[openstack-dev] [neutron] How to handle security issues in external repos?

Henry Gessau gessau at cisco.com
Fri Jul 3 20:01:38 UTC 2015

In the Liberty cycle Neutron is mandating the splitting out of "third-party"
plugins and drivers into separate repositories, see [1]. These external
repositories will be managed by the maintainers of the code, who are
independent from the neutron core maintainers.

The question now arises about what to do when a security issue is found in such
an external repository that integrates with Neutron.

 - How should such security issues be managed?
 - Should the OpenStack security team be involved?
 - Does a CVE need to be filed?
 - Do the maintainers need to publish OSSN or equivalent documents?
 - Anything else to consider here?

[1] https://review.openstack.org/187267

More information about the OpenStack-dev mailing list