On Tue, Jan 17 2017, Ian Cordasco wrote:

> Or, perhaps the last time people complained that the process
> documentation was too detailed and the telemetry project decided it
> didn't want to have to follow it? If that's the case, following the
> embargoed procedures might not be what you want as a project. At that
> point, you don't need to work with the VMT and you can immediately
> open the bug to start collaborating on Gerrit. You of course open up
> all of your deployers to being targeted, but that's the project's call
> in the end I guess.
Yeah, it sucks, though if you have little help (resources) from the deployers, that's what is going to happen sooner or later.

> I would think that if you want the "vulnerability:managed" tag, you
> might be willing to follow the process outlined. Perhaps it's verbose,
> but it is verbose for good reason. OpenStack's handling of embargoed
> issues is pretty much as good as it gets for a project the size of
> OpenStack. It benefits deployers and users by making the issue AND the
> fix known at the same time which gives deployers the ability to
> immediately consume the fix.

Yeah, don't read me wrong (though I was not precise :-), but we don't have any problem with _respecting_ the procedure. I think for small projects like us it is nearly impossible to _apply_ the procedure on our own: requesting a CVE, OSSA, OSSN, getting the right classification, publishing, getting in touch with downstream… is too much work for such small teams.

--
Julien Danjou
;; Free Software hacker
;; https://julien.danjou.info