On 2016-09-21 15:41:11 +1000 (+1000), Tony Breeds wrote:
> On Tue, Sep 20, 2016 at 11:57:26AM +0100, Daniel P. Berrange wrote:
> >   (3) Do nothing, leave the bug unfixed in stable/liberty
> > 
> > While this is a security bug, it is one that has existed in every single
> > openstack release ever, and it is not a particularly severe bug. Even if
> > we fixed in liberty, it would still remain unfixed in every release before
> > liberty. We're in the verge of releasing Newton at which point liberty
> > becomes less relevant. So I question whether it is worth spending more
> > effort on dealing with this in liberty upstream.  Downstream vendors
> > still have the option to do either (1) or (2) in their own private
> > branches if they so desire, regardless of whether we fix it upstream.
> I think 3 is the least worst option.

At least from my perspective with my VMT hat on, declaring that we
have a security vulnerability severe enough to fix in stable/mitaka
but unfixable in stable/liberty calls into question whether the
latter is actually maintainable by our general definition as a
project or is ready for EOL.
Jeremy Stanley

Attachment: signature.asc
Description: Digital signature

OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe

Reply via email to