I'm mostly a stalker on this list, but if anyone's input is welcome, then a big fat +1 to George's comments from me. I just patched Bash versions from EL 4 systems for Shellshock. The least we can do is patch one-ago versions for vulnerabilities.
-Erik

On Sep 29, 2014 7:41 PM, "George Shuklin" <[email protected]> wrote:
>
> On 09/30/2014 01:55 AM, Jeremy Stanley wrote:
>
>> On 2014-09-29 21:59:32 +0300 (+0300), George Shuklin wrote:
>>
>>> Means no fixes for havana?
>>>
>> [...]
>>
>> Yes, that should have just said "Versions: up to 2014.1.2" as havana
>> is already past the end of support from the OpenStack vulnerability
>> management team and stable branch managers. I'm presently working on
>> the patches to our CI to tear out testing for it, and the
>> stable/havana branches of all our projects will most likely be
>> tagged "havana-eol" and deleted some time this week.
>>
> I think this is just _NOT_RIGHT_. I understand the 'end of bugfixes' idea:
> either the software suits you perfectly, or you upgrade.
>
> But security and data loss bugs are different from normal ones. They can hit
> even if the user is completely happy with the software's functionality, and
> harm really badly not only the user, but everyone around.
>
> Saying 'you should upgrade all your infrastructure at least once every
> year' is a bad idea. Lots of stuff changes at every new release and it is not
> like 'upgrade nginx from 1.1 to 1.4 - no one will notice'. An OpenStack
> upgrade is always huge: changes in configuration, sometimes manual database
> migration, deprecation and 'new recommended' stuff in all places.
>
> Security fixes should be continued at least twice as long as normal
> bugfixes.
>
> This model (all important bugfixes released and then no security fixes of
> any kind at all) just looks like a yummy cake for 'redistributors'
> - but no one knows if they are capable of backporting all new fixes or not...
>
> You can say 'go and upgrade', but usually the fresh version of OpenStack is
> just too raw and buggy. Example: a bug in neutron (havana) which caused
> instances to lose networking on reboot was fixed a year after the initial
> release. And security support was dropped right after that release.
_______________________________________________
OpenStack-operators mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
