Friday, 2020-10-16

00:01 *** austin987 has joined #openstack-security
00:20 *** macz_ has joined #openstack-security
00:25 *** Jackneill has joined #openstack-security
00:25 *** macz_ has quit IRC
01:15 *** gyee has quit IRC
02:08 *** macz_ has joined #openstack-security
02:12 *** macz_ has quit IRC
04:36 *** dave-mccowan has quit IRC
12:41 *** macz_ has joined #openstack-security
12:46 *** macz_ has quit IRC
13:40 *** priteau has joined #openstack-security
14:19 *** dave-mccowan has joined #openstack-security
14:34 *** macz_ has joined #openstack-security
14:39 *** macz_ has quit IRC
14:51 *** macz_ has joined #openstack-security
15:25 <priteau> Hi fungi and gagehugo. I would just like to check if there's anything left to do on OSSA-2020-007? I see the CVE has been made public, was it requested by either of you?
15:27 <fungi> nope, if you request a cve for an already public issue then it's usually made public straight away or shortly after they assign the number
15:28 <fungi> priteau: i tried to give you a heads up via irc privmsg once it merged pointing to the documentation on how to distribute copies to relevant mailing lists, and we also covered it in the security sig meeting yesterday. i'll get you a link to the meeting minutes
15:29 <priteau> Sorry, I was on a VPN yesterday and kept off IRC. I should really set up a bouncer…
15:29 <priteau> Don't worry I know how to find the minutes ;-)
15:30 <fungi> priteau: here's where we covered it: http://eavesdrop.openstack.org/meetings/security/2020/security.2020-10-15-15.00.log.html#l-20
15:31 <priteau> Thanks
16:04 <priteau> fungi: I can send the email, even GPG sign it, but my pub key is known by maybe two people in the world. Is this a problem?
16:05 <fungi> priteau: not a problem at all. in fact, it's a solution. this is how your key gets to be known by more people. now it will be in mailing list archives as having signed a security advisory ;)
16:07 <priteau> Sure, but with no trust that it was actually me sending the email? I've used gpg a handful of times, but the first time the other person actually checked my ID before trusting my key ;-)
16:08 <fungi> priteau: in this case it's going to refer back to verifiable discussions in code review and bug trackers, so it's a good opportunity to build visibility
16:27 <priteau> fungi: I think I'm missing something. The GPG signature file doesn't contain my pub key, right? So for this to be in any way useful I should still publish my pub key somewhere?
16:28 <fungi> priteau: publishing your key to the keyserver network is a good idea regardless, but people will still know what key id has signed the message, and when they see another message with a signature made by the same key they will be able to confirm both messages came from someone who probably controls that key, and they may want to fetch it from the keyserver network to find out
16:33 <priteau> I see, thanks.
16:35 <fungi> you're establishing a reputation, essentially
16:35 <fungi> (a reputation for your key)
16:44 *** mgariepy has quit IRC
16:46 *** mgariepy has joined #openstack-security
16:57 <priteau> fungi: Before I send to openwall, does the email sent to openstack-discuss look ok?
16:59 <fungi> priteau: yep, looks great, and seems to be signed by a key with id 0x4FEF431A967B6060
17:00 <priteau> I've uploaded it to http://keys.gnupg.net/
17:00 <fungi> cool, it should propagate to other keyservers from there, though it can take a few days as the classic keyserver distribution protocol uses periodic e-mail messages
17:01 <fungi> (literally the keyservers e-mail copies of updated public keys to one another)
17:01 <priteau> I tried to import your key from pgp.mit.edu at first but it doesn't appear to be up to date
17:04 <fungi> http://pool.sks-keyservers.net:11371/pks/lookup?op=vindex&search=0x97ae496fc02dec9fc353b2e748f9961143495829&fingerprint=on shows the most recent selfsig on mine expires 2021-09-18, so maybe pgp.mit.edu isn't getting timely updates from the sks pool
17:06 <priteau> Thanks for your help!
17:07 <fungi> you're welcome!
17:08 <fungi> oof, searching at https://pgp.mit.edu/ just spins indefinitely for me
17:13 <fungi> priteau: i approved your openstack-announce post in the moderation queue just now as well
17:39 *** mgariepy has quit IRC
17:44 *** mgariepy has joined #openstack-security
19:40 *** priteau has quit IRC
22:00 *** dave-mccowan has quit IRC
22:04 *** dave-mccowan has joined #openstack-security
23:12 *** dave-mccowan has quit IRC
23:33 *** dave-mccowan has joined #openstack-security
23:54 *** macz_ has quit IRC
23:55 *** dave-mccowan has quit IRC
