Re: [openstack-dev] We should move strutils.mask_password back into oslo-incubator
Excerpts from Matt Riedemann's message of 2015-10-09 09:51:28 -0500: > > On 10/9/2015 1:49 AM, Paul Carlton wrote: > > > > On 08/10/15 16:49, Doug Hellmann wrote: > >> Excerpts from Matt Riedemann's message of 2015-10-07 14:38:07 -0500: > >>> Here's why: > >>> > >>> https://review.openstack.org/#/c/220622/ > >>> > >>> That's marked as fixing an OSSA which means we'll have to backport the > >>> fix in nova but it depends on a change to strutils.mask_password in > >>> oslo.utils, which required a release and a minimum version bump in > >>> global-requirements. > >>> > >>> To backport the change in nova, we either have to: > >>> > >>> 1. Copy mask_password out of oslo.utils and add it to nova in the > >>> backport or, > >>> > >>> 2. Backport the oslo.utils change to a stable branch, release it as a > >>> patch release, bump minimum required version in stable g-r and then > >>> backport the nova change and depend on the backported oslo.utils stable > >>> release - which also makes it a dependent library version bump for any > >>> packagers/distros that have already frozen libraries for their stable > >>> releases, which is kind of not fun. > >> Bug fix releases do not generally require a minimum version bump. The > >> API hasn't changed, and there's nothing new in the library in this case, > >> so it's a documentation issue to ensure that users update to the new > >> release. All we should need to do is backport the fix to the appropriate > >> branch of oslo.utils and release a new version from that branch that is > >> compatible with the same branch of nova. > >> > >> Doug > >> > >>> So I'm thinking this is one of those things that should ultimately live > >>> in oslo-incubator so it can live in the respective projects. If > >>> mask_password were in oslo-incubator, we'd have just fixed and > >>> backported it there and then synced to nova on master and stable > >>> branches, no dependent library version bumps required. > >>> > >>> Plus I miss the good old days of reviewing oslo-incubator > >>> syncs...(joking of course). > >>> > >> __ > >> > >> OpenStack Development Mailing List (not for usage questions) > >> Unsubscribe: > >> openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > > I've been following this discussion, is there now a consensus on the way > > forward? > > > > My understanding is that Doug is suggesting back porting my oslo.utils > > change to the stable juno and kilo branches? > > > > It means you'll have to backport the oslo.utils change to each stable > branch that you also backport the nova change to, which probably goes > back to stable/juno (so liberty->kilo->juno backports in both projects). > That sounds right. Ping the Oslo team in #openstack-oslo for reviews on those stable branches as you prepare them and I'm sure we can help expedite the updates. Doug __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] We should move strutils.mask_password back into oslo-incubator
On 10/9/2015 1:49 AM, Paul Carlton wrote: On 08/10/15 16:49, Doug Hellmann wrote: Excerpts from Matt Riedemann's message of 2015-10-07 14:38:07 -0500: Here's why: https://review.openstack.org/#/c/220622/ That's marked as fixing an OSSA which means we'll have to backport the fix in nova but it depends on a change to strutils.mask_password in oslo.utils, which required a release and a minimum version bump in global-requirements. To backport the change in nova, we either have to: 1. Copy mask_password out of oslo.utils and add it to nova in the backport or, 2. Backport the oslo.utils change to a stable branch, release it as a patch release, bump minimum required version in stable g-r and then backport the nova change and depend on the backported oslo.utils stable release - which also makes it a dependent library version bump for any packagers/distros that have already frozen libraries for their stable releases, which is kind of not fun. Bug fix releases do not generally require a minimum version bump. The API hasn't changed, and there's nothing new in the library in this case, so it's a documentation issue to ensure that users update to the new release. All we should need to do is backport the fix to the appropriate branch of oslo.utils and release a new version from that branch that is compatible with the same branch of nova. Doug So I'm thinking this is one of those things that should ultimately live in oslo-incubator so it can live in the respective projects. If mask_password were in oslo-incubator, we'd have just fixed and backported it there and then synced to nova on master and stable branches, no dependent library version bumps required. Plus I miss the good old days of reviewing oslo-incubator syncs...(joking of course). __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev I've been following this discussion, is there now a consensus on the way forward? My understanding is that Doug is suggesting back porting my oslo.utils change to the stable juno and kilo branches? It means you'll have to backport the oslo.utils change to each stable branch that you also backport the nova change to, which probably goes back to stable/juno (so liberty->kilo->juno backports in both projects). -- Thanks, Matt Riedemann __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] We should move strutils.mask_password back into oslo-incubator
On 08/10/15 16:49, Doug Hellmann wrote: Excerpts from Matt Riedemann's message of 2015-10-07 14:38:07 -0500: Here's why: https://review.openstack.org/#/c/220622/ That's marked as fixing an OSSA which means we'll have to backport the fix in nova but it depends on a change to strutils.mask_password in oslo.utils, which required a release and a minimum version bump in global-requirements. To backport the change in nova, we either have to: 1. Copy mask_password out of oslo.utils and add it to nova in the backport or, 2. Backport the oslo.utils change to a stable branch, release it as a patch release, bump minimum required version in stable g-r and then backport the nova change and depend on the backported oslo.utils stable release - which also makes it a dependent library version bump for any packagers/distros that have already frozen libraries for their stable releases, which is kind of not fun. Bug fix releases do not generally require a minimum version bump. The API hasn't changed, and there's nothing new in the library in this case, so it's a documentation issue to ensure that users update to the new release. All we should need to do is backport the fix to the appropriate branch of oslo.utils and release a new version from that branch that is compatible with the same branch of nova. Doug So I'm thinking this is one of those things that should ultimately live in oslo-incubator so it can live in the respective projects. If mask_password were in oslo-incubator, we'd have just fixed and backported it there and then synced to nova on master and stable branches, no dependent library version bumps required. Plus I miss the good old days of reviewing oslo-incubator syncs...(joking of course). __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev I've been following this discussion, is there now a consensus on the way forward? My understanding is that Doug is suggesting back porting my oslo.utils change to the stable juno and kilo branches? -- Paul Carlton Software Engineer Cloud Services Hewlett Packard BUK03:T242 Longdown Avenue Stoke Gifford Bristol BS34 8QZ Mobile:+44 (0)7768 994283 Email:mailto:paul.carlt...@hpe.com Hewlett-Packard Limited registered Office: Cain Road, Bracknell, Berks RG12 1HN Registered No: 690597 England. The contents of this message and any attachments to it are confidential and may be legally privileged. If you have received this message in error, you should delete it from your system immediately and advise the sender. To any recipient of this message within HP, unless otherwise stated you should consider this message and attachments as "HP CONFIDENTIAL". __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] We should move strutils.mask_password back into oslo-incubator
Excerpts from Matt Riedemann's message of 2015-10-07 14:38:07 -0500: > Here's why: > > https://review.openstack.org/#/c/220622/ > > That's marked as fixing an OSSA which means we'll have to backport the > fix in nova but it depends on a change to strutils.mask_password in > oslo.utils, which required a release and a minimum version bump in > global-requirements. > > To backport the change in nova, we either have to: > > 1. Copy mask_password out of oslo.utils and add it to nova in the > backport or, > > 2. Backport the oslo.utils change to a stable branch, release it as a > patch release, bump minimum required version in stable g-r and then > backport the nova change and depend on the backported oslo.utils stable > release - which also makes it a dependent library version bump for any > packagers/distros that have already frozen libraries for their stable > releases, which is kind of not fun. Bug fix releases do not generally require a minimum version bump. The API hasn't changed, and there's nothing new in the library in this case, so it's a documentation issue to ensure that users update to the new release. All we should need to do is backport the fix to the appropriate branch of oslo.utils and release a new version from that branch that is compatible with the same branch of nova. Doug > > So I'm thinking this is one of those things that should ultimately live > in oslo-incubator so it can live in the respective projects. If > mask_password were in oslo-incubator, we'd have just fixed and > backported it there and then synced to nova on master and stable > branches, no dependent library version bumps required. > > Plus I miss the good old days of reviewing oslo-incubator > syncs...(joking of course). > __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] We should move strutils.mask_password back into oslo-incubator
> On 08 Oct 2015, at 16:51, Matt Riedemann wrote: > > > > On 10/8/2015 9:25 AM, Jeremy Stanley wrote: >> On 2015-10-08 08:58:06 -0500 (-0500), Matt Riedemann wrote: >> [...] >>> I don't know how many operators are tracking patch releases of >>> dependencies on stable branches unless there is a new minimum >>> requirement on those, especially if they aren't getting their >>> updates from a distro provider. So while nova wouldn't be broken >>> w/o the patched oslo.utils on stable, the OSSA wouldn't be fixed >>> in that case. >> >> The OSSA will link to https://review.openstack.org/220620 as part of >> the stable/liberty fix and mention something along the lines of >> "included in an upcoming oslo.utils 2.5.1 release" (in which case >> operators _should_ check whether they are running a new enough >> version of the library). >> > > OK, that works for me. I'll end this thread and just move forward with the > necessary changes for #2 w/o bumping a minimum required version of oslo.utils > in g-r on stable. One of the reasons why you don’t want to bump on CVE is that a lot of distributions choose to cherry-pick just that CVE fix and not rebase on top of an unknown, previously untested version, even if it ships from stable branches. In that case, their pbr version stays the same, and version bump would break them (of course that’s assuming they consider requirements.txt versions in their packaging). Ihar signature.asc Description: Message signed with OpenPGP using GPGMail __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] We should move strutils.mask_password back into oslo-incubator
On 10/8/2015 9:25 AM, Jeremy Stanley wrote: On 2015-10-08 08:58:06 -0500 (-0500), Matt Riedemann wrote: [...] I don't know how many operators are tracking patch releases of dependencies on stable branches unless there is a new minimum requirement on those, especially if they aren't getting their updates from a distro provider. So while nova wouldn't be broken w/o the patched oslo.utils on stable, the OSSA wouldn't be fixed in that case. The OSSA will link to https://review.openstack.org/220620 as part of the stable/liberty fix and mention something along the lines of "included in an upcoming oslo.utils 2.5.1 release" (in which case operators _should_ check whether they are running a new enough version of the library). OK, that works for me. I'll end this thread and just move forward with the necessary changes for #2 w/o bumping a minimum required version of oslo.utils in g-r on stable. -- Thanks, Matt Riedemann __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] We should move strutils.mask_password back into oslo-incubator
On 2015-10-08 08:58:06 -0500 (-0500), Matt Riedemann wrote: [...] > I don't know how many operators are tracking patch releases of > dependencies on stable branches unless there is a new minimum > requirement on those, especially if they aren't getting their > updates from a distro provider. So while nova wouldn't be broken > w/o the patched oslo.utils on stable, the OSSA wouldn't be fixed > in that case. The OSSA will link to https://review.openstack.org/220620 as part of the stable/liberty fix and mention something along the lines of "included in an upcoming oslo.utils 2.5.1 release" (in which case operators _should_ check whether they are running a new enough version of the library). -- Jeremy Stanley __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] We should move strutils.mask_password back into oslo-incubator
On 10/8/2015 4:21 AM, Julien Danjou wrote: On Wed, Oct 07 2015, Matt Riedemann wrote: 2. Backport the oslo.utils change to a stable branch, release it as a patch release, bump minimum required version in stable g-r and then backport the nova change and depend on the backported oslo.utils stable release - which also makes it a dependent library version bump for any packagers/distros that have already frozen libraries for their stable releases, which is kind of not fun. You should not need to bump the minimum version in g-r. The minimum version there should be the minimal version to have working code. If you start bumping dependencies or dependencies of dependencies each time they release because a bug or a security issue is fixed, it's going to a never ending useless job. When you're an operator, you know you need to always run the latest stable version of the things you have in prod' to have all the fixes. That's common good sense. I don't know how many operators are tracking patch releases of dependencies on stable branches unless there is a new minimum requirement on those, especially if they aren't getting their updates from a distro provider. So while nova wouldn't be broken w/o the patched oslo.utils on stable, the OSSA wouldn't be fixed in that case. -- Thanks, Matt Riedemann __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] We should move strutils.mask_password back into oslo-incubator
On Wed, Oct 07 2015, Matt Riedemann wrote: > 2. Backport the oslo.utils change to a stable branch, release it as a patch > release, bump minimum required version in stable g-r and then backport the > nova > change and depend on the backported oslo.utils stable release - which also > makes it a dependent library version bump for any packagers/distros that have > already frozen libraries for their stable releases, which is kind of not fun. You should not need to bump the minimum version in g-r. The minimum version there should be the minimal version to have working code. If you start bumping dependencies or dependencies of dependencies each time they release because a bug or a security issue is fixed, it's going to a never ending useless job. When you're an operator, you know you need to always run the latest stable version of the things you have in prod' to have all the fixes. That's common good sense. -- Julien Danjou // Free Software hacker // https://julien.danjou.info signature.asc Description: PGP signature __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] We should move strutils.mask_password back into oslo-incubator
On 10/7/2015 6:00 PM, Robert Collins wrote: On 8 October 2015 at 08:38, Matt Riedemann wrote: Here's why: https://review.openstack.org/#/c/220622/ That's marked as fixing an OSSA which means we'll have to backport the fix in nova but it depends on a change to strutils.mask_password in oslo.utils, which required a release and a minimum version bump in global-requirements. To backport the change in nova, we either have to: 1. Copy mask_password out of oslo.utils and add it to nova in the backport or, 2. Backport the oslo.utils change to a stable branch, release it as a patch release, bump minimum required version in stable g-r and then backport the nova change and depend on the backported oslo.utils stable release - which also makes it a dependent library version bump for any packagers/distros that have already frozen libraries for their stable releases, which is kind of not fun. So I'm thinking this is one of those things that should ultimately live in oslo-incubator so it can live in the respective projects. If mask_password were in oslo-incubator, we'd have just fixed and backported it there and then synced to nova on master and stable branches, no dependent library version bumps required. Plus I miss the good old days of reviewing oslo-incubator syncs...(joking of course). Whats wrong with 2? I mean, other than the work needed *because* we made branches of oslo.utils: something I hope we can stop doing in M (I have a draft spec up about this...) Libraries have security bugs too, and packagers/distros need to update them as well as the API servers: this is one of the reasons we have backpressure on libraries being admitted into our dependency chain. -Rob The work involved isn't the problem, I was more concerned about raising the minimum required version of a library on stable. But I guess it can happen and packagers/deployers/distros can update their packages on stable or patch them as needed (that's probably what we'd do internally since we have to legally clear each package we ship ourselves and version bumps are generally not fun for us on stable). -- Thanks, Matt Riedemann __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] We should move strutils.mask_password back into oslo-incubator
On 8 October 2015 at 08:38, Matt Riedemann wrote: > Here's why: > > https://review.openstack.org/#/c/220622/ > > That's marked as fixing an OSSA which means we'll have to backport the fix > in nova but it depends on a change to strutils.mask_password in oslo.utils, > which required a release and a minimum version bump in global-requirements. > > To backport the change in nova, we either have to: > > 1. Copy mask_password out of oslo.utils and add it to nova in the backport > or, > > 2. Backport the oslo.utils change to a stable branch, release it as a patch > release, bump minimum required version in stable g-r and then backport the > nova change and depend on the backported oslo.utils stable release - which > also makes it a dependent library version bump for any packagers/distros > that have already frozen libraries for their stable releases, which is kind > of not fun. > > So I'm thinking this is one of those things that should ultimately live in > oslo-incubator so it can live in the respective projects. If mask_password > were in oslo-incubator, we'd have just fixed and backported it there and > then synced to nova on master and stable branches, no dependent library > version bumps required. > > Plus I miss the good old days of reviewing oslo-incubator syncs...(joking of > course). Whats wrong with 2? I mean, other than the work needed *because* we made branches of oslo.utils: something I hope we can stop doing in M (I have a draft spec up about this...) Libraries have security bugs too, and packagers/distros need to update them as well as the API servers: this is one of the reasons we have backpressure on libraries being admitted into our dependency chain. -Rob -- Robert Collins Distinguished Technologist HP Converged Cloud __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] We should move strutils.mask_password back into oslo-incubator
Isn't #2 the right approach? Even if it might be more 'work' I personally would prefer #2 and do it right (and make it easier to do the right thing in the future via scripts, automation, other) vs. the other mentioned approaches. If we were consuming, say a 3rd party library and that 3rd party library had/has a security issue, isn't the above the same thing that you would have to do? My 2 cents. Matt Riedemann wrote: Here's why: https://review.openstack.org/#/c/220622/ That's marked as fixing an OSSA which means we'll have to backport the fix in nova but it depends on a change to strutils.mask_password in oslo.utils, which required a release and a minimum version bump in global-requirements. To backport the change in nova, we either have to: 1. Copy mask_password out of oslo.utils and add it to nova in the backport or, 2. Backport the oslo.utils change to a stable branch, release it as a patch release, bump minimum required version in stable g-r and then backport the nova change and depend on the backported oslo.utils stable release - which also makes it a dependent library version bump for any packagers/distros that have already frozen libraries for their stable releases, which is kind of not fun. So I'm thinking this is one of those things that should ultimately live in oslo-incubator so it can live in the respective projects. If mask_password were in oslo-incubator, we'd have just fixed and backported it there and then synced to nova on master and stable branches, no dependent library version bumps required. Plus I miss the good old days of reviewing oslo-incubator syncs...(joking of course). __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] We should move strutils.mask_password back into oslo-incubator
Matt, My vote is for #1, as we should kill oslo-incubator in Mitaka. Thanks, Dims On Wed, Oct 7, 2015 at 3:38 PM, Matt Riedemann wrote: > Here's why: > > https://review.openstack.org/#/c/220622/ > > That's marked as fixing an OSSA which means we'll have to backport the fix > in nova but it depends on a change to strutils.mask_password in oslo.utils, > which required a release and a minimum version bump in global-requirements. > > To backport the change in nova, we either have to: > > 1. Copy mask_password out of oslo.utils and add it to nova in the backport > or, > > 2. Backport the oslo.utils change to a stable branch, release it as a > patch release, bump minimum required version in stable g-r and then > backport the nova change and depend on the backported oslo.utils stable > release - which also makes it a dependent library version bump for any > packagers/distros that have already frozen libraries for their stable > releases, which is kind of not fun. > > So I'm thinking this is one of those things that should ultimately live in > oslo-incubator so it can live in the respective projects. If mask_password > were in oslo-incubator, we'd have just fixed and backported it there and > then synced to nova on master and stable branches, no dependent library > version bumps required. > > Plus I miss the good old days of reviewing oslo-incubator syncs...(joking > of course). > > -- > > Thanks, > > Matt Riedemann > > > __ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > -- Davanum Srinivas :: https://twitter.com/dims __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
[openstack-dev] We should move strutils.mask_password back into oslo-incubator
Here's why: https://review.openstack.org/#/c/220622/ That's marked as fixing an OSSA which means we'll have to backport the fix in nova but it depends on a change to strutils.mask_password in oslo.utils, which required a release and a minimum version bump in global-requirements. To backport the change in nova, we either have to: 1. Copy mask_password out of oslo.utils and add it to nova in the backport or, 2. Backport the oslo.utils change to a stable branch, release it as a patch release, bump minimum required version in stable g-r and then backport the nova change and depend on the backported oslo.utils stable release - which also makes it a dependent library version bump for any packagers/distros that have already frozen libraries for their stable releases, which is kind of not fun. So I'm thinking this is one of those things that should ultimately live in oslo-incubator so it can live in the respective projects. If mask_password were in oslo-incubator, we'd have just fixed and backported it there and then synced to nova on master and stable branches, no dependent library version bumps required. Plus I miss the good old days of reviewing oslo-incubator syncs...(joking of course). -- Thanks, Matt Riedemann __ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
