| fungi | i pinged them both in irc to hopefully get eyes on that fairly quickly | 00:07 |
|---|---|---|
| JayF | thanks | 00:08 |
| * JayF & | 00:08 | |
| *** gthiemon1e is now known as gthiemonge | 13:36 | |
| *** hberaud_ is now known as hberaud | 13:52 | |
| opendevreview | Elod Illes proposed openstack/openstack-manuals master: [www] Set Xena, Wallaby and Victoria state as Unmaintained https://review.opendev.org/c/openstack/openstack-manuals/+/911861 | 14:56 |
| dansmith | fungi: yeah makes sense to get them to weigh in as well. are those projects under the VMT? | 15:06 |
| fungi | dansmith: heat is, but it looks like maybe the fix needs to happen in a dependency which isn't, discussion continuing in the bug | 15:08 |
| dansmith | ack, catching up | 15:09 |
| fungi | also we still haven't heard back from one of the potentially impacted projects (either in the bug or to my irc /msg to the ptl) | 15:17 |
| dansmith | okay, we can proceed with the murano warning though yeah? | 15:17 |
| frickler | fungi: can you share which project? maybe someone has some other contact | 15:19 |
| fungi | frickler: i guess it can't hurt at this point... mistral | 15:20 |
| dansmith | yeah JayF already exfil'd heat earlier I guess :) | 15:21 |
| frickler | fungi: hmm, good luck with that, I've still to get feedback from avanzaghi regarding some release patches, too ;-/ | 15:21 |
| fungi | dansmith: i think what we proceed with depends on whether we need to keep the bug private long enough to give the other projects a chance to fix it if the impact in them is severe (if they decide it's not severe then we can stick to the previously discussed schedule) | 15:22 |
| dansmith | fungi: okay and/or if we need to add mistral to the early warning | 15:22 |
| fungi | also if the fix happens in the dependency it may solve it for all affected projects | 15:22 |
| dansmith | yeah we probably need someone to decide if that applies to others or not though | 15:23 |
| dansmith | just because it's used in one place of the project doesn't mean every such usage is covered I imagine | 15:23 |
| JayF | fungi: being able to say that requires someone who is expert enough in murano to say so strongly | 15:23 |
| dansmith | and every arrangement or scenario | 15:23 |
| dansmith | JayF: you mean mistral right? | 15:23 |
| fungi | JayF: agreed. basically, i'm hesitant to set a disclosure date of next thursday if there are other projects also impacted (badly enough that we want to not reveal the underlying cause yet) who are actually going to work on a fix | 15:24 |
| JayF | I mean "if the fix happens in the dependency it may solve for all affected projects" <--- as long as we have a person who knows enough about that project to feel confident about that | 15:24 |
| dansmith | I think JayF said or eluded to it before, but what we're seeing here is an excellent example of why we shouldn't let abandoned projects hang around past their expiration date | 15:25 |
| fungi | so i do think the guidance to disable/remove murano from deployments is still a good idea, it's more a question of when do we want to plan to make the details of why public, and i think we don't have enough information just yet to decide | 15:28 |
| dansmith | fungi: we could make that warning without a hard date of when the disclosure is going to happen right? | 15:28 |
| dansmith | sooner rather than later for the murano people can only benefit the situation IMHO | 15:28 |
| fungi | yes, we could say "at a later date" or something | 15:29 |
| JayF | ++ | 15:30 |
| fungi | JayF: dansmith: rosmaita: revised draft removing the specific disclosure date: https://wiki.openstack.org/wiki/OSSN/OSSN-0093 | 15:48 |
| fungi | i'll be afk for the next two hours, but can make whatever additional edits you want and/or send it once i'm back at the keyboard | 15:49 |
| JayF | +1 | 15:49 |
| rosmaita | fungi: ack | 15:49 |
| dansmith | yeah seems okay to me | 15:50 |
| rosmaita | fungi: sorry, was in a meeting, LGTM | 16:17 |
| -opendevstatus- NOTICE: Jobs that fail due to being unable to resolve mirror.dfw.rackspace.opendev.org can be rechecked. This error was an unexpected side effect of some nodepool configuration changes which have been reverted. | 16:55 | |
| fungi | last call for comments on https://wiki.openstack.org/wiki/OSSN/OSSN-0093 before i add it to the ossn index and send copies to openstack-announce, openstack-discuss, and oss-security@lists.openwall.com (our usual notification destinations) at 20:00 utc today (about an hour from now) | 18:57 |
| dansmith | fungi: did I miss it? | 21:38 |
| fungi | dansmith: no, haven't sent it yet but will shortly | 21:46 |
| fungi | did you have any last-minute edits? | 21:46 |
| dansmith | nope | 21:46 |
| fungi | okay, cool | 21:46 |
| fungi | sent to openstack-announce, openstack-discuss, and oss-security@lists.openwall.com | 22:45 |
| fungi | also the ossn index in the wiki has been updated to link to it | 22:45 |
| fungi | if anyone wants to link to it elsewhere: https://lists.openstack.org/archives/list/openstack-announce@lists.openstack.org/thread/4FYM6GSIM5WZSJQIG4TT5Q3UBKQIHLWX/ | 22:47 |
| spotz[m] | Thanks fungi | 22:52 |
Generated by irclog2html.py 2.17.3 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!