[openstack-dev] [neutron] How to handle security issues in external repos?
gessau at cisco.com
Fri Jul 3 20:01:38 UTC 2015
In the Liberty cycle Neutron is mandating the splitting out of "third-party"
plugins and drivers into separate repositories, see . These external
repositories will be managed by the maintainers of the code, who are
independent from the neutron core maintainers.

The question now arises about what to do when a security issue is found in such
an external repository that integrates with Neutron.

- How should such security issues be managed?
- Should the OpenStack security team be involved?
- Does a CVE need to be filed?
- Do the maintainers need to publish OSSN or equivalent documents?
- Anything else to consider here?