osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[requirements][requests] security update for requests in stable branches


On 2019-02-15 13:06:21 -0500 (-0500), Jim Rollenhagen wrote:
[...]
> I know openstack-ansible and kolla both (optionally?) deploy from source,
> so maybe it's time to start talking about it. Or should those projects
> handle security fixes themselves when deploying from source?

If they're aggregating non-OpenStack software (that is, acting as a
full software distribution) then they ought to be tracking and
managing vulnerabilities in that software. I don't see that as being
the job of the Requirements team to manage it for them. This is
especially true in cases where the output is something like server
or container images which include plenty of other software not even
tracked by the requirements repository at all, any of which could
have security vulnerabilities as well.
-- 
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190215/73125502/attachment.sig>