On 2019-02-15 13:06:21 -0500 (-0500), Jim Rollenhagen wrote:
[...]
> I know openstack-ansible and kolla both (optionally?) deploy from source,
> so maybe it's time to start talking about it. Or should those projects
> handle security fixes themselves when deploying from source?

If they're aggregating non-OpenStack software (that is, acting as a
full software distribution) then they ought to be tracking and
managing vulnerabilities in that software. I don't see that as being
the job of the Requirements team to manage it for them. This is
especially true in cases where the output is something like server
or container images which include plenty of other software not even
tracked by the requirements repository at all, any of which could
have security vulnerabilities as well.