{"/COMMIT_MSG":[{"author":{"_account_id":7118,"name":"Ian Wienand","email":"iwienand@redhat.com","username":"iwienand"},"change_message_id":"d4245b1b327c6931c5fca8dce788cd4b29a2a2dc","unresolved":true,"context_lines":[{"line_number":10,"context_line":"testing on Ubuntu nodes, which normally requires a paid"},{"line_number":11,"context_line":"subscription. The \"token\" field of the \"openstack_ubuntu_fips\""},{"line_number":12,"context_line":"secret supplied here can be applied to a test node early during job"},{"line_number":13,"context_line":"setup by calling \"pro attach {{ token }}\" as root."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"The secret will be replaced periodically, in order to make any"},{"line_number":16,"context_line":"entitlement exfiltrated from job nodes unattractive for production"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"855dc3a3_43a0ea1d","line":13,"updated":"2022-11-14 22:25:19.000000000","message":"These secrets can\u0027t be used in a \"pre-review\" pipeline, though?  So I feel like this doesn\u0027t work?","commit_id":"97c7084cd7eec08e46d10976b6ad4b8b8b2ec85c"},{"author":{"_account_id":13252,"name":"Dr. 
Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"03b938af4f38b1a94f70a2eb9fb7dc507c5a342b","unresolved":true,"context_lines":[{"line_number":12,"context_line":"secret supplied here can be applied to a test node early during job"},{"line_number":13,"context_line":"setup by calling \"pro attach {{ token }}\" as root."},{"line_number":14,"context_line":""},{"line_number":15,"context_line":"The secret will be replaced periodically, in order to make any"},{"line_number":16,"context_line":"entitlement exfiltrated from job nodes unattractive for production"},{"line_number":17,"context_line":"use."},{"line_number":18,"context_line":""}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"dbea995c_d6fe8224","line":15,"updated":"2022-11-07 13:22:05.000000000","message":"What\u0027s the expected interval for this? (Just a rough estimate, like weekly maybe or rather once every 5 years?) Trying to judge the expected impact on reviewers and admins.\n\nDoes the secret have an inherent limited lifetime or how will this be coordinated with Canonical? Can rotation happen in a way that will not break jobs between generation of the new token and updating the secret?","commit_id":"97c7084cd7eec08e46d10976b6ad4b8b8b2ec85c"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":7118,"name":"Ian Wienand","email":"iwienand@redhat.com","username":"iwienand"},"change_message_id":"fe43e4e1814d1427a61d4e5c3d02b87e3c47088a","unresolved":true,"context_lines":[],"source_content_type":"","patch_set":1,"id":"0c713771_a5115fa0","updated":"2022-11-22 22:52:17.000000000","message":"\u003e If the playbook using them is also in the project-config repo, then post-review pipeline triggering isn\u0027t mandatory.\n\nIs this playbook written yet?  
Basically the plan is to add a \"ubuntu-fips-enable\" type role in here?","commit_id":"97c7084cd7eec08e46d10976b6ad4b8b8b2ec85c"},{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"9eeace7d04ef9732734465d4ed2da84d7362aea9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"06aa4a6b_584b37da","updated":"2022-11-14 14:40:54.000000000","message":"\u003e Patch Set 1:\n\u003e \n\u003e Would you be more comfortable if we simply put the plaintext version of the token into the fips job definition(s) rather than obscuring it with a zuul secret?\n\nThat would at least allow contributors to run local tests if needed, assuming that that would be considered fair use somehow. Still not really open, but might be o.k. as a compromise. I wonder what Canonical would think about that, too.\n\nBut maybe it is also a good idea to have a word from the TC about how their position is on this conflict between wanting to support consumer wishes and staying open. 
I\u0027ll put the topic up in their channel.","commit_id":"97c7084cd7eec08e46d10976b6ad4b8b8b2ec85c"},{"author":{"_account_id":9914,"name":"Ade Lee","email":"alee@redhat.com","username":"alee"},"change_message_id":"3c49a23fc3d4ac4811b4028ad451bec21a72fd49","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"ec90e3ab_47ca7d0c","updated":"2022-11-28 09:39:23.000000000","message":"Hey all,\n\nDo we have enough of a consensus to move this forward?\nThanks,\n\nAde","commit_id":"97c7084cd7eec08e46d10976b6ad4b8b8b2ec85c"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"8233df799cd438737484dd26c0026e8bdf53bb55","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"18c0d46f_708fe2b3","updated":"2022-11-22 19:52:50.000000000","message":"I agree to go with this because of seeing other options we have currently for FIPS testing. For centos stream, we already discussed even with centos stream team and decided to test it in periodic was as that is something we can keep a voting job in gate.\n\nIf we get any other distro open license tp test FIPS we can update our testing but meanwhile let\u0027s start the testing with this.\n","commit_id":"97c7084cd7eec08e46d10976b6ad4b8b8b2ec85c"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"a86c9d611f71b345183e0bf4d2f88820a7dc3cb4","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"29c4c434_558fb64b","updated":"2022-11-29 16:21:27.000000000","message":"I don\u0027t want to let the perfect be the enemy of the good here.  It\u0027s better to have the FIPS jobs running than not running (e.g., see [0]), and when having them running it\u0027s desirable that they be running on the same platform as other CI jobs so we can easily compare results.  
So at the present time, that means running Ubuntu in FIPS mode.\n\nIt seems like third-party CIs could also consume this secret, and given that most of them run Ubuntu for easy comparison with upstream CI results, that shouldn\u0027t be too difficult to do.\n\nThe alternative would be to get everything running in something like Rocky Linux or Debian (where FIPS would be free), but that doesn\u0027t seem like a reasonable short-term goal.\n\nSo my opinion is that we should move forward with this now so we can have both FIPS and non-FIPS CI coverage, because we do want OpenStack to be able to run on FIPS platforms.\n\n[0] https://bugs.launchpad.net/os-brick/+bug/1967790","commit_id":"97c7084cd7eec08e46d10976b6ad4b8b8b2ec85c"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"384a07e98ac4d76a4d91e8fcb233dbb6544f102d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"5b2912c9_a702f012","updated":"2022-11-22 19:37:47.000000000","message":"IMHO, this is massively better than the alternatives of (a) not having any FIPS coverage and (b) having to use CentOS-Stream to get it.\n\nThere are other ways to test for FIPS issues if we need to debug these jobs, although I do not think we\u0027re likely to end up with difficult FIPS-specific issues that require more in-depth local troubleshooting.\n\nThat, and we\u0027ve been very quick to make FIPS jobs non-voting when issues arise, and I would think we\u0027d continue that behavior with these, especially if it\u0027s something non-trivial to address.","commit_id":"97c7084cd7eec08e46d10976b6ad4b8b8b2ec85c"},{"author":{"_account_id":13252,"name":"Dr. 
Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"8ba757489a7a1c2eb8a8a8ce73a90ee7874eccfc","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"ed942ca9_e0b2bbbc","updated":"2022-11-14 14:42:37.000000000","message":"My preferred solution in the current situation would be for someone to run these jobs in a 3rd party CI.","commit_id":"97c7084cd7eec08e46d10976b6ad4b8b8b2ec85c"},{"author":{"_account_id":7118,"name":"Ian Wienand","email":"iwienand@redhat.com","username":"iwienand"},"change_message_id":"9dc0f146c09917b83f699511aededd0598c9a6a0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"385069be_d4d35c2e","updated":"2022-11-29 03:34:34.000000000","message":"Shouldn\u0027t the TC really make the call on this?\n\n\"Truly open source software is not feature or performance limited. There will be no “Enterprise Edition”.\" [1]\n\nThat FIPS is only tested on what is essentially an \"enterprise edition\" seems to be skirting too close to this for me to put +w on this by myself...\n\nTechnically, OK +2 in that this should work and is probably slightly better than plain-text in code (so every github bot finds it) or slightly obfuscated in code (base64 encoded or something; c.f. first point).\n\n[1] https://governance.openstack.org/tc/reference/opens.html\n","commit_id":"97c7084cd7eec08e46d10976b6ad4b8b8b2ec85c"},{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"f8234b07b05b12c82f6bf25b0107f59173bee023","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"3320c7fc_53fe79e0","updated":"2022-11-22 18:02:57.000000000","message":"This isn\u0027t the first secret for less open things that openstack has added (the github mirror sync secret is the classic example). 
I think it is ok to add this secret and use it to figure out if this can be made to work or is otherwise feasible. Openstack should consider Frickler\u0027s concerns if this becomes something that openstack wants to require or test broadly though.","commit_id":"97c7084cd7eec08e46d10976b6ad4b8b8b2ec85c"},{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"a7998c7375ad0663ff5c849a843fd5ec8a18079a","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"a35630fc_7ce95275","updated":"2022-11-14 10:01:51.000000000","message":"To me, this sounds too non-open and sets a bad precedent, this isn\u0027t what I would see as open development. It also raises questions like \"how would we need to restrict access to held nodes using this secret?\".\n\nI would prefer us to not follow this path.","commit_id":"97c7084cd7eec08e46d10976b6ad4b8b8b2ec85c"},{"author":{"_account_id":4146,"name":"Clark Boylan","email":"cboylan@sapwetik.org","username":"cboylan"},"change_message_id":"f98b036d485b00c447fcb42700d53ae66e3561b1","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"80511ebf_680cba60","in_reply_to":"29c4c434_558fb64b","updated":"2022-11-29 16:27:03.000000000","message":"\u003e It seems like third-party CIs could also consume this secret, and given that most of them run Ubuntu for easy comparison with upstream CI results, that shouldn\u0027t be too difficult to do.\n\nNote, I\u0027m not sure this is true for two reasons. The first is that encryption keys are not shared by CI systems. 
Second is I\u0027m not sure if we\u0027ve been given permission for other CI system to use the key?\n\n\u003e \n\u003e The alternative would be to get everything running in something like Rocky Linux or Debian (where FIPS would be free), but that doesn\u0027t seem like a reasonable short-term goal.\n\nUbuntu runs Firefox out of a snap which makes using tools like selenium for browser content testing difficult. Horizon has been looking at switching jobs that use selenium over to Debian in response to this. Not directly related, but wanted to call out another location where this has become helpful.","commit_id":"97c7084cd7eec08e46d10976b6ad4b8b8b2ec85c"},{"author":{"_account_id":4393,"name":"Dan Smith","email":"dms@danplanet.com","username":"danms"},"change_message_id":"af981929c230459d5761ea8dcb09490fd0e06069","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"d52ea064_a7bc725e","in_reply_to":"385069be_d4d35c2e","updated":"2022-11-29 15:14:49.000000000","message":"\u003e Shouldn\u0027t the TC really make the call on this?\n\nTwo of us have voted - I\u0027m not sure we need anything too formal, but we can highlight it to the rest of them to see if they want to comment.\n\n\u003e \"Truly open source software is not feature or performance limited. There will be no “Enterprise Edition”.\" [1]\n\nWe\u0027re looking to use ubuntu\u0027s offering for this because it\u0027s the closest to the rest of the jobs we have. We\u0027ve tried on Centos Stream, which is totally free, but other issues with that distro have made it challenging. We could test it with debian, but we just recently had problems with that job (mostly because it\u0027s not our primary, IMHO). 
The ubuntu entitlement is more of a support/certification thing, and I\u0027m pretty sure OpenStack\u0027s mission has always been friendly to freely-available software with paid vendor support :)\n\nTo me, this is a convenience to do the thing we want to do, which is test with FIPS enabled. There are other ways to do it, we\u0027ve explored one already, and the pain from that has led us here.","commit_id":"97c7084cd7eec08e46d10976b6ad4b8b8b2ec85c"}],"zuul.d/secrets.yaml":[{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"642b35d0173ac908b878bcc6eea6d96a8ec09c89","unresolved":false,"context_lines":[{"line_number":729,"context_line":"          FtiR0LGtDxKM1bdi57Qc3f43P4jzY3Px07SSKVFKSkuI1zSLnsZSbmWg/wBHcjllsA73L"},{"line_number":730,"context_line":"          l0HItpoMi3S3KDsFajJbk2UE6NhCBD7kmsSB69L6yb7VJdKZqMAHS2BSSXIRdA\u003d"},{"line_number":731,"context_line":""},{"line_number":732,"context_line":"# Periodically rotated throw-away entitlement for FIPS support on Ubuntu"},{"line_number":733,"context_line":"# (last issued 2022-10-14)"},{"line_number":734,"context_line":"- secret:"},{"line_number":735,"context_line":"    name: openstack_ubuntu_fips"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"4c70a846_ede29507","line":732,"updated":"2022-11-15 21:29:02.000000000","message":"I can expand this code comment with quotes from Canonical representatives on their acquiescence to this approach, if maintainers feel that would be helpful to include.","commit_id":"97c7084cd7eec08e46d10976b6ad4b8b8b2ec85c"}]}
