On 2017-05-24 14:22:14 +0200 (+0200), Thierry Carrez wrote:
[...]
> we ship JARs already:
> http://tarballs.openstack.org/ci/monasca-common/
[...]

Worth pointing out, those all have "SNAPSHOT" in their filenames, which by Apache Maven convention indicates they're not official releases. Also they're only being hosted from our tarballs.openstack.org site, not published to the Maven Central Repository (the equivalent of DockerHub in this analogy).

> That said, only a small fraction of our current OpenStack deliverables
> are supported by the VMT and therefore properly security-maintained "by
> the community" with strong guarantees and processes. So I don't see
> adding such binary deliverables (maintained by their respective teams)
> as a complete revolution. I'd expect the VMT to require a lot more
> staffing (like dedicated people to track those deliverables' content)
> before they would consider those security-supported.

The Kolla team _has_ expressed interest in attaining vulnerability:managed for at least some of their deliverables in the future, but exactly what that would look like from a coverage standpoint has yet to be ironed out. I don't expect we would actually cover general vulnerabilities present in any container images, and would only focus on direct vulnerabilities in the Kolla source repositories instead. Rather than extending the VMT to track vulnerable third-party software present in images, it's more likely the Kolla team would form their own notifications subgroup to track and communicate such risks downstream.

-- 
Jeremy Stanley