On 2015-09-01 18:56:38 + (+), Jeremy Stanley wrote:
[...]
> In the spirit of proper transparency, I'm initiating a frank and
> open dialogue on what our criteria for direct vulnerability
> management within the VMT would require of a deliverable and its
> controlling project-team.
[...]
On 2015-09-02 17:47:20 + (+), Tristan Cacqueray wrote:
[...]
> Any supported programming language by the OpenStack project should/could
> also be accepted for vulnerability management.
> As long as there is a way to test patch, I think the VMT can support
> other languages like Go or
Thank you Jeremy for starting this discussion :-)
Proposed criteria work for me and they concur with what has been
discussed in Vancouver.
My comments on the open-question below.
On 09/01/2015 06:56 PM, Jeremy Stanley wrote:
> A. Can the VMT accept deliverables in any programming language?
Some out-of-context quotes and comments below:
Jeremy Stanley wrote:
> [...]
> 1. Since the vulnerability:managed governance tag applies to
> deliverables, all repos within a given deliverable must meet the
> qualifying criteria. This means that if some repos in a deliverable
> are in good enough
Bringing OpenStack vulnerability management processes to the Big
Top started a couple months ago with creation of a deliverable tag
called vulnerability:managed, the definition of which can be found
at:
http://governance.openstack.org/reference/tags/vulnerability_managed.html
Its initial