[openstack-dev] [release][tc][infra][security][stable] Proposal for shipping binaries and containers
thierry at openstack.org
Wed May 24 12:22:14 UTC 2017
Doug Hellmann wrote:
> Excerpts from Davanum Srinivas (dims)'s message of 2017-05-23 10:44:30 -0400:
>> For projects based on Go and Containers we need to ship binaries, for
> Can you elaborate on the use of the term "need" here. Is that because
> otherwise the projects can't be consumed? Is it the "norm" for
> projects from those communities? Something else?
dims will likely answer directly, but I would say because it is the
"norm" there. If we were a Java project, we would definitely be
publishing JARs, for the exact same reason. Oh, wait. We actually do
Java stuff, so we ship JARs already:
>> example Kubernetes, etcd both ship binaries and maintain stable
>> branches as well.
>> Kubernetes for example ships container images to public registries as well:
> What are the support lifetimes for those images? Who maintains them?
That's a good question. Due to various bundling and dependency
inclusion, security maintenance on those artifacts is definitely more
costly than our usual artifacts. Here by default I would say it's
probably best effort from the teams themselves.
That said, only a small fraction of our current OpenStack deliverables
are supported by the VMT and therefore properly security-maintained "by
the community" with strong guarantees and processes. So I don't see
adding such binary deliverables (maintained by their respective teams)
as a complete revolution. I'd expect the VMT to require a lot more
staffing (like dedicated people to track those deliverables content)
before they would consider those security-supported.
Thierry Carrez (ttx)