[openstack-dev] [glance] security and swift multi-tenant fixes on stable branch

Flavio Percoco flavio at redhat.com
Fri Nov 14 15:50:14 UTC 2014


On 14/11/14 11:25 +0000, stuart.mclaren at hp.com wrote:
>
>>>On 2014-11-13 18:28:14 +0100 (+0100), Ihar Hrachyshka wrote:
>>>[...]
>>>I think those who maintain glance_store module in downstream
>>>distributions will cherry-pick the security fix into their
>>>packages, so there is nothing to do in terms of stable branches to
>>>handle the security issue.
>>>[...]
>
>>As a counterargument, some Oslo libs have grown stable branches for
>>security backports and cut corresponding point releases on an
>>as-needed basis so as to avoid introducing new features in stable
>>server deployments.
>>-- 
>>Jeremy Stanley
>
>The current glance stable/juno requirement for glance_store is >= 0.1.1.
>
>If you run stable/juno against glance_store 0.1.1 and try
>to create an image, you get (multi-tenant store):
>

[snip]

>Before glance_store was separated out it would have been straightforward
>to backport the relevant fixes to Glance's tightly coupled in-tree store code.
>
>I'm neutral on the mechanics, but I think we need to get to a point where
>if someone is running stable/juno and has a version of glance_store which
>satisfies what's specified in requirements.txt they should have secure,
>working code.

I think releasing glance_store now with the security fix is fine.
Distro packages will be updated as soon as 2014.2.1 is released and
the change introduced is backwards compatible.

FWIW, we're adapting glance_store's development to follow oslo
libraries' policies even for releases and versioning.

Cheers,
Flavio

-- 
@flaper87
Flavio Percoco