Folks,
In light of the recent VPP Security Vulnerability, the FD.io TSC
discussed and would like to recommend that each project adopt and
publish a retention policy for packages uploaded to
https://packagecloud.io/fdio.
The Security Response Team is recommending that any package which was
built from source that contains a public vulnerability in the form of a
published CVE record be removed from packagecloud.io/fdio as soon as
practicable after publication.
An additional factor to consider for a retention policy is the
availability of CI infrastructure to generate build artifacts. CI jobs
for releases which are no longer supported are removed shortly after the
release has passed the End-Of-Life date. In the TSC discussion, it was
agreed that it made sense to remove the associated release and stable
branch artifacts at the time the CI infrastructure was removed. For the
most part, artifacts uploaded to packagecloud.io are either consumed by
the CI (e.g. CSIT performance tests), or are made available for
newcomers to evaluate FD.io software without having to build it from
scratch. It would be best to encourage all consumers to use supported
software by retaining only those artifacts in packagecloud.io that are
based on supported releases.
As it currently stands, packagecloud.io/fdio has artifacts that date
back to early FD.io VPP releases (circa VPP 17.01). FD.io projects are
encouraged to be kind to packagecloud.io, which is generously donating
storage for Open Source project artifacts for free, by removing
antiquated build artifacts.
For VPP artifacts, let's discuss this at tomorrow's VPP Community Meeting.
Thanks,
-daw-
View/Reply Online (#22588): https://lists.fd.io/g/vpp-dev/message/22588