| ricolin_ | Hi team, I made a patch to support BFV for DHSS instances, please kindly review when you have time, thanks :) | 02:08 |
|---|---|---|
| ricolin_ | https://review.opendev.org/c/openstack/manila/+/959016 | 02:08 |
| *** | vhari_ is now known as vhari | 15:00 |
| fungi | vhari: note that the ossa "won't fix" on https://bugs.launchpad.net/manila/+bug/2125397 (as mentioned in the meeting earlier) just means the vmt won't issue any security advisory about that bug report, it's not meant as a judgement about validity of the bug in other contexts | 16:25 |
| fungi | my comment in the bug was more about why it was safe to go ahead and switch it to public without waiting for further input and confirmation | 16:26 |
| fungi | we semi-regularly get people running canned security scanners on our git repos and then reporting those results as "bugs" in the projects, so i tend to be fairly terse in such cases | 16:28 |
| fungi | a lot of them come from "security grifters" hoping for handouts from bug bounty programs, and the reporters disappear the moment they figure out there's no payday for them | 16:29 |
| gouthamr | i could swear i've seen this sorta bug before | 17:49 |
| gouthamr | https://bugs.launchpad.net/manila/+bug/2106619 | 17:52 |
| gouthamr | this one ^ | 17:53 |
| gouthamr | and this one on cinder: https://bugs.launchpad.net/bugs/2106615 | 17:53 |
| gouthamr | ty for chiming in here, fungi - i am not sure what we could do about this.. | 17:57 |
| gouthamr | 1) there's a version of the library that contains a vulnerability - sure, we can't track/blocklist each of these.. our requirements files merely specify a lower bound (and rarely a blocklisted version because it affects our testing) | 17:57 |
| gouthamr | 2) regarding the "incompatible" licencing.. i mean, these are OSI compatible licenses, i don't know why we'd believe BlackDuck to tell us what's appropriate to use in OpenStack? | 17:57 |
| fungi | yes, if i were a manila maintainer i'd politely ask the reporter to raise any specific concerns or problems they have, but say that automated scan results are out of scope for bug reports as they're simply not actionable | 18:03 |
| gouthamr | +1 yeah sounds reasonable | 18:13 |
| opendevreview | Francesco Pantano proposed openstack/manila master: Add jsonschema and bump oslo.db requirements https://review.opendev.org/c/openstack/manila/+/962310 | 19:45 |