On 2016-09-21 15:41:11 +1000 (+1000), Tony Breeds wrote:
> On Tue, Sep 20, 2016 at 11:57:26AM +0100, Daniel P. Berrange wrote:
[...]
> >   (3) Do nothing, leave the bug unfixed in stable/liberty
> > 
> > While this is a security bug, it is one that has existed in every single
> > openstack release ever, and it is not a particularly severe bug. Even if
> > we fixed it in liberty, it would still remain unfixed in every release before
> > liberty. We're on the verge of releasing Newton at which point liberty
> > becomes less relevant. So I question whether it is worth spending more
> > effort on dealing with this in liberty upstream.  Downstream vendors
> > still have the option to do either (1) or (2) in their own private
> > branches if they so desire, regardless of whether we fix it upstream.
> 
> I think 3 is the least worst option.
[...]

At least from my perspective with my VMT hat on, declaring that we
have a security vulnerability severe enough to fix in stable/mitaka
but unfixable in stable/liberty calls into question whether the
latter is actually maintainable by our general definition as a
project or is ready for EOL.
-- 
Jeremy Stanley

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
