<div dir="ltr"><div class="gmail_default" style="font-family:courier new,monospace"><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Sep 9, 2013 at 1:20 PM, Jarret Raim <span dir="ltr"><<a href="mailto:jarret.raim@rackspace.com" target="_blank">jarret.raim@rackspace.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im"><br>
<br>
On 9/9/13 9:25 AM, "Russell Bryant" <<a href="mailto:rbryant@redhat.com">rbryant@redhat.com</a>> wrote:<br>
<br>
>On 09/09/2013 04:57 AM, Thierry Carrez wrote:<br>
>> Russell Bryant wrote:<br>
>>> I would be good with the exception for this, assuming that:<br>
>>><br>
>>> 1) Those from nova-core that have reviewed the code are still happy<br>
>>>with<br>
>>> it and would do a final review to get it merged.<br>
>>><br>
>>> 2) There is general consensus that the simple config based key manager<br>
>>> (single key) does provide some amount of useful security. I believe it<br>
>>> does, just want to make sure we're in agreement on it. Obviously we<br>
>>> want to improve this in the future.<br>
>><br>
>> +1<br>
>><br>
>> I think this is sufficiently self-contained that the regression risk is<br>
>> extremely limited. It's also nice to have a significant hardening<br>
>> improvement in the Havana featurelist. I would just prefer if it landed<br>
>> ASAP since I would like as much usage around it as we can get, to make<br>
>> sure the previous audits didn't miss an obvious bug/security hole in it.<br>
>><br>
><br>
>The response seems positive from everyone so far. I think we should<br>
>approve this and try to get it merged ASAP (absolutely this week, and<br>
>hopefully in the first half of the week).<br>
><br>
>ACK on the FFE from me.<br>
<br>
<br>
</div>Me as well for what it's worth. While I understand the concerns around key<br>
management, Barbican will have our 1.0 release for Havana and it should be<br>
relatively easy to integrate the proposed patches with Barbican at that<br>
time. Even so, the current version does offer some security and gives us<br>
the ability to have the code tested before we introduce another moving<br>
part.<br>
<br>
<br>
Thanks,<br>
Jarret Raim<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div></div></blockquote></div><br></div><div class="gmail_extra"><div class="gmail_default" style="font-family:'courier new',monospace">Fine on the Cinder side for the related components there.</div><br></div>
</div>