| nick | message | time |
|---|---|---|
| fungi | this might be useful for consideration to tighten the pypi upload token use in our zuul jobs: https://pypi.org/project/pypitoken-cli/ | 16:11 |
| fungi | especially once it grows support for date range constraints, then upload jobs could in theory get short-term authorization to upload a single package, and if that token somehow got leaked then the risk would be virtually nonexistent | 16:13 |
| sean-k-mooney | neat, it would be kind of like the short-lived build ssh keys we use. a short-lived bearer token | 16:55 |
| sean-k-mooney | fungi: but i assume it still would need the credential to be able to create a token | 16:55 |
| sean-k-mooney | i don't know how that is set up today but i assume the upload job is defined in a config project with a zuul secret for the pypi access | 16:56 |
| fungi | yes, the openstackci account has an unrestricted upload token stored as a zuul secret, which gets decrypted and supplied to the twine executable at upload time | 17:00 |
| opendevreview | Jay Faulkner proposed openstack/ossa master: OSSA-2026-013 Ironic: DoS via image CVE-2026-44919 https://review.opendev.org/c/openstack/ossa/+/988344 | 19:40 |
| JayF | gouthamr: fungi: ^ RFR please | 19:40 |
| fungi | thanks. looking | 19:42 |
| JayF | thanks, sending announcements | 19:53 |
| fungi | JayF: everything checks out (confirmed version ranges, tested urls, preview build in zuul looks great), so i went ahead and approved | 19:54 |
| JayF | good stuff, I'll email the world | 19:54 |
| fungi | i'm also on hand to approve the openstack-announce post | 19:54 |
| JayF | well, once https://security.openstack.org/ossa/OSSA-2026-013.html is not a 404 :D | 19:54 |
| JayF | fungi: I'm happy to have the second set of eyes but I also hold those keys if you need to 404 yourself :D | 19:55 |
| fungi | nah, i'm around working on opendev stuff anyway | 19:55 |
| fungi | it's funny-sad to be on both ends of the server vulnerability spectrum, handling upstream advisories and then also trying to keep opendev's systems secure with the pile of new advisories that are showing up in my inbox every morning | 19:56 |
| fungi | being a sysadmin now has really just turned into prioritizing and reacting to a flood of security advisories | 19:57 |
| fungi | the post volume on the oss-security mailing list for this month is on track to be easily 5x what it was in may of last year | 19:58 |
| JayF | I've been watching the gentoo community get run ragged | 19:58 |
| JayF | especially with the kernel vulns; kernel just doesn't provide clean backports | 19:58 |
| JayF | I think folks just assume everyone does the stuff that, quite frankly, we do -- and take it for granted when folks like distro packagers have to bridge the gap | 19:58 |
| fungi | i sympathize with the kernel security team, they have an insurmountable task and are dealing with it the only way they really can | 19:59 |
| JayF | I mean, I do a little, but we have a pretty insurmountable task and are still trying to do it and apologetic when we drop the ball | 20:00 |
| JayF | Maybe they are just like, a few more years down the burnout path than we are? IDK | 20:01 |
| fungi | i think the fundamental differences there (which i fully understand) are that they've decided they can't really say for sure whether something's a vulnerability in some environments because really any bug in the kernel could be if you're holding it wrong, they can't realistically gauge severity because everyone's environment is different, and they see little benefit to | 20:03 |
| fungi | themselves in the cve process so have come up with a separate async team to satisfy every random person's demand to have something they consider a vulnerability assigned one | 20:04 |
| opendevreview | Merged openstack/ossa master: OSSA-2026-013 Ironic: DoS via image CVE-2026-44919 https://review.opendev.org/c/openstack/ossa/+/988344 | 20:04 |
| JayF | I understand that in theory, but the practice is that like, day 3 after one of these zerodays it not existing in a stable branch is a pretty strong sign of lack of concern/professionalism. Maybe they should change the name of those kernels to LTU (Long-Term-Unmaintained) instead of LTS :) | 20:05 |
| JayF | Either close the branches or properly support them or at least billboard it properly as not supported. | 20:06 |
| fungi | true, i expect the kernel stable branch maintainers are happy to have more help if people don't think they're reacting fast enough | 20:06 |
| fungi | promote job for ossa-2026-013 missed the 20:05 vos release window but should be done in time for the 20:10 | 20:07 |
| JayF | That's sorta a cop out? I'd hope if OpenStack got to the point where we truly weren't maintaining a thing, we'd retire it. It's about promises made vs promises kept | 20:07 |
| JayF | I know in practice that's not how it works here, but I've been vocal about trying to make ^^ as true as possible | 20:07 |
| fungi | well, i don't think they expected a week full of high-profile zero-day exploit announcements every day | 20:08 |
| JayF | here is where I wish every chat system, including IRC, had the :lolsob: emoji I upload to every slack I use :) | 20:09 |
| fungi | JayF: your advisory is live now | 20:10 |
| JayF | yep, and I hit send twice immediately | 20:10 |
| JayF | if you wanna review+approve the one to announce | 20:10 |
| fungi | just did | 20:11 |
| gouthamr | neat, missed the party as usual.. here for the after party | 20:35 |
| fungi | i brought drinks, who's got chips? | 21:17 |
| * gouthamr | drops some H100s from his pocket | 21:18 |
| * fungi | breaks a tooth on one | 21:21 |
| fungi | they're good with salsa though | 21:21 |
| gouthamr | :’D | 21:23 |