)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1ff1f18aa37f5fcd84066a114eade1960e2998a9","unresolved":true,"context_lines":[{"line_number":13,"context_line":"nowadays considered a security hole, because it is extremely"},{"line_number":14,"context_line":"easy to brute-force. So this patch is switching to SHA-512,"},{"line_number":15,"context_line":"dropping support for distros that don\u0027t support that (though"},{"line_number":16,"context_line":"it would be not reasonable to use such a distro)."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Change-Id: I6b5e9282806961180a11a7f0b0607233bf4fd700"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"57b3c571_e803cc78","line":16,"updated":"2024-11-19 11:30:41.000000000","message":"whether we would consider this a bug fix is debatable but\nunless we make the hash configurable this is not backportable as it reduces the set of supported distros in the guest.\n\ni know that it is unlikely that we will have distros that don\u0027t support sha-512 but if you can\u0027t opt in/out of this change it can\u0027t be backported","commit_id":"95e79e4224b5d3e6f864bf8d81d60e4a0fd7c680"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1ff1f18aa37f5fcd84066a114eade1960e2998a9","unresolved":true,"context_lines":[{"line_number":14,"context_line":"easy to brute-force. 
So this patch is switching to SHA-512,"},{"line_number":15,"context_line":"dropping support for distros that don\u0027t support that (though"},{"line_number":16,"context_line":"it would be not reasonable to use such a distro)."},{"line_number":17,"context_line":""},{"line_number":18,"context_line":"Change-Id: I6b5e9282806961180a11a7f0b0607233bf4fd700"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":2,"id":"2f2b4146_68d8c797","line":17,"updated":"2024-11-19 11:30:41.000000000","message":"if you want this to be backported upstream this would have to be tracked as a bug.","commit_id":"95e79e4224b5d3e6f864bf8d81d60e4a0fd7c680"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"6c10aea4527c8456a1541e9da34a8bd95d276953","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"04e7f543_9a0ccd73","updated":"2024-11-18 13:44:16.000000000","message":"* Please add a release notes about the change\n* Please adapt the unit test nova.tests.unit.virt.disk.test_inject.VirtDiskTest.test_inject_admin_password","commit_id":"8148e59e57f9f4875a6b2ccb4b0881d6da068c21"},{"author":{"_account_id":6476,"name":"Thomas Goirand","email":"thomas@goirand.fr","username":"thomas-goirand"},"change_message_id":"d928104d74789d96822a7b06cf5298e8a571b01b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"e8f127d4_dac367d1","in_reply_to":"04e7f543_9a0ccd73","updated":"2024-11-18 14:30:42.000000000","message":"Done!","commit_id":"8148e59e57f9f4875a6b2ccb4b0881d6da068c21"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"7de1456feeb0a42331c6d89af72c7b7329d9a3d3","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"8d4f381e_2d6e113b","updated":"2024-11-18 15:07:48.000000000","message":"Can we use 
https://review.opendev.org/c/openstack/oslo.utils/+/931899 instead, to avoid maintaining the same code in multiple places ?","commit_id":"95e79e4224b5d3e6f864bf8d81d60e4a0fd7c680"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"fe757a255a6468da29ec740e153fd6fab906ddda","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"b3f4b194_25f7eec9","updated":"2024-11-18 15:54:38.000000000","message":"I agree that if the distro uses MD5 to hash its password then we might not want to support it.","commit_id":"95e79e4224b5d3e6f864bf8d81d60e4a0fd7c680"},{"author":{"_account_id":6476,"name":"Thomas Goirand","email":"thomas@goirand.fr","username":"thomas-goirand"},"change_message_id":"22272ee279e50a9efd6f86ef267feea1ca75e8be","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"3612ef92_b7aecd37","updated":"2024-11-19 07:31:23.000000000","message":"recheck","commit_id":"95e79e4224b5d3e6f864bf8d81d60e4a0fd7c680"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"363b83b0db875b636c3812bd6438d86bb4f669fc","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"ff7c6928_8f58f913","in_reply_to":"05af7eda_398dc33c","updated":"2024-11-19 08:12:55.000000000","message":"So do you intend to backport this to Dalmatian in upstream or only in Debian ? I\u0027m unsure if we really want to backport this to upstream Dalmatian in current state because it has upgrade impact (for deployments with Python \u003c 3.13. 
I know it\u0027s not very likely that people are using such old distros requiring DES/MD5 algorithms but removing support for these is \"breaking\").\n\nIf not then I don\u0027t know how much benefit this may give you as we likely overwrite the implementation soon in this cycle.","commit_id":"95e79e4224b5d3e6f864bf8d81d60e4a0fd7c680"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"79c5fa6fe08d1104caa8433943967e4b74b6199a","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"72347d71_8586cdfb","in_reply_to":"1d00314f_3669c588","updated":"2024-11-23 12:29:56.000000000","message":"The feature has been deprecated for some time (based on the discussion in a different thread) and I\u0027m unsure if we really want to fix it instead of just discouraging users to use it.\n\nI would not block this and defer the decision to current nova cores but I\u0027m still skeptical about the benefit of having this change given the fact that Dalmatian backport in upstream is not quite acceptable.","commit_id":"95e79e4224b5d3e6f864bf8d81d60e4a0fd7c680"},{"author":{"_account_id":6476,"name":"Thomas Goirand","email":"thomas@goirand.fr","username":"thomas-goirand"},"change_message_id":"22272ee279e50a9efd6f86ef267feea1ca75e8be","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"05af7eda_398dc33c","in_reply_to":"7498f18b_3534a369","updated":"2024-11-19 07:31:23.000000000","message":"As Gibi wrote, I intend to use your patch once it is merged. 
Unfortunately, it will be harder to backport to Dalmatian if I use this patch right now as a Depends-On, and my intention is to get this patch into Dalmatian, which is where I\u0027m having the trouble in Debian (ie: Dalmatian is in Debian unstable and will be in Trixie with Python 3.13).\n\nSo yeah, at the end, the code will be removed in favor of your oslo.utils new feature that I just copy/pasted here, but that\u0027s on purpose, as reflected by the comment.","commit_id":"95e79e4224b5d3e6f864bf8d81d60e4a0fd7c680"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"fe757a255a6468da29ec740e153fd6fab906ddda","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"7498f18b_3534a369","in_reply_to":"8d4f381e_2d6e113b","updated":"2024-11-18 15:54:38.000000000","message":"I think eventually we want to use the oslo.utils fix. But for that we need to land the fix, release it, and bump it into global reqs, which will take time. I don\u0027t know how urgent this is for Thomas / Debian.","commit_id":"95e79e4224b5d3e6f864bf8d81d60e4a0fd7c680"},{"author":{"_account_id":6476,"name":"Thomas Goirand","email":"thomas@goirand.fr","username":"thomas-goirand"},"change_message_id":"217c421f0b8fd01fb6037ab6090802d89ddb53d3","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":2,"id":"1d00314f_3669c588","in_reply_to":"ff7c6928_8f58f913","updated":"2024-11-19 14:20:14.000000000","message":"To me, backporting this patch will fix a security hole in Dalmatian (ie: it\u0027s been a long time we shouldn\u0027t be using MD5). 
I\u0027m in fact considering contacting the VMT and get a CVE opened for this...","commit_id":"95e79e4224b5d3e6f864bf8d81d60e4a0fd7c680"}],"nova/virt/disk/api.py":[{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"6c10aea4527c8456a1541e9da34a8bd95d276953","unresolved":false,"context_lines":[{"line_number":606,"context_line":"    return \u0027\u0027.join([random.choice(salt_set) for c in salt])"},{"line_number":607,"context_line":""},{"line_number":608,"context_line":""},{"line_number":609,"context_line":"# This is to be removed whenever"},{"line_number":610,"context_line":"# https://review.opendev.org/c/openstack/oslo.utils/+/931899"},{"line_number":611,"context_line":"# is merged."},{"line_number":612,"context_line":"if ctypes.util.find_library(\"crypt\"):"},{"line_number":613,"context_line":"    _libcrypt \u003d ctypes.CDLL(ctypes.util.find_library(\"crypt\"), use_errno\u003dTrue)"},{"line_number":614,"context_line":"    _crypt \u003d _libcrypt.crypt"},{"line_number":615,"context_line":"    _crypt.argtypes \u003d (ctypes.c_char_p, ctypes.c_char_p)"},{"line_number":616,"context_line":"    _crypt.restype \u003d ctypes.c_char_p"},{"line_number":617,"context_line":"else:"},{"line_number":618,"context_line":"    _crypt \u003d None"},{"line_number":619,"context_line":""},{"line_number":620,"context_line":""},{"line_number":621,"context_line":"def _crypt_password(key, salt):"},{"line_number":622,"context_line":"    \"\"\"Encrtpt password string and generate the value in /etc/shadow format"},{"line_number":623,"context_line":"    This is provided as a replacement of crypt.crypt method because crypt"}],"source_content_type":"text/x-python","patch_set":1,"id":"0f67cec2_434b3a61","line":620,"range":{"start_line":609,"start_character":0,"end_line":620,"end_character":0},"updated":"2024-11-18 13:44:16.000000000","message":"OK this is along the line with the oslo.utils 
proposal.","commit_id":"8148e59e57f9f4875a6b2ccb4b0881d6da068c21"},{"author":{"_account_id":9708,"name":"Balazs Gibizer","display_name":"gibi","email":"gibizer@gmail.com","username":"gibi"},"change_message_id":"6c10aea4527c8456a1541e9da34a8bd95d276953","unresolved":true,"context_lines":[{"line_number":648,"context_line":""},{"line_number":649,"context_line":"    salt \u003d _generate_salt()"},{"line_number":650,"context_line":""},{"line_number":651,"context_line":"    # Let\u0027s use SHA-512, as all other algo are to be considered insecure."},{"line_number":652,"context_line":"    # Note that this drop supports for any distro that still lags behind"},{"line_number":653,"context_line":"    # and hasn\u0027t upgraded its crypt support."},{"line_number":654,"context_line":"    encrypted_passwd \u003d _crypt_password(admin_passwd, algos[\u0027SHA-512\u0027] + salt)"}],"source_content_type":"text/x-python","patch_set":1,"id":"2f29419a_3377e4fa","line":651,"updated":"2024-11-18 13:44:16.000000000","message":"Is SHA-256 considered insecure as well?","commit_id":"8148e59e57f9f4875a6b2ccb4b0881d6da068c21"},{"author":{"_account_id":6476,"name":"Thomas Goirand","email":"thomas@goirand.fr","username":"thomas-goirand"},"change_message_id":"d928104d74789d96822a7b06cf5298e8a571b01b","unresolved":true,"context_lines":[{"line_number":648,"context_line":""},{"line_number":649,"context_line":"    salt \u003d _generate_salt()"},{"line_number":650,"context_line":""},{"line_number":651,"context_line":"    # Let\u0027s use SHA-512, as all other algo are to be considered insecure."},{"line_number":652,"context_line":"    # Note that this drop supports for any distro that still lags behind"},{"line_number":653,"context_line":"    # and hasn\u0027t upgraded its crypt support."},{"line_number":654,"context_line":"    encrypted_passwd \u003d _crypt_password(admin_passwd, algos[\u0027SHA-512\u0027] + 
salt)"}],"source_content_type":"text/x-python","patch_set":1,"id":"41a6cb86_c5ac1fae","line":651,"in_reply_to":"2f29419a_3377e4fa","updated":"2024-11-18 14:30:42.000000000","message":"Yes, only SHA-512 is considered safe.","commit_id":"8148e59e57f9f4875a6b2ccb4b0881d6da068c21"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"79c5fa6fe08d1104caa8433943967e4b74b6199a","unresolved":true,"context_lines":[{"line_number":648,"context_line":""},{"line_number":649,"context_line":"    salt \u003d _generate_salt()"},{"line_number":650,"context_line":""},{"line_number":651,"context_line":"    # Let\u0027s use SHA-512, as all other algo are to be considered insecure."},{"line_number":652,"context_line":"    # Note that this drop supports for any distro that still lags behind"},{"line_number":653,"context_line":"    # and hasn\u0027t upgraded its crypt support."},{"line_number":654,"context_line":"    encrypted_passwd \u003d _crypt_password(admin_passwd, algos[\u0027SHA-512\u0027] + salt)"}],"source_content_type":"text/x-python","patch_set":1,"id":"6b19b488_bc4265cf","line":651,"in_reply_to":"35d021dc_b94abd88","updated":"2024-11-23 12:29:56.000000000","message":"Adding support for newer python version to newer python version violates the core policy of stable branch which prohibits \"new feature\". 
If we really want it then that should be discussed and approved by TC unless nova is willing to remove stable policy tag.","commit_id":"8148e59e57f9f4875a6b2ccb4b0881d6da068c21"},{"author":{"_account_id":6476,"name":"Thomas Goirand","email":"thomas@goirand.fr","username":"thomas-goirand"},"change_message_id":"22272ee279e50a9efd6f86ef267feea1ca75e8be","unresolved":true,"context_lines":[{"line_number":648,"context_line":""},{"line_number":649,"context_line":"    salt \u003d _generate_salt()"},{"line_number":650,"context_line":""},{"line_number":651,"context_line":"    # Let\u0027s use SHA-512, as all other algo are to be considered insecure."},{"line_number":652,"context_line":"    # Note that this drop supports for any distro that still lags behind"},{"line_number":653,"context_line":"    # and hasn\u0027t upgraded its crypt support."},{"line_number":654,"context_line":"    encrypted_passwd \u003d _crypt_password(admin_passwd, algos[\u0027SHA-512\u0027] + salt)"}],"source_content_type":"text/x-python","patch_set":1,"id":"e4b99aec_b7fb8112","line":651,"in_reply_to":"363a1227_23fcbbbb","updated":"2024-11-19 07:31:23.000000000","message":"Hi Sean,\n\nFirst, I don\u0027t think you can remove this feature, because of windows instances that need it. But this can be discussed separately (ie: not in this patch).\n\nAnyway, if you want to remove it, please do this *after* this patch is merged, so I have a chance to:\n1/ fix crypt.crypt usage in Dalmatian by backporting this patch\n2/ fix the use of MD5 in Dalmatian, which is by nature insecure and must be removed\n\nAs you know with the current workflow, I must have this patch merged into master in order to have it backported and maintained in stable/dalmatian. 
And long term, it\u0027d be nice if Dalmatian could gain gating on Python 3.13 after all of my patches are merged.","commit_id":"8148e59e57f9f4875a6b2ccb4b0881d6da068c21"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"3e9740f5972fcb5129c28f0a3b0ac8f2cb238114","unresolved":true,"context_lines":[{"line_number":648,"context_line":""},{"line_number":649,"context_line":"    salt \u003d _generate_salt()"},{"line_number":650,"context_line":""},{"line_number":651,"context_line":"    # Let\u0027s use SHA-512, as all other algo are to be considered insecure."},{"line_number":652,"context_line":"    # Note that this drop supports for any distro that still lags behind"},{"line_number":653,"context_line":"    # and hasn\u0027t upgraded its crypt support."},{"line_number":654,"context_line":"    encrypted_passwd \u003d _crypt_password(admin_passwd, algos[\u0027SHA-512\u0027] + salt)"}],"source_content_type":"text/x-python","patch_set":1,"id":"363a1227_23fcbbbb","line":651,"in_reply_to":"41a6cb86_c5ac1fae","updated":"2024-11-18 20:23:39.000000000","message":"i think we should be removing this functionality entirely.\n\npassword injection via file injection has been deprecated as part of the file injection deprecation for a very very long time.\n\nthe only non-deprecated way to set the admin password today is via the qemu guest agent.\n\nas such, instead of this can we not just remove this codepath entirely?\n\nthat is what i proposed at the ptg.","commit_id":"8148e59e57f9f4875a6b2ccb4b0881d6da068c21"},{"author":{"_account_id":6476,"name":"Thomas Goirand","email":"thomas@goirand.fr","username":"thomas-goirand"},"change_message_id":"217c421f0b8fd01fb6037ab6090802d89ddb53d3","unresolved":true,"context_lines":[{"line_number":648,"context_line":""},{"line_number":649,"context_line":"    salt \u003d _generate_salt()"},{"line_number":650,"context_line":""},{"line_number":651,"context_line":"    # Let\u0027s use 
SHA-512, as all other algo are to be considered insecure."},{"line_number":652,"context_line":"    # Note that this drop supports for any distro that still lags behind"},{"line_number":653,"context_line":"    # and hasn\u0027t upgraded its crypt support."},{"line_number":654,"context_line":"    encrypted_passwd \u003d _crypt_password(admin_passwd, algos[\u0027SHA-512\u0027] + salt)"}],"source_content_type":"text/x-python","patch_set":1,"id":"35d021dc_b94abd88","line":651,"in_reply_to":"ab34e951_359a8535","updated":"2024-11-19 14:20:14.000000000","message":"Same answer as to Takashi: backporting this patch will in fact fix a security hole where we\u0027re using MD5.\nAnd yes, I do intend to have the full of OpenStack Dalmatian to support Python 3.13 in Debian, and I thought that perhaps, it\u0027d be a nice thing to have all of my patches also upstreamed. If all patches are backported upstream, then why not enabling a Python 3.13 gate once we have it up and working for master? That\u0027s for a not-so-far future, of course (ie: not for now), but I\u0027m preparing things for this eventuality that we shouldn\u0027t just dismiss because it wasn\u0027t supported when Dalmatian was released.","commit_id":"8148e59e57f9f4875a6b2ccb4b0881d6da068c21"},{"author":{"_account_id":11604,"name":"sean mooney","email":"smooney@redhat.com","username":"sean-k-mooney"},"change_message_id":"1ff1f18aa37f5fcd84066a114eade1960e2998a9","unresolved":true,"context_lines":[{"line_number":648,"context_line":""},{"line_number":649,"context_line":"    salt \u003d _generate_salt()"},{"line_number":650,"context_line":""},{"line_number":651,"context_line":"    # Let\u0027s use SHA-512, as all other algo are to be considered insecure."},{"line_number":652,"context_line":"    # Note that this drop supports for any distro that still lags behind"},{"line_number":653,"context_line":"    # and hasn\u0027t upgraded its crypt support."},{"line_number":654,"context_line":"    encrypted_passwd \u003d 
_crypt_password(admin_passwd, algos[\u0027SHA-512\u0027] + salt)"}],"source_content_type":"text/x-python","patch_set":1,"id":"ab34e951_359a8535","line":651,"in_reply_to":"e4b99aec_b7fb8112","updated":"2024-11-19 11:30:41.000000000","message":"this patch is not upstream backportable to dalmatian as it reduces the set of distros supported and it\u0027s a non-configurable behavior change.\n\nPython 3.13 is not a supported release even for master. \n\nit\u0027s not even on the optional testing list \nhttps://github.com/openstack/governance/blob/master/reference/runtimes/2025.1.rst\nthe first release that will officially support it is 2025.2\n\nI\u0027m not against enabling early testing of 3.13 on master but it likely won\u0027t be gating on master this cycle, that can be discussed but i\u0027m not sure we could do more than basic unit/functional tests; tempest testing with 3.13 is unlikely to happen till next cycle.\n\nwe need to discuss this as a wider team before moving forward with this.\n\nI\u0027m aware that Debian is not aligned to the slurp cadence and that is motivating this work, i run debian testing as my main os so i can perhaps try and test some of your other changes but i\u0027m not convinced we should be backporting this support.","commit_id":"8148e59e57f9f4875a6b2ccb4b0881d6da068c21"}]}
