{"/COMMIT_MSG":[{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"990d347ff1bcbf67e962561aa7183c0caa8e562f","unresolved":true,"context_lines":[{"line_number":9,"context_line":"So far, we could create an empty secret on tsig creation."},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"While in theory an empty string is valid for a secret, it is highly not"},{"line_number":12,"context_line":"recommended."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"This patch adds a configuration option to enable/disable empty secrets"},{"line_number":15,"context_line":"on tsig creation, to maintain compatibility."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"f79f6352_21eb3c33","line":12,"updated":"2024-08-07 09:05:51.000000000","message":"IMO \"highly not recommended\" is not enough of a reason for an API change, even if I have no idea whether or not this might actually be a valid use case for anyone","commit_id":"bc3449ad1af9478d3ae4259cf44b1576d26e0908"},{"author":{"_account_id":31664,"name":"Omer Schwartz","email":"oschwart@redhat.com","username":"oschwart"},"change_message_id":"b962aa361bf461fa58ca63e98448d9e989467ab2","unresolved":false,"context_lines":[{"line_number":9,"context_line":"So far, we could create an empty secret on tsig creation."},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"While in theory an empty string is valid for a secret, it is highly not"},{"line_number":12,"context_line":"recommended."},{"line_number":13,"context_line":""},{"line_number":14,"context_line":"This patch adds a configuration option to enable/disable empty secrets"},{"line_number":15,"context_line":"on tsig creation, to maintain 
compatibility."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"564fc320_5e19a5a4","line":12,"in_reply_to":"f79f6352_21eb3c33","updated":"2024-08-19 12:06:24.000000000","message":"ok, so I changed that config option to True, i.e. I am not changing the API.","commit_id":"bc3449ad1af9478d3ae4259cf44b1576d26e0908"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":31664,"name":"Omer Schwartz","email":"oschwart@redhat.com","username":"oschwart"},"change_message_id":"d4c6d9147b8559531b6f35e3238493cee11b7e37","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"e8acaaa0_7ab45a5c","updated":"2024-07-17 13:46:01.000000000","message":"recheck non related time outs","commit_id":"d019fbe826612873a32e8af630e0e373ed2d3286"},{"author":{"_account_id":31664,"name":"Omer Schwartz","email":"oschwart@redhat.com","username":"oschwart"},"change_message_id":"de2a8750005c5685eb90227e216b5f2e2fdcc350","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"14ac4283_5d94e828","updated":"2024-08-08 09:59:02.000000000","message":"I can switch it to default\u003dtrue, so we don\u0027t change the API and allow operators to enforce this policy if they wish to do so.","commit_id":"bc3449ad1af9478d3ae4259cf44b1576d26e0908"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"28a4a89bed58cc031cde67b55934c79497f3af3f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"1e10d483_1e7f5f04","updated":"2024-08-06 00:50:45.000000000","message":"I had reviewed this before, but wanted to think more about the default\u003dFalse.\nI\u0027m still a little on the fence on this one. I hope others will also comment.","commit_id":"bc3449ad1af9478d3ae4259cf44b1576d26e0908"},{"author":{"_account_id":13252,"name":"Dr. 
Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"990d347ff1bcbf67e962561aa7183c0caa8e562f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"43037b5a_9cc2886b","updated":"2024-08-07 09:05:51.000000000","message":"I\u0027m not convinced that this is a valid bug, I\u0027m also not a fan of API changes in general. what would break if we just did not apply this change?","commit_id":"bc3449ad1af9478d3ae4259cf44b1576d26e0908"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"5d1d2a12138a8f415e5ec59ef7200f76197880a8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"93cf614c_1aedb5ca","updated":"2024-08-07 23:20:09.000000000","message":"My understanding of what will happen is a key of all 0\u0027s will be used as it should pad up to the hash size.\n\nThe RFC 8945 says the following:\nUse of strong, random shared secrets is essential to the security of TSIG. See [RFC4086] for a discussion of this issue. The secret SHOULD be at least as long as the keyed hash output [RFC2104].\n\nRFC 2104 says:\nThe key for HMAC can be of any length (keys longer than B bytes are\nfirst hashed using H).  
However, less than L bytes is strongly\ndiscouraged as it would decrease the security strength of the\nfunction.\n\nSo, my read is a length of zero is allowed, but not recommended.\n\nI guess the question is, should we add this setting to allow operators to enforce non-empty keys should they desire, or should we leave this as a user problem if they don\u0027t specify a key.","commit_id":"bc3449ad1af9478d3ae4259cf44b1576d26e0908"},{"author":{"_account_id":31664,"name":"Omer Schwartz","email":"oschwart@redhat.com","username":"oschwart"},"change_message_id":"b41a264c3561ae76909c455731063195cdead1bb","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"dc23a0da_e2d3e75d","updated":"2024-08-09 14:48:43.000000000","message":"I forgot to update the test as well","commit_id":"8c49b07590f6f3c2abb05ca0f18f257dbea0fccb"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"60778920cc2c5ace7a492e3aa359492b7443cab8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"d5149ade_05518daf","updated":"2024-08-08 17:33:41.000000000","message":"LGTM\nI am ok with letting the operator decide this and not breaking the existing API behavior.","commit_id":"8c49b07590f6f3c2abb05ca0f18f257dbea0fccb"},{"author":{"_account_id":31664,"name":"Omer Schwartz","email":"oschwart@redhat.com","username":"oschwart"},"change_message_id":"ab7c0ab81bbb477d8db5cdca0744603a6ad20ff8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"e43ebfe3_1a27fe5e","updated":"2024-08-08 16:57:49.000000000","message":"Maybe the current version of this patch will be more aligned to what we have discussed","commit_id":"8c49b07590f6f3c2abb05ca0f18f257dbea0fccb"},{"author":{"_account_id":11628,"name":"Michael 
Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"d2014f1bad1624b07f0aa49c8cba43a73eea7e3b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"81d6786c_12b6c24b","updated":"2024-08-22 22:59:27.000000000","message":"LGTM","commit_id":"e6e1487c0fa80b57f1ec326ee06021582b3659d3"},{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"5254de7873746fc21aedf0a2d2a66ee4d903c699","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":5,"id":"fb4120d1_ec5bcaa7","updated":"2024-08-27 23:35:14.000000000","message":"This has had a +2 for a while and maintains backward compatibility. I think it\u0027s good to merge.","commit_id":"e6e1487c0fa80b57f1ec326ee06021582b3659d3"}],"designate/conf/api.py":[{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"28a4a89bed58cc031cde67b55934c79497f3af3f","unresolved":true,"context_lines":[{"line_number":60,"context_line":"    cfg.BoolOpt(\u0027quotas_verify_project_id\u0027, default\u003dFalse,"},{"line_number":61,"context_line":"                help\u003d\u0027Verify that the requested Project ID for quota target \u0027"},{"line_number":62,"context_line":"                     \u0027is a valid project in Keystone.\u0027),"},{"line_number":63,"context_line":"    cfg.BoolOpt(\u0027allow_empty_secrets_for_tsig\u0027, default\u003dFalse,"},{"line_number":64,"context_line":"                help\u003d\u0027Allow tsig creation with empty secrets. 
While in theory \u0027"},{"line_number":65,"context_line":"                     \u0027an empty string is valid for tsig secrets, it is highly \u0027"},{"line_number":66,"context_line":"                     \u0027not recommended\u0027),"}],"source_content_type":"text/x-python","patch_set":2,"id":"34b41307_ab56b49b","line":63,"updated":"2024-08-06 00:50:45.000000000","message":"This is a change in API behavior, so we have to be careful here.\nThere is an argument that this should default to True to maintain compatibility with the previous API behavior. But this is a security risk.","commit_id":"bc3449ad1af9478d3ae4259cf44b1576d26e0908"},{"author":{"_account_id":31664,"name":"Omer Schwartz","email":"oschwart@redhat.com","username":"oschwart"},"change_message_id":"b962aa361bf461fa58ca63e98448d9e989467ab2","unresolved":false,"context_lines":[{"line_number":60,"context_line":"    cfg.BoolOpt(\u0027quotas_verify_project_id\u0027, default\u003dFalse,"},{"line_number":61,"context_line":"                help\u003d\u0027Verify that the requested Project ID for quota target \u0027"},{"line_number":62,"context_line":"                     \u0027is a valid project in Keystone.\u0027),"},{"line_number":63,"context_line":"    cfg.BoolOpt(\u0027allow_empty_secrets_for_tsig\u0027, default\u003dFalse,"},{"line_number":64,"context_line":"                help\u003d\u0027Allow tsig creation with empty secrets. While in theory \u0027"},{"line_number":65,"context_line":"                     \u0027an empty string is valid for tsig secrets, it is highly \u0027"},{"line_number":66,"context_line":"                     \u0027not recommended\u0027),"}],"source_content_type":"text/x-python","patch_set":2,"id":"d3248d6b_f42a840f","line":63,"in_reply_to":"34b41307_ab56b49b","updated":"2024-08-19 12:06:24.000000000","message":"Thanks for the input. I changed that config option to True, i.e. 
I am not changing the API.","commit_id":"bc3449ad1af9478d3ae4259cf44b1576d26e0908"}],"releasenotes/notes/Add-Tsig-secret-validation-5d2f3875d32efd83.yaml":[{"author":{"_account_id":11628,"name":"Michael Johnson","email":"johnsomor@gmail.com","username":"johnsom"},"change_message_id":"28a4a89bed58cc031cde67b55934c79497f3af3f","unresolved":true,"context_lines":[{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    So far, Tsig could have been created with empty secrets. This"},{"line_number":5,"context_line":"    patch adds a configuration option to enable/disable empty secrets"},{"line_number":6,"context_line":"    on tsig creation, to maintain compatibility."}],"source_content_type":"text/x-yaml","patch_set":2,"id":"442c100a_b561b92b","line":6,"updated":"2024-08-06 00:50:45.000000000","message":"If we leave the default as \"False\", we need to call out in the release notes that upgrading will change the API behavior.","commit_id":"bc3449ad1af9478d3ae4259cf44b1576d26e0908"},{"author":{"_account_id":31664,"name":"Omer Schwartz","email":"oschwart@redhat.com","username":"oschwart"},"change_message_id":"b962aa361bf461fa58ca63e98448d9e989467ab2","unresolved":false,"context_lines":[{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    So far, Tsig could have been created with empty secrets. This"},{"line_number":5,"context_line":"    patch adds a configuration option to enable/disable empty secrets"},{"line_number":6,"context_line":"    on tsig creation, to maintain compatibility."}],"source_content_type":"text/x-yaml","patch_set":2,"id":"d812209c_836d6422","line":6,"in_reply_to":"442c100a_b561b92b","updated":"2024-08-19 12:06:24.000000000","message":"Ok, so I changed that config option to True, i.e. I am not changing the API.","commit_id":"bc3449ad1af9478d3ae4259cf44b1576d26e0908"}]}
