cmurphy | gagehugo: fungi I attached a patch for #1855080 what are the next steps for getting it reviewed and ci'd and merged? should I just submit it to gerrit or is there an embargo procedure? | 19:01 |
---|---|---|
fungi | well, not talking about it in public would be the embargo procedure ;) | 19:01 |
fungi | gagehugo: also mentioned that the details got disclosed in #openstack-keystone though? | 19:01 |
fungi | so maybe we should just consider the embargo already broken | 19:02 |
cmurphy | yes it was... | 19:02 |
cmurphy | but can continue discussion in private anyway | 19:03 |
fungi | i haven't looked yet at the irc discussion to see how much of it was laid out, just a sec | 19:04 |
fungi | cmurphy: i've updated the bug to recommend we switch to our process for public reports and dispense with the embargo overhead | 19:10 |
fungi | the details in irc are basically also those in the report | 19:11 |
cmurphy | fungi: okay, thanks | 19:11 |
cmurphy | fungi: for future reference, what would be the procedure? | 19:11 |
fungi | cmurphy: both public and private report processes are described at https://security.openstack.org/vmt-process.html#process but basically the next steps under embargo would have been review from other keystone reviewers and preapproval within bug comments as well as the vmt drafting and reviewing an impact description in bug comments, then scheduling the disclosure date and sending copies of the | 19:13 |
fungi | backports to the embargo-notice mailing list | 19:13 |
cmurphy | fungi: thanks | 19:13 |
fungi | the process for public reports is simpler and more like our usual workflow for any bug on the other hand. push patches to gerrit, propose backports, get at least tentative approval in review, similarly someone (usually a vmt member) proposes an impact description and advisory to the openstack/ossa repo and that gets reviewed in parallel. when everything is approved an advisory is published to the | 19:15 |
fungi | security.openstack.org site and a number of relevant public mailing lists | 19:15 |
fungi | publication for private/embargoed reports on the other hand is that at the scheduled disclosure time we push the fixes and advisory change all at once, hope pre-review/manual testing were sufficient to get it passing gate jobs, and send advisory to public mailing lists | 19:17 |
fungi | obviously embargoes are not only a lot more work but also more of a scramble and nail-biting come disclosure time | 19:18 |
fungi | so if there's a good reason not to do one (for example, the problem has already been mentioned in public) then it's best to just get it done quicker in public | 19:18 |
gagehugo | fungi cmurphy: yeah the details are already out there, moving to public and getting cmurphy's ps in gerrit quickly would be a good path forward imo | 19:35 |
fungi | thanks | 19:39 |
gagehugo | cmurphy: could you submit that fix then for this when you get a chance? | 19:43 |
cmurphy | gagehugo: done | 19:45 |
gagehugo | thanks! | 19:47 |
fungi | gagehugo: are you interested in drafting the impact description for this one? if so i'll set you as the assignee on the ossa task | 19:48 |
gagehugo | yeah will do | 19:48 |
fungi | you can push it straight up to gerrit for openstack/ossa if you want, since this is now public | 19:48 |
fungi | gagehugo: also, a reminder, if you switch a bug to public, remove the embargo preamble from the bug description | 19:49 |
gagehugo | ah ok, will do | 19:49 |
fungi | it's no longer relevant and can cause future confusion | 19:50 |
fungi | (i just did it now for this one) | 19:50 |
fungi | thanks for picking it up! | 19:50 |