As for our work and updates, using system-wide packages is an excellent
solution in this regard, as we get maintenance and updates for free. For
instance, if there is a security issue in one of the JavaScript
libraries, we don't need to patch Horizon -- the patch that is prepared
for that specific library and applied system-wide is sufficient.

But for distributions that package Horizon itself, don't they
effectively need to patch Horizon? Namely, don't they need to install
on their build systems fixed JavaScript distribution packages to
address the security issue and then they need to rebuild Horizon itself
even if there are no Horizon source code changes.

From a Horizon end-user perspective who relies on the distribution's
packages to get Horizon, they'll get the security fix but it seems
distributors will still need to rebuild and deliver Horizon for every
upstream JavaScript fix whether the files come from XStatic, Bower, or
some other method.

OpenStack Development Mailing List (not for usage questions)

Reply via email to