On Tue, 2024-08-13 at 13:11 +0000, Jeremy Stanley wrote:
Just a heads up that I approved all of these posts through moderation in the interest of transparency (the authors were not subscribers to the list and so their posts were automatically held).
I personally inspected each and every report before approving, and have confirmed that every recorded instance is either of test vectors or examples in code comments, and in the case of the cinder and manila repos some drivers have fallback or placeholder credential values for communicating with certain devices/protocols.
None of these appears to represent any exploitable risk, but if contributors want to take this as an opportunity to add further code comments stating this, I suppose it might help avoid similar confusion in the future.
Thanks for your diligence here, I was concerned they were public disclosures of a security vulnerability to the list, which would obviously be very damaging to the community and users alike.
If this sort of reporting continues, list moderators may begin to reject further posts on the grounds that it's noise and not contributing useful information to our community.
In its current form I would agree this is already a little spam but not terribly so. It would have been better if they filed a single bug and added all affected projects or included the project [nova] header in the subject. If this was an actual vulnerability then our normal process of reporting security issues should have been followed.