15:00:12 <vishalmanchanda> #startmeeting horizon
15:00:13 <opendevmeet> Meeting started Wed Nov 30 15:00:12 2022 UTC and is due to finish in 60 minutes.  The chair is vishalmanchanda. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:13 <opendevmeet> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:13 <opendevmeet> The meeting name has been set to 'horizon'
15:01:41 <vishalmanchanda> hello, anyone around for horizon weekly meeting?
15:05:17 <vishalmanchanda> Looks like no one around.
15:05:21 <rdopiera> o/
15:05:54 <rdopiera> but I don't really have anything...
15:06:07 <vishalmanchanda> rdopiera: np.
15:06:18 <vishalmanchanda> I got two updates
15:06:30 <vishalmanchanda> agenda of meeting can be found here https://etherpad.opendev.org/p/horizon-release-priorities#L31
15:06:44 <vishalmanchanda> I have no announcement for this week.
15:07:00 <vishalmanchanda> moving to Release priorities topic
15:07:08 <vishalmanchanda> #topic Release priorities
15:07:36 <vishalmanchanda> Patch to migrate CI job to 2023.1 runtime https://review.opendev.org/c/openstack/horizon/+/865453 is ready for review
15:07:45 <vishalmanchanda> rdopiera: please take a look
15:08:43 <vishalmanchanda> I have migrated nodeset to Debian 11 which pass the CI jobs
15:09:07 <vishalmanchanda> It is also runtime for 2023.1 cycle.
15:09:15 <vishalmanchanda> https://governance.openstack.org/tc/reference/runtimes/2023.1.html
15:09:38 <rdopiera> vishalmanchanda: what is firefox-esr?
15:10:50 <vishalmanchanda> rdopiera: you mean why these job not fail on debian?
15:11:23 <vishalmanchanda> rdopiera: actually some issue with snap package with firefox on ubuntu.
15:11:24 <rdopiera> no, you are adding an extra entry in bindep.txt
15:11:45 <rdopiera> I know why firefox is failing on ubuntu, and I'm pretty happy about switching to debian
15:11:52 <rdopiera> snaps are cancer
15:12:47 <vishalmanchanda> rdopiera: ok, that is because in case of debian firefox package available as 'firefox-esr'
15:13:03 <rdopiera> oh, I see, thanks
15:13:41 <vishalmanchanda> Please add your vote and suggestion on the patch.
15:14:13 <vishalmanchanda> moving to next topic.
15:14:48 <vishalmanchanda> Drop nodejs 16 jobs
15:15:25 <vishalmanchanda> As you can see in patch https://review.opendev.org/c/openstack/horizon/+/865293
15:15:42 <vishalmanchanda> nodejs18 passing in horizon and all plugins.
15:15:56 <vishalmanchanda> So now we can drop nodejs 16 jobs.
15:16:11 <vishalmanchanda> here is patch for that https://review.opendev.org/c/openstack/horizon/+/865661
15:16:50 <vishalmanchanda> please take a look once you have time.
15:17:24 <vishalmanchanda> that's all update from my side for this week.
15:17:30 <vishalmanchanda> moving to next topic
15:17:43 <vishalmanchanda> #topic open-discussion
15:17:57 <vishalmanchanda> I have one patch to discuss.
15:18:57 <vishalmanchanda> I was thinking if we should migrate django to 4.0 version
15:19:21 <vishalmanchanda> Initial patch for that is https://review.opendev.org/c/openstack/horizon/+/851261
15:20:00 <vishalmanchanda> rdopiera: Could you take a look at it and once it merged. I will resolve merge conflict for other 2 patches in series.
15:20:48 <rdopiera> didn't we just migrate to 3.0
15:20:55 <rdopiera> I'm not ready
15:21:19 <vishalmanchanda> rdopiera: hehe yeah that was in last cycle I guess.
15:22:34 <vishalmanchanda> rdopiera: I was asking because if we support django 4.x then horizon can also support FIPS.
15:23:24 <rdopiera> I suppose the earlier we do it, the less painful it will be
15:24:31 <rdopiera> by the way, did you see that security issue about websso and the referer headers?
15:24:41 <vishalmanchanda> true, but there is no harm in doing it now.
15:25:04 <vishalmanchanda> rdopiera: nope, I forgot
15:25:36 <rdopiera> I wanted to look into it, but I can't find any documentation on websso itself
15:25:52 <vishalmanchanda> rdopiera: is it a private bug?
15:26:01 <rdopiera> so I am not sure if it actually requires the referer
15:26:27 <rdopiera> it's launchpad 1980349
15:26:51 <amotoki> I think there is no document on websso implementation
15:27:06 <rdopiera> I mean the specification for the protocol
15:27:12 <rdopiera> not our implementatin
15:27:17 <rdopiera> o
15:27:17 <amotoki> I tried to understand the implementation when I glanced that bug, but could have enough time :-(
15:27:41 <amotoki> got it
15:28:14 <rdopiera> we know what our code does, but how do we know if that's correct?
15:30:53 <vishalmanchanda> rdopiera: sorry, I completely forgot about this bug. will take a look at it tomorrow.
15:33:51 <vishalmanchanda> rdopiera: are you able to reproduce this bug?
15:34:22 <rdopiera> No, I don't have a setup with websso
15:35:19 <rdopiera> but looking at the code, I see no reason why the exploit wouldn't work
15:35:26 <amotoki> it seems https://review.opendev.org/c/openstack/keystone-specs/+/133529/ is the original design of our websso.
15:35:57 <amotoki> commit 7b57608ad000bd099f29ee9f9fa31d36b725cfea implemented it in horizon
15:36:13 <rdopiera> great find, thank you
15:37:41 <vishalmanchanda> amotoki: thanks for the links
15:38:11 <amotoki> vishalmanchanda: back to Django 4.0 topic, why do we need to migrate to Django 4.0?
15:38:36 <amotoki> Django 4.0 is NOT an LTS version, so we should keep the support for Django 3.2 at least.
15:39:18 <amotoki> extra support of Django 4.0 is okay (as long as we have a bandwidth to do it) but it is completely optional
15:41:40 <vishalmanchanda> amotoki: the only reason I am asking is because we can support FIPS tests then
15:41:41 <vishalmanchanda> https://review.opendev.org/c/openstack/horizon/+/825875
15:41:53 <vishalmanchanda> if django 4.0 support is added in horizon
15:43:32 <vishalmanchanda> There is some issue with django and FIPS which is fixed in django 4.0
15:43:40 <vishalmanchanda> that's why I am asking
15:44:37 <amotoki> I am okay with either. Perhaps my patch series fixes UT at least. I don't know more though.
15:46:45 <vishalmanchanda> Does anyone have any other topic to discuss?
15:48:28 <vishalmanchanda> if nothing more to discuss, let's end this meeting.
15:48:36 <vishalmanchanda> Thanks everyone for joining!
15:49:05 <vishalmanchanda> #endmeeting