← Back to team overview

openstack team mailing list archive

Upcoming Improvements to Security Patch Handling

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings,

Over the last few days there has been some unwelcome activity around
the release of OSSA-2012-017. The Essex patch wasn't ready when the
advisory was published. After that we discovered that the patches for
Folsom and Grizzly were incomplete. This points to flaws in our
process, which we are now working to correct. The vulnerability
management team has been working with the OpenStack CI team to come up
with an improved process for handling security patches.

Before a security vulnerability is publicized, all patches and
discussion about the patch have been happening in a private bug on
launchpad. There are two problems with this. The first is that
launchpad bug comments are not nearly as efficient for code review as
gerrit. Second, the patch never hits all of the testing in jenkins
until release day.

What we're planning to have is a private instance of gerrit that will be
used for security patches. We'll have much more efficient code review
there with clearer history. We will also get the patches running
through jenkins in advance of the release. This improved process should
help us be much more confident that patches for vulnerabilities are
complete and that getting them merged on release day should not run into
unexpected problems.

Thank you,

- -- 
Russell Bryant
OpenStack Vulnerability Management Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlCdE8UACgkQFg9ft4s9SAbg7wCfcd+4perGKL2ksWwMN/EBaofB
dsEAnicOwucy8XBrVplXsZGdJX8EzdGy
=9m8m
-----END PGP SIGNATURE-----