Greetings,

Over the last few days there has been some unwelcome activity around the release of OSSA-2012-017. The Essex patch wasn't ready when the advisory was published. After that we discovered that the patches for Folsom and Grizzly were incomplete. This points to flaws in our process, which we are now working to correct.

The vulnerability management team has been working with the OpenStack CI team to come up with an improved process for handling security patches. Before a security vulnerability is publicized, all patches and discussion about the patch have been happening in a private bug on launchpad. There are two problems with this. The first is that launchpad bug comments are not nearly as efficient for code review as gerrit. Second, the patch never hits all of the testing in jenkins until release day.

What we're planning to have is a private instance of gerrit that will be used for security patches. We'll have much more efficient code review there with clearer history. We will also get the patches running through jenkins in advance of the release. This improved process should help us be much more confident that patches for vulnerabilities are complete and that getting them merged on release day should not run into unexpected problems.

Thank you,

--
Russell Bryant
OpenStack Vulnerability Management Team