> On 08 Oct 2015, at 16:51, Matt Riedemann <mrie...@linux.vnet.ibm.com> wrote:
>
> On 10/8/2015 9:25 AM, Jeremy Stanley wrote:
>> On 2015-10-08 08:58:06 -0500 (-0500), Matt Riedemann wrote:
>> [...]
>>> I don't know how many operators are tracking patch releases of
>>> dependencies on stable branches unless there is a new minimum
>>> requirement on those, especially if they aren't getting their
>>> updates from a distro provider. So while nova wouldn't be broken
>>> w/o the patched oslo.utils on stable, the OSSA wouldn't be fixed
>>> in that case.
>>
>> The OSSA will link to https://review.openstack.org/220620 as part of
>> the stable/liberty fix and mention something along the lines of
>> "included in an upcoming oslo.utils 2.5.1 release" (in which case
>> operators _should_ check whether they are running a new enough
>> version of the library).
>>
>
> OK, that works for me. I'll end this thread and just move forward with the
> necessary changes for #2 w/o bumping a minimum required version of oslo.utils
> in g-r on stable.
One of the reasons why you don't want to bump on a CVE is that a lot of distributions choose to cherry-pick just that CVE fix and not rebase on top of an unknown, previously untested version, even if it ships from stable branches. In that case, their pbr version stays the same, and a version bump would break them (of course that's assuming they consider requirements.txt versions in their packaging).

Ihar
OpenStack Development Mailing List (not for usage questions)