On 2016-09-21 14:05:51 -0400 (-0400), Sean Dague wrote:
> Well, the risk profile of what has to be changed for stable/liberty
> (given that all the actual code is buried in libraries which have tons
> of other changes). Special cherry-picked library versions would be
> needed to fix this without openning up a ton of risk for breaking
> stable/liberty badly.
> That is the bit of work that no one seems to really have picked up.

Makes sense. It's also possible in that case that it's not a sign of
stable/liberty being unmaintainable, but rather implies that the
vulnerability as fixed in stable/mitaka falls below the effective
severity threshold to warrant a security advisory.

Put another way, I'd like to find some reasonable means to explain
the lack of a fix in a "supported" stable branch. If the VMT and
stable branch maintainers need accept the possibility that something
can be treated as a vulnerability by the OpenStack community but
only fixed in some supported branches, that introduces a lot of
additional uncertainty for downstream consumers of our advisory
process and the associated patches tracked by it.
Jeremy Stanley

Attachment: signature.asc
Description: Digital signature

OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe

Reply via email to