Monday, 2026-04-27

16:25 <opendevreview> Jay Faulkner proposed openstack/ossa master: Add OSSA-2026-008: Ironic IPMI Console injection  https://review.opendev.org/c/openstack/ossa/+/986424
16:34 <JayF> gouthamr: rosmaita: fungi: ^ please review, this is for an unembargoed bug in Ironic where fixes and releases are already in progress
16:34 <gouthamr> on it JayF
16:39 <rosmaita> JayF: how big a hurry are you in? nit: extra whitespace at the end of line 8
16:40 <rosmaita> otherwise, LGTM ... how confident are you about the "affects" string?  (I hate checking those)
16:40 <JayF> I'm never confident about them, but I paired on this one with cid and so had to talk the logic out loud
16:40 <JayF> hopefully that means I've done a good job :D
16:41 <gouthamr> yeah you could just edit it in gerrit if you care, and another couple of typos
16:41 <JayF> rare oppo to help show someone what happens for most security bugs in public since we didn't embargo this (non-default config in something that'd be highly unlikely to run in a multitenant cloud)
16:41 <JayF> plenty of time to push an update :)
16:41 <JayF> Only real reason I'm "rushing" is I fly to Dallas on Wednesday so I wanna have this buttoned up by then
16:45 <rosmaita> checking the affected versions now, almost done
16:45 <opendevreview> Jay Faulkner proposed openstack/ossa master: Add OSSA-2026-008: Ironic IPMI Console injection  https://review.opendev.org/c/openstack/ossa/+/986424
16:45 <JayF> that's for the typos
16:50 <opendevreview> Jay Faulkner proposed openstack/ossa master: Add OSSA-2026-008: Ironic IPMI Console injection  https://review.opendev.org/c/openstack/ossa/+/986424
16:58 <opendevreview> Merged openstack/ossa master: Add OSSA-2026-008: Ironic IPMI Console injection  https://review.opendev.org/c/openstack/ossa/+/986424
17:16 <fungi> JayF: i've only got time to skim (we're on a 10-minute break between presentations), but overall it lgtm. i didn't test the urls to confirm they link to the right bits though
17:17 <JayF> It's already announced and out :)
17:17 <JayF> I thought you were not in this week? Or am I misremembering
17:17 <JayF> (how long has it been since an OSSA was issued without you even reviewing it? Maybe worth a celly!)
17:40 <mnasiadka> JayF: I don’t know if that’s only my Mail.app client - but the fonts in OSSA-2026-008 mail are nearly black :)
17:41 <mnasiadka> In gmail web app the fonts are white
17:43 <JayF> It's sent from a reasonably configured thunderbird
17:43 <JayF> I'm unsure why it'd be appearing so strangely
17:44 <JayF> (and that's the first report I've ever gotten of that behavior from my client)
17:44 <JayF> please someone else chime in if it's something you're seeing so I can double check my setup
17:58 <JayF> gouthamr indicated in another channel he had the same issue :(
17:58 <JayF> I'll look at my compose settings but won't re-spam the world
17:59 <gouthamr> i need to pin this channel :|
18:00 <gouthamr> yeah, encoding has html and the text was colored, probably revealing to the world that you're a dark mode guy :D
18:02 <JayF> yeah, apparently thunderbird has some bad defaults surrounding this
18:03 <JayF> according to an old reddit thread I have fixed it now 🤞
18:03 <gouthamr> ah, share reddit thread, i'm a thunderbird noob
18:05 <JayF> that is lost to the sands of my history. I went settings -> composition -> uncheck "Use reader's default colors"
18:05 <JayF> which on mine were set to black text black bg so clearly screwed up lol
18:06 <gouthamr> black text black background sounds great for security
18:10 <gouthamr> i've set the sending format to "Only Plain Text" too.. also went and tweaked this from the config editor interface:
18:10 <gouthamr> mail.identity.default.compose_html = false
18:11 <JayF> making it not default to html is an okay idea, assuming it's easy to toggle
18:11 <JayF> I like the default of something like plain text for something I compose, match-formats for anything I reply to
18:11 <JayF> but I don't do that for a major reason: I learned a LOT of email clients do not display plain text if there's no html version alongside
18:11 <JayF> it's just ... blank
18:12 <JayF> at least that was true in the late 2000s when I worked in email more closely
19:25 <gouthamr> security folks: theoretically if you had a bug where you had to fix a number of things, and the bugfixes were getting backported to all the older stable branches. would you prefer if we squashed all the changes?
19:26 <gouthamr> it could be seen as against the way we do single-purpose commits in OpenStack
19:27 <gouthamr> single purpose commits help with easier review and possibly with reverting changes, isolating issues with git tooling
19:28 <gouthamr> but, if you did a handful of changes as a patch train, backporting these to older stable branches could be painful to shepherd - and, package maintainers/downstream consumers may find it hard.. because they'd be patching things together ideally to close a specific security vulnerability..
19:29 <gouthamr> what's a good tradeoff here? we've seldom done "massive" code backports.. but in theory, we could be making them
19:30 <gouthamr> now as we discover and close age old security flaws
19:31 <sean-k-mooney> well we have
19:31 <sean-k-mooney> just not in a security context
19:32 <sean-k-mooney> well not initially
19:32 <sean-k-mooney> the full backport for the image inspection fixes including all the patches to fix the regression with iso support
19:32 <sean-k-mooney> was quite extensive
19:34 <gouthamr> oh, do you have a link for that example, sean-k-mooney ?
19:34 <JayF> Part of what made that complex is that it was incredibly cross-project, right?
19:34 <JayF> Do we have any history of releasing a single-project security advisory with "N" patches for a given branch?
19:35 <sean-k-mooney> JayF: no it was that the initial fix broke a bunch of functionality requiring an additional set of patches to fix that separate from the initial cve fix
19:36 <sean-k-mooney> https://bugs.launchpad.net/nova/+bug/2059809 had a bunch of squash patches
19:36 <JayF> Honestly I was just thinking like, from a technical perspective, can you cat multiple .patch files from `git format-patch` together to create a multi-commit patch file? So you could deploy 1 file, N commits?
19:37 <sean-k-mooney> but we merged the individual commits https://review.opendev.org/c/openstack/nova/+/923255
19:38 <JayF> oh, interesting
19:38 <JayF> that might have caused some pain for downstream rebases
19:38 <sean-k-mooney> im double checking that but i believe that is what we did
19:38 <sean-k-mooney> well i was the one that did the backport at redhat with gibi's help since dan was going on pto for july 4th
19:39 <JayF> downstream not meaning red hat in this case, fwiw :)
19:39 <sean-k-mooney> so with my downstream hat on any security backports i have done internally have always been on a per patch basis
19:41 <sean-k-mooney> at least for nova i dont think i have ever seen us merge a squash commit on master
19:42 <sean-k-mooney> its possible the entire commit history was discarded and it was presented as a single commit
19:42 <JayF> That's sorta what my point was?
19:42 <JayF> If we put a squash commit in the advisory
19:42 <JayF> and a downstream applies it to their downstream git fork
19:42 <JayF> they will then be somewhat perm. misaligned with a stable branch that got a non-squashed backport into git
19:43 <sean-k-mooney> right so we normally dont squash in the stable branch either
19:43 <JayF> I guess we have those problems anyway from times when patches were revised after advisory before landing, idk
19:43 <JayF> sean-k-mooney: yeah, what I'm saying is I think there's a way to make *fewer files for an advisory* while having those files contain *the correct number and shape of commits*
19:44 <JayF> sean-k-mooney: I at no point would suggest we ever issue patches that are squashed into a single *commit* if we aren't shaping it that way in master/backports.
19:44 <sean-k-mooney> right but not a squash correct just a set of commits in one file
19:44 <sean-k-mooney> ok so they are just concatenated together into one file representing the history
19:44 <JayF> that's my understanding
19:44 <JayF> I'm 99% sure there's a way to shape them that way
19:45 <JayF> and I think it's as simple as cat patch1 patch2 patch3 > multipatch
19:45 <sean-k-mooney> ack
19:45 <JayF> but I'm not 100% sure
19:45 <sean-k-mooney> i believe the vmt process doc has the command somewhere
19:46 <sean-k-mooney> do you know if its common for teams to follow the otherwise normal "create a reproducer test" and then "fix it" flow
19:47 <sean-k-mooney> i.e. for normal bug fixes in nova and some other projects we like to see a reproducer patch first followed by an actual fix
19:47 <sean-k-mooney> i suspect that is deprioritised with security work to some degree
19:47 <JayF> I don't think I've ever seen a project in OpenStack other than Nova enforce that rule.
19:48 <JayF> Having a test in the same commit, yes. Having it separate to clearly demonstrate a bug is a part of nova process that is heavier than for most projects.
19:48 <sean-k-mooney> ack it really does make it easier to review but i have not really seen it elsewhere either
19:49 <sean-k-mooney> ya it makes the actual review process simpler but it frontloads that by making you reproduce the issue up front rather than just the fix
19:49 <sean-k-mooney> i or other cores often end up writing the reproducer for drive by contributors or operators
20:02 <fungi> JayF: no, i'm not really around this week, just checking in between meetings but you pinged me specifically (at 16:34) asking me to review it, so did my best
20:04 <JayF> fungi: just force of habit :) also ignore the email to discuss-owner, I've cleared the queue
20:04 <fungi> thanks!
20:08 <gouthamr> JayF: we ultimately do email patch files (apart from including gerrit links in the advisory). so even if things merge as several separate gerrit changes, operators/packagers would rely on us having curated the patch files correctly.. this is our recommendation, then?
20:08 * gouthamr isn't aware of multi-commit patch documentation in the security bug process
20:09 <sean-k-mooney> if you use git format-patch on a branch and give it a directory it will output numbered patch files in the order they need to be applied
20:09 <sean-k-mooney> and i believe git am
20:09 <sean-k-mooney> can do the reverse
20:09 <JayF> well also I think again
20:09 <sean-k-mooney> to reconstruct the branch
20:09 <JayF> you can cat 001* 002* 003* > all.patch
20:09 <JayF> and git am will pop them in happily
20:10 <sean-k-mooney> but looking at the older bug ya i think you can either do ^ or pass an extra flag to create the unified file
20:10 <JayF> gouthamr: yep, but we only email patch files in cases of embargoed bugs with coordinated disclosure. e.g. the recent Ironic OSSA, not-embargoed, at no point did we ever have to pass around .patch files
20:10 <JayF> gouthamr: this is why the VMT generally encourages teams to strongly evaluate the cost:benefit of embargoing issues
20:10 <gouthamr> true true
20:11 <gouthamr> ack, makes sense
20:11 <sean-k-mooney> oh that was a public security bug
20:11 <sean-k-mooney> the ironic one that just shipped
20:11 <sean-k-mooney> i have used both of those ironic ipmi consoles before in the past but i dont currently have an ironic install at home
20:12 <sean-k-mooney> ipmi-shellinabox was cool while that was a maintained project
20:15 <sean-k-mooney> ah https://security.openstack.org/#security-information-for-openstack-developers is what i was looking for, i was expecting it here https://security.openstack.org/vmt-process.html#patch-development
20:16 <gouthamr> ah! yes
20:17 <sean-k-mooney> we could improve that with a multi commit example
20:17 <sean-k-mooney> ill see if i can find time to do that
22:07 <gouthamr> https://bugs.launchpad.net/horizon/+bug/2150331 is now public
