On 2015-05-29 11:47:36 +0200 (+0200), Thierry Carrez wrote:
[...]
> As far as vulnerability management goes, we already publish the
> "master" fix as part of the advisory, so people can easily find
> that. The only thing the VMT might want to reconsider is: when an
> issue is /only/ present in the master branch and was never part of
> a release, it currently gets fixed silently there, without an
> advisory being published. I guess that could be evolved to
> "publish an advisory if the issue was in any released version".
> That would still not give users of intermediary versions a pure
> backport for their version, but give them notice and a patch to
> apply. I also suspect that for critical issues Ironic would issue
> a new intermediary release sooner rather than later.

This is what we've historically done for master-branch-only projects anyway, so I don't see it as a new process. Works just fine, but as you say we should make sure we know at the time of writing the advisory what the next release version number will be (and hopefully it comes along shortly after the fix merges so people can just upgrade to it).
--
Jeremy Stanley
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev