Thursday, 2026-06-04

[07:29] <frickler> one venus cleanup patch is still open, I didn't want to just self-approve, maybe someone can give it a second look? https://review.opendev.org/c/openstack/venus/+/981947
[13:43] <opendevreview> Jeremy Stanley proposed openstack/openstack-manuals master: Correct links to OpenStack Security site  https://review.opendev.org/c/openstack/openstack-manuals/+/991641
[14:40] <frickler> wow, the keystone ossa from a week ago is already rotated out of the list of "latest 5" on that site ... :-/
[14:41] <fungi> just wait until the advisory volume *really* picks up
[14:41] <fungi> but yeah, we can easily expand the window on the main page to latest 10 or something
[14:45] <clarkb> maybe you need a "5 of X" tracker with a clear link to a full list?
[14:45] <clarkb> (maybe that already exists)
[14:46] <fungi> the link to the full list is already there just below the recent summary
[14:49] <frickler> yes, I think this is fine, I just stumbled over it when checking the above docs patch and then thought "wow what a busy week"
[14:51] <fungi> it's been a busy many weeks. keep in mind some of those advisories are roll-ups of multiple bugs/fixes too (take a look at the mistral one for example)
[15:30] <sean-k-mooney> the keystone one is like 5 or 6 in one
[15:31] <sean-k-mooney> although that may have been one of the ones that rotated
[15:49] <fungi> this year so far (and the year's not even half over!) the vmt has published more than 10x as many advisories as we did in all of last year, just to put it in perspective
[15:52] <fungi> this is the first time in a decade we've published double-digit advisories in a year (next highest was 8 in 2020), and we're well on track to exceed the busiest year we ever had for advisories in the history of openstack, which was 41 published in 2014 back in the heyday
[17:36] <dansmith> hoo boy.
[17:37] <Mike--> such is the age of AI
[18:42] <sean-k-mooney> for better or worse I'm happy that we are actively improving openstack for our users even if we all would have preferred to not have the security issue in the first place
[18:43] <sean-k-mooney> but yes it's been a major effort for the vmt so far
[18:54] <JayF> I've been modeling it as a tsunami. I don't think the high rate of incoming security issues will continue, but it'll peter out after a while.
[18:55] <fungi> i'm not so optimistic about that, i don't see bugs as being limited in supply, and am just hoping the interest in searching for them trails off before we burn everyone out with it
[18:58] <clarkb> in theory if the machines make it easier to write tons of code we're just filling up the queue on the backend as we drain it on the frontend
[18:58] <clarkb> I've already had to fix one production software crash that I can directly attribute to claude
[19:01] <fungi> also the machines have proven to be really efficient at creating new bugs
[19:02] <clarkb> right, that's what I mean. We're fixing existing/old bugs but everyone is racing to add new ones at the same time
[19:03] <fungi> er, yeah i was continuing my thought about the supply of bugs not being limited, but you did indeed mention the same problem
[19:09] <dansmith> fungi: I'm with you.. I think it's "new normal"
[19:09] <fungi> pessimist club
[19:09] <dansmith> I saw that as we've got CVEs on previous CVE fixes
[19:10] <fungi> and that's not even a new phenomenon we can blame on the llm craze, but it has scaled up along with everything else
[19:10] <gouthamr> with one of the reporters it's their investigation pattern.. which, i thought was pretty cool
[19:11] <fungi> but also the availability of the tools means anyone with some spare token credits who has read an article on searching for security holes in open source software is now doing it, even if they have no real understanding of vulnerability handling practices or open source developer workflows
[19:12] <fungi> which, i'll try to put this politely... adds to our education burden
[19:13] <dansmith> yeah, I can see the pressure leading to writing better stuff in the first place, so the tide may recede because of that, but not because I think the pressure will go away like a fad
[19:16] <gouthamr> on the burden, yeah.. no matter what they've found and how they've found it, we triage and process everything responsibly.. and it's a long and painful process for good reason.. and i'm seeing more of us doing it this year because of this influx... education all around :)
[19:17] <JayF> "pessimist club" <-- exactly why I left this conversation, bluntly. Discussions of potential relief fight burnout; just chatting in IRC about how terrible everything is creates more burnout imo :(
[19:19] <gouthamr> JayF: You can check out any time you like, but you can never leave
[19:22] <fungi> i took your keys
[19:35] <dansmith> JayF: I'm not at burnout level (on the security things) yet so I guess I don't see it as "everything is getting worse." any time we're fixing a security bug I feel pretty good, usually better than features
[19:36] <dansmith> like sean-k-mooney said above, I'm happy these are getting found and fixed
[19:36] <dansmith> but I can totally see why people could be sick of it already (and/or that we could all get that way at some point)
[19:36] <JayF> I'm happy too, in general. But also tired.
[19:39] <fungi> my main concern is that it's sapping our collective bandwidth to get other things done, and most of the people dealing with this new increase in workload are the same ones who are/were taking care of central commons maintenance in our projects
[19:40] <fungi> searching for security vulnerabilities has become interesting to people, but fixing them or pitching in on other boring maintenance tasks has not suddenly become interesting enough to balance that out
[19:41] <dansmith> yeah, but as the former becomes easier to do, the glory may wear off a bit. but, you're not wrong
[19:42] <fungi> just wondering if we'll all look back on hibiscus as the (first?) cycle where "all" we got done was plug security holes
[19:43] <sean-k-mooney> for what it's worth there are a lot of small bugs that were valid that we never used to get to before that i feel like we are now actually starting to burn down
[19:43] <sean-k-mooney> independently of the high profile security ones
[19:43] <fungi> that's reassuring to hear!
[19:44] <sean-k-mooney> at least in projects with extensive testing like nova it's a lot easier now to take a bug report and create a reproducer quickly to demonstrate it and then work on a fix than it was in the past
[19:44] <sean-k-mooney> in cyborg the lack of test infra is a bit painful but it's another motivation to actually build it
[19:46] <opendevreview> Jay Faulkner proposed openstack/security-doc master: [OSSN-0099] Service DoS in Ironic  https://review.opendev.org/c/openstack/security-doc/+/991729
[19:47] <opendevreview> Jay Faulkner proposed openstack/security-doc master: [OSSN-0099] Service DoS in Ironic  https://review.opendev.org/c/openstack/security-doc/+/991729
[19:50] <opendevreview> Jay Faulkner proposed openstack/security-doc master: [OSSN-0099] Service DoS in Ironic  https://review.opendev.org/c/openstack/security-doc/+/991729
[19:52] <JayF> Another! Another Security vulnerability! A-ha-ha-ha
[19:52] <fungi> JayF is now known as TheCount
[19:53] * fungi wants to start singing a round of "99 security notes on the wall"
[19:54] <JayF> https://www.youtube.com/watch?v=2AoxCkySv34#t=45s VMT members counting OSS*s
[19:54] <JayF> https://www.youtube.com/watch?v=vC0uvUuXVh8#t=45s is actually what I wanted to link! How dare I post an inferior sesame street clip lol
[19:56] <opendevreview> Jay Faulkner proposed openstack/security-doc master: [OSSN-0099] Service DoS in Ironic  https://review.opendev.org/c/openstack/security-doc/+/991729
[20:02] <opendevreview> Jay Faulkner proposed openstack/security-doc master: [OSSN-0099] Service DoS in Ironic  https://review.opendev.org/c/openstack/security-doc/+/991729
[20:17] *** elodilles is now known as elodilles_OoO
[20:41] <opendevreview> Jay Faulkner proposed openstack/security-doc master: [OSSN-0099] Service DoS in Ironic  https://review.opendev.org/c/openstack/security-doc/+/991729
[21:05] <opendevreview> Jay Faulkner proposed openstack/security-doc master: [OSSN-0099] Service DoS in Ironic  https://review.opendev.org/c/openstack/security-doc/+/991729

Generated by irclog2html.py 4.1.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!