On 16 May 2017 at 12:36, Jeremy Stanley <fu...@yuggoth.org> wrote: > On 2017-05-16 11:46:14 -0700 (-0700), Michał Jastrzębski wrote: > [...] >> So CVE tracking might not be required by us. Since we still use >> distro packages under the hood, we can just use these. > [...] > > I think the question is how I, as a semi-clueful downstream user of > your images, can tell whether the image I'm deploying has fixes for > some specific recently disclosed vulnerability. It sounds like your > answer is that I should compare the package manifest against the > versions listed on the distro's CVE tracker or similar service? That > should be prominently documented, perhaps in a highly visible FAQ > list.
One thing we've been working on prior to summit was manifesto of versions - I think we can provide single file with all the versions of packages in container, we can add track of CI jobs that led containers to this place, all the informations that semi-careful downstream user can use to help him/her to determine what's that they're getting. I'm all for that kind of features. >> Since we'd rebuild daily, that alone would ensure timely update to >> our containers. What we can promise to potential users is that >> containers out there were built lately (24hrs) > [...] > > As outlined elsewhere in the thread, there are a myriad of reasons > why this could end up not being the case from time to time so I can > only assume your definition of "promise" differs from mine (and > unfortunately, from most people who might be trying to decide > whether it's safe to rely on these images in a sensitive/production > environment). By "promise" I mean clear documentation of where containers came from and what did they pass. After that, take it or leave it. > -- > Jeremy Stanley > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > __________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
