*** austin987 has joined #openstack-security | 00:01 | |
*** macz_ has joined #openstack-security | 00:20 | |
*** Jackneill has joined #openstack-security | 00:25 | |
*** macz_ has quit IRC | 00:25 | |
*** gyee has quit IRC | 01:15 | |
*** macz_ has joined #openstack-security | 02:08 | |
*** macz_ has quit IRC | 02:12 | |
*** dave-mccowan has quit IRC | 04:36 | |
*** macz_ has joined #openstack-security | 12:41 | |
*** macz_ has quit IRC | 12:46 | |
*** priteau has joined #openstack-security | 13:40 | |
*** dave-mccowan has joined #openstack-security | 14:19 | |
*** macz_ has joined #openstack-security | 14:34 | |
*** macz_ has quit IRC | 14:39 | |
*** macz_ has joined #openstack-security | 14:51 | |
priteau | Hi fungi and gagehugo. I would just like to check if there's anything left to do on OSSA-2020-007? I see the CVE has been made public, was it requested by either of you? | 15:25 |
---|---|---|
fungi | nope, if you request a cve for an already public issue then it's usually made public straight away or shortly after they assign the number | 15:27 |
fungi | priteau: i tried to give you a heads up via irc privmsg once it merged pointing to the documentation on how to distribute copies to relevant mailing lists, and we also covered it in the security sig meeting yesterday. i'll get you a link to the meeting minutes | 15:28 |
priteau | Sorry, I was on a VPN yesterday and kept off IRC. I should really set up a bouncer… | 15:29 |
priteau | Don't worry I know how to find the minutes ;-) | 15:29 |
fungi | priteau: here's where we covered it: http://eavesdrop.openstack.org/meetings/security/2020/security.2020-10-15-15.00.log.html#l-20 | 15:30 |
priteau | Thanks | 15:31 |
priteau | fungi: I can send the email, even GPG sign it, but my pub key is known by maybe two people in the world. Is this a problem? | 16:04 |
fungi | priteau: not a problem at all. in fact, it's a solution. this is how your key gets to be known by more people. now it will be in mailing list archives as having signed a security advisory ;) | 16:05 |
priteau | Sure, but with no trust that it was actually me sending the email? I've used gpg a handful of times, but the first time the other person actually checked my ID before trusting my key ;-) | 16:07 |
fungi | priteau: in this case it's going to refer back to verifiable discussions in code review and bug trackers, so it's a good opportunity to build visibility | 16:08 |
priteau | fungi: I think I'm missing something. The GPG signature file doesn't contain my pub key right, so for this to be in any way useful I should still publish my pub key somewhere? | 16:27 |
fungi | priteau: publishing your key to the keyserver network is a good idea regardless, but people will still know what key id has signed the message and when they see another message with a signature made by the same key they will be able to confirm both messages came from someone who probably controls that key and they may want to fetch it from the keyserver network to find out | 16:28 |
priteau | I see, thanks. | 16:33 |
fungi | you're establishing a reputation, essentially | 16:35 |
fungi | (a reputation for your key) | 16:35 |
*** mgariepy has quit IRC | 16:44 | |
*** mgariepy has joined #openstack-security | 16:46 | |
priteau | fungi: Before I send to openwall, does the email sent to openstack-discuss look ok? | 16:57 |
fungi | priteau: yep, looks great, and seems to be signed by a key with id 0x4FEF431A967B6060 | 16:59 |
priteau | I've uploaded it to http://keys.gnupg.net/ | 17:00 |
fungi | cool, it should propagate to other keyservers from there, though can take a few days as the classic keyserver distribution protocol uses periodic e-mail messages | 17:00 |
fungi | (literally the keyservers e-mail copies of updated public keys to one another) | 17:01 |
priteau | I tried to import your key from pgp.mit.edu at first but it doesn't appear to be up to date | 17:01 |
fungi | http://pool.sks-keyservers.net:11371/pks/lookup?op=vindex&search=0x97ae496fc02dec9fc353b2e748f9961143495829&fingerprint=on shows the most recent selfsig on mine expires 2021-09-18 so maybe pgp.mit.edu isn't getting timely updates from the sks pool | 17:04 |
priteau | Thanks for your help! | 17:06 |
fungi | you're welcome! | 17:07 |
fungi | oof, searching at https://pgp.mit.edu/ just spins indefinitely for me | 17:08 |
fungi | priteau: i approved your openstack-announce post in the moderation queue just now as well | 17:13 |
*** mgariepy has quit IRC | 17:39 | |
*** mgariepy has joined #openstack-security | 17:44 | |
*** priteau has quit IRC | 19:40 | |
*** dave-mccowan has quit IRC | 22:00 | |
*** dave-mccowan has joined #openstack-security | 22:04 | |
*** dave-mccowan has quit IRC | 23:12 | |
*** dave-mccowan has joined #openstack-security | 23:33 | |
*** macz_ has quit IRC | 23:54 | |
*** dave-mccowan has quit IRC | 23:55 |