On 2019-02-15 13:06:21 -0500 (-0500), Jim Rollenhagen wrote: [...]
> I know openstack-ansible and kolla both (optionally?) deploy from source, so maybe it's time to start talking about it. Or should those projects handle security fixes themselves when deploying from source?
If they're aggregating non-OpenStack software (that is, acting as a full software distribution) then they ought to be tracking and managing vulnerabilities in that software. I don't see that as being the job of the Requirements team to manage it for them. This is especially true in cases where the output is something like server or container images which include plenty of other software not even tracked by the requirements repository at all, any of which could have security vulnerabilities as well.

-- 
Jeremy Stanley