On 03/19/2016 06:53 PM, Jeremy Stanley wrote:
> On 2016-03-19 05:10:18 -0500 (-0500), Monty Taylor wrote:
> [...]
>> It would also be good to tie off with the security team about
>> this. One of the reasons we stopped publishing debs years ago is
>> that it made us a de-facto derivative distro. People were using
>> our packages in production, including backports we'd built in
>> support of those packages, but our backports were not receiving
>> security/CVE attention, so we were concerned that we were causing
>> people to be exposed to issues. Of course. "we" was thierry,
>> soren, jeblair and I, which is clearly not enough people. Now we
>> have a whole security team and people who DO track CVEs - so if
>> they're willing to at least keep an eye on things we publish in a
>> repo, then I think we're in good shape to publish a repo with
>> backports in it.
> [...]
>
> Please be aware that the VMT's direct support for triaging, tracking
> and announcing vulnerabilities/fixes only extends to a very small
> subset of OpenStack already. With both my VMT and Infra hats on, I
> really don't feel like we have either the workforce nor expertise to
> make security guarantees about our auto-built packages. We'll make a
> best effort attempt to rebuild packages as soon as possible after
> patches merge to their corresponding repos, assuming the toolchain
> and our CI are having a good day.
>
With only my VMT hat on, this makes me wonder why the packaging needs special care. Is there a reason why stable branches aren't built continuously? Otherwise I agree with Jeremy, VMT is already quite busy supporting vulnerability:managed projects' master branch along with supported stable branches. Adding more branches to track doesn't seem like the right approach.

-Tristan

> I'm not against building and publishing packages, but we need to
> make big ugly disclaimers everywhere we can that these are not
> security supported by us, not intended for production use, and if
> they break your deployment you get to keep all the pieces. Users of
> legitimate distros need to consider those packages superior to ours
> in every way, since I really don't want to be on the hook to support
> them for more than validation purposes.
>
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>