In the Liberty cycle, Neutron is mandating the splitting out of "third-party" plugins and drivers into separate repositories; see [1]. These external repositories will be managed by the maintainers of the code, who are independent from the Neutron core maintainers.
The question now arises about what to do when a security issue is found in such an external repository that integrates with Neutron.

- How should such security issues be managed?
- Should the OpenStack security team be involved?
- Does a CVE need to be filed?
- Do the maintainers need to publish OSSN or equivalent documents?
- Anything else to consider here?

[1] https://review.openstack.org/187267