15:00:12 #startmeeting horizon
15:00:13 Meeting started Wed Nov 30 15:00:12 2022 UTC and is due to finish in 60 minutes. The chair is vishalmanchanda. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:13 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:13 The meeting name has been set to 'horizon'
15:01:41 hello, anyone around for horizon weekly meeting?
15:05:17 Looks like no one around.
15:05:21 o/
15:05:54 but I don't really have anything...
15:06:07 rdopiera: np.
15:06:18 I got two updates
15:06:30 agenda of meeting can be found here https://etherpad.opendev.org/p/horizon-release-priorities#L31
15:06:44 I have no announcement for this week.
15:07:00 moving to Release priorities topic
15:07:08 #topic Release priorities
15:07:36 Patch to migrate CI job to 2023.1 runtime https://review.opendev.org/c/openstack/horizon/+/865453 is ready for review
15:07:45 rdopiera: please take a look
15:08:43 I have migrated nodeset to Debian 11 which pass the CI jobs
15:09:07 It is also runtime for 2023.1 cycle.
15:09:15 https://governance.openstack.org/tc/reference/runtimes/2023.1.html
15:09:38 vishalmanchanda: what is firefox-esr?
15:10:50 rdopiera: you mean why these job not fail on debian?
15:11:23 rdopiera: actually some issue with snap package with firefox on ubuntu.
15:11:24 no, you are adding an extra entry in bindep.txt
15:11:45 I know why firefox is failing on ubuntu, and I'm pretty happy about switching to debian
15:11:52 snaps are cancer
15:12:47 rdopiera: ok, that is because in case of debian firefox package available as 'firefox-esr'
15:13:03 oh, I see, thanks
15:13:41 Please add your vote and suggestion on the patch.
15:14:13 moving to next topic.
15:14:48 Drop nodejs 16 jobs
15:15:25 As you can see in patch https://review.opendev.org/c/openstack/horizon/+/865293
15:15:42 nodejs18 passing in horizon and all plugins.
15:15:56 So now we can drop nodejs 16 jobs.
15:16:11 here is patch for that https://review.opendev.org/c/openstack/horizon/+/865661
15:16:50 please take a look once you have time.
15:17:24 that's all update from my side for this week.
15:17:30 moving to next topic
15:17:43 #topic open-discussion
15:17:57 I have one patch to discuss.
15:18:57 I was thinking if should migrate django to 4.0 version
15:19:21 Initial patch for that is https://review.opendev.org/c/openstack/horizon/+/851261
15:20:00 rdopiera: Could you take a look at it and once it merged. I will resolve merge conflict for other 2 patches in series.
15:20:48 didn't we just migrate to 3.0
15:20:55 I'm not ready
15:21:19 rdopiera: hehe yeah that was in last cycle I guess.
15:22:34 rdopiera: I was asking because if we support django 4.x then horizon can also support FIP.
15:23:24 I suppose the earlier we do it, the less painful it will be
15:24:31 by the way, did you see that security issue about websso and the referer headers?
15:24:41 true, but there is no harm in doing it now.
15:25:04 rdopiera: nope, I forgot
15:25:36 I wanted to look into it, but I can't find any documentation on websso itself
15:25:52 rdopiera: is it a private bug?
15:26:01 so I am not sure if it actually requires the referer
15:26:27 it's launchpad 1980349
15:26:51 I think there is no document on websso implementation
15:27:06 I mean the specification for the protocol
15:27:12 not our implementatin
15:27:17 o
15:27:17 I tried to understand the implementation when I glanced that bug, but could have enough time :-(
15:27:41 got it
15:28:14 we know what our code does, but how do we know if that's correct?
15:30:53 rdopiera: sorry, I completely forgot about this bug. will take a look at it tomorrow.
15:33:51 rdopiera: are you able to reproduce this bug?
15:34:22 No, I don't have a setup with websso
15:35:19 but looking at the code, I see no reason why the exploit wouldn't work
15:35:26 it seems https://review.opendev.org/c/openstack/keystone-specs/+/133529/ is the original design of our websso.
15:35:57 commit 7b57608ad000bd099f29ee9f9fa31d36b725cfea implemented it in horizon
15:36:13 great find, thank you
15:37:41 amotoki: thanks for the links
15:38:11 vishalmanchanda: back to Django 4.0 topic, why do we need to migrate to Django 4.0?
15:38:36 Django 4.0 is NOT an LTS version, so we should keep the support for Django 3.2 at least.
15:39:18 extra support of Django 4.0 is okay (as long as we have a bandwidth to do it) but it is completely optional
15:41:40 amotoki: the only reason I am asking is because we can support FIPs tests then
15:41:41 https://review.opendev.org/c/openstack/horizon/+/825875
15:41:53 if django 4.0 support is added in horizon
15:43:32 There is some issue with django and FIPS which is fixed in django 4.0
15:43:40 that's why I am asking
15:44:37 I am okay with either. Perhaps my patch series fixes UT at least. I don't know more though.
15:46:45 Does anyone have any other topic to discuss?
15:48:28 if nothing more to discuss, let's end this meeting.
15:48:36 Thanks everyone for joining!
15:49:05 #endmeeting