Wednesday, 2024-03-06

« Tuesday, 2024-03-05 Index Thursday, 2024-03-07 »
spotz[m]Deployment docs are the most likely to be updated00:03
opendevreviewTony Breeds proposed openstack/election master: [templates] Update links  https://review.opendev.org/c/openstack/election/+/91138701:28
*** promethe- is now known as prometheanfire01:30
opendevreviewTony Breeds proposed openstack/election master: Simplify and update-governance  https://review.opendev.org/c/openstack/election/+/88820904:05
frickleravanzaghi: please check the vwx-eom release patch https://review.opendev.org/c/openstack/releases/+/91039207:23
fricklernoonedeadpunk: please check the vwx-eom release patch https://review.opendev.org/c/openstack/releases/+/91043009:51
noonedeadpunkthanks for the ping09:54
noonedeadpunkI'm falling bahind duties for last month, but hopefully be back up to speed starting April09:55
fricklernoonedeadpunk: np, thanks for the update10:01
noonedeadpunkI actually also need to take care of osa's eom patch...10:02
noonedeadpunkbut it's slightly more complex10:02
fricklernoonedeadpunk: I pinged elodilles about that, not sure if it can be autogenerated?11:33
noonedeadpunkI think it used to be at least for branching11:34
noonedeadpunkas I saw generated proposals for these11:35
noonedeadpunkI'm talking about this now: https://opendev.org/openstack/releases/src/branch/master/deliverables/yoga/openstack-ansible-roles.yaml11:35
fricklernoonedeadpunk: yes, I think there was something that because it doesn't appear in governance directly, the script needs some explicit kick in order to generate that for vwx, too11:37
elodilleswell, i don't know off top of my head whether i did it with standard tooling or had to do it with some minimal scripting myself o:) so i have to check11:37
noonedeadpunkwell, all these repos are under governance jsut in case11:38
elodillesnevertheless, the 'official' transition_series.sh script cannot handle it11:39
elodilleshence we miss it all the time :S11:39
elodillesnew-release command does not work. give a minute and i'll create a patch for xwv-unmaintain then11:44
elodillesnoonedeadpunk: there it is https://review.opendev.org/c/openstack/releases/+/91150912:01
fungifrickler: moving discussion here, as i said in the tc meeting a few weeks ago i'll gladly subscribe any tc members to that murano bug if they express interest in either trying to help fix it or deciding to switch it to public. murano hasn't opted into granting that authority to the vmt but as a part of openstack i can see an argument for tc members to make that choice on behalf of the13:48
fungiproject13:48
*** tosky_ is now known as tosky13:57
fricklerfungi: ok, I would offer myself to look strictly only at the latter option, but let's wait for JayF first14:06
fungii mainly just don't want to overstep my authority in this case, since up to now it's been granted to the vmt by each individual team (though implicitly in the case of the earliest projects, they could still decide to opt out of it at any time)14:09
fungithe problem comes, as we've seen in other areas, when there's nobody active enough in the team to grant that authority14:10
fricklerfungi: yes, in my understanding the authority then falls back to the TC like in the case when there is no PTL candidate, but maybe others have different opinions14:11
fricklertc-members: ^^ I guess that's interesting enough a topic to ping you all14:12
JayFI am +1 to opening up that bug. I'm unsure how to express that in any official way14:16
fungii can subscribe you to the bug, and then you can switch the bug type in launchpad from private security to public security along with a sentence or two comment about why you're doing it14:22
fungithough if you want to gather more (formal or informal) consensus from the rest of the tc first, i understand14:23
fungiunrelated, on the subject of openstack-wide architectural issues, the uwsgi entrypoint script discussion is heating back up again. seems package maintainers and deployment developers are looking for some official decision on the path forward14:37
fungii suppose it could be summarized and communicated with an official goal14:38
JayFThere is a goal that's been issued. It's technically gotten enough votes to be merged, but there hasn't been any real engagement on it to the point where I'm convinced that merging it actually solidifies it as a goal14:59
JayFI'd say in general we have a review bandwidth problem with longer form governance changes right now, which doesn't really make sense to me15:00
fungioh, i had forgotten there was one proposed already. i suppose it's worth me linking it in that thread and encouraging participants to review15:01
fungithanks for the reminder!15:01
dansmith_JayF: I hate to say this, but you probably need to beat the drum more15:02
*** dansmith_ is now known as dansmith15:02
dansmithgmann was insanely good about "reminding" about reviews15:02
dansmithit sucks, I'm not proud of myself, but with so many things in the air, I'm pretty event-driven15:02
JayFHonestly, I'm pretty event driven at this point too which is where I have not done a good job of this kind of periodic reminder stuff lol15:03
dansmithcode changes get my attention regularly because of other reviews, test results, rechecks, etc but gov stuff not so much15:03
fricklertc-members: the release team has discovered some issues during the unmaintained migration, I've tried to list them at https://etherpad.opendev.org/p/unmaintained-release-issues , feedback welcome especially where noted15:41
fricklerelodilles: ttx: hberaud_: ^^ fyi15:42
frickler(there you got your event to drive you ;)15:42
fricklerJayF: sorry for more pinging, but regarding the PTG: do you intend to continue to use zoom sessions? because then I wouldn't need to worry about the actual scheduling of sessions15:46
JayFThe PTG, generally, is being held in meetpad this year.15:46
JayFI do not have any personal desire to upend the default, same as last PTG.15:46
JayFIf someone cares deeply, they're welcome to advocate for change.15:46
frickleroh, that's news to me15:46
JayFI'll note it's also possible that there will be a new chair by then15:46
JayFso anything I say about PTG planning should be considered tentative :)15:47
JayFbtw frickler I never am bothered by the ping. I manage my notifications around working hours and all, if you ever bother me when I don't wanna be bothered it's my (or Android's) fault :D 15:47
fricklerbut then the mentioning of "Ocata room" in the ptg etherpad is misleading15:47
fricklerJayF: just wanted to show some sign of politeness ;)15:48
frickleralso ack regarding the tentativeness15:48
JayFfrickler: click the os-tc links to ocata room :)15:48
JayFit takes you to meetpad15:49
JayFthe API stays the same, we just changed drivers ;) 15:49
fricklermaybe time to drop this legacy "room" concept then15:49
fricklerso, no zoom at all? was that announced somewhere?15:50
JayFI am happy to keep that level of PTG planning outta scope of me-personally as much as possible. I have a full plate already :D 15:50
JayFfrickler: I know last year when we were talking about if it should be zoom or meetpad, they said meetpad would be default next ptg, that's part of why I was ... choosing to not fight that battle then15:50
fungiredoing the schedule design is the plan but it would take a larger rework of the software, so for this time around it was decided to just explicitly override the track urls when creating them, since that could be done easily without any changes to the code (only to the track creation process)15:51
fricklerJayF: ok, then just one issue: the etherpad says Apr 8 for the first session, which would be Monday, but the ptg page shows the slot reserved on Tuesday?15:53
JayFfrickler: I need you to look away for about 30 seconds while I perform some irc-bot slight of hand ;) 15:53
fricklerI can do that, ok15:54
JayFwhat are you talking about?15:54
JayFthe website is accurate15:54
JayFand was accurate before 30 seconds ago :P15:54
JayFlol15:54
JayF(I fixed it)15:54
fricklerfungi: thanks for the technical background. I'm just wondering (once again) whether that decision and the process behind it could (have been/be) made more public15:56
fricklerJayF: thx, seems I was somehow looking the wrong way earlier ;)15:57
JayFIt happens. SO easy to just swap out a Tuesday for a Monday without even noticing ;) 15:57
fungifrickler: yeah, i thought diablo_rojo had announced that publicly after the discussion we had at the last ptg, but it's possible those details only made it into the communications to team leads and in non-textual places like foundation board meetings and openinfra.live episodes15:58
fungifrickler: anyway, the background is that teams can, as always, override the videoconference url for their track to whatever they want (a specific zoom room they also use for other meetings, bluejeans, google meet, whatever). if a team does decide they need zoom instead of using meetpad but doesn't have a zoom room to use, the ptg organizers can get one allocated for them. the overhead of16:03
fungisetting up a slew of zoom rooms most of which sat unused was time-consuming and the licensing was quite costly, so with opendev already maintaining meetpad (we designed it specifically for the ptg use case after all), it seems like a good default option16:03
fungiprobably the biggest feature difference with meetpad is that we only have its recording option set up for client-initiated recordings. someone will need to remember to start the recording and there is a size limit which practically means teams need to take a break at least once an hour and stop the recording, starting a new recording at the end of the break16:05
fricklerfungi: I couldn't agree more, I've been saying that for some time now, but a lot of teams seemed to either actively prefer zoom or were too lazy to change the default. so the zoom option will still be there16:05
fungithe organizers observed that on average about 2% of ptg sessions have recordings requested, so if a team really needs zoom's feature where the account holder can automatically upload a recording to youtube or something, then that can be accommodated on a case-by-case basis16:06
fricklerenforcing breaks that way is a side-effect I also don't object to ;) but then I don't think recording those sessions is a good idea in the first place16:07
JayFI used to feel that way, feeling less that way after the recent magnum disputes.16:07
fungithe magnum team had the option of recording that session. they could have also just more clearly documented the discussion in their notes and/or discussed it on the mailing list afterward. i don't know that a recording would have been much help anyway since the party who objected to the outcome didn't participate in the session16:09
fungiwould they have watched the recording if it existed? it seems like they didn't read the notes from the session until linked during the latest debate16:10
fricklerrecording a session isn't a substitute for proper note taking, I agree16:11
*** clarkb1 is now known as clarkb16:55
clarkbI think it is also important to note that just because a decision was made $time ago doesn't mean project teams can't make newer decisions16:56
clarkbSo even if we had a recording and notes that say we're going to do things in X way instead of Y way it is entirely possible Y happens and X doesn't for reasons due to the passage of time (different team members now, or maybe problems discovered in X in that were unanticipated)16:57
clarkbthese aren't binding decisions we can never change course on. Intead events like the PTG are aimed at helping build consensus and direction. But it isn't the end all decider of these things16:58
clarkbmajor exaple: OpenDev tried to move container image hosting into quay. Then discovered that docker can only have "mirrors" of docker hub and not other registries whcih breaks speculative container hosting for anything hosted outside of dockerhub17:08
clarkbthis led us to moving everything back to docker hub17:08
clarkbunexpected problems, life, priorities, people all change over time and as a result decisions we make may have to accomodate17:09
frickleralso decisions made exclusively at a PTG would exclude anyone that for whatever reasons wasn't able to participate directly17:10
fricklerso whereever possible/applicable something like specs or RFEs that can be tracked in gerrit or elsewhere should be used17:12
* frickler wonders whether we have some docs location where one could write these things up for a bit17:13
fricklerok, two more things that might require some escalation sooner or later, I'm simply mentioning them here for now17:44
fricklera) python-aodhclient is blocking the current oslo.db version in its requirements, so they are not co-installable, creating an issue for distros. I've proposed a patch at https://review.opendev.org/c/openstack/python-aodhclient/+/910865 that could possibly solve this 17:46
fricklerb) similarly some other projects might be broken (again) by that oslo.db release https://lists.openstack.org/archives/list/openstack-discuss@lists.openstack.org/message/Z6ZWJRC32EPM4TJUZHTLTDFGQRLNRWP4/17:51
SvenKieskeit looks like there is a workaround in place wrt bcrypt?17:56
SvenKieske2024-03-05 16:06:22.664213 2024-03-05 16:06:22.663 1012 DEBUG passlib.handlers.bcrypt [None req-65773efd-6242-43ac-9a44-8144861c0726 - - - - - -] 'bcrypt' backend lacks $2$ support, enabling workaround _finalize_backend_mixin /var/lib/kolla/venv/lib/python3.10/site-packages/passlib/handlers/bcrypt.py:406\x1b[00m17:56
SvenKieskeah my bad, wrong channel17:57
fricklertc-members: one final thing from me for today: we are unsure in the release team how to best handle python-muranoclient, for which a release has already been made for this cycle, please comment on https://review.opendev.org/c/openstack/releases/+/911415 if you have some opinion19:58
JayFI +1'd it, seems like a sensible compromise19:59
gmannyeah, it is more of  not doing any further release in this cycle if any already released we cannot undo that anyways20:00
spotz[m]Yeah we discussed Murano this morning in the RDO meeting as it was breaking CI so it's removed there as well, we were leaving things another cycle for people to move off provided an inactive project passed CI20:36
fungiit's a shame the reported vulnerability for it is still set private, or we'd have something to point to in order to tell deployers they should basically be disabling or uninstalling it20:58
spotz[m]Knowing it had an issue plus failing CI was an easy decision for us21:08
fungiyeah, at the moment my concerns in order are 1. making sure people don't keep installing it, and 2. making sure people who already have it installed have sufficient information to know to disable the impacted functionality21:09
spotz[m]Removing it helps with 1 but not  knowing the fullinformation makes doing 2 hard21:10
fungiexactly21:12
JayFtc-members: if there is no objection stated by this time tomorrow, I'm going to ask fungi to assign the murano closed bug to me and I will open it on behalf of the TC21:12
spotz[m]None from me21:13
JayFThe bug is set to private for obvious reasons; we are unlikely to ever fix it so we need to shine a light21:13
dansmithI'm not sure if I've seen it so I don't know how big the vulnerability is21:13
JayFfungi: ^ I'll get you outta the pinch tomorrow unless someone screams no at me :)21:13
JayFdansmith: I've not seen it either; but murano devs don't exist to fix it, unless someone is going to volunteer to fix it we need to at least be transparent about the vulnerability21:13
dansmithnot asking to see it, but if your estimation is that it's not a 10/10 sort of end of the world thing, I see no better resolution than opening it21:13
JayFdansmith: and fungi indicated in here and elsewhere that experienced murano deployers have indicated their workaround is to disable a large % of the service's capabilitiies21:14
dansmithJayF: well, the reason I say that is that if it's so bad that anyone running murano will be exposing a root shell to the world in five minutes after disclosure it might be better to handle it differently21:14
JayFfungi: ^ Can you address that question?21:14
JayFalthough from another perspective: unless we're going to fix it, we have an obligation to open it IMO21:14
dansmithJayF: right I know I just want to make an educated decision.. if it's something that could jeopardize all the current public clouds, "who is going to fix this" might be different21:15
dansmithI'm totally on the side of "just open it and tell people to uninstall"21:15
spotz[m]It's definitely a we don't know what we don't know situation21:15
dansmithI'm just saying...21:15
fungidansmith: yeah, i'm not a murano user so the best gauge i have is that one of the operators subscribed to it said their approach in production was likely going to be just disabling a significant portion of its functionality21:15
JayFthat's why I redirected that question to someone who has seen the bug :)21:15
fungiwhether disabling that makes it entirely useless to some deployments, i'm not certain, but i'd wager yes in many cases21:16
dansmithfungi: to be clear, I'm sure that's the only real solution, and not actually fixing it.. what I mean is if the vuln is "poke this special url and you get a root shell" we might want to handle it differently, like do a release where the code is replaced with 'return 1'21:17
dansmithand tell people to disable it before we tell them why21:17
fungii also don't know how frequently murano is installed, maybe the user survey has data on that21:17
dansmithif it's less severe than that, then I doubt it matters21:17
fungiit's normal authenticated users able to run things as murano's service account21:18
fungion the control plane21:18
dansmithrun things like spawn an executable?21:18
JayFoh my21:18
spotz[m]eeep21:19
dansmithhow about you add JayF and me and we can have a quick chat about it being in the know21:19
fungiyes, run arbitrary commands on the server where the murano service is installed, it looks like21:19
JayFthat is almost as bad as dansmith's fake worst case 21:19
JayFwell, that *is* the worst case21:19
dansmithJayF: yeah, that's pretty bad21:19
JayFgah21:19
dansmithJayF: it leads to the worst case pretty much, at least21:19
dansmithI dunno if murano uses rootwrap or privsep, but if so there's probably a path to root there21:19
spotz[m]I think just from that much info we need to tell folks to disable and uninstall21:19
fungihence why i've been trying to raise the alarm when the only active volunteer for murano said there was probably nobody to fix it21:19
JayFspotz[m]: dansmith's suggestion of "do a release that makes the service nonfunctional" is not a terrible idea if it is that's bad21:20
JayFadd a config option of "i accept the security risk" or else sys.exit(1) immediately (this started as a joke but maybe isn't a terrible idea)21:20
dansmithyeah my thought was just that a release is maybe our best mechanism to communicate something that will get attentuion21:20
spotz[m]JayF: I's not IF we can get it to pass CI21:21
dansmithnah we can do a release with no CI21:21
JayF++21:21
JayFto no ci21:21
JayF"confirmed not working" ✅21:21
fungiJayF: dansmith: i believe i've subscribed your typically-used lp accounts to https://launchpad.net/bugs/204811421:21
dansmithfungi: ack thanks21:22
dansmithfungi: JayF: video chat in a few minutes to scheme?21:22
fungii can audio, if that's sufficient. don't have my camera hooked up21:22
spotz[m]Let me know if you need me, I'm free for a but21:23
dansmithfungi: I figured, you never have video21:23
dansmithafaik you're no longer three dimensional21:23
* fungi is 11-dimensional21:23
spotz[m]hehe21:23
fungitake that in whatever numeric base you prefer21:24
dansmithlooks like boring old 3-dimensional in my binary view21:24
fungi(classical quantum string theory uses 11 dimensions decimal, fwiw)21:25
JayFsorry it took me a while to join, laptop decided to die as you asked that :D 21:46
JayFtc-members: the plan is: fungi will draft a redacted OSSN, urging OpenStack users to disable/uninstall their Murano services and information that we'll be opening the bug and providing details in a week. After that week passes, we'll unredact the OSSN and open the bug and really, really hope that users were listening.21:54
JayFtc-members: if you object to this plan, you have probably about a day to say so before we'll execute it21:54
rosmaitaJayF: plan sounds good to me22:15
fungiyeah, i'd prefer to send it out tomorrow. we try to avoid communicating security issues on fridays, weekends, mondays or major holidays, for visibility reasons, so if we miss tomorrow then tuesday the 12th is the next opportunity22:24
spotz[m]+122:25
rosmaitafungi: lmk if you need reviewing/proofreading assistance22:25
dansmith++22:26
JayFrosmaita: Heads up; I'll be PTO the first week of April. It's unlikely we'll have a new Chair/VC by then, so you'll need to run that meeting. I'm also going to make a more concerted effort than usual to stay outta IRC/chat/etc22:26
rosmaitaJayF: ok, though i may no longer be on the TC at that point (though, nothing says anywhere that the TC meetings must be chaired by a TC member)22:27
JayFoh, that's a good point22:27
JayFyou aren't even running, are you?22:27
JayFso you're guaranteed not on TC by then22:27
rosmaitano, decided to step aside so that red hat would not force a diversity requirement exception22:28
rosmaitaplus, i have done enough damage22:28
JayFheh22:28
JayFI do not intend to run again22:28
fungii'll just post a link to the draft in here once i have it. there won't be any sensitive information in it anyway with the current plan22:28
rosmaitafungi: ack22:28
fungiJayF: dansmith: rosmaita: i haven't added it to the ossn index yet, but https://wiki.openstack.org/wiki/OSSN/OSSN-009322:41
JayF> any deployments with Murano functionality accessible to untrusted users22:42
JayFis almost weakening the message too much22:42
JayFI would just remove "accessible to untrusted users"22:43
JayFbecause trust is a strange concept, and I doubt people would connect how much trust they need to have for it to be Ok in that case22:43
gmannJayF: rosmaita: let me know if you need help, I can volunteer to chair meeting. 22:43
fungisure. i mean, there are openstack deployments where the only users are also administrators, but meh. they know what they're doing i guess22:43
JayFgmann: I was likely going to ask you :) 22:43
rosmaitagmann: you are my first choice!22:44
JayFgmann: so sure, I'll have you pencil'd in if we don't get a new chair by then22:44
gmann:)22:44
fungialso i suppose clouds where all users are admins probably have limited use for services like murano anyway22:44
gmannJayF: sounds good. 22:44
fungiJayF: that read any better?22:45
JayFfungi: pretty much exactly what I was thinknig ++22:46
rosmaitafungi: my only suggestion would be to s/There is currently no fix/Given that the Murano project is inactive, there is currently no fix/22:47
fungioh, good point, it's officially listed as inactive now22:48
gmannalso, we should merge this as we are mentioning about its status as Inactive https://review.opendev.org/c/openstack/governance/+/90885922:48
gmannJayF: ^^22:48
JayFI can't land it, I'm the only vote on it22:49
gmannis it? I see 5 votes there22:49
JayFpost-rebase I am the only vote22:49
JayFpatchset 4 is me only22:49
JayFyou should at least vote on it too while here22:49
*** kopecmartin_ is now known as kopecmartin22:50
gmannJayF: I think i observed the same sometime but have no evidence exactly how it goes in gerrit.22:50
rosmaitai see 5 +1s on that patch22:50
gmannJayF: but I see all previous votes are carry forward in this, at least i see in my gerrit Rollcall-Vote button at top22:50
JayFthe script doesn't agree, let me look22:50
gmannJayF: can you refresh it or so22:50
JayFI'm happy to land it if it's good to land22:50
gmannohk22:50
gmannI voted though 22:51
JayFyep, comment from >  Mar 05 9:53 AM 22:51
JayFindicates the votes were carried over22:51
JayFUI for rollcall votes is tough22:51
JayFlanding it22:52
gmannI think it is little weird view on gerrit 22:52
rosmaita\o/22:52
fungirosmaita: how's the current rewrite look wrt mentioning murano's inactive?22:52
rosmaitasorry, saw a squirrel22:53
clarkbif you hover over the votes you get a listing of who made them22:53
rosmaitalooks good ... only suggestion would be to put all occurrences of "Thursday, March 14, 2024" in bold font22:53
rosmaitabut the content LGTM22:54
rosmaitafungi: ^^22:54
fungirosmaita: i will get out my bold pen22:54
rosmaita:D22:54
fungithough it likely won't come across very well in plaintext e-mail to mailing lists ;)22:54
fungirosmaita: bold applied. took me a few minutes to remember mediawiki markup for that (wrap in tripled apostrophes)22:59
rosmaitalooks good!22:59
opendevreviewMerged openstack/governance master: Mark Murano project inactive  https://review.opendev.org/c/openstack/governance/+/90885923:00
JayFclarkb: I don't see RC votes show up anywhere in zuul UI except for on the comments23:01
JayFclarkb: and when those comments are tied to an older patchset, AFAICT, the only way to know it carried over is to find the comment saying so23:01
JayFclarkb: please tell me I'm wrong and there's a better way I've missed :)23:02
clarkbJayF: I assume you mean gerrit not zuul. On https://review.opendev.org/c/openstack/governance/+/908859 it says Rollcall-Vote +1 under Trigger votes. Hover your mouse on that and you get all of the votes made to that label23:02
JayFclarkb: that is the better way I didn't know existed until now()23:03
JayFthank you23:03
fungithough it looks like that's still only reflecting the latest patchset23:03
clarkbyou can hover submit requirements votes for a similar pop up view but that one will also show you the conditions that satisfy the requirement23:03
fungieven if you switch patchsets the trigger votes box shows the most recent patchset23:04
clarkbfungi: all votes on the change summary section are for the current patchset23:04
clarkbs/current/most recent/23:04
fungiexactly, that's what i was saying23:04
clarkbI think gerrit has done that since like 2.823:04
clarkbwhenever they changed from the old old change screen to the new old one23:04
fungiso it doesn't cover JayF's point about being unable to get an easy list of which votes were made on a prior patchset, but yes that hasn't been possible for a long time23:05
JayFCan't we just run Gerrit Train forever and keep all the UI exactly like I'm used to it /s23:05
JayFfungi: No, my problem was more, identifying if older votes are still relevant, clark solved that for me23:05
fungiaha23:05
JayFfungi: I don't have a real need to know if a non-current patchset was approved23:05
rosmaitafungi: clarkb: while you are both here, is there a way to tell gerrit UI to sort this list in dependency order?  https://review.opendev.org/q/topic:%22fujitsu-driver-update%22-is:abandoned+after:2023-1-123:06
gmannI tried to make Rollcall-Vote as 'Submit Requirements' but that did not seems working https://review.opendev.org/c/openstack/project-config/+/86851223:07
clarkbrosmaita: no sorting is always done by most recently updated in the change listing pages23:07
fungirosmaita: what is dependency order?23:07
clarkbrosmaita: if you open a change though it should show a list of changes in relationship order23:07
rosmaitaright, what clarkb said23:07
clarkbfor example on https://review.opendev.org/c/openstack/cinder/+/907777 top right under "relation chain" click show all23:07
gmannyeah click SHOW ALL, otherwise it was confusing 23:08
rosmaitaclarkb: thanks ... i knew about that one, but wondered if there was a more convenient display23:08
fungigertty ;)23:08
rosmaitaglad to know there isn't, so i won't try to figure it out23:08
fungigertty "threads" the change list23:09
clarkbin older gerrit you could reverse the order (oldest first) but now you can't even do that23:09
clarkbfungi: rosmaita: reading that notice one thing I wonder about is what happens to applications deployed by murano. I don't know that any of us know the answer to that23:17
clarkbbut we may get the question23:17
clarkbIn theory you can manually manage the underlying resources deployed by it? And shutting down services won't remove resources from the cloud23:18
JayFclarkb: from the chat dansmith, fungi and I had in video chat; we basically don't have enough knowledge/information about murano to address it to that degree. That's why we're suggesting to shut it down.23:19
clarkbright but if shutting it down means your applications get deleted that isn't good either23:19
JayFIf I, personally, fielded such a question; I'd tell people to not trust *anything* deployed with Murano unless they've personally validated it.23:19
clarkbI don't think that is the case fwiw23:20
fungiyeah, it probably doesn't do anything to the virtual machines that had apps deployed onto them already, but i can't say that with 100% certainty23:22
fungiwe could have dropped murano back when we retired the app catalog, but some people wanted to keep developing it at the time23:23
clarkbI guess the distinction is that peopel can manage their own independent app catalogs with murano in local deployments?23:24
dansmithtbh I think "uninstall murano" is the only reasonable course of action from what I saw23:25
JayF++++++++++23:28
dansmithI've typed about five "unless I did this" or "maybe if I jailed it like that" but kept deleting them and thinking, nope, I can't really see doing any of that23:30
fungiJayF: dansmith: see latest bug comment, clarkb saw the initial report because the project config in lp at the time cc'd it to ~openstack-admins, and he brought up some related concerns about similar projects, we might want to push out the disclosure timeline slightly to give folks from those projects an opportunity to look it over and determine if they need to make any changes23:50
JayFI am +1 to disclosing the issue to PTLs/their designates in those projects23:51
fungiyeah, just looking them up now23:53
JayFtkajinam is the heat ptl23:54
JayFIIRC23:54
fungii'll subscribe him directly for now since heat's using storyboard (we can open a separate private heat story for this if it is deemed relevant)23:55
fungithe other project mentioned i'll also just subscribe the ptl. they use launchpad but don't have a coresec team and their drivers team has only one person who i know is not active in openstack any longer23:56
« Tuesday, 2024-03-05 Index Thursday, 2024-03-07 »

Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!