[openstack-dev] [release][requirements][packaging][summit] input needed on summit discussion about global requirements

Matthew Thode prometheanfire at gentoo.org
Tue Apr 19 16:38:07 UTC 2016

On 04/19/2016 11:30 AM, Ian Cordasco wrote:
>> On 2016-04-19 14:59:19 +0200 (+0200), Thomas Goirand wrote:
>>> On 04/19/2016 01:01 PM, Chris Dent wrote:
>>>> On Tue, 19 Apr 2016, Thomas Goirand wrote:
>> [...]
>>>>> Most users are consuming packages from distributions. Also, if
>>>>> you're using containers, probably you will also prefer using
>>>>> these packages to build your containers: that's the most easy,
>>>>> safe and fast way to build your containers.
>>>> I predict that that is not going to last.
>>> That's what everyone says, but I'm convinced the majority will be
>>> proven wrong! :)
>> [...]
>> Could just be that my beard has gotten a little too grey, but I
>> still very much prefer using stabilized software packaged by
>> traditional Linux distributions or similar Unix derivatives and
>> covered under security patched backports. My hope has always been
>> that as the rapid pace of development at the center of OpenStack
>> starts to cool (and as the press moves on and OpenStack becomes a
>> lot more boring to talk about), we'll approach the sort of ecosystem
>> stabilization needed to make that less awkward downstream.
> Perhaps my beard is not grey enough, but as a developer and maintainer of several of OpenStack's dependencies (some of which have needed security backports) I've argued with different downstream distributors about their own judgment of what portions of the patch to apply in order to fix an issue with an assigned CVE. It took much longer than should have been necessary in at least one of those cases where it did affect OpenStack, so perhaps I am too confident in my ability to use tooling outside of distribution provided packages but to date I've had better luck using the source with the *complete* fixes.

Well, as one of those downstream packagers I hope I'm not in that list.
This is my ordering of how I try and remediate a sec issue.

1. I try to apply the entire patch to affected versions.
2. If that doesn't work and I can remove the bad versions I do that.
3. If that doesn't work I have to start getting creative :D

-- Matthew Thode (prometheanfire)
