Wednesday, 2019-12-04

02:25 *** gyee has quit IRC
04:41 *** dasp has quit IRC
04:41 *** dasp has joined #openstack-security
04:54 *** rezroo has quit IRC
04:54 *** rezroo has joined #openstack-security
05:14 *** dave-mccowan has quit IRC
06:01 *** pcaruana has joined #openstack-security
06:17 *** rezroo has quit IRC
06:53 *** Luzi has joined #openstack-security
07:09 *** rcernin has quit IRC
08:00 *** tesseract has joined #openstack-security
08:23 *** Jackneill has joined #openstack-security
08:24 *** tesseract has quit IRC
08:24 *** pcaruana has quit IRC
08:24 *** johanssone has quit IRC
08:24 *** irclogbot_0 has quit IRC
08:24 *** benj_ has quit IRC
08:24 *** gagehugo has quit IRC
08:24 *** strigazi has quit IRC
08:24 *** dasp has quit IRC
08:24 *** fyx has quit IRC
08:24 *** trident has quit IRC
08:24 *** openstackgerrit has quit IRC
08:24 *** w|zzy_ has quit IRC
08:24 *** yankcrime has quit IRC
08:24 *** Anticimex has quit IRC
08:24 *** knikolla has quit IRC
08:24 *** Jackneill has quit IRC
08:24 *** fungi has quit IRC
08:24 *** Luzi has quit IRC
08:24 *** lhinds has quit IRC
08:24 *** freerunner has quit IRC
08:24 *** tristanC has quit IRC
08:24 *** johnsom has quit IRC
08:24 *** andy_ has quit IRC
08:24 *** f0o has quit IRC
08:24 *** mnaser has quit IRC
08:24 *** ChanServ has quit IRC
08:24 *** Jackneill has joined #openstack-security
08:24 *** tesseract has joined #openstack-security
08:24 *** Luzi has joined #openstack-security
08:24 *** pcaruana has joined #openstack-security
08:24 *** dasp has joined #openstack-security
08:24 *** trident has joined #openstack-security
08:24 *** johanssone has joined #openstack-security
08:24 *** f0o has joined #openstack-security
08:24 *** w|zzy_ has joined #openstack-security
08:24 *** fyx has joined #openstack-security
08:24 *** openstackgerrit has joined #openstack-security
08:24 *** irclogbot_0 has joined #openstack-security
08:24 *** lhinds has joined #openstack-security
08:24 *** benj_ has joined #openstack-security
08:24 *** yankcrime has joined #openstack-security
08:24 *** knikolla has joined #openstack-security
08:24 *** Anticimex has joined #openstack-security
08:24 *** fungi has joined #openstack-security
08:24 *** gagehugo has joined #openstack-security
08:24 *** strigazi has joined #openstack-security
08:24 *** freerunner has joined #openstack-security
08:24 *** andy_ has joined #openstack-security
08:24 *** tristanC has joined #openstack-security
08:24 *** ChanServ has joined #openstack-security
08:24 *** mnaser has joined #openstack-security
08:24 *** johnsom has joined #openstack-security
08:24 *** orwell.freenode.net sets mode: +o ChanServ
08:51 *** rcernin has joined #openstack-security
09:36 *** PrinzElvis has joined #openstack-security
09:53 *** rcernin has quit IRC
10:38 *** Luzi has quit IRC
12:55 *** PrinzElvis has quit IRC
15:02 *** dasp has quit IRC
15:03 *** dasp has joined #openstack-security
15:19 *** rezroo has joined #openstack-security
15:21 *** dave-mccowan has joined #openstack-security
15:26 *** dave-mccowan has quit IRC
15:28 *** heikkine has joined #openstack-security
16:09 *** gyee has joined #openstack-security
17:53 *** rezroo has quit IRC
18:04 *** tesseract has quit IRC
18:16 *** Jackneill has quit IRC
18:31 *** cmurphy has joined #openstack-security
18:53 *** rezroo has joined #openstack-security
19:01 <cmurphy> gagehugo: fungi I attached a patch for #1855080 what are the next steps for getting it reviewed and ci'd and merged? should I just submit it to gerrit or is there an embargo procedure?
19:01 <fungi> well, not talking about it in public would be the embargo procedure ;)
19:01 <fungi> gagehugo: also mentioned that the details got disclosed in #openstack-keystone though?
19:02 <fungi> so maybe we should just consider the embargo already broken
19:02 <cmurphy> yes it was...
19:03 <cmurphy> but can continue discussion in private anyway
19:04 <fungi> i haven't looked yet at the irc discussion to see how much of it was laid out, just a sec
19:10 <fungi> cmurphy: i've updated the bug to recommend we switch to our process for public reports and dispense with the embargo overhead
19:11 <fungi> the details in irc are basically also those in the report
19:11 <cmurphy> fungi: okay, thanks
19:11 <cmurphy> fungi: for future reference, what would be the procedure?
19:13 <fungi> cmurphy: both public and private report processes are described at https://security.openstack.org/vmt-process.html#process but basically the next steps under embargo would have been review from other keystone reviewers and preapproval within bug comments as well as the vmt drafting and reviewing an impact description in bug comments, then scheduling the disclosure date and sending copies of the
19:13 <fungi> backports to the embargo-notice mailing list
19:13 <cmurphy> fungi: thanks
19:15 <fungi> the process for public reports is simpler and more like our usual workflow for any bug on the other hand. push patches to gerrit, propose backports, get at least tentative approval in review, similarly someone (usually a vmt member) proposes an impact description and advisory to the openstack/ossa repo and that gets reviewed in parallel. when everything is approved an advisory is published to the
19:15 <fungi> security.openstack.org site and a number of relevant public mailing lists
19:17 <fungi> publication for private/embargoed reports on the other hand is that at the scheduled disclosure time we push the fixes and advisory change all at once, hope pre-review/manual testing were sufficient to get it passing gate jobs, and send advisory to public mailing lists
19:18 <fungi> obviously embargoes are not only a lot more work but also more of a scramble and nail-biting come disclosure time
19:18 <fungi> so if there's a good reason not to do one (for example, the problem has already been mentioned in public) then it's best to just get it done quicker in public
19:35 <gagehugo> fungi cmurphy: yeah the details are already out there, moving to public and getting cmurphy's ps in gerrit quickly would be a good path forward imo
19:39 <fungi> thanks
19:43 <gagehugo> cmurphy: could you submit that fix then for this when you get a chance?
19:45 <cmurphy> gagehugo: done
19:47 <gagehugo> thanks!
19:48 <fungi> gagehugo: are you interested in drafting the impact description for this one? if so i'll set you as the assignee on the ossa task
19:48 <gagehugo> yeah will do
19:48 <fungi> you can push it straight up to gerrit for openstack/ossa if you want, since this is now public
19:49 <fungi> gagehugo: also, a reminder, if you switch a bug to public, remove the embargo preamble from the bug description
19:49 <gagehugo> ah ok, will do
19:50 <fungi> it's no longer relevant and can cause future confusion
19:50 <fungi> (i just did it now for this one)
19:50 <fungi> thanks for picking it up!
21:32 *** pcaruana has quit IRC
21:51 *** Jackneill has joined #openstack-security
22:19 *** rcernin has joined #openstack-security
22:20 *** Jackneill has quit IRC
22:26 *** rezroo has quit IRC
22:26 *** rezroo has joined #openstack-security
