Control: tag -1 moreinfo

Hi Thomas,

On Tue, Aug 17, 2021 at 12:57:50PM +0200, Thomas Goirand wrote:
> Also, I would like to get Nova upgraded to the latest point
> release, to fix numerous small issues. The release notes for
> Nova are there:
>
> https://docs.openstack.org/releasenotes/nova/victoria.html
>
That looks incomplete? Please include a complete description of the
changes you want approved.

[...]
> [ Risks ]
> No risk during upgrade that I know of.
>
That is.. not reassuring.

> [ Checklist ]
> [x] *all* changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [ ] attach debdiff against the package in (old)stable
> [x] the issue is verified as fixed in unstable
>
> The debdiff being too big, please find it, together with the
> built packages, at:
> http://shade.infomaniak.ch/bullseye-pu/nova/
>
> [ Changes ]
> Here's the details of the debian/changelog explained.
>
> * Tune nova-api-{,metadata-}uwsgi.ini for performance.
>
> This is a minor tweak to the uwsgi.ini default configuration,
> which I've started pushing on all OpenStack packages in Debian.
> It's only better with it...
>
I don't think this is appropriate for stable. There's no information on
what environment(s) this is tuned for, or benchmarked in.

> * New upstream release.
>
> See above.
>
I'll reserve my opinion on that until we have a better description of
the changes. It seems plausible, broadly.

> * CVE-2021-3654: novnc allows open redirection. Added upstream patch:
> Reject_open_redirection_in_the_console_proxy.patch (Closes: #991441).
>
> This addresses the main issue that mandates the pu.
>
> * Do not maintain glance_api_servers through debconf (as the default of
> reading its URL in the Keystone catalogue is better).
>
> This avoids tweaking nova.conf on upgrades, which could otherwise
> potentially destroy one's deployment. Indeed, one very valid (and in
> fact recommended) way to deploy, is to *NOT* set the glance_api_servers
> directive. With the debconf code, this forces having something. After
> removing the debconf integration for this directive, upgrade to the
> proposed update isn't breaking deployments anymore, while leaving already
> configured glance_api_servers alone (so not destroying anyone setup).
>
Shouldn't nova/glance_api_servers be cleaned up from the debconf
database if it's no longer used? I'm also not convinced this is
appropriate for stable.

Cheers,
Julien