On 09/21/2016 02:03 PM, Jeremy Stanley wrote:
> On 2016-09-21 15:41:11 +1000 (+1000), Tony Breeds wrote:
>> On Tue, Sep 20, 2016 at 11:57:26AM +0100, Daniel P. Berrange wrote:
>>> (3) Do nothing, leave the bug unfixed in stable/liberty
>>> While this is a security bug, it is one that has existed in every single
>>> openstack release ever, and it is not a particularly severe bug. Even if
>>> we fixed it in liberty, it would still remain unfixed in every release before
>>> liberty. We're on the verge of releasing Newton at which point liberty
>>> becomes less relevant. So I question whether it is worth spending more
>>> effort on dealing with this in liberty upstream. Downstream vendors
>>> still have the option to do either (1) or (2) in their own private
>>> branches if they so desire, regardless of whether we fix it upstream.
>> I think 3 is the least worst option.
> At least from my perspective with my VMT hat on, declaring that we
> have a security vulnerability severe enough to fix in stable/mitaka
> but unfixable in stable/liberty calls into question whether the
> latter is actually maintainable by our general definition as a
> project or is ready for EOL.
Well, the risk profile of what has to be changed for stable/liberty
(given that all the actual code is buried in libraries which have tons
of other changes). Special cherry-picked library versions would be
needed to fix this without opening up a ton of risk for breaking
That is the bit of work that no one seems to really have picked up.
OpenStack Development Mailing List (not for usage questions)