)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"64bf120fc8bdf3b667d164f56e91d4bf85215546","unresolved":false,"context_lines":[{"line_number":11,"context_line":"This patch changes the behavior to only raise a RuntimeError exception"},{"line_number":12,"context_line":"when openssl returns a non-zero exit code. Regardless of the exit code"},{"line_number":13,"context_line":"a warning will always be logged with stderr details if stderr is not"},{"line_number":14,"context_line":"None. Note that processutils.execute will now raise a"},{"line_number":15,"context_line":"processutils.ProcessExecutionError exception for any non-zero exit code"},{"line_number":16,"context_line":"since we are passing check_exit_code\u003dTrue."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Thanks to Dimitri John Ledkov \u003cxnox@ubuntu.com\u003e for the initial"},{"line_number":19,"context_line":"version of this patch."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"9fdfeff1_a9dc5574","line":16,"range":{"start_line":14,"start_character":6,"end_line":16,"end_character":42},"updated":"2019-02-08 20:39:34.000000000","message":"...but we\u0027re trapping that and converting it to RuntimeError","commit_id":"73c5e27f6d774205f8c76355f8171ae0fcea5565"},{"author":{"_account_id":11805,"name":"Corey Bryant","email":"corey.bryant@canonical.com","username":"coreycb"},"change_message_id":"9f70ffb9b249d6b981c672191a2d4a67cdfb8d3d","unresolved":false,"context_lines":[{"line_number":11,"context_line":"This patch changes the behavior to only raise a RuntimeError exception"},{"line_number":12,"context_line":"when openssl returns a non-zero exit code. Regardless of the exit code"},{"line_number":13,"context_line":"a warning will always be logged with stderr details if stderr is not"},{"line_number":14,"context_line":"None. 
Note that processutils.execute will now raise a"},{"line_number":15,"context_line":"processutils.ProcessExecutionError exception for any non-zero exit code"},{"line_number":16,"context_line":"since we are passing check_exit_code\u003dTrue."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Thanks to Dimitri John Ledkov \u003cxnox@ubuntu.com\u003e for the initial"},{"line_number":19,"context_line":"version of this patch."}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"9fdfeff1_095fa172","line":16,"range":{"start_line":14,"start_character":6,"end_line":16,"end_character":42},"in_reply_to":"9fdfeff1_a9dc5574","updated":"2019-02-08 21:21:57.000000000","message":"Good point, thanks.","commit_id":"73c5e27f6d774205f8c76355f8171ae0fcea5565"}],"nova/virt/xenapi/agent.py":[{"author":{"_account_id":14070,"name":"Eric Fried","email":"openstack@fried.cc","username":"efried"},"change_message_id":"2952cb94ec1ee2cd938eca6fa86a40f0cf11abe6","unresolved":false,"context_lines":[{"line_number":426,"context_line":"               \u0027pass:%s\u0027 % self._shared, \u0027-nosalt\u0027]"},{"line_number":427,"context_line":"        if decrypt:"},{"line_number":428,"context_line":"            cmd.append(\u0027-d\u0027)"},{"line_number":429,"context_line":"        out, err \u003d processutils.execute("},{"line_number":430,"context_line":"            *cmd, process_input\u003dencodeutils.safe_encode(text))"},{"line_number":431,"context_line":"        if err and err not in _WHITELIST_OPENSSL_ERRORS:"},{"line_number":432,"context_line":"            raise RuntimeError(_(\u0027OpenSSL error: %s\u0027) % err)"},{"line_number":433,"context_line":"        return out"},{"line_number":434,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"9fdfeff1_b35ffbe3","line":431,"range":{"start_line":429,"start_character":0,"end_line":431,"end_character":56},"updated":"2019-02-07 16:34:11.000000000","message":"If the issue is that the 
command succeeds (exit code 0 presumably) despite printing to stderr, perhaps the right answer is to base your failure condition on the exit code rather than the emptiness of the stderr stream.\n\nOne way to do this would be:\n\n try:\n     out, err \u003d processutils.execute(..., check_exit_code\u003dTrue)\n     if err:\n         LOG.warning(\"OpenSSL stderr: %s\", err)\n     return out\n except processutils.ProcessExecutionError as e:\n     raise RuntimeError(\n         _(\u0027OpenSSL errored with exit code %(exit_code)d: %(stderr)s\u0027) %\n         {\u0027exit_code\u0027: e.exit_code, \u0027stderr\u0027: e.stderr})","commit_id":"26a3a718cbdaa6d3aa5121b684c5752724a572d6"},{"author":{"_account_id":11805,"name":"Corey Bryant","email":"corey.bryant@canonical.com","username":"coreycb"},"change_message_id":"2d4c3fde02e7e7be5a92e153e7d2baa1f72d3804","unresolved":false,"context_lines":[{"line_number":426,"context_line":"               \u0027pass:%s\u0027 % self._shared, \u0027-nosalt\u0027]"},{"line_number":427,"context_line":"        if decrypt:"},{"line_number":428,"context_line":"            cmd.append(\u0027-d\u0027)"},{"line_number":429,"context_line":"        out, err \u003d processutils.execute("},{"line_number":430,"context_line":"            *cmd, process_input\u003dencodeutils.safe_encode(text))"},{"line_number":431,"context_line":"        if err and err not in _WHITELIST_OPENSSL_ERRORS:"},{"line_number":432,"context_line":"            raise RuntimeError(_(\u0027OpenSSL error: %s\u0027) % err)"},{"line_number":433,"context_line":"        return out"},{"line_number":434,"context_line":""}],"source_content_type":"text/x-python","patch_set":1,"id":"9fdfeff1_ff6c629d","line":431,"range":{"start_line":429,"start_character":0,"end_line":431,"end_character":56},"in_reply_to":"9fdfeff1_b35ffbe3","updated":"2019-02-07 19:29:43.000000000","message":"Eric, thanks for the suggestion. Looks good to me. 
I\u0027ll resubmit with that change.","commit_id":"26a3a718cbdaa6d3aa5121b684c5752724a572d6"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"2c1c5d71d4a1429d5865d420b19e1e348e955090","unresolved":false,"context_lines":[{"line_number":417,"context_line":"        self._shared \u003d pow(other, self._private, self._prime)"},{"line_number":418,"context_line":"        return self._shared"},{"line_number":419,"context_line":""},{"line_number":420,"context_line":"    def _run_ssl(self, text, decrypt\u003dFalse):"},{"line_number":421,"context_line":"        cmd \u003d [\u0027openssl\u0027, \u0027aes-128-cbc\u0027, \u0027-A\u0027, \u0027-a\u0027, \u0027-pass\u0027,"},{"line_number":422,"context_line":"               \u0027pass:%s\u0027 % self._shared, \u0027-nosalt\u0027]"},{"line_number":423,"context_line":"        if decrypt:"}],"source_content_type":"text/x-python","patch_set":3,"id":"5fc1f717_e8435c6b","line":420,"range":{"start_line":420,"start_character":7,"end_line":420,"end_character":16},"updated":"2019-04-02 16:00:12.000000000","message":"general question why are we not using a python lib to do this like pyOpenSSL","commit_id":"891568eade76a3f559b7191e17d90d6b53b7b4e7"},{"author":{"_account_id":11805,"name":"Corey Bryant","email":"corey.bryant@canonical.com","username":"coreycb"},"change_message_id":"c21c7f1952a1d33328189a19b00f6ccede8d0219","unresolved":false,"context_lines":[{"line_number":417,"context_line":"        self._shared \u003d pow(other, self._private, self._prime)"},{"line_number":418,"context_line":"        return self._shared"},{"line_number":419,"context_line":""},{"line_number":420,"context_line":"    def _run_ssl(self, text, decrypt\u003dFalse):"},{"line_number":421,"context_line":"        cmd \u003d [\u0027openssl\u0027, \u0027aes-128-cbc\u0027, \u0027-A\u0027, \u0027-a\u0027, \u0027-pass\u0027,"},{"line_number":422,"context_line":"               
\u0027pass:%s\u0027 % self._shared, \u0027-nosalt\u0027]"},{"line_number":423,"context_line":"        if decrypt:"}],"source_content_type":"text/x-python","patch_set":3,"id":"5fc1f717_f91d5977","line":420,"range":{"start_line":420,"start_character":7,"end_line":420,"end_character":16},"in_reply_to":"5fc1f717_0b38223b","updated":"2019-04-03 17:14:17.000000000","message":"I would argue that we go with the current approach because it is likely a more backport-able approach as we need this back to bionic, and then move to a library based approach after. Although I can\u0027t guarantee we\u0027ll contribute that so I don\u0027t know how convincing my argument is..","commit_id":"891568eade76a3f559b7191e17d90d6b53b7b4e7"},{"author":{"_account_id":11805,"name":"Corey Bryant","email":"corey.bryant@canonical.com","username":"coreycb"},"change_message_id":"d1c29a7ef15dd913d1cbd6926f71337e7ca934f0","unresolved":false,"context_lines":[{"line_number":417,"context_line":"        self._shared \u003d pow(other, self._private, self._prime)"},{"line_number":418,"context_line":"        return self._shared"},{"line_number":419,"context_line":""},{"line_number":420,"context_line":"    def _run_ssl(self, text, decrypt\u003dFalse):"},{"line_number":421,"context_line":"        cmd \u003d [\u0027openssl\u0027, \u0027aes-128-cbc\u0027, \u0027-A\u0027, \u0027-a\u0027, \u0027-pass\u0027,"},{"line_number":422,"context_line":"               \u0027pass:%s\u0027 % self._shared, \u0027-nosalt\u0027]"},{"line_number":423,"context_line":"        if decrypt:"}],"source_content_type":"text/x-python","patch_set":3,"id":"5fc1f717_794de997","line":420,"range":{"start_line":420,"start_character":7,"end_line":420,"end_character":16},"in_reply_to":"5fc1f717_e8435c6b","updated":"2019-04-03 17:11:46.000000000","message":"I have no idea. 
We\u0027re just trying to fix the existing code because basically xenapi+openssl1.1.1 doesn\u0027t work on Ubuntu bionic onward.","commit_id":"891568eade76a3f559b7191e17d90d6b53b7b4e7"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"898ad80413ed3bf90fba031706359a4bb073cebe","unresolved":false,"context_lines":[{"line_number":417,"context_line":"        self._shared \u003d pow(other, self._private, self._prime)"},{"line_number":418,"context_line":"        return self._shared"},{"line_number":419,"context_line":""},{"line_number":420,"context_line":"    def _run_ssl(self, text, decrypt\u003dFalse):"},{"line_number":421,"context_line":"        cmd \u003d [\u0027openssl\u0027, \u0027aes-128-cbc\u0027, \u0027-A\u0027, \u0027-a\u0027, \u0027-pass\u0027,"},{"line_number":422,"context_line":"               \u0027pass:%s\u0027 % self._shared, \u0027-nosalt\u0027]"},{"line_number":423,"context_line":"        if decrypt:"}],"source_content_type":"text/x-python","patch_set":3,"id":"5fc1f717_0b38223b","line":420,"range":{"start_line":420,"start_character":7,"end_line":420,"end_character":16},"in_reply_to":"5fc1f717_e8435c6b","updated":"2019-04-02 16:40:41.000000000","message":"for what its worth\nthis function is just used to encrypt or decrypt the input text\n\nso if i do \n\necho test | openssl aes-128-cbc -A -a -pass pass:word -nosalt \n\ni get \"7UgeP/hxDoFyM8kW5TZElw\u003d\u003d\" and if we decrypt by passing -d\n\n\necho 7UgeP/hxDoFyM8kW5TZElw\u003d\u003d | openssl aes-128-cbc -A -a -pass pass:word -nosalt -d\n\nwe get back \"test\"\n\nwe already have a dependency on the cryptography package in the nova crypto.py module. 
not using the cli for security work is better than handling deprecation warnings from the cli.\n\ni would strongly consider using the cryptography package here instead.\n\ngiven the guidance here \nhttps://security.openstack.org/guidelines/dg_strong-crypto.html\n\ni think this is covered by point 3\n\"Use established, reputable libraries with active maintenance in preference to implementing your own algorithms.\"\n\ni think we should take this opportunity to make the conversion.","commit_id":"891568eade76a3f559b7191e17d90d6b53b7b4e7"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"c515d3470b54050d9c32a279226b775ce371cd9f","unresolved":false,"context_lines":[{"line_number":417,"context_line":"        self._shared \u003d pow(other, self._private, self._prime)"},{"line_number":418,"context_line":"        return self._shared"},{"line_number":419,"context_line":""},{"line_number":420,"context_line":"    def _run_ssl(self, text, decrypt\u003dFalse):"},{"line_number":421,"context_line":"        cmd \u003d [\u0027openssl\u0027, \u0027aes-128-cbc\u0027, \u0027-A\u0027, \u0027-a\u0027, \u0027-pass\u0027,"},{"line_number":422,"context_line":"               \u0027pass:%s\u0027 % self._shared, \u0027-nosalt\u0027]"},{"line_number":423,"context_line":"        if decrypt:"}],"source_content_type":"text/x-python","patch_set":3,"id":"5fc1f717_83911255","line":420,"range":{"start_line":420,"start_character":7,"end_line":420,"end_character":16},"in_reply_to":"5fc1f717_f91d5977","updated":"2019-04-05 15:39:03.000000000","message":"so if you change the commit to say partial-bug instead of close i would be ok with this change as a temporary fix that could be backported and swap to using the python libs after.\ni assume you want to resolve this for stein?","commit_id":"891568eade76a3f559b7191e17d90d6b53b7b4e7"},{"author":{"_account_id":11604,"name":"sean 
mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"2c1c5d71d4a1429d5865d420b19e1e348e955090","unresolved":false,"context_lines":[{"line_number":418,"context_line":"        return self._shared"},{"line_number":419,"context_line":""},{"line_number":420,"context_line":"    def _run_ssl(self, text, decrypt\u003dFalse):"},{"line_number":421,"context_line":"        cmd \u003d [\u0027openssl\u0027, \u0027aes-128-cbc\u0027, \u0027-A\u0027, \u0027-a\u0027, \u0027-pass\u0027,"},{"line_number":422,"context_line":"               \u0027pass:%s\u0027 % self._shared, \u0027-nosalt\u0027]"},{"line_number":423,"context_line":"        if decrypt:"},{"line_number":424,"context_line":"            cmd.append(\u0027-d\u0027)"},{"line_number":425,"context_line":"        try:"}],"source_content_type":"text/x-python","patch_set":3,"id":"5fc1f717_a87474d1","line":422,"range":{"start_line":421,"start_character":8,"end_line":422,"end_character":51},"updated":"2019-04-02 16:00:12.000000000","message":"could these args ever be logged or output to stderr by openssl","commit_id":"891568eade76a3f559b7191e17d90d6b53b7b4e7"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"2c1c5d71d4a1429d5865d420b19e1e348e955090","unresolved":false,"context_lines":[{"line_number":428,"context_line":"                process_input\u003dencodeutils.safe_encode(text),"},{"line_number":429,"context_line":"                check_exit_code\u003dTrue)"},{"line_number":430,"context_line":"            if err:"},{"line_number":431,"context_line":"                LOG.warning(\"OpenSSL stderr: %s\", err)"},{"line_number":432,"context_line":"            return out"},{"line_number":433,"context_line":"        except processutils.ProcessExecutionError as e:"},{"line_number":434,"context_line":"            raise 
RuntimeError("}],"source_content_type":"text/x-python","patch_set":3,"id":"5fc1f717_887bb8bc","line":431,"range":{"start_line":431,"start_character":16,"end_line":431,"end_character":54},"updated":"2019-04-02 16:00:12.000000000","message":"if so this would print the shared password to the warning log","commit_id":"891568eade76a3f559b7191e17d90d6b53b7b4e7"},{"author":{"_account_id":11805,"name":"Corey Bryant","email":"corey.bryant@canonical.com","username":"coreycb"},"change_message_id":"d2e3fca196182a7f2579876b30c6d0b9182c2e04","unresolved":false,"context_lines":[{"line_number":428,"context_line":"                process_input\u003dencodeutils.safe_encode(text),"},{"line_number":429,"context_line":"                check_exit_code\u003dTrue)"},{"line_number":430,"context_line":"            if err:"},{"line_number":431,"context_line":"                LOG.warning(\"OpenSSL stderr: %s\", err)"},{"line_number":432,"context_line":"            return out"},{"line_number":433,"context_line":"        except processutils.ProcessExecutionError as e:"},{"line_number":434,"context_line":"            raise RuntimeError("}],"source_content_type":"text/x-python","patch_set":3,"id":"5fc1f717_9c61a3d6","line":431,"range":{"start_line":431,"start_character":16,"end_line":431,"end_character":54},"in_reply_to":"5fc1f717_887bb8bc","updated":"2019-04-03 17:22:24.000000000","message":"That is a good question but I\u0027d have to guess that openssl developers are responsible enough to know better than logging security sensitive data.","commit_id":"891568eade76a3f559b7191e17d90d6b53b7b4e7"}]}
