On Fri, Feb 15, 2019 at 1:18 PM Jeremy Stanley <fungi@yuggoth.org> wrote:
On 2019-02-15 13:06:21 -0500 (-0500), Jim Rollenhagen wrote: [...]
I know openstack-ansible and kolla both (optionally?) deploy from source, so maybe it's time to start talking about it. Or should those projects handle security fixes themselves when deploying from source?
If they're aggregating non-OpenStack software (that is, acting as a full software distribution) then they ought to be tracking and managing vulnerabilities in that software. I don't see that as being the job of the Requirements team to manage it for them. This is especially true in cases where the output is something like server or container images which include plenty of other software not even tracked by the requirements repository at all, any of which could have security vulnerabilities as well.
That's fair - I had to ask, given I believe they just take what the requirements.txt file gives them. Hopefully those projects are aware of this policy already. :) // jim