[openstack-dev] [Security]Would people see a value in the cve-check-tool?

Jeremy Stanley fungi at yuggoth.org
Tue Aug 11 21:20:57 UTC 2015


On 2015-08-11 20:42:26 +0000 (+0000), Bhandaru, Malini K wrote:
[...]
> Another place I see value is running periodically against past
> releases – Icehouse, Juno etc to catch any vulnerabilities in
> production systems. When we issue security notes we typically
> specify any past releases that carry the vulnerability and this
> would be on par with that.
[...]

I don't see how this would help. We cap the versions of libraries we
support from PyPI solely for the benefit of our stable branch
testing. We can't support changing those upper bounds in already
existing stable releases since the vast majority of them don't have
similar stable backport policies for security fixes. So while this
tool might be able to *detect* that our prior releases only work
with vulnerable versions of dependencies, we could never *fix* those
ourselves so they'd be forever alerting on every run thereafter.

This is the sort of work which downstream package maintainers and
distributors are well equipped to take care of, and something which
we really can't control upstream at all.
-- 
Jeremy Stanley
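The point made above, that a stable branch's upper-bound cap on a dependency can make an advisory's fixed release permanently unreachable (so a scanner would keep alerting on every run), can be checked mechanically. The script below is an added example, not code from this thread, from OpenStack or from cve-check-tool: it parses simple requirement lines of the form "name>=A,<B", "name<B" or "name==A", and reports whether the cap admits any version at or above the first fixed release named in an advisory. Version handling is a deliberate simplification of PEP 440 (dotted integers only, no pre-release or local tags), and the package names, caps and fixed versions are constructed for illustration, not real advisory data.

```python
"""Added example (not from the mailing-list thread or cve-check-tool):
decide whether a stable branch's capped requirement can ever pull in the
first fixed release of a dependency named in an advisory.

Assumed simplifications: versions are dotted integers (no pre-release or
local tags), and "!=" exclusions are ignored when deciding reachability.
All package names, caps and fixed versions below are constructed.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
Clause = Tuple[str, Version]

# "name" followed by specifier clauses, with an optional trailing comment.
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(.*?)\s*(?:#.*)?$")
_SPEC_RE = re.compile(r"(==|>=|<=|<|>|!=)\s*([0-9][0-9.]*)")


def parse_version(text: str) -> Version:
    """'1.10.2' -> (1, 10, 2). Shorter tuples are zero-padded in _cmp."""
    return tuple(int(part) for part in text.strip().split("."))


def _cmp(a: Version, b: Version) -> int:
    """Three-way compare with zero padding so (1, 5) == (1, 5, 0)."""
    n = max(len(a), len(b))
    a2, b2 = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a2 > b2) - (a2 < b2)


def parse_requirement(line: str) -> Tuple[str, List[Clause]]:
    """Split 'libfoo>=1.2,<1.5  # why' into ('libfoo', [('>=', (1,2)), ('<', (1,5))])."""
    m = _REQ_RE.match(line)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    name, spec = m.group(1).lower(), m.group(2)
    clauses = [(op, parse_version(v)) for op, v in _SPEC_RE.findall(spec)]
    return name, clauses


def fix_reachable(req_line: str, fixed_version: str) -> bool:
    """True if some version >= fixed_version lies inside the requirement's cap.

    Only the ceiling matters: a lower bound can never prevent reaching a fix,
    and an exact pin reaches the fix only if the pinned version is new enough.
    """
    _, clauses = parse_requirement(req_line)
    fixed = parse_version(fixed_version)
    for op, bound in clauses:
        if op == "<" and _cmp(fixed, bound) >= 0:
            return False  # exclusive cap sits at or below the fix
        if op == "<=" and _cmp(fixed, bound) > 0:
            return False  # inclusive cap sits below the fix
        if op == "==" and _cmp(bound, fixed) < 0:
            return False  # exact pin older than the fix
    return True


def report(requirements: str, advisories: Dict[str, str]) -> Dict[str, bool]:
    """For each advised package present in the requirements text, map the
    package name to whether its cap admits the fixed release."""
    result: Dict[str, bool] = {}
    for line in requirements.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        name, _ = parse_requirement(line)
        if name in advisories:
            result[name] = fix_reachable(line, advisories[name])
    return result


# Constructed stable-branch style caps (not a real OpenStack requirements file).
SAMPLE_REQUIREMENTS = """\
# constructed upper-constraints for an old stable branch
libfoo>=1.2,<1.5     # capped for stable testing
libbar>=2.0,<3.0
libbaz==0.9.1
"""

# Constructed advisories: package -> first release carrying the fix.
SAMPLE_ADVISORIES = {"libfoo": "1.6.0", "libbar": "2.4.1", "libbaz": "0.9.2"}


if __name__ == "__main__":
    for pkg, ok in sorted(report(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES).items()):
        state = "fix admitted by cap" if ok else "fix UNREACHABLE under cap (perpetual alert)"
        print(f"{pkg}: {state}")
```

In the constructed data, libfoo and libbaz can never receive their fixes without raising the cap, which is exactly the case where the scanner would alert forever, while libbar's cap still admits the fixed release.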