*** avanzaghi5 is now known as avanzaghi | 00:56 | |
dtantsur | This may be old news, just making sure y'all are aware: https://github.com/eventlet/eventlet/issues/795 | 13:41 |
fungi | odds are we won't hit that until we start testing with 3.12 in about 6 months. the security risk mentioned there is presumably only an option if we use eventlet to make https/tls socket connections rather than relying on another module to provide that functionality | 13:47 |
fungi | s/option/problem/ | 13:47 |
fungi | definitely worth keeping tabs on though | 13:48 |
fungi | codesearch does turn up some projects that import eventlet's monkeypatched urllib2, socket, and/or ssl modules | 13:53 |
dansmith | ugh | 13:53 |
fungi | but from a vmt perspective we have a long-standing public security hardening bug about securing service-to-service connections against mitm, so this isn't really anything new in that regard | 13:54 |
dansmith | I' | 13:55 |
dansmith | am more commenting on the fact that this is that broken and yet unfixed | 13:55 |
dansmith | it's not just that it's not secure, it's that it's broken on newer python | 13:56 |
*** Gues__________________________ is now known as jjung | 13:58 | |
fungi | yep, and we've (eventlet upstream and consumers alike) not acted on a deprecation from roughly 3 years ago | 13:59 |
frickler | this also seems relevant in the context of eventlet + py312 https://github.com/eventlet/eventlet/issues/804 | 14:03 |
dtantsur | So, do we rewrite OpenStack in Go or Rust? :D | 14:08 |
fungi | no rewriting in toy languages, please ;) | 14:08 |
fungi | cobol or go home | 14:08 |
dtantsur | That's the spirit! | 14:09 |
dtantsur | On a serious note, maybe, MAYBE, we should slowly think about dropping eventlet | 14:09 |
fungi | yeah, i can't believe that's never come up before | 14:09 |
dtantsur | I keep complaining in the Ironic channel, but probably never bothered to annoy y'all here | 14:09 |
dtantsur | We should have talked about it on the current PTG.. | 14:11 |
clarkb | fungi: IBM will sell you a watson labeled code generation system to convert cobol to java. Once upon a time you might have referred to that as a compiler but now it's AI | 14:14 |
fungi | yes, everything is ai now | 14:14 |
* TheJulia has thoughts and opinions, but that would be a distraction | 14:24 | |
clarkb | it's interesting that SNI is called out in that issue. I know not having SNI breaks good portions of the Internet but isn't SNI typically considered a less secure compromise because it discloses too much information in the clear portion of connection setup? | 14:25 |
dansmith | I thought there was some SNI replacement that *is* secure now | 14:26 |
dansmith | but yeah I think you're right about the original SNI thing | 14:26 |
dansmith | so not sure if they mean SNI-like stuff or just the original SNI spec | 14:26 |
clarkb | ah got it | 14:26 |
dtantsur | I think the alternative is not widely deployed yet | 14:27 |
dtantsur | ESNI was kinda insecure too, ECH is very new | 14:28 |
clarkb | also interesting that python presumably refuses to fix those methods because of compatibility issues. But deleting the code entirely is fine nevermind compatibility issues there | 14:32 |
clarkb | feels like priorities are misplaced. But maybe that is the easier thing to do since deleting code requires less effort than debugging it | 14:33 |
dansmith | well, I dunno that it's fixable necessarily as it might be a "this is the wrong way to do this" sort of thing | 14:36 |
dansmith | however, it sucks to just remove stuff like this because you're *sure* it's so important that it's worth breaking people's software | 14:36 |
clarkb | well the fix is to use a different piece of code that has a very similar api. I don't think it's a case of "impossible to accomplish" | 14:40 |
dansmith | yeah well if so then it's definitely heinous | 14:40 |
clarkb | but looking at that more closely the context tooling forces you to be more explicit about verification options and tls versions and so on. So probably part of the problem is they don't want you to assume their global assumptions are good any longer | 14:40 |
dansmith | yeah, it just sucks to break everything for such a thing, IMHO.. print a warning to stdout or something attention-getting, but... idk, I'm just tired of this level of breakage and being such a moving target | 14:42 |
clarkb | ya and the ssl context flag behavior change between python releases too | 14:42 |
* dansmith nods | 14:42 | |
dtantsur | Changing code may lead to subtle bugs, deleting is clear and transparent | 14:42 |
* dtantsur is guessing without having any context either | 14:42 | |
clarkb | so you end up with code that creates a context using ssl.PROTOCOL_TLS_CLIENT flags and then explicitly disable sslv3 anyway because if run under an older python TLS_CLIENT might allow sslv3 | 14:43 |
fungi | from an upstream cpython perspective, they'd like to be able to completely discard the ssl module from stdlib | 14:56 |
fungi | and never think about it again | 14:57 |
fungi | it's a huge portability challenge for them, especially for windows builds | 14:57 |
fungi | they'd rather programs relied on third-party modules for cryptographic operations | 14:58 |
dtantsur | A wise call (except that a lot of stuff even in stdlib depends on SSLContext) | 15:04 |
fungi | yeah, they're aware that they can't easily untangle it | 15:08 |
JayF | HEADS UP: We've switched times of next two vPTG sessions | 15:41 |
JayF | ELECTION RETROSPECTIVE is now at UTC 1700-1800 | 15:41 |
JayF | MORE PREDICTABLE PYTHON MIN VERSION is now at UTC 1600-1700 | 15:41 |
opendevreview | Tony Breeds proposed openstack/governance master: [docs] Add links to release based runtimes https://review.opendev.org/c/openstack/governance/+/899301 | 20:58 |
JayF | someone downstream in GR-OSS is looking at Python 3.12 support in eventlet: https://github.com/eventlet/eventlet/pull/797#issuecomment-1783534827 | 21:58 |
fungi | awesome | 22:47 |
JayF | I do suspect we'll still end up needing to touch every project that uses it due to the api change | 23:00 |