opendevreview | Merged openstack/glance stable/victoria: [stable-only] Remove glance-code-constants-check https://review.opendev.org/c/openstack/glance/+/863945 | 06:09 |
---|---|---|
opendevreview | Merged openstack/glance stable/ussuri: [stable-only] Remove glance-code-constants-check https://review.opendev.org/c/openstack/glance/+/863946 | 06:31 |
*** bhagyashris_ is now known as bhagyashris|ruck | 07:34 | |
opendevreview | Merged openstack/glance stable/zed: Enforce image safety during image_conversion https://review.opendev.org/c/openstack/glance/+/871614 | 12:37 |
opendevreview | Merged openstack/glance stable/yoga: Enforce image safety during image_conversion https://review.opendev.org/c/openstack/glance/+/871617 | 12:38 |
opendevreview | Merged openstack/glance stable/xena: Enforce image safety during image_conversion https://review.opendev.org/c/openstack/glance/+/871619 | 16:22 |
zigo | dansmith: Hi there! How are you? | 20:56 |
zigo | I was able to backport the Glance CVE-2022-47951 patch to Rocky, but the unit tests file where the tests are going doesn't exist in Rocky, so don't know what to do with the added tests. | 20:56 |
zigo | Any suggestion? | 20:56 |
zigo | FYI, I tested installing a fresh Glance/Rocky on a VM, and I could upload a file, so I'm at least sure it's not fully broken! :) | 20:57 |
dansmith | zigo: rocky is before my glance tenure, so not entirely sure.. is the image_conversion file there but just not the test file? | 20:57 |
zigo | Correct. | 20:57 |
zigo | glance/glance/tests/unit/async_/flows/plugins/test_image_conversion.py doesn't exist ... | 20:58 |
dansmith | Well, I guess you need to either not backport the tests (do they ever get run?) or recreate the skeleton of that file enough so they run | 20:58 |
zigo | dansmith: In Debian, and I guess in most distros, we run unit tests when the package is built. | 20:59 |
dansmith | okay | 20:59 |
zigo | It's a very good insurance that the package is working. | 20:59 |
zigo | That's also how I managed to fix Nova (and backported 2 other patches for the CVE patch to work...). | 20:59 |
dansmith | so I guess you need the test class, setUp(), the _setup_whatever() function and the test functions | 21:00 |
zigo | dansmith: I tried to make a new file from scratch and failed ... :/ | 21:00 |
zigo | dansmith: I just wonder: is it planned that you backport to Rocky too? | 21:00 |
zigo | If so, I'll stop my efforts ... | 21:00 |
dansmith | did you try just copying the whole test file from a newer release? that might work | 21:00 |
dansmith | zigo: nope | 21:01 |
zigo | I copied the file yes, but removed all the tests that aren't part of the CVE patch. | 21:01 |
zigo | So, only setup() and so on remain ... | 21:01 |
dansmith | and that failed how? | 21:01 |
zigo | "oslo_config.cfg.NoSuchOptError: no such option conversion_plugin_options in group [DEFAULT]" | 21:02 |
zigo | (4 failures) | 21:02 |
zigo | TypeError: option values must be strings | 21:02 |
zigo | 2023-01-25 13:51:55,453 ERROR [stevedore.extension] Could not load 'swift': option values must be strings | 21:02 |
dansmith | ah, well, that's getting pretty old and crusty you know | 21:02 |
zigo | :) | 21:02 |
dansmith | probably better to sync with abhi in (his) morning since he was around back then, and likely knows better how much of image_conversion was present in rocky (or not) | 21:03 |
zigo | Ok. Thanks. | 21:03 |
zigo | I probably will just upload like this to security-master, and see if someone complains ! :) | 21:04 |
zigo | It's better than leaving glance unpatched. | 21:04 |
dansmith | seems like a reasonable plan :) | 21:04 |
zigo | At least, as I wrote above, I'm sure it's not completely broken... :P | 21:05 |
dansmith | you said "upload an image", but you know this doesn't impact the upload workflow, right? | 21:05 |
dansmith | almost everyone uses upload, but this impacts *import* which is a two-phase commit sort of thing | 21:05 |
zigo | Right, I just wanted to make sure Glance continued working... | 21:06 |
zigo | I'm guessing it's a test issue only, so... | 21:06 |
dansmith | ack, well, in that same goal, since this doesn't impact upload, which is what almost everyone uses, it's also less likely to break that common workflow | 21:06 |
dansmith | which makes merging it without tests... safer? :) | 21:07 |
zigo | I've already done the patching work for 9 releases of openstack, times 3 packages (glance, nova, cinder), plus 2 packages of oslo.utils, that's 29 packages, I'm getting a little tired of this CVE ! :) | 21:07 |
dansmith | heh, I bet :) | 21:07 |
zigo | I still got some unpatched cinder version, moving to that. Thanks for your useful comments! | 21:09 |
dansmith | np | 21:09 |