)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"2c9909b02abefe4107ce104b275510e6f3d64d0f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"18ce6179_1636be4a","updated":"2024-11-22 01:33:37.000000000","message":"LGTM, one minor note, but really it is trivial.","commit_id":"a2ec92fef52914ea81b8619d9000dbdd58bf1d2a"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"53d82c2b6975375aa633997d889205d72363ddc8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"18ff3f1c_27bb2f64","updated":"2024-11-22 19:09:19.000000000","message":"recheck transient network failure","commit_id":"e4646842884941a30f4b77f53b2978c2ae6aafa9"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"0be0579c08006412e7fd08da71fe7d642cf682b8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"a83b7b7c_84354189","updated":"2025-01-07 11:23:55.000000000","message":"I see your point, but it can also be seen as an API regression, so I\u0027d rather not do it accidentally (and backport to all releases, which we\u0027ve done, I guess).\n\nOn the point of trusting local users, I\u0027d keep the checksum support opt-in. 
If you give Ironic a world-writeable location, it\u0027s really on you.","commit_id":"b827c7bf72b02f88d8d899568bac1d2b07c371ab"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"eb165259ec6ec1fc9b0e424af2a79444a874a5de","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"062c63f9_bbb26be5","updated":"2025-01-07 11:25:04.000000000","message":"The patch had 2x +2 previously, and the only diff is in the release note and an inline comment. Since it\u0027s a potential API regression, fast-tracking the approval.","commit_id":"b827c7bf72b02f88d8d899568bac1d2b07c371ab"}],"ironic/common/checksum_utils.py":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"2c9909b02abefe4107ce104b275510e6f3d64d0f","unresolved":true,"context_lines":[{"line_number":166,"context_line":"            checksum_algo \u003d \"sha256\""},{"line_number":167,"context_line":"            image_path \u003d urlparse.urlparse(image_source).path"},{"line_number":168,"context_line":"            checksum \u003d fileutils.compute_file_checksum("},{"line_number":169,"context_line":"                image_path, algorithm\u003dchecksum_algo)"},{"line_number":170,"context_line":""},{"line_number":171,"context_line":"        elif is_checksum_url(checksum):"},{"line_number":172,"context_line":"            checksum \u003d get_checksum_from_url(checksum, image_source)"}],"source_content_type":"text/x-python","patch_set":1,"id":"95d57a95_8c541ef2","line":169,"updated":"2024-11-22 01:33:37.000000000","message":"So in a sense, it could just return here with a checksum and an algo, because the rest of this method is just some basic fingerprinting/checking","commit_id":"a2ec92fef52914ea81b8619d9000dbdd58bf1d2a"},{"author":{"_account_id":10239,"name":"Dmitry 
Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"9612e4763c5ed4ee41e1532b682ef163de70b9a7","unresolved":false,"context_lines":[{"line_number":158,"context_line":"        checksum \u003d instance_info.get(\u0027image_checksum\u0027)"},{"line_number":159,"context_line":"        image_source \u003d instance_info.get(\u0027image_source\u0027)"},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"        # NOTE(stevebaker): metalsmith prevents checksum being set"},{"line_number":162,"context_line":"        # for file:// images [1] but it is now mandatory for validation."},{"line_number":163,"context_line":"        # The only practical option is to calculate it here."},{"line_number":164,"context_line":"        # [1] https://opendev.org/openstack/metalsmith/src/branch/master/metalsmith/sources.py#L222 # noqa"}],"source_content_type":"text/x-python","patch_set":2,"id":"9f81dec8_bd3b5905","line":161,"updated":"2025-01-06 12:19:26.000000000","message":"It\u0027s not just metalsmith, requiring checksums for files is a bug.","commit_id":"e4646842884941a30f4b77f53b2978c2ae6aafa9"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"24e9cb41b3b24cda2e639db7275472fc15270a6c","unresolved":false,"context_lines":[{"line_number":158,"context_line":"        checksum \u003d instance_info.get(\u0027image_checksum\u0027)"},{"line_number":159,"context_line":"        image_source \u003d instance_info.get(\u0027image_source\u0027)"},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"        # NOTE(stevebaker): metalsmith prevents checksum being set"},{"line_number":162,"context_line":"        # for file:// images [1] but it is now mandatory for validation."},{"line_number":163,"context_line":"        # The only practical option is to calculate it here."},{"line_number":164,"context_line":"        # [1] 
https://opendev.org/openstack/metalsmith/src/branch/master/metalsmith/sources.py#L222 # noqa"}],"source_content_type":"text/x-python","patch_set":2,"id":"d10e60fd_3ca06824","line":161,"in_reply_to":"2a697ecc_44789e7a","updated":"2025-01-06 20:06:55.000000000","message":"Done","commit_id":"e4646842884941a30f4b77f53b2978c2ae6aafa9"},{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"046da194a01531845e23ab00de338f6e1b68f39f","unresolved":false,"context_lines":[{"line_number":158,"context_line":"        checksum \u003d instance_info.get(\u0027image_checksum\u0027)"},{"line_number":159,"context_line":"        image_source \u003d instance_info.get(\u0027image_source\u0027)"},{"line_number":160,"context_line":""},{"line_number":161,"context_line":"        # NOTE(stevebaker): metalsmith prevents checksum being set"},{"line_number":162,"context_line":"        # for file:// images [1] but it is now mandatory for validation."},{"line_number":163,"context_line":"        # The only practical option is to calculate it here."},{"line_number":164,"context_line":"        # [1] https://opendev.org/openstack/metalsmith/src/branch/master/metalsmith/sources.py#L222 # noqa"}],"source_content_type":"text/x-python","patch_set":2,"id":"2a697ecc_44789e7a","line":161,"in_reply_to":"9f81dec8_bd3b5905","updated":"2025-01-06 16:58:46.000000000","message":"I have mixed feelings on the requirement being viewed as a bug, since the lack of upfront requirement for interaction is partly how we ended up on the path of the CVE. Systems are inherently multiuser and we\u0027re trusting that the file path is properly secured. 
Otherwise, the contract Ironic has is you supply a checksum somehow, either through the image service metadata or on the data supplied by the API consumer.\n\nBut, that is separate from the overall challenge being balancing the user experience and not \"throwing shade\" and as presently framed, I think it makes sense to revise the text as Dmitry asks.","commit_id":"e4646842884941a30f4b77f53b2978c2ae6aafa9"}],"releasenotes/notes/missing_file_checksum-4931c98031951486.yaml":[{"author":{"_account_id":11655,"name":"Julia Kreger","email":"juliaashleykreger@gmail.com","username":"jkreger","status":"Flying to the moon with a Jetpack!"},"change_message_id":"013fbd1b11413437ae3a9954523aed452f0aa2bb","unresolved":true,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"issues:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    The fix for CVE-2024-47211 results in image checksum being required in all"},{"line_number":5,"context_line":"    cases. However Metalsmith enforces that there be no checksum for file://"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"68142c09_6122fb3d","line":2,"updated":"2024-11-22 01:35:51.000000000","message":"Oh, this should be a fix, not an outstanding issue.","commit_id":"a2ec92fef52914ea81b8619d9000dbdd58bf1d2a"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"354d65ede6dd2440a5a062bbabeaf8c892e4b017","unresolved":false,"context_lines":[{"line_number":1,"context_line":"---"},{"line_number":2,"context_line":"issues:"},{"line_number":3,"context_line":"  - |"},{"line_number":4,"context_line":"    The fix for CVE-2024-47211 results in image checksum being required in all"},{"line_number":5,"context_line":"    cases. 
However Metalsmith enforces that there be no checksum for file://"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"1690dc29_2ea131e9","line":2,"in_reply_to":"68142c09_6122fb3d","updated":"2024-11-22 01:51:37.000000000","message":"Done","commit_id":"a2ec92fef52914ea81b8619d9000dbdd58bf1d2a"}]}
