[openstack-dev] [Fuel] Packaging CI for Fuel

Tristan Cacqueray tdecacqu at redhat.com
Tue Mar 22 15:20:22 UTC 2016


On 03/19/2016 06:53 PM, Jeremy Stanley wrote:
> On 2016-03-19 05:10:18 -0500 (-0500), Monty Taylor wrote:
> [...]
>> It would also be good to tie off with the security team about
>> this. One of the reasons we stopped publishing debs years ago is
>> that it made us a de-facto derivative distro. People were using
>> our packages in production, including backports we'd built in
>> support of those packages, but our backports were not receiving
>> security/CVE attention, so we were concerned that we were causing
>> people to be exposed to issues. Of course, "we" was thierry,
>> soren, jeblair and I, which is clearly not enough people. Now we
>> have a whole security team and people who DO track CVEs - so if
>> they're willing to at least keep an eye on things we publish in a
>> repo, then I think we're in good shape to publish a repo with
>> backports in it.
> [...]
> 
> Please be aware that the VMT's direct support for triaging, tracking
> and announcing vulnerabilities/fixes only extends to a very small
> subset of OpenStack already. With both my VMT and Infra hats on, I
> really don't feel like we have either the workforce or the expertise to
> make security guarantees about our auto-built packages. We'll make a
> best effort attempt to rebuild packages as soon as possible after
> patches merge to their corresponding repos, assuming the toolchain
> and our CI are having a good day.
> 

With only my VMT hat on, this makes me wonder why the packaging needs
special care. Is there a reason why stable branches aren't built continuously?

Otherwise I agree with Jeremy: the VMT is already quite busy supporting
vulnerability:managed projects' master branch along with the supported
stable branches. Adding more branches to track doesn't seem like the right
approach.

-Tristan

> I'm not against building and publishing packages, but we need to
> make big ugly disclaimers everywhere we can that these are not
> security supported by us, not intended for production use, and if
> they break your deployment you get to keep all the pieces. Users of
> legitimate distros need to consider those packages superior to ours
> in every way, since I really don't want to be on the hook to support
> them for more than validation purposes.
> 

