[openstack-dev] [security][bandit] Looking to the future

Kelsey, Timothy John tim.kelsey at hp.com
Sat Sep 5 16:46:08 UTC 2015


Hey Bandit Folks,
Thanks for all the great work done during the recent security mid cycle, we have made some really solid progress on key areas like documentation, testing, and code quality. It was also great to see people in person! This email follows on from various conversations with the hope of keeping our momentum and planning out our next steps.

Key Focus Areas

Documentation
We made good progress here getting our docs layout and initial content down. The next steps now are to keep pushing to bring our docs up to scratch across the board, covering all testing and report plugins we have available today. As cores, I would suggest we don’t accept any new tests without accompanying documentation. Work will now be done to integrate our sphinx build with infra to get our stuff available online, much in the same way as Anchor has done here: http://docs.openstack.org/developer/anchor/

Testing
We had a strong push to add unit tests to supplement our existing functional tests. Going forward we should continue to focus on bringing our coverage up and bug fixing as we go. Cores should be mindful of coverage when reviewing new patches and significant blocks of new work should of course be accompanied with unit tests. To help with this, coverage reporting will be added to the current tox output report.

Code Quality
Bandit is growing fast, new and interesting stuff is being added all the time, but it's worth keeping in mind that there is a lot of code that was hastily written for the original prototype and still persists in the code base today. This is a source of potential bugs and unnecessary complexity; any effort directed at improving this situation would be a good thing. Refactoring is also a perfect opportunity to bring up our test coverage as well.

Releases
Up to this point bandit has had a fairly ad hoc release schedule, with new releases being pushed once a significant number of new features/bug fixes have been accumulated. Going forward we should review this strategy and determine if it is still appropriate. We should also consider how our releases could best tie into the overarching OpenStack release cadence. I would very much like to hear people's thoughts on this matter.

Anyway, please let me know what people think of this, or anything else that I haven’t covered here.

Thanks again for all your hard work

--
Tim Kelsey
Cloud Security Engineer
HP Hellion
