Hi OpenStack community,
I’m working on an OpenStack project at my employer.
In OpenStack, a few projects (e.g. Cinder and Ironic) use a vendor-supplied library.
This means the vendor-neutral base code of the project is hosted under the OpenStack project repository,
but vendor-hardware-specific logic is delegated to a vendor library, which is called by the base code
and is maintained by each hardware vendor under their own repository.
In the past, I faced a situation where I had to handle a vulnerability whose cause was in a
vendor library but, to handle the vulnerability, both the OpenStack code and the vendor library code
had to be modified.
To handle this, I consulted community members and asked them to coordinate to fix the vulnerability
in a private way (i.e. review the patch and prepare the commit privately rather than publicly, as in the usual
security handling manner). However, the members were not willing to work on it together because the cause of the
vulnerability was in the vendor-provided library.
I felt it’s better for the community to, at least, be open to working on such vulnerabilities, because that policy
may benefit the community. So I think it’s better to include a policy in the VMT document[1] like:
“The community is encouraged to make an effort to be open to handling vulnerabilities in which both
OpenStack community code and vendor-provided code should be modified”.
What do you think about this?
Regards,
Vanou Ishii