| gouthamr | https://wiki.openstack.org/wiki/OSSN/OSSN-0095 was published, index updated. will wait to send the email notification during UTC afternoon | 05:10 |
|---|---|---|
| mikal | Out of curiosity -- how, if at all, does OpenStack / probably the requirements repo handle a requirement in the version pins for a given release containing a known vulnerability? My mental model is that those pins are locked in stone and not updated, but is that actually true? | 10:21 |
| fungi | mikal: there is a comment at the top of the file about exactly that | 12:16 |
| fungi | https://opendev.org/openstack/requirements/src/branch/master/upper-constraints.txt | 12:17 |
| fungi | "OpenStack makes no security guarantees about third-party dependencies listed here, and does not keep track of any vulnerabilities they contain. Versions of these dependencies are frozen at each coordinated release in order to stabilize upstream testing, and can contain known vulnerabilities. Consumers are STRONGLY encouraged to rely on curated distributions of OpenStack | 12:18 |
| fungi | or manage security patching of dependencies themselves." | 12:18 |
| fungi | it appears at the beginning of the README.rst in that repository too, and the global-requirements.txt file | 12:18 |
| mikal | It's slightly embarrassing that I didn't notice that, but I am going to pretend I totally knew that already. So it comes down to packagers are expected to somehow redo stable branch CI with updated requirements as required? | 12:18 |
| fungi | we assume (have always assumed) that distributions are packaging openstack alongside other software and need dependencies to be flexible. typically they freeze a version of software and then backport fixes to it as needed | 12:20 |
| fungi | that's at least how linux distros have worked for as long as i can remember | 12:20 |
| fungi | since we can't do the same thing, due to lack of people dedicated to it, we just freeze the versions we're testing with on stable branches, as the closest approximation to testing with something like what they're packaging | 12:21 |
| fungi | also maybe it isn't entirely obvious, but we can't do downstream's testing for them even if we wanted and had the capacity to do so, because their packages of our software aren't going to install the same way or with the same configurations, so they're going to run their own testing regardless | 14:47 |
| gouthamr | fungi: the OSSN email may be in openstack-announce's moderation queue | 18:47 |
| fungi | oops! released | 18:49 |
| fungi | thanks for the reminder | 18:49 |
| gouthamr | ty! :) will close the LP task | 19:06 |