Open Stack

On 2019-07-05 17:29:55 +0100 (+0100), Rodolfo Alonso wrote:
[...]
> I know that in stable releases, the policy established [3] is only
> to modify those external libraries in case of security related
> issues. This is not exactly a security breach but can tear down a
> server along the time.
[...]
> [3] https://docs.openstack.org/project-team-guide/stable-branches.html
[...]

You're referring to policy about backporting fixes for bugs in
OpenStack software, and so necessitates patch-level version
increases for the affected OpenStack components in
upper-constraints.txt to make sure we test other software against
that newer version.

The policy so far regarding stable branch upper-constraints.txt
entries for external dependencies of OpenStack has been to not
change them even if they include known security vulnerabilities or
other critical bugs, unless those bugs impact our ability to
reliably test proposed changes to stable branches of OpenStack
software for possible regressions.

It's a common misconception, but that upper-constraints.txt file is
purely a reflection of the (basically frozen in the case of stable
branches) set of dependency versions from PyPI against which changes
to our software are tested. It is not a good idea to deploy
production environments from the PyPI packages corresponding to the
versions listed there, for a variety of reasons (most important of
which is that they aren't a security-supported distribution, nor can
they ever even remotely become one).
-- 
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190706/31383d54/attachment.sig>