Shellshocked cloud images

Robyn Bergeron rbergero at redhat.com
Tue Sep 30 13:40:42 UTC 2014



----- Original Message -----
> From: "Matthew Miller" <mattdm at fedoraproject.org>
> To: jzb at redhat.com, "Fedora Cloud SIG" <cloud at lists.fedoraproject.org>
> Sent: Tuesday, September 30, 2014 5:27:16 AM
> Subject: Re: Shellshocked cloud images
> 
> On Tue, Sep 30, 2014 at 07:07:46AM -0500, Joe Brockmeier wrote:
> > > The security team didn't ask us to, as they did with heartbleed. I
> > > expect it's because a yum update _without_ a reboot is sufficient in
> > > this case, but maybe it's worth doing anyway....
> > +1
> > Do we need to file a ticket with rel-eng on this?
> 
> Yeah, that's probably the best approach. Might put out a call for QA as
> well?

I think it might be useful to actually have a process in place for how we handle things like this. 

1) How we decide whether or not a security update merits refreshed images (both in terms of "who decides" and "what's the criteria")
2) What the expected content of an updated image should be, which relates to the QA angle. If we're going to "hey, might as well update everything" - that may need more QA attention than a respin with just the bug fix. Maybe not.
3) Who files the ticket with rel-eng (or if it should just be part of the rel-eng process for "when there's a security update", period, so a ticket doesn't need filing every time)
4) I *think* AMI IDs are now auto-replaced on the website - but if they aren't, then filing a ticket to hand off to the websites team

The expected content/QA angle is also helpful from a "when (sadly) we can't discuss it widely in the community yet" POV. Establishes an expected norm, doesn't leave people wondering what the best course of action is and wouldn't it be helpful if we had the knowledge of $person. But sometimes things are embargoed, and so having more permanent guidance around might be a good idea. 

And this is me totally not volunteering to write it. Sorry! Just suggesting to save sanity in the long run. <3

-robyn


> 
> 
> --
> Matthew Miller
> <mattdm at fedoraproject.org>
> Fedora Project Leader

