On 10/4/25, 15:22, "Jeremy Stanley" <fungi@yuggoth.org> wrote:
On 2025-04-10 09:46:07 -0300 (-0300), Winicius Allan wrote:
> What you could do is to build your own image
[...]
This is highly encouraged for production systems and other sensitive
deployments regardless. The OpenStack community does not have
resources to track or manage problems like security vulnerabilities
in the various non-OpenStack software contained in these images, and
the container images published by the community are therefore meant
as examples for testing and non-critical prototyping. The frozen
dependency constraints on stable OpenStack branches are going to
fall progressively out of date as time moves forward, and this is
intentional as they're a snapshot in time for the purposes of
stabilizing upstream testing processes; these frozen dependency
versions will accumulate more and more known vulnerabilities over
time.
Production deployments should be done with images you build and
test, using versions of dependencies you track and audit for
potential security risks so that you can directly mitigate or patch
them accordingly.
Thanks for this clear explanation, Jeremy. This is something that everyone using OpenStack in production must be aware of.
Best regards,
Alberto
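One way to act on the advice above, namely to keep the frozen pins you build from under your own audit rather than trusting a stale upstream snapshot, as an added example that is not code from the OpenStack project or from anyone in this thread: parse a constraints file in the `name===version` syntax that OpenStack's upper-constraints.txt uses (optional environment marker after `;`, comments, blank lines), then compare each pin against a list of known-vulnerable versions. Every package name, version and advisory below is constructed for illustration and describes no real vulnerability; in practice the advisory table would come from a feed such as the output of a tool like pip-audit, not from a hard-coded list.

```python
"""
Audit a frozen pip constraints file against a list of advisories.

Added example, not OpenStack project code. Package names, versions and
advisories are CONSTRUCTED and do not describe real vulnerabilities.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One pin per line: name===version, optionally followed by ';marker'.
PIN_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*===\s*([0-9][0-9A-Za-z.]*)\s*(?:;(.*))?$"
)


@dataclass(frozen=True)
class Pin:
    name: str               # PEP 503 normalized name
    version: str
    marker: Optional[str]   # environment marker text, if any


@dataclass(frozen=True)
class Advisory:
    name: str
    fixed_in: str           # first version that is NOT affected
    summary: str


def normalize(name: str) -> str:
    """PEP 503 normalization so 'Lib-Gamma' and 'lib_gamma' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> Tuple:
    """Comparison key for release versions like '1.26.18'.

    Each dotted segment becomes (number, 1 if no suffix else 0, suffix), so a
    pre-release such as '2.0rc1' sorts before the final '2.0'. This is
    deliberately simpler than full PEP 440 and is adequate for '===' pins.
    """
    key = []
    for seg in version.split("."):
        m = re.match(r"(\d+)(.*)", seg)
        if m:
            suffix = m.group(2)
            key.append((int(m.group(1)), 1 if suffix == "" else 0, suffix))
        else:
            key.append((-1, 0, seg))
    return tuple(key)


def parse_constraints(text: str) -> List[Pin]:
    """Parse upper-constraints style text; reject anything that is not a === pin."""
    pins: List[Pin] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a '===' pin: {raw!r}")
        name, version, marker = m.groups()
        pins.append(Pin(normalize(name), version, marker.strip() if marker else None))
    return pins


def audit(pins: List[Pin], advisories: List[Advisory]) -> List[Tuple[Pin, Advisory]]:
    """Return (pin, advisory) pairs whose pinned version is below the fix.

    A package may be pinned more than once with different markers (one pin per
    Python version); each affected pin is reported separately.
    """
    by_name: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_name.setdefault(normalize(adv.name), []).append(adv)
    findings = []
    for pin in pins:
        for adv in by_name.get(pin.name, []):
            if version_key(pin.version) < version_key(adv.fixed_in):
                findings.append((pin, adv))
    return findings


# Constructed sample snapshot: all names and versions are made up.
SAMPLE_CONSTRAINTS = """\
# constructed upper-constraints snapshot
libalpha===1.4.2
libbeta===0.9.0;python_version<'3.9'
libbeta===1.2.0;python_version>='3.9'
Lib-Gamma===3.0.0
"""

# Constructed advisory table: hypothetical, no real vulnerabilities.
SAMPLE_ADVISORIES = [
    Advisory("libbeta", "1.0.0", "constructed advisory, fixed in 1.0.0"),
    Advisory("lib_gamma", "3.0.0", "constructed advisory, fixed in 3.0.0"),
    Advisory("libalpha", "1.5.0", "constructed advisory, fixed in 1.5.0"),
]


def audit_sample() -> List[Tuple[Pin, Advisory]]:
    return audit(parse_constraints(SAMPLE_CONSTRAINTS), SAMPLE_ADVISORIES)


if __name__ == "__main__":
    for pin, adv in audit_sample():
        where = f" [{pin.marker}]" if pin.marker else ""
        print(f"{pin.name}=={pin.version}{where}: {adv.summary}")
```

Run against the sample, the check flags `libalpha` 1.4.2 and the Python-3.8 pin of `libbeta` (0.9.0), while the 1.2.0 pin of `libbeta` and `lib-gamma` 3.0.0 (pinned exactly at the fixed version) pass. Re-running this each time you rebuild an image, with advisory data refreshed from a real feed, is what "versions of dependencies you track and audit" amounts to in practice.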