On 2017-05-16 11:46:14 -0700 (-0700), Michał Jastrzębski wrote:
[...]
> So CVE tracking might not be required by us. Since we still use
> distro packages under the hood, we can just use these.
[...]

I think the question is how I, as a semi-clueful downstream user of your images, can tell whether the image I'm deploying has fixes for some specific recently disclosed vulnerability. It sounds like your answer is that I should compare the package manifest against the versions listed on the distro's CVE tracker or similar service? That should be prominently documented, perhaps in a highly visible FAQ list.

> Since we'd rebuild daily, that alone would ensure timely update to
> our containers. What we can promise to potential users is that
> containers out there were built lately (24hrs)
[...]

As outlined elsewhere in the thread, there are a myriad of reasons why this could end up not being the case from time to time so I can only assume your definition of "promise" differs from mine (and unfortunately, from most people who might be trying to decide whether it's safe to rely on these images in a sensitive/production environment).
-- 
Jeremy Stanley