Hi OpenStack community,
I'm working on OpenStack projects at the company I work for. In OpenStack, a few projects (e.g. Cinder and Ironic) use vendor-supplied libraries. This means the vendor-neutral base code of the project is hosted in the OpenStack project repository, but the vendor hardware-specific logic is delegated to a vendor library that is called by the base code and is maintained by each hardware vendor in their own repository.
In the past, I faced a situation handling a vulnerability whose cause was in the vendor library but where, to handle the vulnerability, both the OpenStack code and the vendor library code had to be modified. To handle this, I consulted community members and asked them to coordinate the fix for the vulnerability in private (i.e. review the patch and prepare the commit not in public but in private, as in the usual security handling manner). However, the members were not willing to work on it together because the cause of the vulnerability was in the vendor-provided library. I felt it would be better for the community to, at least, be open to working on such vulnerabilities, because that policy may benefit the community. So I think it would be better to include a policy in the VMT document[1] such as "The community is encouraged to make an effort to be open to handling vulnerabilities in which both OpenStack community code and vendor-provided code must be modified".
What do you think about this?
Regards, Vanou Ishii