On 14/11/14 11:25 +0000, [email protected] wrote:
On 2014-11-13 18:28:14 +0100 (+0100), Ihar Hrachyshka wrote:
[...] I think those who maintain glance_store module in downstream distributions will cherry-pick the security fix into their packages, so there is nothing to do in terms of stable branches to handle the security issue. [...]
As a counterargument, some Oslo libs have grown stable branches for security backports and cut corresponding point releases on an as-needed basis so as to avoid introducing new features in stable server deployments.
--
Jeremy Stanley
The current glance stable/juno requirement for glance_store is >= 0.1.1. If you run stable/juno against glance_store 0.1.1 and try to create an image, you get (multi-tenant store):
[snip]
Before glance_store was separated out it would have been straightforward to backport the relevant fixes to Glance's tightly coupled in-tree store code. I'm neutral on the mechanics, but I think we need to get to a point where if someone is running stable/juno and has a version of glance_store which satisfies what's specified in requirements.txt they should have secure, working code.
I think releasing glance_store now with the security fix is fine. Distro packages will be updated as soon as 2014.2.1 is released and the change introduced is backwards compatible.
FWIW, we're adapting glance_store's development to follow oslo libraries policies even for releases and versioning.
Cheers,
Flavio
--
@flaper87
Flavio Percoco
_______________________________________________ OpenStack-dev mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
