[requirements][requests] security update for requests in stable branches

On 19-02-15 13:32:34, Jim Rollenhagen wrote:
> On Fri, Feb 15, 2019 at 1:18 PM Jeremy Stanley <fungi at> wrote:
> > On 2019-02-15 13:06:21 -0500 (-0500), Jim Rollenhagen wrote:
> > [...]
> > > I know openstack-ansible and kolla both (optionally?) deploy from source,
> > > so maybe it's time to start talking about it. Or should those projects
> > > handle security fixes themselves when deploying from source?
> >
> > If they're aggregating non-OpenStack software (that is, acting as a
> > full software distribution) then they ought to be tracking and
> > managing vulnerabilities in that software. I don't see that as being
> > the job of the Requirements team to manage it for them. This is
> > especially true in cases where the output is something like server
> > or container images which include plenty of other software not even
> > tracked by the requirements repository at all, any of which could
> > have security vulnerabilities as well.
> >
> That's fair - I had to ask, given I believe they just take what the
> requirements.txt file gives them. Hopefully those projects are
> aware of this policy already. :)

I bugged OSA about it.  What I'd like to do is to do updates on a
best-effort basis (in this case a user reported the bug to us).
You can't rely on requirements to monitor upper-constraints for
security issues.

Matthew Thode
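Since the thread turns on nobody automatically monitoring upper-constraints pins for security issues, here is an added example (not part of this thread and not OpenStack's own tooling) of the kind of best-effort check a consuming project could run: it parses the `name===version` pin format used by upper-constraints.txt and flags any pin older than the first fixed version in an advisory list. The constraints text, the advisory data, its versions and its identifiers are all constructed placeholders; dotted all-numeric versions are assumed.

```python
"""Flag pinned packages in an upper-constraints style file that are below
the first fixed version listed in a set of advisories (illustrative only)."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the upper-constraints.txt format: "name===version",
# optionally followed by an environment marker after ';'.
SAMPLE_CONSTRAINTS = """\
requests===2.20.0
urllib3===1.24.1
six===1.12.0;python_version=='2.7'
# a comment line is ignored
"""

# Constructed advisory data (package -> (first fixed version, identifier)).
# Versions and identifiers are placeholders, not real advisories.
SAMPLE_ADVISORIES = {
    "requests": ("2.20.1", "ADVISORY-PLACEHOLDER-1"),
    "urllib3": ("1.24.2", "ADVISORY-PLACEHOLDER-2"),
}

# A pin line: package name, "===", then a dotted numeric version.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*===\s*([0-9][0-9.]*)")


def parse_constraints(text: str) -> Dict[str, str]:
    """Return {package_name_lowercase: pinned_version}, skipping comments."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = PIN_RE.match(line) if line else None
        if match:
            pins[match.group(1).lower()] = match.group(2)
    return pins


def version_key(version: str) -> Tuple[int, ...]:
    """Comparison key for dotted numeric versions (assumption: no suffixes)."""
    return tuple(int(part) for part in version.split("."))


def find_vulnerable_pins(pins: Dict[str, str], advisories) -> List[Tuple[str, str, str, str]]:
    """Return (name, pinned, first_fixed, advisory_id) for every affected pin."""
    hits = []
    for name, (fixed, ident) in advisories.items():
        pinned = pins.get(name.lower())
        if pinned is not None and version_key(pinned) < version_key(fixed):
            hits.append((name, pinned, fixed, ident))
    return sorted(hits)


if __name__ == "__main__":
    for name, pinned, fixed, ident in find_vulnerable_pins(parse_constraints(SAMPLE_CONSTRAINTS), SAMPLE_ADVISORIES):
        print(f"{name}: pinned {pinned} is below first fixed {fixed} ({ident})")
```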