On Tue, May 16, 2017 at 02:08:07PM +0200, Thierry Carrez wrote:
>
> I totally subscribe to the concerns around publishing binaries (under
> any form), and the expectations in terms of security maintenance that it
> would set on the publisher. At the same time, we need to have images
> available, for convenience and testing. So what is the best way to
> achieve that without setting strong security maintenance expectations
> for the OpenStack community ? We have several options:
>
> 1/ Have third-parties publish images
> It is the current situation. The issue is that the Kolla team (and
> likely others) would rather automate the process and use OpenStack
> infrastructure for it.
>
> 2/ Have third-parties publish images, but through OpenStack infra
> This would allow to automate the process, but it would be a bit weird to
> use common infra resources to publish in a private repo.
>
> 3/ Publish transient (per-commit or daily) images
> A "daily build" (especially if you replace it every day) would set
> relatively-limited expectations in terms of maintenance. It would end up
> picking up security updates in upstream layers, even if not immediately.
>

I share the concerns around implying support for any of these. But I also think they could be incredibly useful, and if we don't do it, there is even more of a chance of multiple "bad" images being published by others. I agree having an automated daily image published should give a reasonable expectation that there is not long term maintenance for these.

> 4/ Publish images and own them
> Staff release / VMT / stable team in a way that lets us properly own
> those images and publish them officially.
>
> Personally I think (4) is not realistic. I think we could make (3) work,
> and I prefer it to (2). If all else fails, we should keep (1).
>
> --
> Thierry Carrez (ttx)
>

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)