| nick | message | time |
|---|---|---|
| opendevreview | Goutham Pacha Ravi proposed openstack/ossa master: OSSA-2026-006 Errata 1 https://review.opendev.org/c/openstack/ossa/+/983983 | 08:28 |
| opendevreview | Merged openstack/ossa master: OSSA-2026-006 Errata 1 https://review.opendev.org/c/openstack/ossa/+/983983 | 13:39 |
| fungi | wow... https://www.openwall.com/lists/oss-security/2026/04/10/1 | 13:41 |
| fungi | talk about trying to put the cat back in the bag | 13:41 |
| fungi | beans back in the can | 13:41 |
| fungi | maybe there's more to the story there | 13:41 |
| fungi | interesting to see the reporter's maximum embargo roughly corresponds with ours, but i guess upstream there didn't like the idea that a reporter could disclose a vulnerability they discovered | 13:43 |
| opendevreview | Goutham Pacha Ravi proposed openstack/ossa master: Add OSSA-2026-007 (CVE-2026-pending) https://review.opendev.org/c/openstack/ossa/+/984129 | 20:55 |
| gouthamr | fungi: interesting, but, wouldn't the upstream policies govern this? | 20:58 |
| gouthamr | deleting the bug is weird, but, we have language that a reasonable fix must be identified within two weeks to justify the embargo | 21:02 |
| fungi | upstream policies can't govern a bug reporter, though sure the project is within their rights to delete a bug report in their defect tracker of course | 21:04 |
| fungi | but ignores that the reporter can still publish their own advisory with all the same details, so there's not much point | 21:05 |
| fungi | it mainly just makes the project look bad when the only story out there is that the reporter notified them, waited 3.5 months, still no fix/advisory, opened a public bug and then it got deleted | 21:06 |
| fungi | our policy in openstack is to switch the bug to public within 3 months regardless of whether a fix is ready, so within the expectations of that reporter, but i guess systemd is used to taking longer to fix things sometimes | 21:08 |
| fungi | a lot of our reporting policy and intake process is designed to placate reporters so that they won't feel like they need to give up on us and go publish something on their own, understanding that we can't stop them if they do and so we're effectively at their mercy | 21:09 |
| fungi | hence stating a maximum embargo window up front and making sure we do everything possible to credit them in our publications | 21:11 |
| gouthamr | ack fungi, that's good learning | 21:19 |
| gouthamr | JayF: fungi: are you around to check on an OSSA, or wait until Monday? | 21:20 |
| fungi | i'm around | 21:20 |
| fungi | for as long as you need | 21:21 |
| gouthamr | this might be quick :) https://review.opendev.org/c/openstack/ossa/+/984129 | 21:21 |
| fungi | but also if you want an excuse to be done for the week and enjoy your weekend, i'm happy to give it to you ;) | 21:21 |
| gouthamr | haha, no.. i've a few more hours. i noticed responses on the bug a bit late or would've done this earlier in the day | 21:21 |
| fungi | aha, thanks i missed that one | 21:21 |
| fungi | gouthamr: lgtm, though i commented recommending tuesday instead at this point. it's not like a few more days are going to make it easier for someone to exploit anyway | 21:34 |
| gouthamr | fungi: ah ty, makes sense, i can update the date and W-1 and wait | 21:34 |
| fungi | also don't forget to add closes-bug trailers for both the bugs listed in the advisory and add an ossa bugtask to the one that doesn't have it yet | 21:34 |
| fungi | and set them both to public security instead of just public | 21:35 |
| gouthamr | yes the other one has no mention of any of this! | 21:36 |
| fungi | and many thanks for working on this one! | 21:37 |