[security-sig] Broken Security Link on Website and general bad discoverability of security related information

Sean Mooney smooney at redhat.com
Thu Feb 25 18:41:23 UTC 2021

On Thu, 2021-02-25 at 15:06 +0000, Jeremy Stanley wrote:
> > So I guess the base distro is also affected, as these are core
> > openstack components imho?
> There is no "base distro" of OpenStack. Red Hat and SUSE both
> produce distributions of OpenStack which, strictly speaking, means
> OpenStack software combined with other software such as OpenStack's
> dependencies and an operating system to run it all on. So in those
> cases it's the Python interpreters in their distributions which the
> vulnerabilities you linked are affecting, but not the OpenStack
> software which they're also including in the distributions.
ya, with my downstream hat on, the Python interpreter and standard libs are not considered to be part of the OpenStack product;
they are part of the base operating system distribution and we just use them in the OpenStack product.
I would not consider CVEs in the Python interpreter to be CVEs in OpenStack.
OpenStack would certainly be affected by them, but it is outside of the OpenStack production teams' hands to fix.
From an upstream perspective I also agree there is no base distribution of OpenStack + an interpreter.

There are the upstream repositories of the OpenStack project hosted on https://opendev.org, but we do not distribute a Python runtime
or all of the external libraries that OpenStack depends on as a single distribution, so those CVEs appear to be outside
the scope of the OpenStack vulnerability team to address. That does not mean the OpenStack community does not care about them;
they just are not part of the software we maintain and develop.

