On 2016-03-19 05:10:18 -0500 (-0500), Monty Taylor wrote:
[...]
> It would also be good to tie off with the security team about
> this. One of the reasons we stopped publishing debs years ago is
> that it made us a de-facto derivative distro. People were using
> our packages in production, including backports we'd built in
> support of those packages, but our backports were not receiving
> security/CVE attention, so we were concerned that we were causing
> people to be exposed to issues. Of course. "we" was thierry,
> soren, jeblair and I, which is clearly not enough people. Now we
> have a whole security team and people who DO track CVEs - so if
> they're willing to at least keep an eye on things we publish in a
> repo, then I think we're in good shape to publish a repo with
> backports in it.
[...]
Please be aware that the VMT's direct support for triaging, tracking and announcing vulnerabilities/fixes only extends to a very small subset of OpenStack already. With both my VMT and Infra hats on, I really don't feel like we have neither the workforce nor the expertise to make security guarantees about our auto-built packages. We'll make a best effort attempt to rebuild packages as soon as possible after patches merge to their corresponding repos, assuming the toolchain and our CI are having a good day.

I'm not against building and publishing packages, but we need to make big ugly disclaimers everywhere we can that these are not security supported by us, not intended for production use, and if they break your deployment you get to keep all the pieces. Users of legitimate distros need to consider those packages superior to ours in every way, since I really don't want to be on the hook to support them for more than validation purposes.

-- 
Jeremy Stanley
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev