)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"b0ac9362ca4920d4fb8d6f5cf6eda85e6d846e8d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"a7d0ad35_32409133","updated":"2025-08-21 00:59:44.000000000","message":"Can we give this a chance (tomorrow?) for a couple more cores to see it before it lands? Just ensuring we\u0027re not missing a security implication. \n\nPlease add a release note, as it will be required to backport this change.","commit_id":"b8e1113794af63511d64026e4784044a8eb46818"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"2513be0b25eee0ce32ea2e4855a1905aee14d7ab","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"ed6a047d_8f5591e6","updated":"2025-08-21 12:00:50.000000000","message":"Testing in https://github.com/metal3-io/ironic-image/pull/742","commit_id":"e0ed7c6fe57a9b4c1b168d738fd2f7749ed900b6"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"546fba2a374de2e189a97ee930f9c92d88e1a5bd","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"52b3ac57_8efb12cf","updated":"2025-08-21 15:14:39.000000000","message":"Works really well but I have a concern - see inline.","commit_id":"e0ed7c6fe57a9b4c1b168d738fd2f7749ed900b6"}],"ironic/common/auth_basic.py":[{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"db577e4321353265e314ffac7cc57deab0523d35","unresolved":true,"context_lines":[{"line_number":106,"context_line":""},{"line_number":107,"context_line":"    # Keep an in-memory cache of bcrypt.checkpw responses to avoid the"},{"line_number":108,"context_line":"    # high CPU cost of repeatedly checking the same values"},{"line_number":109,"context_line":"    args \u003d (password, encrypted)"},{"line_number":110,"context_line":"    checkpw \u003d _MEMOIZE_CHECKPW.get(args)"},{"line_number":111,"context_line":"    if checkpw is None:"},{"line_number":112,"context_line":"        checkpw \u003d bcrypt.checkpw(*args)"},{"line_number":113,"context_line":"        _MEMOIZE_CHECKPW[args] \u003d checkpw"}],"source_content_type":"text/x-python","patch_set":2,"id":"03ddc913_dd221545","line":110,"range":{"start_line":109,"start_character":12,"end_line":110,"end_character":39},"updated":"2025-08-21 13:44:13.000000000","message":"This does make exfiltration attacks against process memory slightly easier since the plaintext password is now guaranteed to reside persistently in a known global-ish data structure. That said, it doesn\u0027t look like any of the auth code previously attempted to sanitize this value after passing it around anyway, so I don\u0027t think it makes it that much worse than it already was.","commit_id":"e0ed7c6fe57a9b4c1b168d738fd2f7749ed900b6"},{"author":{"_account_id":10239,"name":"Dmitry Tantsur","email":"dtantsur@protonmail.com","username":"dtantsur"},"change_message_id":"546fba2a374de2e189a97ee930f9c92d88e1a5bd","unresolved":true,"context_lines":[{"line_number":106,"context_line":""},{"line_number":107,"context_line":"    # Keep an in-memory cache of bcrypt.checkpw responses to avoid the"},{"line_number":108,"context_line":"    # high CPU cost of repeatedly checking the same values"},{"line_number":109,"context_line":"    args \u003d (password, encrypted)"},{"line_number":110,"context_line":"    checkpw \u003d _MEMOIZE_CHECKPW.get(args)"},{"line_number":111,"context_line":"    if checkpw is None:"},{"line_number":112,"context_line":"        checkpw \u003d bcrypt.checkpw(*args)"},{"line_number":113,"context_line":"        _MEMOIZE_CHECKPW[args] \u003d checkpw"}],"source_content_type":"text/x-python","patch_set":2,"id":"1c21d9af_2606043b","line":110,"range":{"start_line":109,"start_character":12,"end_line":110,"end_character":39},"in_reply_to":"03ddc913_dd221545","updated":"2025-08-21 15:14:39.000000000","message":"Do we want to prevent the cache from growing infinitely in case of a potential enumeration attack? You can split the check into a helper function and add https://docs.python.org/3/library/functools.html#functools.lru_cache to it.","commit_id":"e0ed7c6fe57a9b4c1b168d738fd2f7749ed900b6"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"b69b4d38c12f7ef0595a6693ace68a9edd1102f4","unresolved":true,"context_lines":[{"line_number":106,"context_line":""},{"line_number":107,"context_line":"    # Keep an in-memory cache of bcrypt.checkpw responses to avoid the"},{"line_number":108,"context_line":"    # high CPU cost of repeatedly checking the same values"},{"line_number":109,"context_line":"    args \u003d (password, encrypted)"},{"line_number":110,"context_line":"    checkpw \u003d _MEMOIZE_CHECKPW.get(args)"},{"line_number":111,"context_line":"    if checkpw is None:"},{"line_number":112,"context_line":"        checkpw \u003d bcrypt.checkpw(*args)"},{"line_number":113,"context_line":"        _MEMOIZE_CHECKPW[args] \u003d checkpw"}],"source_content_type":"text/x-python","patch_set":2,"id":"fafe51c4_950343b6","line":110,"range":{"start_line":109,"start_character":12,"end_line":110,"end_character":39},"in_reply_to":"1c21d9af_2606043b","updated":"2025-08-21 21:46:42.000000000","message":"Ah, I wanted a decorator approach which didn\u0027t involve writing one or pulling in a dependency. This looks perfect","commit_id":"e0ed7c6fe57a9b4c1b168d738fd2f7749ed900b6"}]}
