Hey all,

A recent topic at Ironic meetings the last couple of weeks have been around vulnerability management. Ironic has not been using the OpenStack VMT traditionally; for reasons that AFAICT are lost to time.

Is there any reason Ironic should not be vulnerability-managed? Is the security team willing to have us?

The only potential complication is that Ironic may receive reports for vendor libraries used by Ironic but not maintained by Ironic -- I was hoping there might already be some historical precedent for how we handle those; it can't be that unique to Ironic.

What do folks think?

Thanks,

Jay Faulkner

Ironic PTL

TC Member