openstack team mailing list archive
Mailing list archive
Re: [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013)
Robert Collins wrote:
> What if we were to always do a release after a security advisory?
We don't do a server "stable release" after each security advisory as it
doesn't significantly help spreading the fix, but I agree that for
client libraries (where the PyPI releases are the main form of
downstream consumption of the fix) it makes sense to tag and trigger a
new PyPI release after each security advisory.
These were the first advisories on client libraries, but with Keystone
middleware being shipped within python-keystoneclient, I expect more in
Thierry Carrez (ttx)
OpenStack Vulnerability Management Team