[openstack-dev] We should move strutils.mask_password back into oslo-incubator

Ihar Hrachyshka ihrachys at redhat.com
Thu Oct 8 14:56:46 UTC 2015


> On 08 Oct 2015, at 16:51, Matt Riedemann <mriedem at linux.vnet.ibm.com> wrote:
> 
> 
> 
> On 10/8/2015 9:25 AM, Jeremy Stanley wrote:
>> On 2015-10-08 08:58:06 -0500 (-0500), Matt Riedemann wrote:
>> [...]
>>> I don't know how many operators are tracking patch releases of
>>> dependencies on stable branches unless there is a new minimum
>>> requirement on those, especially if they aren't getting their
>>> updates from a distro provider. So while nova wouldn't be broken
>>> w/o the patched oslo.utils on stable, the OSSA wouldn't be fixed
>>> in that case.
>> 
>> The OSSA will link to https://review.openstack.org/220620 as part of
>> the stable/liberty fix and mention something along the lines of
>> "included in an upcoming oslo.utils 2.5.1 release" (in which case
>> operators _should_ check whether they are running a new enough
>> version of the library).
>> 
> 
> OK, that works for me. I'll end this thread and just move forward with the necessary changes for #2 w/o bumping a minimum required version of oslo.utils in g-r on stable.


One of the reasons why you don’t want to bump on a CVE is that a lot of distributions choose to cherry-pick just that CVE fix and not rebase on top of an unknown, previously untested version, even if it ships from stable branches. In that case, their pbr version stays the same, and a version bump would break them (of course that’s assuming they consider requirements.txt versions in their packaging).

Ihar