[openstack-dev] [Ironic] [TC] Discussion: changing Ironic's release model

Thierry Carrez thierry at openstack.org
Fri May 29 09:47:36 UTC 2015


Lucas Alvares Gomes wrote:
>>> - OpenStack coordinated releases are taken from latest independent release
>>> - that release will then get backports & stable maintenance, other
>>> independent releases don't
>>
>> So no stable branch for other independent releases? What if a serious security
>> issue is found in one of these? Will we advise users to downgrade to the
>> latest coordinated release?
> 
> Good point, but I think that would be extremely hard and costly to
> maintain a bunch of stable branches at once. So having a stable branch
> every 6 months to follow the OpenStack model seems enough. If we find
> a serious security issue, we could advise the user to downgrade to the
> last coordinated release to which the fix was backported, or if the user is
> following the feature-based release of Ironic we can fix the problem
> and cut a new release and advise the user to use that instead.

Right, there is no way under our current setup to support more than a
(common) stable branch every 6 months. That means if people use
intermediary releases and a vulnerability is found, they can either
backport the fix to their code, work around the issue until the next
version is released, or downgrade to tracking the last stable branch.

As far as vulnerability management goes, we already publish the "master"
fix as part of the advisory, so people can easily find that. The only
thing the VMT might want to reconsider is: when an issue is /only/
present in the master branch and was never part of a release, it
currently gets fixed silently there, without an advisory being
published. I guess that could be evolved to "publish an advisory if the
issue was in any released version". That would still not give users of
intermediary versions a pure backport for their version, but give them
notice and a patch to apply. I also suspect that for critical issues
Ironic would issue a new intermediary release sooner rather than later.

-- 
Thierry Carrez (ttx)
