[openstack-dev] Lack of quota - security bug or not?
ihrachys at redhat.com
Thu Dec 11 10:53:29 UTC 2014
On 10/12/14 22:12, Jeremy Stanley wrote:
> On 2014-12-10 16:07:35 -0500 (-0500), Jay Pipes wrote:
>> On 12/10/2014 04:05 PM, Jeremy Stanley wrote:
>>> I think the bigger question is whether the lack of a quota
>>> implementation for everything a tenant could ever possibly
>>> create is something we should have reported in secret, worked
>>> under embargo, backported to supported stable branches, and
>>> announced via high-profile security advisories once fixed.
>> Sure, fine.
> Any tips for how to implement new quota features in a way that the
> patches won't violate our stable backport policies?
If we consider it a security issue worth a CVE, then security concerns
generally beat stability concerns. We'll obviously need to document
the change in default behaviour in release notes though, and maybe
provide a documented way to disable the change for stable releases (I
suspect we already have a way to disable specific quotas, but we
should make sure it's the case and we provide operators commands ready
to be executed to achieve this).