On 2014-11-13 18:28:14 +0100 (+0100), Ihar Hrachyshka wrote:
[...]
> I think those who maintain glance_store module in downstream
> distributions will cherry-pick the security fix into their packages,
> so there is nothing to do in terms of stable branches to handle the
> security issue.
[...]

As a counterargument, some Oslo libs have grown stable branches for
security backports and cut corresponding point releases on an
as-needed basis so as to avoid introducing new features in stable
server deployments.
-- 
Jeremy Stanley
The current glance stable/juno requirement for glance_store is >= 0.1.1.

If you run stable/juno against glance_store 0.1.1 and try to create an
image, you get (multi-tenant store):

    $ glance image-create --name image1 --container-format bare --disk-format raw
    <html>
     <head>
      <title>410 Gone</title>
     </head>
     <body>
      <h1>410 Gone</h1>
      Error in store configuration. Adding images to store is disabled.<br /><br />
     </body>
    </html> (HTTP N/A)

With the latest (0.1.9) glance_store, you get:

    $ glance image-create --name image1 --container-format bare --disk-format raw
    <html>
     <head>
      <title>500 Internal Server Error</title>
     </head>
     <body>
      <h1>500 Internal Server Error</h1>
      Failed to upload image 702d5865-8925-4d0d-b52c-c93833dc5eaa<br /><br />
     </body>
    </html> (HTTP 500)

Before glance_store was separated out it would have been straightforward
to backport the relevant fixes to Glance's tightly coupled in-tree store
code.

I'm neutral on the mechanics, but I think we need to get to a point
where if someone is running stable/juno and has a version of
glance_store which satisfies what's specified in requirements.txt they
should have secure, working code.

-Stuart

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
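Stuart's point is that a requirements.txt lower bound such as `glance_store>=0.1.1` still lets an installer pick a release that predates a security fix. The following is an added example, not code from this thread or from Glance, showing how a packager can check which known-affected releases a requirement line still admits. The thread does not say which glance_store releases carry the fix, so the list of insecure versions passed in is a constructed placeholder.

```python
import re

# Comparison operators understood in a requirement clause.
_OPS = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def parse_version(text):
    """Turn '0.1.9' into (0, 1, 9) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_requirement(line):
    """Split 'glance_store>=0.1.1,<0.2  # comment' into its name and (op, version) clauses."""
    m = re.match(r"^\s*([A-Za-z0-9_.\-]+)\s*(.*?)\s*(?:#.*)?$", line)
    if not m:
        raise ValueError("unparseable requirement line: %r" % line)
    name, spec = m.group(1), m.group(2)
    clauses = []
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        op_m = re.match(r"(>=|<=|==|!=|>|<)\s*([0-9.]+)$", clause)
        if not op_m:
            raise ValueError("unsupported clause: %r" % clause)
        clauses.append((op_m.group(1), parse_version(op_m.group(2))))
    return name, clauses


def admits(clauses, version):
    """True when every clause of the specifier accepts this release."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in clauses)


def admitted_insecure(requirement_line, insecure_versions):
    """Return the known-affected releases that the requirement line still allows."""
    _, clauses = parse_requirement(requirement_line)
    return [v for v in insecure_versions if admits(clauses, v)]


if __name__ == "__main__":
    # Constructed placeholder: pretend these glance_store releases lack the fix.
    affected = ["0.1.0", "0.1.1", "0.1.5"]
    print(admitted_insecure("glance_store>=0.1.1", affected))
```

A non-empty result means the stable branch's requirements.txt, on its own, does not guarantee the secure code Stuart asks for, and the lower bound (or a point release on a stable branch of the library) needs raising.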