[openstack-dev] [nova][stable/liberty] Backport impasse: "virt: set address space & CPU time limits when running qemu-img"
Jeremy Stanley
fungi at yuggoth.org
Wed Sep 21 18:03:09 UTC 2016
On 2016-09-21 15:41:11 +1000 (+1000), Tony Breeds wrote:
> On Tue, Sep 20, 2016 at 11:57:26AM +0100, Daniel P. Berrange wrote:
[...]
> > (3) Do nothing, leave the bug unfixed in stable/liberty
> >
> > While this is a security bug, it is one that has existed in every single
> > openstack release ever, and it is not a particularly severe bug. Even if
> > we fixed it in liberty, it would still remain unfixed in every release before
> > liberty. We're on the verge of releasing Newton at which point liberty
> > becomes less relevant. So I question whether it is worth spending more
> > effort on dealing with this in liberty upstream. Downstream vendors
> > still have the option to do either (1) or (2) in their own private
> > branches if they so desire, regardless of whether we fix it upstream.
>
> I think 3 is the least worst option.
[...]
At least from my perspective with my VMT hat on, declaring that we
have a security vulnerability severe enough to fix in stable/mitaka
but unfixable in stable/liberty calls into question whether the
latter is actually maintainable by our general definition as a
project or is ready for EOL.
--
Jeremy Stanley