[openstack-dev] [all] [stable] No longer doing stable point releases

Thomas Goirand zigo at debian.org
Sun Jun 7 08:41:14 UTC 2015


On 05/29/2015 09:23 PM, Ian Cordasco wrote:
> Could you explain this as well? Do you mean fragmentation between what
> distros are offering? In other words, Ubuntu is packaging Kilo @ SHA1 and
> RHEL is at SHA2. I'm not entirely certain that's a bad thing. That seems
> to give the packagers more freedom.

What happens when there's a security patch? Will upstream publish
patches for each and every distro? I don't believe so.

On 05/29/2015 09:23 PM, Ian Cordasco wrote:
> Perhaps I'm wrong, but when a CVE is released, don't the downstream
> packagers usually patch whatever version they have and push that out?

We would like to have a single patch to share between distros.
Fragmenting the work helps nobody.

> Isn't that the point of them being on a private list to receive
> embargoed notifications with the patches?

The point of the embargo is to give time for testing patches and preparing
a new patched version. Sometimes, we discover problems with the provided
patch during the embargo period. Yes, we sometimes use the embargo to
adapt the patch to the version we have in our distributions, but we
would prefer if that work wasn't needed.

Thomas
