXSFA6/p1553066921217100

2019-03-20 08:31:24 UTC - Roberto Diaz: Oki doki
https://openwhisk-team.slack.com/archives/C3UDXSFA6/p1553070684217300

2019-03-20 09:13:07 UTC - Dominic Kim: It seems cwiki is unresponsive.
https://openwhisk-team.slack.com/archives/C3UDXSFA6/p1553073187217700

2019-03-20 11:11:24 UTC - Carlos Santana: @Roberto Diaz a downstream can have 
more environment variables passed from invoker to container via /run but what you 
posted is good as a simple test 
+1 : Roberto Diaz
https://openwhisk-team.slack.com/archives/C3UDXSFA6/p1553080284219500

2019-03-20 11:23:52 UTC - Rodric Rabbah: @Roberto Diaz these are standard for 
actions, docs here if they’re helpful for context 

+1 : Roberto Diaz
https://openwhisk-team.slack.com/archives/C3UDXSFA6/p1553081032220200

2019-03-20 11:55:01 UTC - Carlos Santana: 
 
https://openwhisk-team.slack.com/archives/C3UDXSFA6/p1553082901220500