{
  "/PATCHSET_LEVEL": [
    {
      "author": {
        "_account_id": 5314,
        "name": "Brian Rosmaita",
        "email": "rosmaita.fossdev@gmail.com",
        "username": "brian-rosmaita"
      },
      "change_message_id": "f782b1b9b9ecfe78ace71e44970f16e9ae63811c",
      "unresolved": false,
      "context_lines": [],
      "source_content_type": "",
      "patch_set": 1,
      "id": "819668e4_b9607ec9",
      "updated": "2026-01-12 14:49:47.000000000",
      "message": "Suggestion inline to address Jay's point.",
      "commit_id": "59792bf0d431103a5abe96fc7deb650436324a86"
    }
  ],
  "doc/source/reporting.rst": [
    {
      "author": {
        "_account_id": 10342,
        "name": "Jay Faulkner",
        "display_name": "JayF",
        "email": "jay@jvf.cc",
        "username": "JayF",
        "status": "youtube.com/@oss-gr / podcast.gr-oss.io"
      },
      "change_message_id": "d9e5d52d3f98c3277151142d51d24a717be5272e",
      "unresolved": true,
      "context_lines": [
        {"line_number": 45, "context_line": "Automated Reports"},
        {"line_number": 46, "context_line": "-----------------"},
        {"line_number": 47, "context_line": ""},
        {"line_number": 48, "context_line": "Please don't submit reports that are merely the result of running a source code"},
        {"line_number": 49, "context_line": "analyzer, dependency checker, LLM, or network scanner on OpenStack Git"},
        {"line_number": 50, "context_line": "repositories and services. It's fine to use those sorts of tools in order to"},
        {"line_number": 51, "context_line": "identify potential bugs and areas of concern, but at least make some attempt to"}
      ],
      "source_content_type": "text/x-rst",
      "patch_set": 1,
      "id": "9e8f75b6_98be66fe",
      "line": 48,
      "updated": "2026-01-08 16:38:05.000000000",
      "message": "I think we could probably word this to be as comprehensive but less antagonistic.\n\n\"Direct output from automated tooling such as source code analysis, dependency checkers, LLM or network scanners are not valid bug reports. Many issues reported by these tools are not practical exploits, are nonsensical for a hosted cloud project such as OpenStack, or highlight valid administrative features as security issues. Please ensure any bugs derived with the use of automated tooling are exploitable against a deployment of OpenStack.\"\n\nOn reflection after rewriting this, I think I just really dislike that my eye is just constantly drawn to \"theoretical bug reports waste maintainer time\". I just would prefer a more gently worded admonishment (and I think the \"no bug bounties\" addition upstream will curb some of the bad behavior, too)",
      "commit_id": "59792bf0d431103a5abe96fc7deb650436324a86"
    },
    {
      "author": {
        "_account_id": 5314,
        "name": "Brian Rosmaita",
        "email": "rosmaita.fossdev@gmail.com",
        "username": "brian-rosmaita"
      },
      "change_message_id": "f782b1b9b9ecfe78ace71e44970f16e9ae63811c",
      "unresolved": true,
      "context_lines": [
        {"line_number": 50, "context_line": "repositories and services. It's fine to use those sorts of tools in order to"},
        {"line_number": 51, "context_line": "identify potential bugs and areas of concern, but at least make some attempt to"},
        {"line_number": 52, "context_line": "confirm they can be exploited on a real deployment or installation of the"},
        {"line_number": 53, "context_line": "software. Theoretical bug reports waste maintainer time, something we have"},
        {"line_number": 54, "context_line": "precious little of, which could be better spent addressing actual confirmed"},
        {"line_number": 55, "context_line": "bugs in the software."}
      ],
      "source_content_type": "text/x-rst",
      "patch_set": 1,
      "id": "b2cb7597_1ec947f5",
      "line": 55,
      "range": {"start_line": 53, "start_character": 10, "end_line": 55, "end_character": 21},
      "updated": "2026-01-12 14:49:47.000000000",
      "message": "Maybe you can address Jay's point by replacing the \"waste of time\" sentence with something like this:\n\nFor example, take a look at https://bugs.launchpad.net/cinder/+bug/2125395\n\n- Two non-OpenStack packages are reported as \"Security Risks\".  Before reporting this, make sure you are familiar with OpenStack's stance with respect to the security of third-party packages, https://docs.openstack.org/requirements/latest/#security-warning\nThis is only an issue for OpenStack if the maintainers of the packages in question have either stopped maintaining the project, or have refused to fix the risk.  To assist OpenStack developers, please be clear about exactly what the issue here is and what action you, as a community member, recommend.  Additionally, be aware \n- Three non-OpenStack packages are reported as \"License Risks\".  Verify that the reported license is in fact the licence of the package (we have seen instances where the scan is incorrect) and verify that it is in fact a problem for OpenStack (see https://governance.openstack.org/tc/reference/licensing.html ).  If so, has the project license changed recently?  Make sure you include that information in your bug report to the OpenStack Requirements Team.\n- Forty (!) packages \"have been flagged for operational risk. These may be outdated, deprecated, vulnerable, or unmaintained.\"  Don't just dump a list here for somebody else to sort through, especially since outdated, deprecated or vulnerable packages may not be relevant (again, make sure you are familiar with https://docs.openstack.org/requirements/latest/#security-warning ).  For an unmaintained package, it would be helpful to know the length of non-maintenance, how many open bugs there are, what would be a suitable replacement, etc.\n\nWe appreciate your interest in keeping OpenStack secure; keep in mind that you are a community member, and by taking the time to understand the implications of an automated scan before filing a bug, you can provide a real service to OpenStack.",
      "commit_id": "59792bf0d431103a5abe96fc7deb650436324a86"
    }
  ]
}
