[requirements][requests] security update for requests in stable branches

Jesse Pretorius jesse at odyssey4.me
Fri Feb 15 18:57:31 UTC 2019


On 2/15/19, 6:20 PM, "Jeremy Stanley" <fungi at yuggoth.org> wrote:

    On 2019-02-15 13:06:21 -0500 (-0500), Jim Rollenhagen wrote:
    [...]
    > I know openstack-ansible and kolla both (optionally?) deploy from source,
    > so maybe it's time to start talking about it. Or should those projects
    > handle security fixes themselves when deploying from source?

If I read the situation correctly, requests posted a CVE. Given that requests is a non-OpenStack python library, while it is part of our ecosystem, it is not directly curated by the OpenStack community.

From the OSA standpoint, as long as upper-constraints updates the version to include the fix, we inherit it. I think that packagers and us, along with ansible-helm and kolla, all rely on that mechanism - however, if the stance is that non-OpenStack libraries are not something managed through the requirements team then we (OSA) can work around it because we have our own override mechanisms... but those are meant to only be for temporary purposes. Any OSA community member should be proposing changes to the requirements repo if something like this comes up.

I would also hope that, generally, the desire for devstack tests would be to test with the same thing that everyone is using, to validate whether those new library versions might break things.

Personally, I think a 'best effort' approach is good enough. If CVEs are discovered in the community, then ideally we should cater to test with the updated libraries as far up the chain as possible. We should all be making the effort, however, to adhere to https://governance.openstack.org/tc/reference/principles.html#openstack-first-project-team-second-company-third - improving OpenStack for the greater good of the community.
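The "as long as upper-constraints updates the version, we inherit it" mechanism above can be verified mechanically on a branch: parse the constraints file and confirm each package of interest is pinned at or above the version that carries the fix. The script below is an added example, not part of this thread or of any OpenStack or requirements-team tooling; the constraints content is constructed inline, and the minimum versions are placeholders to be replaced with the fixed version named by the actual advisory.

```python
"""Check whether pins in an upper-constraints-style file meet a minimum
(fixed) version per package. Example code; not OpenStack tooling."""
import re

# Constructed sample in the "name===version" form used by upper-constraints.txt,
# including a line with an environment marker and a comment line.
SAMPLE_CONSTRAINTS = """\
# constructed sample, not a real branch's file
requests===2.20.0
urllib3===1.24.1
six===1.11.0;python_version=='2.7'
"""

_PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*===?\s*([0-9][0-9A-Za-z.]*)$")


def parse_constraints(text):
    """Return {normalised_name: version} for every pin line in the text.
    Comments and environment markers (after ';') are ignored; the first pin
    seen for a name wins."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        spec = line.split(";", 1)[0].strip()
        m = _PIN_RE.match(spec)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")
        pins.setdefault(name, m.group(2))
    return pins


def version_key(version):
    """Tuple of leading integers per dotted component, padded to three places,
    so that '2.20.0' > '2.19.1'. Non-numeric suffixes are dropped."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def check_minimums(text, minimums):
    """Compare constraints text against {name: minimum_version}.
    Returns a list of (name, pinned_version_or_None, status) where status is
    'ok', 'too-old' or 'missing'."""
    pins = parse_constraints(text)
    results = []
    for name, minimum in minimums.items():
        pinned = pins.get(name.lower().replace("_", "-"))
        if pinned is None:
            results.append((name, None, "missing"))
        elif version_key(pinned) < version_key(minimum):
            results.append((name, pinned, "too-old"))
        else:
            results.append((name, pinned, "ok"))
    return results


if __name__ == "__main__":
    # Placeholder minimums; substitute the fixed versions from the real advisory.
    for row in check_minimums(SAMPLE_CONSTRAINTS,
                              {"requests": "2.20.0", "urllib3": "1.24.2",
                               "cryptography": "2.3"}):
        print(row)
```

A 'too-old' or 'missing' result is the signal that the branch's constraints file needs a requirements-repo change rather than a deployment-side override.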


