On Fri, Feb 15, 2019 at 1:02 PM Jeremy Stanley <fungi@yuggoth.org> wrote:
On 2019-02-15 01:27:49 -0600 (-0600), Matthew Thode wrote:
Recently it was reported to us that requests had a recent release that addressed a CVE (CVE-2018-18074). Requests has no stable branches so the only way to update openstack stable branches is to update to 2.20.1 in this case. [...]
In the past we've assumed that folks consuming stable branches are doing so on distributions which are backporting security fixes for our dependencies anyway, so treating requirements for stable branches as a snapshot in time (even if that snapshot includes versions of dependencies with known vulnerabilities) is acceptable.
Interesting, I didn't realize this. I know openstack-ansible and kolla both (optionally?) deploy from source, so maybe it's time to start talking about it. Or should those projects handle security fixes themselves when deploying from source? // jim