opendevreview | Martin Kopec proposed openstack/security-doc master: Update Interop doc https://review.opendev.org/c/openstack/security-doc/+/821552 | 12:57 |
---|---|---|
opendevreview | OpenStack Proposal Bot proposed openstack/security-doc master: Updated from openstack-manuals https://review.opendev.org/c/openstack/security-doc/+/821571 | 14:13 |
opendevreview | Merged openstack/security-doc master: Update Interop doc https://review.opendev.org/c/openstack/security-doc/+/821552 | 14:43 |
redrobot | Hi security friends! | 18:32 |
redrobot | I need to have the VMT look at a couple of bugs | 18:32 |
redrobot | how do I get the ball rolling on that? | 18:33 |
fungi | redrobot: private or public bugs? | 18:35 |
redrobot | fungi I think they're still private. | 18:38 |
redrobot | https://storyboard.openstack.org/#!/story/2009253 | 18:38 |
redrobot | https://storyboard.openstack.org/#!/story/2009297 | 18:38 |
fungi | yeah, those are private, looks like i have access to them since it's granted to the openstack-security team there | 18:39 |
fungi | i'll read and follow up in comments on those shortly, thanks | 18:40 |
fungi | redrobot: i've commented on them | 18:51 |
redrobot | thanks for reviewing those fungi. I've changed both bugs to public as you suggested. | 19:10 |
fungi | yay! now we can talk openly in here in that case | 19:11 |
fungi | we should probably file requests for two cves, but we can write one impact description as long as the affected versions are roughly the same | 19:11 |
redrobot | I've patched both all the way back to stable/train | 19:12 |
fungi | but did the fixes for both appear in all the same stable point releases? | 19:13 |
fungi | (assuming any point releases have been tagged with those fixes in them) | 19:13 |
redrobot | That's a good question ... I'm not sure if any have been tagged yet | 19:15 |
fungi | what i usually do when i'm writing up an impact description is use git tag --contains for the commit id of each patch | 19:18 |
fungi | if that returns results (in an up to date clone) then it's fixed for its branch by the earliest tag returned | 19:18 |
fungi | if nothing is returned, i double-check that it appears in the branch history after the most recent tag, and claim that it will be fixed by the next lowest possible patch version number after the most recent tag | 19:19 |
gagehugo | fungi: Any reason not to announce on the ML about retiring the security-specs repo? I don't think anyone's contributed to it outside of infra fixes in years. | 20:47 |
fungi | no, let's do that | 20:47 |
fungi | i thought we had decided to, but i don't recall if i volunteered to do it, apologies if i did and haven't yet | 20:48 |
gagehugo | I don't think we volunteered anything but I can send one out this afternoon | 20:50 |
fungi | thanks! | 20:53 |
gagehugo | I don't really see anything worth keeping in specs | 20:59 |
fungi | yeah, i looked a while back and that was my conclusion as well | 21:00 |
gagehugo | should this go to discuss and announcements? | 21:06 |
fungi | just discuss | 21:07 |
gagehugo | ok | 21:16 |