[openstack-dev] [Fuel] Packaging CI for Fuel

Jeremy Stanley fungi at yuggoth.org
Sat Mar 19 18:53:27 UTC 2016


On 2016-03-19 05:10:18 -0500 (-0500), Monty Taylor wrote:
[...]
> It would also be good to tie off with the security team about
> this. One of the reasons we stopped publishing debs years ago is
> that it made us a de-facto derivative distro. People were using
> our packages in production, including backports we'd built in
> support of those packages, but our backports were not receiving
> security/CVE attention, so we were concerned that we were causing
> people to be exposed to issues. Of course, "we" was thierry,
> soren, jeblair and I, which is clearly not enough people. Now we
> have a whole security team and people who DO track CVEs - so if
> they're willing to at least keep an eye on things we publish in a
> repo, then I think we're in good shape to publish a repo with
> backports in it.
[...]

Please be aware that the VMT's direct support for triaging, tracking
and announcing vulnerabilities/fixes only extends to a very small
subset of OpenStack already. With both my VMT and Infra hats on, I
really don't feel like we have neither the workforce nor the
expertise to make security guarantees about our auto-built packages. We'll make a
best effort attempt to rebuild packages as soon as possible after
patches merge to their corresponding repos, assuming the toolchain
and our CI are having a good day.

I'm not against building and publishing packages, but we need to
make big ugly disclaimers everywhere we can that these are not
security supported by us, not intended for production use, and if
they break your deployment you get to keep all the pieces. Users of
legitimate distros need to consider those packages superior to ours
in every way, since I really don't want to be on the hook to support
them for more than validation purposes.
-- 
Jeremy Stanley