Hi folks, in particular operators... We discussed yesterday during the nova meeting [1] about our stable branches and eventually, we were wondering whether we should EOL [2] the stable/train branch for Nova. Why so ? Two points : 1/ The gate is failing at the moment for the branch. 2/ Two CVEs (CVE-2022-47951 [3] and CVE-2023-2088 [4]) aren't fixed in this branch. It would be difficult to fix the CVEs in the upstream branch but hopefully AFAIK all the OpenStack distros already fixed them for their related releases that use Train. So, any concerns ? TBH, I'm not really happy with EOL, but it would be bizarre if we say "oh yeah we support Train backports" but we don't really fix the most important issues... -Sylvain (who will propose the train-eol tag change next week if he doesn't see any concern before) [1] https://meetings.opendev.org/meetings/nova/2023/nova.2023-05-23-16.01.log.html#l-152 [2] https://docs.openstack.org/project-team-guide/stable-branches.html#end-of-life [3] https://security.openstack.org/ossa/OSSA-2023-002.html [4] https://security.openstack.org/ossa/OSSA-2023-003.html -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://lists.openstack.org/pipermail/openstack-discuss/attachments/20230524/2b7ba371/attachment.htm>