[openstack-dev] [release][tc][infra][security][stable] Proposal for shipping binaries and containers
fungi at yuggoth.org
Wed May 24 14:54:41 UTC 2017
On 2017-05-24 14:22:14 +0200 (+0200), Thierry Carrez wrote:
> we ship JARs already:
Worth pointing out, those all have "SNAPSHOT" in their filenames
which by Apache Maven convention indicates they're not official
releases. Also they're only being hosted from our
tarballs.openstack.org site, not published to the Maven Central
Repository (the equivalent of DockerHub in this analogy).
> That said, only a small fraction of our current OpenStack deliverables
> are supported by the VMT and therefore properly security-maintained "by
> the community" with strong guarantees and processes. So I don't see
> adding such binary deliverables (maintained by their respective teams)
> as a complete revolution. I'd expect the VMT to require a lot more
> staffing (like dedicated people to track those deliverables content)
> before they would consider those security-supported.
The Kolla team _has_ expressed interest in attaining
vulnerability:managed for at least some of their deliverables in the
future, but exactly what that would look like from a coverage
standpoint has yet to be ironed out. I don't expect we would
actually cover general vulnerabilities present in any container
images, and would only focus on direct vulnerabilities in the Kolla
source repositories instead. Rather than extending the VMT to track
vulnerable third-party software present in images, it's more likely
the Kolla team would form their own notifications subgroup to track
and communicate such risks downstream.