On 14/11/14 11:25 +0000, stuart.mcla...@hp.com wrote:

On 2014-11-13 18:28:14 +0100 (+0100), Ihar Hrachyshka wrote:
I think those who maintain glance_store module in downstream
distributions will cherry-pick the security fix into their
packages, so there is nothing to do in terms of stable branches to
handle the security issue.

As a counterargument, some Oslo libs have grown stable branches for
security backports and cut corresponding point releases on an
as-needed basis so as to avoid introducing new features in stable
server deployments.
Jeremy Stanley

The current glance stable/juno requirement for glance_store is >= 0.1.1.

If you run stable/juno against glance_store 0.1.1 and try
to create an image, you get (multi-tenant store):


Before glance_store was separated out it would have been straightforward
to backport the relevant fixes to Glance's tightly coupled in-tree store code.

I'm neutral on the mechanics, but I think we need to get to a point where
if someone is running stable/juno and has a version of glance_store which
satisfies what's specified in requirements.txt they should have secure,
working code.

I think releasing glance_store now with the security fix is fine.
Distro packages will be updated as soon as 2014.2.1 is released and
the change introduced is backwards compatible.

FWIW, we're adapting glance_store's development to follow oslo
libraries policies even for releases and versioning.


Flavio Percoco

Attachment: pgpW7NsATDPbZ.pgp
Description: PGP signature

OpenStack-dev mailing list

Reply via email to