On 2015-08-11 20:42:26 +0000 (+0000), Bhandaru, Malini K wrote:
[...]
> Another place I see value is running periodically against past
> releases (Icehouse, Juno, etc.) to catch any vulnerabilities in
> production systems. When we issue security notes we typically
> specify any past releases that carry the vulnerability, and this
> would be on par with that.
[...]

I don't see how this would help. We cap the versions of libraries we support from PyPI solely for the benefit of our stable branch testing. We can't support changing those upper bounds in already existing stable releases, since the vast majority of them don't have similar stable backport policies for security fixes. So while this tool might be able to *detect* that our prior releases only work with vulnerable versions of dependencies, we could never *fix* those ourselves, so they'd be forever alerting on every run thereafter. This is the sort of work which downstream package maintainers and distributors are well equipped to take care of, and something which we really can't control upstream at all.

-- 
Jeremy Stanley

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
