For a while I've been meaning to raise the topic of dropping requirement #5 from https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html#requirements since it was a high bar to clear and even projects which were previously under vulnerability management before the tag existed did not retroactively undergo threat analysis. While I still think it would be swell to have architectural info on critical OpenStack components, the volume of vulnerability reports we've received in recent years is low enough that I think we could cover more projects even without that. I did bring this up with the other members of the OpenStack VMT and there was no disagreement, so I'll start a thread about that on the ML.
I'll go ahead and draft an impact description since it looks like the stable/stein change is passing and likely to merge, and then request a CVE assignment and prepare to issue an advisory.