
[requirements][requests] security update for requests in stable branches


On Fri, Feb 15, 2019 at 1:18 PM Jeremy Stanley <fungi at yuggoth.org> wrote:

> On 2019-02-15 13:06:21 -0500 (-0500), Jim Rollenhagen wrote:
> [...]
> > I know openstack-ansible and kolla both (optionally?) deploy from source,
> > so maybe it's time to start talking about it. Or should those projects
> > handle security fixes themselves when deploying from source?
>
> If they're aggregating non-OpenStack software (that is, acting as a
> full software distribution) then they ought to be tracking and
> managing vulnerabilities in that software. I don't see that as being
> the job of the Requirements team to manage it for them. This is
> especially true in cases where the output is something like server
> or container images which include plenty of other software not even
> tracked by the requirements repository at all, any of which could
> have security vulnerabilities as well.
>

That's fair - I had to ask, given I believe they just take what the
requirements.txt file gives them. Hopefully those projects are
aware of this policy already. :)

// jim
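The exchange above turns on deployers installing whatever versions the requirements.txt pins give them, and on who then tracks vulnerabilities in that pinned software. The following is an added example, not code from this thread, from OpenStack or from any of the projects named: it parses pins in the `package===version` style used by constraints files and flags any pin older than an advisory's fixed version. The requirements lines, the advisory entries and their ids are constructed placeholders, not real vulnerability data, and the "vulnerable if below fixed_in" model is an assumption that real advisory feeds refine with explicit affected ranges.

```python
"""
Cross-check pinned requirements against a list of known advisories.
Added example, not code from the thread or from OpenStack.
All sample data below is constructed; the advisory ids are placeholders.
"""
import re

# Constructed sample of an upper-constraints style file (not from the page).
SAMPLE_REQUIREMENTS = """\
# constructed sample pins
requests===2.20.0
urllib3===1.24.1
six===1.12.0
"""

# Constructed advisory list: package -> [(fixed_in_version, advisory id placeholder)].
# A deployer would populate this from a vulnerability feed; these are not real entries.
SAMPLE_ADVISORIES = {
    "requests": [("2.20.1", "ADVISORY-PLACEHOLDER-1")],
    "urllib3": [("1.24.2", "ADVISORY-PLACEHOLDER-2")],
}

# Matches "name==1.2.3" or "name===1.2.3", with an optional trailing comment.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*===?\s*([0-9][0-9A-Za-z.]*)\s*(?:#.*)?$")


def parse_version(version):
    """Turn '2.20.1' into (2, 20, 1); comparison stops at the first non-numeric part."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def parse_pins(text):
    """Return {package_name_lowercase: pinned_version} for every exact pin in text."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = PIN_RE.match(line)
        if match:
            pins[match.group(1).lower()] = match.group(2)
    return pins


def find_vulnerable_pins(pins, advisories):
    """List (package, pinned, fixed_in, advisory_id) for pins below an advisory's fix."""
    findings = []
    for name, version in pins.items():
        for fixed_in, advisory_id in advisories.get(name, []):
            # Assumption: every version below fixed_in is affected.
            if parse_version(version) < parse_version(fixed_in):
                findings.append((name, version, fixed_in, advisory_id))
    return findings


if __name__ == "__main__":
    for name, pinned, fixed_in, advisory_id in find_vulnerable_pins(
        parse_pins(SAMPLE_REQUIREMENTS), SAMPLE_ADVISORIES
    ):
        print(f"{name}=={pinned} is below fix {fixed_in} ({advisory_id})")
```

Running the script over a real constraints file and a real advisory feed in place of the constructed samples is the kind of check a deployment project would own under the division of responsibility described in the reply: the requirements repository supplies the pins, and whoever builds the image or host from them tracks whether those pins are still current.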