openstack team mailing list archive

Re: [OSSA 2013-013] Keystone client local information disclosure (CVE-2013-2013)


Robert Collins wrote:
> What if we were to always do a release after a security advisory?

We don't do a server "stable release" after each security advisory as it
doesn't significantly help spread the fix, but I agree that for
client libraries (where the PyPI releases are the main form of
downstream consumption of the fix) it makes sense to tag and trigger a
new PyPI release after each security advisory.

These were the first advisories on client libraries, but with Keystone
middleware being shipped within python-keystoneclient, I expect more in
the future.

Thierry Carrez (ttx)
OpenStack Vulnerability Management Team