Wednesday, 2020-09-02

00:41 <openstackgerrit> Merged openstack/requirements master: update constraint for oslo.policy to new release 3.4.0  https://review.opendev.org/749342
04:33 *** evrardjp has quit IRC
04:33 *** evrardjp has joined #openstack-requirements
04:55 *** vishalmanchanda has joined #openstack-requirements
05:55 <openstackgerrit> mathieu bultel proposed openstack/requirements stable/train: DNM - testing jobs  https://review.opendev.org/749293
06:29 <openstackgerrit> OpenStack Proposal Bot proposed openstack/requirements master: Updated from generate-constraints  https://review.opendev.org/749442
07:26 *** e0ne has joined #openstack-requirements
07:37 *** tosky has joined #openstack-requirements
07:38 <openstackgerrit> Hervé Beraud proposed openstack/requirements master: Updated from generate-constraints  https://review.opendev.org/749442
08:23 *** dtantsur|afk is now known as dtantsur
12:35 *** lbragstad has quit IRC
12:38 *** lbragstad has joined #openstack-requirements
12:50 <openstackgerrit> Matthew Thode proposed openstack/requirements master: Updated from generate-constraints  https://review.opendev.org/749442
15:31 *** tosky has quit IRC
16:57 *** dtantsur is now known as dtantsur|afk
17:09 <openstackgerrit> OpenStack Proposal Bot proposed openstack/requirements master: update constraint for os-brick to new release 4.0.0  https://review.opendev.org/749559
18:29 *** e0ne has quit IRC
18:43 *** vishalmanchanda has quit IRC
19:22 *** toabctl has quit IRC
19:24 *** toabctl has joined #openstack-requirements
19:51 *** e0ne has joined #openstack-requirements
20:36 <prometheanfire> #startmeeting requirements
20:36 <openstack> Meeting started Wed Sep  2 20:36:22 2020 UTC and is due to finish in 60 minutes.  The chair is prometheanfire. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:36 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:36 *** openstack changes topic to " (Meeting topic: requirements)"
20:36 <openstack> The meeting name has been set to 'requirements'
20:36 <prometheanfire> #topic rollcall
20:36 *** openstack changes topic to "rollcall (Meeting topic: requirements)"
20:36 <prometheanfire> tonyb, prometheanfire, dirk, smcginnis ping
20:36 <prometheanfire> o/
20:38 <prometheanfire> not sure if anyone else is around
20:40 <prometheanfire> #endmeeting
20:40 *** openstack changes topic to "OpenStack Requirements - IRC meetngs on Wednesdays @ 07:00 UTC in here in #openstack-requirements - See agenda @ http://tinyurl.com/h44ryuw - IRC channel is *LOGGED* @ http://tinyurl.com/j38rk24"
20:40 <openstack> Meeting ended Wed Sep  2 20:40:50 2020 UTC.  Information about MeetBot at http://wiki.debian.org/MeetBot . (v 0.1.4)
20:40 <openstack> Minutes:        http://eavesdrop.openstack.org/meetings/requirements/2020/requirements.2020-09-02-20.36.html
20:40 <openstack> Minutes (text): http://eavesdrop.openstack.org/meetings/requirements/2020/requirements.2020-09-02-20.36.txt
20:40 <openstack> Log:            http://eavesdrop.openstack.org/meetings/requirements/2020/requirements.2020-09-02-20.36.log.html
20:44 <prometheanfire> smcginnis: meant to ping you, but forgot, what do you think of this?
20:44 <prometheanfire> [16:07:54] <raildo> prometheanfire, hey, we made this requirement bump for pysaml2 to avoid an CVE https://review.opendev.org/#/c/747001/
20:44 *** e0ne has quit IRC
20:44 <prometheanfire> [16:08:16] <raildo> prometheanfire, do you think this is something that we can backport for the stable branches as well?
20:44 <prometheanfire> [17:37:14] <prometheanfire> raildo: I'd say to message the list, for non-openstack projects we don't do updates for security (rely on OS's for that)
20:44 <prometheanfire> [17:37:22] <prometheanfire> was there any change needed in keystone?
20:44 <prometheanfire> [17:39:01] <raildo> prometheanfire, https://github.com/openstack/keystone/commit/c0d63cecd8c082fbde9843b3ebc2d465ad341d35 we bumped the pysaml2 version to when that CVE got releases
20:44 <prometheanfire> [17:39:51] <prometheanfire> ya, that's not anything code wise at least
20:55 <smcginnis> prometheanfire: Sorry I missed the meeting. Too many distractions today.
20:56 <smcginnis> re: pysaml2, do we need to change that in requirements? Looks like the projects can just raise their lower-constraints?
20:56 <smcginnis> Or do we need to raise upper-constraints first?
20:56 * smcginnis looks...
20:56 <smcginnis> ussuri is 5.0.0
20:57 <smcginnis> So train and older would need a u-c bump. Train is at 4.8.0.
20:57 <smcginnis> prometheanfire: I think we've said no in the past because we aren't in the business of managing security updates for stable branches?
20:58 <smcginnis> prometheanfire: The problem, or at least the part that would scare me about this, is doing a major version bump on older stable branches.
20:58 <smcginnis> And what the possible unintended side effects of doing that would be.
20:58 *** dustinc has joined #openstack-requirements
20:59 <smcginnis> Not an insignificant set of changes there either: https://github.com/IdentityPython/pysaml2/compare/v4.8.0...v5.0.0
20:59 <prometheanfire> ya, that's why I'd say no, not only that, but it's for the appearance of security (keystone doesn't think they were hit by the bug anyway)
21:00 <smcginnis> Yeah, I'm in the no camp right now unless someone can give a convincing explanation of how the benefits outweigh the risks.
21:02 <prometheanfire> cool
21:59 *** prometheanfire has quit IRC
22:04 *** prometheanfire has joined #openstack-requirements
23:08 *** dustinc has quit IRC
23:29 *** irclogbot_1 has quit IRC
23:33 *** irclogbot_2 has joined #openstack-requirements

Generated by irclog2html.py 2.17.2 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!