Wednesday, 2019-05-15

« Tuesday, 2019-05-14 Index Thursday, 2019-05-16 »
openstackgerritMerged openstack/requirements stable/pike: update constraint for ovsdbapp to new release 0.4.4  https://review.opendev.org/65846200:32
*** hongbin has joined #openstack-requirements02:39
*** hongbin has quit IRC03:18
openstackgerritMerged openstack/requirements stable/pike: update constraint for os-net-config to new release 7.3.9  https://review.opendev.org/65908803:54
*** udesale has joined #openstack-requirements03:58
tonybI'm 99% certain we need the caps for py2 and py3.  We just had a bunch of issues where the py2 jobs were getting version from py3.  Not everything can use constraints and removing those markers will break *those* jobs04:35
prometheanfiretonyb: I'm not sure WHY that's happening though, perhaps dep calc is beind done in py3 for py2 tests?04:39
prometheanfireI'm aware not everything can use constraits, but for some reason generate-constraints is fine with my proposed patch04:40
tonybI don't understand how that can be.  but you saw the integration gate broke horribly without them04:44
tonybwe hid that by using py3 (which is a good thing) but still unless there is some new dark magic in newer pips?04:45
prometheanfireya, I'm not sure either04:53
*** e0ne has joined #openstack-requirements05:05
*** e0ne has quit IRC05:08
*** spsurya has joined #openstack-requirements05:49
*** e0ne has joined #openstack-requirements06:35
*** tosky has joined #openstack-requirements07:27
*** zigo has quit IRC07:28
*** hberaud|gone is now known as hberaud07:40
*** brinzh has joined #openstack-requirements07:40
*** jpich has joined #openstack-requirements07:55
brinzhHi all, anyone can help me to review this error about the cap sphinx on py27.08:24
brinzhhttp://logs.openstack.org/02/659202/3/check/requirements-check/6469812/job-output.txt.gz#_2019-05-15_07_09_13_48082308:24
brinzhI have no opinion with it, thks.08:26
*** jpich has quit IRC08:28
*** jpich has joined #openstack-requirements08:29
*** dtantsur|afk is now known as dtantsur08:35
*** hberaud has quit IRC08:40
*** hberaud has joined #openstack-requirements08:41
*** brinzhang has joined #openstack-requirements09:08
*** brinzh has quit IRC09:10
*** zigo has joined #openstack-requirements09:36
*** hberaud is now known as hberaud|lunch10:07
*** zigo has quit IRC10:30
*** zigo has joined #openstack-requirements10:42
*** hberaud|lunch is now known as hberaud10:58
*** udesale has quit IRC11:08
*** udesale has joined #openstack-requirements11:09
*** spsurya has quit IRC12:08
*** jpich has quit IRC12:20
*** jpich has joined #openstack-requirements12:21
smcginnistonyb: I think the reason it failed before was upper-constraints didn't have the python_versions set that it needed to.12:59
smcginnistonyb: If we have those set correctly in u-c, I don't see why g-r also needs to have upper caps.13:00
smcginnisSeems a little redundant.13:00
*** dangtrinhnt has quit IRC13:15
*** dangtrinhnt has joined #openstack-requirements13:16
*** brinzhang has quit IRC13:30
*** davee_ has joined #openstack-requirements14:06
*** tosky has quit IRC15:16
*** hberaud has quit IRC15:17
*** tosky has joined #openstack-requirements15:18
*** e0ne has quit IRC15:50
*** e0ne has joined #openstack-requirements15:50
openstackgerritMatthew Thode proposed openstack/requirements master: Updated from generate-constraints  https://review.opendev.org/65863615:51
openstackgerritOpenStack Proposal Bot proposed openstack/requirements master: Updated from generate-constraints  https://review.opendev.org/65863615:52
prometheanfiresmcginnis: listed what needs to be done to update jsonschema in the review https://review.opendev.org/65863615:52
*** ccamacho has quit IRC15:56
smcginnisprometheanfire: Comments on there? I don't see anything.16:00
smcginnisDo we still need to capture python 3.4?16:01
prometheanfiresmcginnis: patchset 416:01
prometheanfiresmcginnis: I don't think so, same for py2616:01
prometheanfiresmcginnis: bot overwrote my change a min after I uploaded16:01
prometheanfireworking on restoring...16:02
openstackgerritAndreas Jaeger proposed openstack/requirements master: Updated from generate-constraints  https://review.opendev.org/65863616:03
openstackgerritMatthew Thode proposed openstack/requirements master: Updated from generate-constraints  https://review.opendev.org/65863616:08
*** tosky has quit IRC16:13
*** jpich has quit IRC16:38
openstackgerritWalter A. Boring IV (hemna) proposed openstack/requirements master: Add cinder extras infinisdk  https://review.opendev.org/65808616:44
openstackgerritWalter A. Boring IV (hemna) proposed openstack/requirements master: Add cinder extras pywbem library  https://review.opendev.org/65808816:45
openstackgerritWalter A. Boring IV (hemna) proposed openstack/requirements master: Add cinder extras purestorage library  https://review.opendev.org/65809616:46
openstackgerritMerged openstack/requirements stable/pike: update constraint for os-collect-config to new release 7.2.3  https://review.opendev.org/65909117:01
*** dtantsur is now known as dtantsur|afk17:01
*** e0ne has quit IRC17:07
smcginnisprometheanfire: Any idea what this is about? http://logs.openstack.org/39/659339/2/check/requirements-check/ea930b1/job-output.txt.gz#_2019-05-15_17_05_15_02378917:09
prometheanfiresmcginnis: no, would need to look at source17:10
smcginnisI'm probably missing a small typo or something, but it looks exactly like what was done in other repos successfully and what is in g-r other than the lower limit.17:13
prometheanfiresmcginnis: requirements ourself doesn't have separate lines for sphinx17:17
smcginnisprometheanfire: Yeah we do - https://opendev.org/openstack/requirements/src/branch/master/global-requirements.txt#L45617:18
smcginnisThat's what has been causing everyone headaches and why I was pushing for just doing that in upper-constraints.17:18
prometheanfiresmcginnis: I'm talking about our doc/requirements.txt17:19
smcginnisDo we run our own check tests against ourselves? I wonder if we will hit it too once we need to change anything there.17:20
*** udesale has quit IRC17:21
prometheanfireit's worth a test, just make the change in our repo and submit17:22
openstackgerritSean McGinnis proposed openstack/requirements master: DNM: Test doc req change  https://review.opendev.org/65934317:22
*** e0ne has joined #openstack-requirements18:10
*** e0ne has quit IRC18:13
*** tosky has joined #openstack-requirements18:43
*** e0ne has joined #openstack-requirements19:17
*** hberaud has joined #openstack-requirements19:52
*** e0ne has quit IRC19:56
*** e0ne has joined #openstack-requirements19:59
openstackgerritSean McGinnis proposed openstack/requirements master: Make requirements-check output more obvious  https://review.opendev.org/65936819:59
prometheanfire30 min20:00
tonyb[m]I'm going to be a little late, struggling to get out of bed this morning #professional20:26
prometheanfireheh, been there, back in .au?20:26
smcginnisGiven the time there, and that you just travelled around the world, you have a good excuse.20:27
*** e0ne has quit IRC20:28
tonyb[m]Yup got back on (my Monday)20:29
prometheanfire#startmeeting requirements20:30
openstackMeeting started Wed May 15 20:30:09 2019 UTC and is due to finish in 60 minutes.  The chair is prometheanfire. Information about MeetBot at http://wiki.debian.org/MeetBot.20:30
openstackUseful Commands: #action #agreed #help #info #idea #link #topic #startvote.20:30
*** openstack changes topic to " (Meeting topic: requirements)"20:30
openstackThe meeting name has been set to 'requirements'20:30
prometheanfire#topic rollcall20:30
*** openstack changes topic to "rollcall (Meeting topic: requirements)"20:30
prometheanfiretonyb, prometheanfire, number80, dirk, coolsvap, toabctl, smcginnis, dhellmann ping20:30
prometheanfireo/20:30
smcginniso/20:30
prometheanfire#topic Any controversies in the Queue?20:34
*** openstack changes topic to "Any controversies in the Queue? (Meeting topic: requirements)"20:34
prometheanfirenot too bad, just need to email horizon for django (email list)20:35
prometheanfireadded to todo20:35
smcginnisDoes that django one fall under the same category as the requests ones?20:37
prometheanfireya, it really does20:37
prometheanfiredirk: ping20:37
prometheanfireless impact though20:37
tonyb[m]Yeah same idea20:38
tonyb[m]We need to decide how proactive we're going to be there20:38
prometheanfirehttps://review.opendev.org/65863620:38
prometheanfireignore that20:38
prometheanfireya, I feel like it's all or nothing.  as soon as we start accepting some out of tree stuff we become 'secure' and all that bagage20:39
tonybYeah there is a little of that20:40
tonybStill there is scope to 'play' with it and then write up a policy20:41
tonybI agree with fungi though that it's a vendor thing for the most part *but* I'm pretty sure vendors aren't doign it as well as they could *and* that us doing it is a weaker signal than we'd like :(20:42
fungii really worry that us attempting to do it poorly ends up being a strong but dangerously misleading signal20:43
fungihonestly, if you want some semblance of a "secure" deployment from source and pypi packages, continuously deploy master and drink from the firehose20:44
prometheanfirewhat if we accept updates but do not do them ourselves?20:45
smcginnisI wouldn't say continuous from master would be secure, but updating to latest release would be better than expecting a secure stable older branch.20:45
prometheanfireby bot20:45
prometheanfireheh, everyone should be on master at all times20:45
tonybprometheanfire: that's a pretty weak line to draw20:46
tonyb"it wasn't us" ... just a bot we wrote and ran20:46
prometheanfireproposed updates allowed?20:46
prometheanfireno, I mean not us as in not bot driven20:46
fungii'll be the first to admit that security isn't an all-or-nothing game, and selectively applying fixes for high-risk vulnerabilities can be useful, but the proposal isn't about doing that it's about upgrading the things which are easy to upgrade rather than the things which are critical to upgrade20:46
prometheanfireif someone wants to come by and propose something....20:46
prometheanfireas dirk is currently doing, we'd allow that20:47
smcginnisIf we did allow it, it has potential for vendors to rally around to watch for security issues. But that's also the argument for extended maintenance, and stable in general hasn't attracted much vendor support.20:47
tonybfungi: to be fair I don20:47
fungiand when the thing they want to propose requires patching projects in non-backward-compatible ways on stable branches to be able to use newer version whatever of some dependency... we tell them (and users who are relying on this as their only means of securnig python dependencies for openstack source deployments) "tough luck"?20:48
tonyb't think we;ve formalised the proposal yet20:48
smcginnisEven though many of the vendors are shipping products based on those older releases.20:48
tonybI *think* it's use publically available data to inform and upgrade pypi packages with known CVEs20:48
prometheanfirefungi: that's the only option we have right now20:48
tonybI don't know that we have moer than that20:48
prometheanfiretonyb: I think that's the direction dirk wants to head in20:48
fungiwe have the option of telling users *clearly* not to rely on this as a secure deployment model, right?20:49
tonybI *suspect* that the larger chnages or more core chnages will get resistance20:49
prometheanfirefungi: true, that is always an option20:49
tonybfungi: Yes we can do that20:49
smcginnisWell, maybe for now we should just hold on any of these, then wait for someone to come up with a proposal that's at least marginally sane and maintainable.20:49
tonybokay20:49
tonybI don't want to add to dirk's workload but that sounds sane20:49
tonybdirk: Can you hash out a policy we'll discuss the *policy* on the list with wider input and then implement whatever that outcome is20:50
smcginnisStable security pop up team? :)20:50
fungii think whether or not we laggingly apply and test a handful of arbitrary dependency bumps for some external python deps, we have to tell users this isn't a safe solution20:50
prometheanfirewhat sounds sane? can you add your proposal to https://etherpad.openstack.org/p/non-openstack-stable-security-constraints-updates ?20:50
tonybfungi: That20:51
fungibecause 1. we won't even know about them as far in advance as most of the distros, 2. we can't guarantee we'll be able to apply them since we don't carry forks of our deps where we apply selective backports of fixes20:51
tonybs fair20:52
smcginnisIs there somewhere we should add a doc warning saying "These were the tested requirements at the time of release but there may be newer security fixes available that have not been thoroughly tested upstream"? Something like that to set the right expectation?20:52
smcginnisOr rather, have somewhere to point to when someone comes along with an issue.20:52
prometheanfirefungi: that's why I had two lists20:52
prometheanfiresmcginnis: at min, yes20:52
tonyb+120:53
fungiyep, i think both not conflating this solution with the (intentionally frozen) upper constraints list and making it clear to users that this isn't really a significant improvement security-wise are both necessary features of any proposal, i just still question the utility of it at all20:54
prometheanfireI'd rather not do it to be honest20:55
fungiwe're basically saying "hey, we sometimes update this other list over here with some more secure dependencies, but you're still going to want to solve the harder problem of updating the ones we can't work out a safe way to update ourselves"20:55
fungiso... why bother?20:55
prometheanfireexactly20:56
fungithe thing we'd be solvnig is the easier and less useful thing to be solved, and users still have to deal with the harder thing they needed solved that we couldn't20:56
prometheanfireI guess I'll point dirk to the meeting notes, but he's really the one pushing it I think20:56
fungiand solving the harder problem solves the easy one anyway20:56
smcginnisThe only ones I am concerned about are the LOCI and others like that. But that's kind of a general issue with container images.20:57
fungiat some point they're either going to need to carry patches of dependencies to secure them while keeping them working with stable branches of our software, or carry patches to stable branches of our software to work with newer dependencies20:58
prometheanfireya, given the way we branch it's not going to support a source based install any other way20:59
smcginnisContainers might be an easier argument to just upgrade to latest anyway.20:59
prometheanfireI know that's what's told in OSA20:59
prometheanfireanything else?  I'd recommend adding stuff to https://etherpad.openstack.org/p/non-openstack-stable-security-constraints-updates for this21:01
tonybI21:04
tonybll read it later when I have more coffee onboard21:04
prometheanfireok21:05
tonyb... actually looking at my todo list for today it wont happen today21:05
prometheanfire#topic open floor21:05
*** openstack changes topic to "open floor (Meeting topic: requirements)"21:05
smcginnisI'd like to understand why we can't do the python_version capping just in upper-constraints. I don't think I understand that yet, if there actually is a reason.21:06
smcginnisAnd seeing a lot of grambling in other projects about requirements breaking them now with needing to update their sphinx entries.21:06
tonybSo with my understanding of how pip works, it's just fundamentally needed21:07
prometheanfiredo we have a good test case for it?]21:08
tonybwhat I don't get is how generate-constraints seemed to do the right thing21:08
tonybwe all saw how the integration job broke without those python_version markers21:08
smcginnisIf pip is passed the upper constraints though, it shouldn't have an issue figuring out the max version it can use.21:08
smcginnisI think the job broke because we didn't have the python_version flags in upper-constraints.21:08
tonybsmcginnis: right *if* it's passed one we totally don21:09
smcginnisWe just happened to fix that by putting them in g-r instead.21:09
prometheanfireit shouldn't be even trying to figure versions out21:09
tonybt need the markers in g-r21:09
smcginnistonyb: But shouldn't projects always be using upper constraints? I would consider that an issue for that project, not u-c vs g-r.21:09
tonybbut *we* should need them to make our tools do the right thing21:10
tonybsmcginnis: in the gate yes21:10
tonybsmcginnis: but nothing actually makes them install with them21:10
tonybsmcginnis: some vendors do a better job than others of staying on top of versions21:11
tonyband for most vendors they only have one version of python to deal with21:11
smcginnisKind of makes our debate about raising upper constraints on stable branches moot if we're now saying they aren't used anyway.21:11
tonybsmcginnis: I agree that it's be nice to drop them but without a bunch of understanding of pip I don't see we can (yet)21:11
tonybsmcginnis: A little yes21:12
prometheanfirepip still doesn't dep solve :D21:12
smcginnisOK, at least I understand a little better now. Thanks for explaining it.21:12
smcginnisHopefully we don't hit too many of these before we can drop py2.21:12
prometheanfireagreed21:13
prometheanfireanything else?21:13
tonybprometheanfire: that's an over simlification21:13
tonybI have it on my todo list to look into this but it'll be at least a week21:13
prometheanfiretonyb: I know, was just looking at https://github.com/pypa/pip/issues/988 is all21:14
prometheanfirewas looking at it earlier today actually21:14
tonybYeah21:14
prometheanfirewas mentioned in https://github.com/kennethreitz/requests/issues/506721:14
prometheanfirelooks like they are targeting 2.22.0 for urllib3/requests21:14
prometheanfireok, going to close the meeing unless someone speaks up21:15
smcginnisI'm good21:15
tonybI think it's probably worth writing up something for the list21:15
tonybto describe what happened last week21:16
tonybprometheanfire: do you have time to draft something on an etherpad?21:16
prometheanfiretonyb: maybe, not tonight though21:17
tonybprometheanfire: cool21:17
tonybprometheanfire: that's still sooner than I could do it ;P21:17
prometheanfiretomorrow at the soonest21:17
tonybcool beans21:19
*** hberaud is now known as hberaud|gone21:19
prometheanfire#endmeeting21:20
*** openstack changes topic to "OpenStack Requirements - IRC meetngs on Wednesdays @ 07:00 UTC in here in #openstack-requirements - See agenda @ http://tinyurl.com/h44ryuw - IRC channel is *LOGGED* @ http://tinyurl.com/j38rk24"21:20
openstackMeeting ended Wed May 15 21:20:09 2019 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)21:20
openstackMinutes:        http://eavesdrop.openstack.org/meetings/requirements/2019/requirements.2019-05-15-20.30.html21:20
openstackMinutes (text): http://eavesdrop.openstack.org/meetings/requirements/2019/requirements.2019-05-15-20.30.txt21:20
openstackLog:            http://eavesdrop.openstack.org/meetings/requirements/2019/requirements.2019-05-15-20.30.log.html21:20
openstackgerritMerged openstack/requirements stable/stein: Add safety check output to the linters output  https://review.opendev.org/65708022:18
openstackgerritMerged openstack/requirements stable/rocky: Add safety check output to the linters output  https://review.opendev.org/65710622:19
*** tosky has quit IRC23:00
*** brinzhang has joined #openstack-requirements23:41
« Tuesday, 2019-05-14 Index Thursday, 2019-05-16 »

Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!