| opendevreview | OpenStack Proposal Bot proposed openstack/project-config master: Normalize projects.yaml https://review.opendev.org/c/openstack/project-config/+/962557 | 02:25 |
|---|---|---|
| *** | mrunge_ is now known as mrunge | 06:13 |
| ildikov | Hi, I'm reaching out with a quick question. The StarlingX vulnerability team received a report regarding https://docs.starlingx.io/backup/ and points out that the directory listing shouldn't be available on that url. | 14:46 |
| ildikov | As the StarlingX docs site is on the opendev infrastructure, I wanted to check if y'all have run into this before? And might ideas how to resolve it? | 14:48 |
| clarkb | ildikov: that happens because there is no index.html in that directory. That seems to be intentional based on the links on this page: https://docs.starlingx.io/#backup-and-restore | 14:49 |
| clarkb | this isn't an opendev issue, it's a content issue. We're serving what is present in the content | 14:49 |
| ildikov | the vulnerability report states that in this case the API response should be 403 | 14:49 |
| clarkb | if index-backup-1b466179efc3.html is renamed to index.html or an index.html is added you'll get the content of that index.html file | 14:50 |
| clarkb | ildikov: the server is configured to generate an index file automatically if one isn't present. This is intentional as it supports use cases like the tarballs hosting. We can theoretically turn that off for starlingx docs in particular since that should be its own vhost, but I think it would be good to understand why fixing it in the content is not possible first | 14:51 |
| clarkb | it's also not really a vulnerability as is | 14:52 |
| clarkb | it could potentially expose unwanted data if you push it there, but considering all of the docs are generated from public git repos already the risk is low to nil | 14:52 |
| ildikov | I understand | 14:53 |
| ildikov | thank you for clarifying | 14:54 |
| fungi | ildikov: yes, if there is no secret data in that directory, then there is absolutely no vulnerability in listing the contents of it. reports like that are noise and i just send them directly to the trash without even wasting my time responding | 14:56 |
| fungi | there is too little time in the day for dealing with actual vulnerabilities to spend it on that sort of nonsense | 14:57 |
| clarkb | looking at the source for the starlingx docs I think what happened is they stopped updating those particular docs so those are a point in time snapshot which is where the hash suffix comes from | 14:58 |
| clarkb | another option there is to have a minimal stub for those docs using proper indexes | 14:58 |
| clarkb | index.html that says "these docs are deprecated and not updated, see historical version here: linkwithsuffix" | 14:59 |
| *** | NeilHanlon_ is now known as NeilHanlon | 15:06 |
| fungi | Πthon is released! https://discuss.python.org/t/python-3-14-0-final-is-here/104210 | 15:32 |
| clarkb | TIL upper case π is far less recognizable | 15:35 |
| fungi | i contemplated saying πthon instead | 15:36 |
| clarkb | I thought it was a ∩ at first | 15:44 |
| fungi | my terminal fonts make both look too much like latin "n" | 15:46 |
| *** | dhill is now known as Guest28563 | 16:19 |
| *** | dhill is now known as Guest28569 | 17:35 |
| clarkb | I've deleted old nodepool images in rax flex and ovh. Ovh in particular was holding onto some old images. Still need to do rax classic, vexxhost, openmetal and osuosl | 17:44 |
| corvus | thanks! | 17:44 |
| tonyb | I'm going to be a couple of minutes late for the pre-PTG start. | 17:55 |
| clarkb | ack, it's early for you no rush | 17:57 |
| fungi | we'll keep your seat warm | 17:57 |
| fungi | and coffee hot | 17:57 |
| clarkb | we've fully entered the time of year where I'm cold until about 2pm and then it's too warm. Weather transition problems | 17:59 |
| fungi | i'm already in the room, assuming it's the one that matches the planning pad | 17:59 |
| fungi | which the pad says it should be | 17:59 |
| clarkb | fungi: I'm there too and don't see you | 18:00 |
| clarkb | https://meetpad.opendev.org/p/opendev-preptg-october-2025 | 18:00 |
| fungi | https://meetpad.opendev.org/opendev-preptg-october-2025 is what it says i'm in | 18:01 |
| clarkb | oh ha | 18:01 |
| fungi | now corvus is in mine too | 18:01 |
| clarkb | I copied the etherpad link and left the /p/ | 18:01 |
| clarkb | that will learn me | 18:01 |
| fungi | oh, /p strikes again, yep | 18:01 |
| clarkb | though I guess that works just not the way we want | 18:01 |
| fungi | yeah, low hanging fruit: blanket redirect from https://meetpad.opendev.org/p/(.*) to https://meetpad.opendev.org/$1 | 18:04 |
| clarkb | ok first block done. And now lunch | 20:05 |
| clarkb | and then a reminder that I have to pop out in about 1.5 hours for a dentist visit | 20:05 |
| clarkb | I started on the osuosl image cleanups. noble and jammy cleared out ok. older focal and bionic images hit 500 errors | 21:10 |
| clarkb | I'm going to have to pause there, but it seems likely we'll need to ask a cloud admin to cleanup whatever is left when I'm done | 21:10 |
| fungi | makes sense, thanks for working on that! | 21:11 |
| clarkb | ok I cleaned up the images in osuosl that I could delete https://paste.opendev.org/show/bC0wmj2PI0SXHcuVwC3P/ are the images I could not delete | 23:13 |
| clarkb | Ramereth[m]: absolutely no rush at all on this but https://paste.opendev.org/show/bC0wmj2PI0SXHcuVwC3P/ contains a list of image uploads in the osuosl arm64 openstack cloud that can be deleted but I get http 500 errors when attempting to do so as our normal user account | 23:14 |
| clarkb | I'm working on openmetal next | 23:14 |
| clarkb | openmetal is done except one jammy image wouldn't delete. Glance claims it is in use, but I'm not sure how as there are no nodepool nodes listed anymore | 23:18 |
| clarkb | I'll pause here. Rax classic and vexxhost are the remaining clouds that need the nodepool image cleanups | 23:19 |
| clarkb | also it's looking like tomorrow after my morning meeting block (pre ptg included) I'll be popping out to help my brother move back into the house I just helped him move out of (the joys of home remodelling and moving twice in 4 months) | 23:23 |
| clarkb | our new ubuntu noble image uploads for builds created after I deleted the image with corrupted git repos have completed. We should check on the daily image builds that run in a couple of hours /me makes a note to check that tomorrow | 23:26 |
| clarkb | Mostly want to make sure there isn't some consistent problem that reproduces this issue as our assumption for right now is some fluke in uploads/conversion | 23:26 |
| tonyb | corvus: FWIW, I mostly understand why https://review.opendev.org/c/openstack/openstacksdk/+/931575 fails (at least for the test_create_object case). I need to learn a little more about swift and openstacksdk to fix it. | 23:58 |