On 2016-09-21 14:05:51 -0400 (-0400), Sean Dague wrote: [...] > Well, the risk profile of what has to be changed for stable/liberty > (given that all the actual code is buried in libraries which have tons > of other changes). Special cherry-picked library versions would be > needed to fix this without openning up a ton of risk for breaking > stable/liberty badly. > > That is the bit of work that no one seems to really have picked up.
Makes sense. It's also possible in that case that it's not a sign of stable/liberty being unmaintainable, but rather implies that the vulnerability as fixed in stable/mitaka falls below the effective severity threshold to warrant a security advisory. Put another way, I'd like to find some reasonable means to explain the lack of a fix in a "supported" stable branch. If the VMT and stable branch maintainers need accept the possibility that something can be treated as a vulnerability by the OpenStack community but only fixed in some supported branches, that introduces a lot of additional uncertainty for downstream consumers of our advisory process and the associated patches tracked by it. -- Jeremy Stanley
Description: Digital signature
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev