[openstack-dev] [nova][stable/liberty] Backport impasse: "virt: set address space & CPU time limits when running qemu-img"

Jeremy Stanley fungi at yuggoth.org
Wed Sep 21 19:06:57 UTC 2016


On 2016-09-21 14:05:51 -0400 (-0400), Sean Dague wrote:
[...]
> Well, the risk profile of what has to be changed for stable/liberty
> (given that all the actual code is buried in libraries which have tons
> of other changes). Special cherry-picked library versions would be
> needed to fix this without opening up a ton of risk for breaking
> stable/liberty badly.
> 
> That is the bit of work that no one seems to really have picked up.

Makes sense. It's also possible in that case that it's not a sign of
stable/liberty being unmaintainable, but rather implies that the
vulnerability as fixed in stable/mitaka falls below the effective
severity threshold to warrant a security advisory.

Put another way, I'd like to find some reasonable means to explain
the lack of a fix in a "supported" stable branch. If the VMT and
stable branch maintainers need to accept the possibility that something
can be treated as a vulnerability by the OpenStack community but
only fixed in some supported branches, that introduces a lot of
additional uncertainty for downstream consumers of our advisory
process and the associated patches tracked by it.
-- 
Jeremy Stanley