[openstack-dev] [release][requirements][packaging][summit] input needed on summit discussion about global requirements

Jeremy Stanley fungi at yuggoth.org
Wed Apr 20 17:24:27 UTC 2016

On 2016-04-19 11:30:38 -0500 (-0500), Ian Cordasco wrote:
> I've argued with different downstream distributors about their own
> judgment of what portions of the patch to apply in order to fix an
> issue with an assigned CVE. It took much longer than should have
> been necessary in at least one of those cases where it did affect
> OpenStack

I won't disagree that it's a double-edged sword, but on balance
having established, organized distros managing security backporting
for their packages helps in a lot more situations of lax upstream
security posture than it hinders responsive upstreams (probably
because there are a lot more of the former than the latter). At
least it's seemed to me that a majority of vulnerability
announcements posted on the oss-sec ML come from distro security
teams as compared to upstream security teams, though this also may
just be due to having a lot more low-popularity projects packaged in
major distros and written by small teams who don't have experience
handling vulnerability reports.

Jeremy Stanley

