On Tue, Sep 20, 2016 at 11:57:26AM +0100, Daniel P. Berrange wrote:
> On Tue, Sep 20, 2016 at 12:48:49PM +0200, Kashyap Chamarthy wrote:
> > The two options at hand:
> > (1) Nova backport from master (that also adds a check for the presence
> > of 'ProcessLimits' attribute which is only present in
> > oslo.concurrency>=2.6.1; and a conditional check for 'prlimit'
> > parameter in qemu_img_info() method.)
> > https://review.openstack.org/#/c/327624/ -- "virt: set address space
> > & CPU time limits when running qemu-img"
> > (2) Or bump global-requirements for 'oslo.concurrency'
> > https://review.openstack.org/#/c/337277/5 -- Bump
> > 'global-requirements' for 'oslo.concurrency' to 2.6.1
> Actually we have 3 options
> (3) Do nothing, leave the bug unfixed in stable/liberty
That was the unspoken third option, thanks for spelling it out. :-)
> While this is a security bug, it is one that has existed in every
> single openstack release ever, and it is not a particularly severe
> bug. Even if we fixed in liberty, it would still remain unfixed in
> every release before liberty. We're in the verge of releasing Newton
> at which point liberty becomes less relevant. So I question whether it
> is worth spending more effort on dealing with this in liberty
> upstream. Downstream vendors still have the option to do either (1)
> or (2) in their own private branches if they so desire, regardless of
> whether we fix it upstream.
Sure, I agree with what you said. This patch started off 2-ish months
ago, at that time it wasn't the "verge of releasing Newton". That said,
if upstream feels it's not really necessary to get this into Liberty,
then I'm fine abandoning it, and close this. That's at least brings
this to a conclusion.
OpenStack Development Mailing List (not for usage questions)