2016-09-22 15:58 GMT+02:00 Matt Riedemann :
> 1. We don't bump minimums just because a new thing comes out in a given
> release, we only bump minimums when something that uses that dependency
> needs a higher minimum version.
>
> 2. Looking at this:
>
> https://github.com/openstack/releases/blob/ma
On Tue, Sep 20, 2016 at 12:48:49PM +0200, Kashyap Chamarthy wrote:
> The said patch in question fixes a CVE[x] in stable/liberty.
>
> We currently have two options, both of them have caused an impasse with
> the Nova upstream / stable maintainers. We've had two-ish months to
> mull over this. I'
On 9/22/2016 8:05 AM, Alan Pevec wrote:
We have:
* global-requirements.txt:
origin/stable/liberty : oslo.concurrency>=2.3.0 # Apache-2.0
But wasn't that wrong from the start?
First Liberty release of oslo.concurrency was 2.6.0 why was that not
bumped in g-r ?
Cheers,
Alan
___
> We have:
> * global-requirements.txt:
> origin/stable/liberty : oslo.concurrency>=2.3.0 # Apache-2.0
But wasn't that wrong from the start?
First Liberty release of oslo.concurrency was 2.6.0 why was that not
bumped in g-r ?
Cheers,
Alan
On Thu, Sep 22, 2016 at 04:25:00PM +1000, Tony Breeds wrote:
> On Wed, Sep 21, 2016 at 02:05:51PM -0400, Sean Dague wrote:
>
> > Well, the risk profile of what has to be changed for stable/liberty
> > (given that all the actual code is buried in libraries which have tons
> > of other changes). Spe
On Wed, Sep 21, 2016 at 02:05:51PM -0400, Sean Dague wrote:
> Well, the risk profile of what has to be changed for stable/liberty
> (given that all the actual code is buried in libraries which have tons
> of other changes). Special cherry-picked library versions would be
> needed to fix this witho
On 2016-09-21 14:05:51 -0400 (-0400), Sean Dague wrote:
[...]
> Well, the risk profile of what has to be changed for stable/liberty
> (given that all the actual code is buried in libraries which have tons
> of other changes). Special cherry-picked library versions would be
> needed to fix this with
On 09/21/2016 02:03 PM, Jeremy Stanley wrote:
> On 2016-09-21 15:41:11 +1000 (+1000), Tony Breeds wrote:
>> On Tue, Sep 20, 2016 at 11:57:26AM +0100, Daniel P. Berrange wrote:
> [...]
>>> (3) Do nothing, leave the bug unfixed in stable/liberty
>>>
>>> While this is a security bug, it is one that
On 2016-09-21 15:41:11 +1000 (+1000), Tony Breeds wrote:
> On Tue, Sep 20, 2016 at 11:57:26AM +0100, Daniel P. Berrange wrote:
[...]
> > (3) Do nothing, leave the bug unfixed in stable/liberty
> >
> > While this is a security bug, it is one that has existed in every single
> > openstack release
On Tue, Sep 20, 2016 at 11:57:26AM +0100, Daniel P. Berrange wrote:
> On Tue, Sep 20, 2016 at 12:48:49PM +0200, Kashyap Chamarthy wrote:
> > The said patch in question fixes a CVE[x] in stable/liberty.
> >
> > We currently have two options, both of them have caused an impasse with
> > the Nova ups
On 9/20/2016 4:17 PM, Matt Riedemann wrote:
On 9/20/2016 7:38 AM, Alan Pevec wrote:
2016-09-20 13:27 GMT+02:00 Kashyap Chamarthy :
(3) Do nothing, leave the bug unfixed in stable/liberty
That was the unspoken third option, thanks for spelling it out. :-)
Yes, let's abandon both reviews.
On 9/20/2016 7:38 AM, Alan Pevec wrote:
2016-09-20 13:27 GMT+02:00 Kashyap Chamarthy :
(3) Do nothing, leave the bug unfixed in stable/liberty
That was the unspoken third option, thanks for spelling it out. :-)
Yes, let's abandon both reviews.
Cheers,
Alan
___
2016-09-20 13:27 GMT+02:00 Kashyap Chamarthy :
>> (3) Do nothing, leave the bug unfixed in stable/liberty
>
> That was the unspoken third option, thanks for spelling it out. :-)
Yes, let's abandon both reviews.
Cheers,
Alan
__
On Tue, Sep 20, 2016 at 11:57:26AM +0100, Daniel P. Berrange wrote:
> On Tue, Sep 20, 2016 at 12:48:49PM +0200, Kashyap Chamarthy wrote:
[...]
> > The two options at hand:
> >
> > (1) Nova backport from master (that also adds a check for the presence
> > of 'ProcessLimits' attribute which is
On Tue, Sep 20, 2016 at 12:48:49PM +0200, Kashyap Chamarthy wrote:
> The said patch in question fixes a CVE[x] in stable/liberty.
>
> We currently have two options, both of them have caused an impasse with
> the Nova upstream / stable maintainers. We've had two-ish months to
> mull over this. I'
The said patch in question fixes a CVE[x] in stable/liberty.
We currently have two options, both of them have caused an impasse with
the Nova upstream / stable maintainers. We've had two-ish months to
mull over this. I'd prefer to get this out of a limbo, & bring this to
a logical conclusion.
T
16 matches
Mail list logo