[all][requirements][stable] requests version bump on stable branches {pike|queens} for CVE-2018-18074

Jeremy Stanley fungi at yuggoth.org
Mon May 13 13:51:03 UTC 2019

On 2019-05-13 09:42:30 -0400 (-0400), Jean-Philippe Evrard wrote:
> I agree with Jesse, we should do as much upstream as we can, so
> that the whole community benefits from it. If things are updated
> on a best effort basis in u-c, more than a single project benefits
> from this. If things are not updated on a best effort basis, then
> source based deployment projects should discuss together on making
> this a reality. In all cases, this deserves documentation if it's
> not documented already (I totally missed that part of the
> documentation myself).

I don't see anything wrong with a best-effort attempt by folks who
build or rely on source-based deployments from stable branches; my
primary concerns remain:

1. This goal is tangential to (and even conflicting with) the
purpose of the requirements repository's upper-constraints.txt file
so should probably be managed independently of that.

2. As a project we should be clear that this is a not-at-all-timely
post-hoc attempt at reflecting somewhat secure deployment sets and
can't guarantee we will always be able to find a solution for (or
perhaps even notice) many future vulnerabilities in the transitive
dependency tree where stable branches of our software are concerned.
Jeremy Stanley
