Yes, I think we are still on track to drop 2.6 support for the servers in Kilo.
This wasn’t used in the client libraries, right?

On Sep 30, 2014, at 10:25 AM, Ben Nemec <openst...@nemebean.com> wrote:

> This was also needed for Python 2.6, right? Do we have confirmation
> that we can drop that for Kilo?
>
> -Ben
>
> On 09/30/2014 08:28 AM, Doug Hellmann wrote:
>> I agree, it sounds like option 2 is safe.
>>
>> Julien, I updated your commit message on
>> https://review.openstack.org/#/c/125021/ to point to this thread.
>>
>> Write-it-down-ly,
>> Doug
>>
>> On Sep 30, 2014, at 7:17 AM, Davanum Srinivas <dava...@gmail.com> wrote:
>>
>>> Julien,
>>>
>>> I believe all the lessons learned from defusedxml (see the release
>>> dates) have been folded back into the different libraries. For example
>>> plain old etree.fromstring() even without any special options is ok
>>> with the specially crafted xml bombs that you can find as test cases
>>> in defusedxml repo. There is some more information here as well
>>> (http://lxml.de/FAQ.html#is-lxml-vulnerable-to-xml-bombs). So at this
>>> point, unless we see a new attack vector other than the ones that
>>> caused folks to whip up defusedxml, we should be good. So Option #2 is
>>> definitely the way to go.
>>>
>>> thanks,
>>> dims
>>>
>>> On Tue, Sep 30, 2014 at 3:45 AM, Julien Danjou <jul...@danjou.info> wrote:
>>>> On Mon, Sep 29 2014, Joshua Harlow wrote:
>>>>
>>>>> Do we know that the users (keystone, neutron...) aren't vulnerable?
>>>>>
>>>>> From https://pypi.python.org/pypi/defusedxml#python-xml-libraries it sure
>>>>> seems like we would likely still have issues if custom implementations
>>>>> are being used/created. Perhaps we should just use the defusedxml
>>>>> libraries until proven otherwise (better to be safe than sorry).
>>>>
>>>> According to LP#1100282¹, Keystone and Neutron are supposed to not be
>>>> vulnerable with different fixes than Nova.
>>>>
>>>> Since all the solutions are different, I'm not sure it covers the
>>>> problem in its entirety in all cases.
>>>>
>>>> I see 2 options:
>>>> 1. Put effort to move all projects to defusedxml
>>>> 2. Since XML APIs are going to be deprecated (at least in Nova), move
>>>> xmlutils to Nova and be done with it.
>>>>
>>>> Solution 1 requires a lot more effort, and I wonder if it's worth it.
>>>>
>>>>
>>>> ¹ https://bugs.launchpad.net/bugs/1100282
>>>>
>>>> --
>>>> Julien Danjou
>>>> // Free Software hacker
>>>> // http://julien.danjou.info
>>>>
>>>> _______________________________________________
>>>> OpenStack-dev mailing list
>>>> OpenStack-dev@lists.openstack.org
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>> --
>>> Davanum Srinivas :: https://twitter.com/dims
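The thread's underlying question is whether a plain `etree.fromstring()` call can be trusted with an entity-expansion bomb. As an added illustration, not code from this thread or from any OpenStack project, the gate below uses the standard library's expat binding to refuse any document that *declares* entities before the tree parser gets a chance to expand them, which is the same class of check defusedxml performs. `safe_parse`, `UnsafeXML` and the sample documents are constructed here for the example.

```python
import xml.parsers.expat
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when a document declares entities (or a DOCTYPE) we refuse."""


def _reject_entities(data: bytes, forbid_dtd: bool = False) -> None:
    """Walk the document with expat and abort at the first entity declaration.

    Internal, external and unparsed entities all arrive via EntityDeclHandler,
    and they arrive before any reference to them is expanded, so aborting
    here costs the size of the DTD rather than the size of the expansion.
    """
    parser = xml.parsers.expat.ParserCreate()

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if (system_id or public_id) else "internal"
        raise UnsafeXML(f"{kind} entity declaration {name!r} is not allowed")

    def external_ref(context, base, system_id, public_id):
        # Defence in depth: never let expat fetch anything on our behalf.
        raise UnsafeXML("external reference is not allowed")

    def start_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXML("DOCTYPE is not allowed")

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    if forbid_dtd:
        parser.StartDoctypeDeclHandler = start_doctype
    parser.Parse(data, True)


def safe_parse(data: bytes, forbid_dtd: bool = False) -> ET.Element:
    """Gate the document with expat, then build the tree with ElementTree."""
    _reject_entities(data, forbid_dtd)
    return ET.fromstring(data)


# Constructed samples: a benign document, a deliberately tiny entity
# expansion bomb (three levels, 64 characters), and a harmless DOCTYPE
# that only the strict forbid_dtd mode rejects.
BENIGN = b'<?xml version="1.0"?><server name="vm-1"><flavor id="2"/></server>'
BOMB = (b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaa">'
        b'<!ENTITY b "&a;&a;&a;&a;"><!ENTITY c "&b;&b;&b;&b;">]><x>&c;</x>')
WITH_DTD = b'<?xml version="1.0"?><!DOCTYPE x><x/>'
```

Because the gate fires on the declaration, the cost of rejecting a bomb is independent of how large it would expand to, and the check works in front of whichever XML library builds the tree afterwards.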