On 2025-04-10 09:46:07 -0300 (-0300), Winicius Allan wrote:
> What you could do is to build your own image [...]

This is highly encouraged for production systems and other sensitive deployments regardless. The OpenStack community does not have resources to track or manage problems like security vulnerabilities in the various non-OpenStack software contained in these images, and the container images published by the community are therefore meant as examples for testing and non-critical prototyping. The frozen dependency constraints on stable OpenStack branches are going to fall progressively out of date as time moves forward, and this is intentional as they're a snapshot in time for the purposes of stabilizing upstream testing processes; these frozen dependency versions will accumulate more and more known vulnerabilities over time. Production deployments should be done with images you build and test, using versions of dependencies you track and audit for potential security risks so that you can directly mitigate or patch them accordingly.

--
Jeremy Stanley