opendevreview | Jay Faulkner proposed openstack/ossa master: OSSA-2024-004; Ironic CVE-2024-47211 https://review.opendev.org/c/openstack/ossa/+/931307 | 14:55 |
JayF | fungi: https://review.opendev.org/c/openstack/ossa/+/931307 please review | 14:55 |
opendevreview | Jay Faulkner proposed openstack/ossa master: OSSA-2024-004; Ironic CVE-2024-47211 https://review.opendev.org/c/openstack/ossa/+/931307 | 14:56 |
fungi | looking now | 14:57 |
fungi | JayF: i added a few quick inline comments | 15:06 |
JayF | fungi: you want me to move the note about unmaintained from lines 25/26 to the bottom? | 15:07 |
JayF | or did you miss I had it there altogether | 15:07 |
fungi | oh, hold on | 15:07 |
fungi | ah, it ended up in a mitigation section, okay (we don't normally put mitigation text in advisories, but that's fine i guess) | 15:08 |
JayF | I can move it if it should move | 15:09 |
JayF | I don't care just wanting to validate intentions | 15:09 |
JayF | also, you think like master:\n\thttp... or master/epoxy:\n\thttp | 15:09 |
fungi | nah it's fine, no need to delay this further, we should just make sure not to copy it to future ones (and sorry, juggling this while on a conference call) | 15:09 |
JayF | I'm thinking leave out release name since it doesn't exist? | 15:10 |
JayF | I'm still pushing a patch so happy to fully improve :D | 15:10 |
opendevreview | Jay Faulkner proposed openstack/ossa master: OSSA-2024-004; Ironic CVE-2024-47211 https://review.opendev.org/c/openstack/ossa/+/931307 | 15:10 |
JayF | that should fit in a bit better | 15:10 |
fungi | we've included the current cycle name with the master branch patch link in prior advisories | 15:11 |
JayF | ack one sec | 15:11 |
JayF | fungi: I find no examples of master branch being used in the last few ossas | 15:12 |
JayF | and our policy says we only support released things, so that matches my understanding | 15:13 |
JayF | e.g. https://github.com/openstack/ossa/blob/master/ossa/OSSA-2023-001.yaml | 15:13 |
fungi | JayF: yes sorry, we usually say "2025.1/Epoxy" | 15:13 |
opendevreview | Jay Faulkner proposed openstack/ossa master: OSSA-2024-004; Ironic CVE-2024-47211 https://review.opendev.org/c/openstack/ossa/+/931307 | 15:13 |
JayF | aha makes sense | 15:13 |
JayF | that's why it didn't pop out as needed when looking back | 15:13 |
fungi | check every past ossa, we always include a link to the master branch patch it just doesn't say "master" | 15:14 |
JayF | that makes sense in reflection but when looking at older examples I wasn't clicking links before lol | 15:14 |
fungi | no worries | 15:14 |
JayF | the latest update should be g2g | 15:15 |
* JayF notes the public security change for next time, too | 15:16 |
JayF | ugh closes-bug line | 15:17 |
JayF | I'll close it manually | 15:17 |
JayF | next time I'm budgeting morning time for coffee before trying to do this :D | 15:18 |
fungi | no worries. mostly helps to have it included in the very first patchset so the bug gets it linked on initial proposal too | 15:18 |
opendevreview | Merged openstack/ossa master: OSSA-2024-004; Ironic CVE-2024-47211 https://review.opendev.org/c/openstack/ossa/+/931307 | 15:21 |
JayF | fungi: ^ security.openstack.org is not updated, and there is no post job running | 15:24 |
JayF | there it is | 15:25 |
JayF | that's weird, the job was done | 15:26 |
* JayF suspects some kind of afs magic happening on the backend? | 15:26 |
JayF | https://security.openstack.org/ossa/OSSA-2024-004.html we need to update the sorting on that renderer, I think | 15:26 |
JayF | I might take a look to see | 15:26 |
fungi | yes, the promote job writes new content into the writable volume, then every 5 minutes we run a `vos release` command to copy the new state to the read-only replicas used by our webservers and such | 15:27 |
fungi | JayF: and yes, we do still need some function to more smartly sort the entries | 15:27 |
JayF | is that how all docs work and I've just never noticed? | 15:27 |
JayF | weird | 15:27 |
JayF | yeah, I might look at that now | 15:28 |
fungi | or maybe just not sort them and leave them in the order they've been added in the yaml | 15:28 |
fungi | which is probably simpler | 15:28 |
fungi | JayF: yes, docs.o.o, governance.o.o, releases.o.o, etc all work identically with regard to content publication | 15:28 |
fungi | if you have an afs client configured you can find their content in various subdirectories of /afs/openstack.org which are then mapped to vhosts on static.opendev.org | 15:29 |
fungi | static.opendev.org is really just an apache front-end to afs | 15:30 |
JayF | I haven't run a machine with an AFS client in ... 15 years? | 15:31 |
JayF | CVE publication requested, with a link to our OSSA | 15:35 |
JayF | and an email to openstack-announce is all that's left, I think | 15:36 |
JayF | fungi: was there a wiki page to update? I ask b/c rosmaita's email looks like a wiki page copy pasted :) | 15:39 |
JayF | oh hey, detailed instructions in the doc | 15:39 |
JayF | great job you | 15:39 |
rosmaita | :D | 15:39 |
fungi | JayF: no wiki page involved. see the process document, we usually just paste the interim rst rendering into e-mail directly | 15:40 |
rosmaita | JayF: you might want to look at https://review.opendev.org/c/openstack/ossa/+/930339 , it has some more detailed instructions | 15:40 |
JayF | I found it | 15:40 |
JayF | the instructions in the doc were sufficient for me to find it | 15:41 |
JayF | but I'll look at that, they could be clearer | 15:41 |
fungi | https://security.openstack.org/_sources/ossa/OSSA-2024-003.rst | 15:41 |
fungi | yeah, i wasn't sure how to reflect that in prose | 15:41 |
fungi | the openstack docs theme seems to intentionally omit the usual rst source document links you find in other sphinx themes | 15:42 |
JayF | email out | 15:42 |
JayF | oh I didn't realize it could be gotten from there at all | 15:42 |
JayF | I pulled it from the gate job from where it merged | 15:43 |
fungi | JayF: did you mean to sign the announcement? | 15:43 |
JayF | I think at this point I'm setup to sign anything | 15:43 |
fungi | looking at the version in the moderation queue, it doesn't look like you signed it | 15:43 |
JayF | oooh | 15:43 |
JayF | reject it, I'll resend one there | 15:43 |
fungi | discarded | 15:44 |
JayF | aha sent from wrong email | 15:44 |
JayF | that's why | 15:44 |
JayF | that one was supposed to be signed but doesn't appear to be? wtf | 15:46 |
fungi | yeah, no signature on it | 15:47 |
JayF | my thunderbird says it's signing it | 15:47 |
JayF | but that's clearly a lie | 15:47 |
fungi | the ones you sent me last week worked | 15:48 |
JayF | the one I just sent looks good | 15:49 |
JayF | you wanna sanity check? | 15:49 |
JayF | I used the tried and true repair method of "oh crap it just worked the second time without anything different or any explanation as to why it didn't work before" | 15:50 |
JayF | every engineer's favorite resolution | 15:50 |
fungi | OpenPGP_0x6B75D939B424C6D4.asc | 15:50 |
fungi | OpenPGP_signature.asc | 15:50 |
fungi | lgtm, approved it | 15:50 |
JayF | I don't know if just opening the key manager fixed it or what, I upgraded thunderbird the other day | 15:50 |
JayF | honestly this is the only case in the universe you have to use pgp email for these days, the support is rough in gui clients | 15:51 |
fungi | i dunno, i sign every message i send to any public mailing list, or when acting in an official capacity | 15:51 |
fungi | in mutt i just hit p,s and then it prompts me for my passphrase to unlock the signing key when i hit send | 15:52 |
fungi | but i get that support varies among muas | 15:53 |
JayF | my thunderbird signs anything from jay@jvf.cc by default, or at least, is configured to | 15:53 |
JayF | I honestly hadn't thought about the implications of adding an employer email to my key so I just haven't | 15:53 |
opendevreview | Merged openstack/ossa master: Update process doc https://review.opendev.org/c/openstack/ossa/+/930339 | 15:55 |
fungi | i add addresses if i use them for public interaction, and then revoke their respective uids if i no longer have control of them later | 16:03 |
fungi | but also i keep a fairly short expiration on my keys and just extend it periodically | 16:03 |
opendevreview | Jeremy Stanley proposed openstack/ossa master: Fix formatting for OSSA-2024-004 notes https://review.opendev.org/c/openstack/ossa/+/931315 | 16:17 |
fungi | JayF: i just noticed the last note in that ossa got its sentence split up between two entries ^ | 16:17 |
JayF | is one +2 sufficient in ossa? | 16:18 |
JayF | probably? | 16:18 |
fungi | not a big problem, just wanted to push up the quick fix before i forget | 16:18 |
fungi | yeah, just you reviewing that would be plenty. thanks! | 16:18 |
fungi | i even self-approve stuff in ossa when necessary | 16:18 |
fungi | anyway, now i'm really disappearing for the next few hours | 16:18 |
JayF | I figured, I think in practice I-personally will follow a "one +2 is OK" rule -- excepting cases where stuff is pre-reviewed e.g. in a bug and we know nobody else is around | 16:19 |
opendevreview | Merged openstack/ossa master: Fix formatting for OSSA-2024-004 notes https://review.opendev.org/c/openstack/ossa/+/931315 | 16:30 |