Add filter for security warnings from urllib3 #2688
Conversation
Obviously, we are aware of the security issues on the affected platforms, but these warnings serve no purpose on those platforms except to confuse or annoy users.
|
Is it possible to emit just a single warning somehow? (I know that's difficult if this happens with every comms attempt). Just wondering in case total suppression of these warnings looks bad to security boffins. |
|
Not sure how because the warnings come from client commands, which are individual invocations. At the moment, for example, each job on the affected system will get two sets. One from the started message command and one from the succeeded message command. The warnings are really pointless from the user's perspective because there is nothing they can do. It may be better if we simply document the potential issue of using HTTPS on python <2.7.10 in the user guide until we fully migrate to python 3. |
|
Fair enough, that's fine with me. |
|
Would it be possible to configure which warnings we ignore on a per-host basis so that sys-admins must explicitly ignore them? |
|
Yes, but is it worth investing so much complexity? It will not be long before we migrate Cylc to Python 3, so I think we can live with this. I'll add some extra docs to the user guide to document this issue. |
Also add extra info to user guide.
doc/src/cylc-user-guide/cug.tex
Outdated
| @@ -394,6 +396,8 @@ \subsection{Third-Party Software Packages} | |||
| \item {\bf pyOpenSSL} - \url{http://www.pyopenssl.org/} | |||
| \item {\bf python-requests} - \url{http://docs.python-requests.org/} | |||
| \item ({\bf python-urllib3} - should be bundled with python-requests) | |||
| \item ({\bf Python \lstinline@>=@ 2.7.9} (but not yet Python 3) is | |||
| recommended for the best security.) | |||
There was a problem hiding this comment.
Perhaps merge this into the previous paragraph to make it clear we support Python 2.6 something like:
{\bf Python \lstinline@>=2.6 <3@} is required {\bf Python \lstinline@>=2.7.9@} is recommended. Python
should already be installed in your Linux system. \url{https://python.org}.There was a problem hiding this comment.
Done. I have (hopefully) improved the statement regarding Python 2 requirement.
doc/src/cylc-user-guide/cug.tex
Outdated
| Cylc runs on Unix variants, usually Linux, and including Apple OS X. | ||
| Cylc runs on Linux. It is tested quite thoroughly on modern RHEL and Ubuntu | ||
| distros. Some users have also managed to make it work on other Unix variants | ||
| including Apple OS X. |
There was a problem hiding this comment.
Some users have also managed to make it work on other Unix variants including Apple OS X.
That phrasing sounds to me like It is working under OSX because some users could make it to work. However, it is unfortunately not documented nor obvious how one can make it work under OSX (see #2689), so I would rather phrase it more transparent, e.g.
Some users have also managed to make it work on other Unix variants including Apple OS X, but they are not officially tested and supported.
There was a problem hiding this comment.
I have added the suggested change to the latest commit.
Make it explicit that Apple OSX is not officially tested.
|
Do we not also need to filter |
|
|
|
@oliver-sanders - pinging you to sign off on this one, to get the release out early next week. |
Obviously, we are aware of the security issues on the affected
platforms, but these warnings serve no purpose on those platforms except
to confuse or annoy users.
Sufficient to close #2686. (Real fix will require #1874.)