)]}'
{"reference/tags/vulnerability_managed.rst":[{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"9b311c9fc6a86eb11faa392adfb66eab317ba739","unresolved":false,"context_lines":[{"line_number":85,"context_line":""},{"line_number":86,"context_line":"5. Projects are encouraged to undertake a review, audit, or threat"},{"line_number":87,"context_line":"   analysis looking for obvious signs of insecure design or risky"},{"line_number":88,"context_line":"   implementation in the deliverable which could imply a large"},{"line_number":89,"context_line":"   number of future vulnerability reports. In the event the project"},{"line_number":90,"context_line":"   team peforms it, the results should ideally also be validated by"},{"line_number":91,"context_line":"   a third party (could just be other members of the community not"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_fe78faf7","line":88,"updated":"2019-12-17 20:24:44.000000000","message":"Done.","commit_id":"f3c273ac5e0b38b8761f7a25fbb9fd668db35cf5"},{"author":{"_account_id":28011,"name":"Nicholas Tait","email":"ntait@redhat.com","username":"nickthetait"},"change_message_id":"fccfcc5b4744e3e973eba77446675669ec2a9a9b","unresolved":false,"context_lines":[{"line_number":84,"context_line":"   public disclosure."},{"line_number":85,"context_line":""},{"line_number":86,"context_line":"5. Projects are encouraged to undertake a review, audit, or threat"},{"line_number":87,"context_line":"   analysis looking for obvious signs of insecure design or risky"},{"line_number":88,"context_line":"   implementation in the deliverable which could imply a large"},{"line_number":89,"context_line":"   number of future vulnerability reports. 
In the event the project"},{"line_number":90,"context_line":"   team peforms it, the results should ideally also be validated by"},{"line_number":91,"context_line":"   a third party (could just be other members of the community not"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_f6dd3313","line":88,"range":{"start_line":87,"start_character":12,"end_line":88,"end_character":20},"updated":"2019-08-29 17:30:05.000000000","message":"replace with \"of\" (see my next comment)","commit_id":"f3c273ac5e0b38b8761f7a25fbb9fd668db35cf5"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"9b311c9fc6a86eb11faa392adfb66eab317ba739","unresolved":false,"context_lines":[{"line_number":86,"context_line":"5. Projects are encouraged to undertake a review, audit, or threat"},{"line_number":87,"context_line":"   analysis looking for obvious signs of insecure design or risky"},{"line_number":88,"context_line":"   implementation in the deliverable which could imply a large"},{"line_number":89,"context_line":"   number of future vulnerability reports. In the event the project"},{"line_number":90,"context_line":"   team peforms it, the results should ideally also be validated by"},{"line_number":91,"context_line":"   a third party (could just be other members of the community not"},{"line_number":92,"context_line":"   involved directly in that project). As much as anything this is a"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_9e7d46e8","line":89,"updated":"2019-12-17 20:24:44.000000000","message":"Done and done.","commit_id":"f3c273ac5e0b38b8761f7a25fbb9fd668db35cf5"},{"author":{"_account_id":28011,"name":"Nicholas Tait","email":"ntait@redhat.com","username":"nickthetait"},"change_message_id":"fccfcc5b4744e3e973eba77446675669ec2a9a9b","unresolved":false,"context_lines":[{"line_number":86,"context_line":"5. 
Projects are encouraged to undertake a review, audit, or threat"},{"line_number":87,"context_line":"   analysis looking for obvious signs of insecure design or risky"},{"line_number":88,"context_line":"   implementation in the deliverable which could imply a large"},{"line_number":89,"context_line":"   number of future vulnerability reports. In the event the project"},{"line_number":90,"context_line":"   team peforms it, the results should ideally also be validated by"},{"line_number":91,"context_line":"   a third party (could just be other members of the community not"},{"line_number":92,"context_line":"   involved directly in that project). As much as anything this is a"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_56ce875b","line":89,"range":{"start_line":89,"start_character":42,"end_line":89,"end_character":43},"updated":"2019-08-29 17:30:05.000000000","message":"Only thing I think is missing from #5 is an indication of time. When is a good opportunity for a team to do a review (for example after a release)?","commit_id":"f3c273ac5e0b38b8761f7a25fbb9fd668db35cf5"},{"author":{"_account_id":28011,"name":"Nicholas Tait","email":"ntait@redhat.com","username":"nickthetait"},"change_message_id":"fccfcc5b4744e3e973eba77446675669ec2a9a9b","unresolved":false,"context_lines":[{"line_number":85,"context_line":""},{"line_number":86,"context_line":"5. Projects are encouraged to undertake a review, audit, or threat"},{"line_number":87,"context_line":"   analysis looking for obvious signs of insecure design or risky"},{"line_number":88,"context_line":"   implementation in the deliverable which could imply a large"},{"line_number":89,"context_line":"   number of future vulnerability reports. 
In the event the project"},{"line_number":90,"context_line":"   team peforms it, the results should ideally also be validated by"},{"line_number":91,"context_line":"   a third party (could just be other members of the community not"},{"line_number":92,"context_line":"   involved directly in that project). As much as anything this is a"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_56c9a757","line":89,"range":{"start_line":88,"start_character":37,"end_line":89,"end_character":41},"updated":"2019-08-29 17:30:05.000000000","message":"This is written from perspective of the VMT itself, instead use \"to proactively identify security risks.\" or similar","commit_id":"f3c273ac5e0b38b8761f7a25fbb9fd668db35cf5"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"9b311c9fc6a86eb11faa392adfb66eab317ba739","unresolved":false,"context_lines":[{"line_number":87,"context_line":"   analysis looking for obvious signs of insecure design or risky"},{"line_number":88,"context_line":"   implementation in the deliverable which could imply a large"},{"line_number":89,"context_line":"   number of future vulnerability reports. In the event the project"},{"line_number":90,"context_line":"   team peforms it, the results should ideally also be validated by"},{"line_number":91,"context_line":"   a third party (could just be other members of the community not"},{"line_number":92,"context_line":"   involved directly in that project). 
As much as anything this is a"},{"line_number":93,"context_line":"   measure to keep the VMT\u0027s workload down, since it is by necessity"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_be8282c6","line":90,"updated":"2019-12-17 20:24:44.000000000","message":"Done.","commit_id":"f3c273ac5e0b38b8761f7a25fbb9fd668db35cf5"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"fd800dea4828feea517f3179b681393a2104ec3e","unresolved":false,"context_lines":[{"line_number":87,"context_line":"   analysis looking for obvious signs of insecure design or risky"},{"line_number":88,"context_line":"   implementation in the deliverable which could imply a large"},{"line_number":89,"context_line":"   number of future vulnerability reports. In the event the project"},{"line_number":90,"context_line":"   team peforms it, the results should ideally also be validated by"},{"line_number":91,"context_line":"   a third party (could just be other members of the community not"},{"line_number":92,"context_line":"   involved directly in that project). As much as anything this is a"},{"line_number":93,"context_line":"   measure to keep the VMT\u0027s workload down, since it is by necessity"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_1534c9ab","line":90,"updated":"2019-08-26 15:15:17.000000000","message":"The prior wording was explicit, but I wanted to get rid of the constant repetition of the phrase \"review, audit, or threat analysis,\" especially considering it\u0027s no longer an actual requirement. This stub is being retained 1. because we don\u0027t want to give the impression we don\u0027t value community threat analyses, and 2. so that old references to \"requirement #5\" don\u0027t suddenly start referring to what used to be requirement #6 below. 
Anything we can do to shorten/simplify it will help offset the additional reading added by newer entries.","commit_id":"f3c273ac5e0b38b8761f7a25fbb9fd668db35cf5"},{"author":{"_account_id":21420,"name":"Gage Hugo","email":"gagehugo@gmail.com","username":"ghugo"},"change_message_id":"6b5b85bbef15ffac8bf86c1734149f90878ef592","unresolved":false,"context_lines":[{"line_number":87,"context_line":"   analysis looking for obvious signs of insecure design or risky"},{"line_number":88,"context_line":"   implementation in the deliverable which could imply a large"},{"line_number":89,"context_line":"   number of future vulnerability reports. In the event the project"},{"line_number":90,"context_line":"   team peforms it, the results should ideally also be validated by"},{"line_number":91,"context_line":"   a third party (could just be other members of the community not"},{"line_number":92,"context_line":"   involved directly in that project). As much as anything this is a"},{"line_number":93,"context_line":"   measure to keep the VMT\u0027s workload down, since it is by necessity"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_354f856b","line":90,"range":{"start_line":90,"start_character":8,"end_line":90,"end_character":15},"updated":"2019-08-26 15:09:49.000000000","message":"also \"performs\"","commit_id":"f3c273ac5e0b38b8761f7a25fbb9fd668db35cf5"},{"author":{"_account_id":21420,"name":"Gage Hugo","email":"gagehugo@gmail.com","username":"ghugo"},"change_message_id":"6b5b85bbef15ffac8bf86c1734149f90878ef592","unresolved":false,"context_lines":[{"line_number":87,"context_line":"   analysis looking for obvious signs of insecure design or risky"},{"line_number":88,"context_line":"   implementation in the deliverable which could imply a large"},{"line_number":89,"context_line":"   number of future vulnerability reports. 
In the event the project"},{"line_number":90,"context_line":"   team peforms it, the results should ideally also be validated by"},{"line_number":91,"context_line":"   a third party (could just be other members of the community not"},{"line_number":92,"context_line":"   involved directly in that project). As much as anything this is a"},{"line_number":93,"context_line":"   measure to keep the VMT\u0027s workload down, since it is by necessity"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_553241f4","line":90,"range":{"start_line":90,"start_character":16,"end_line":90,"end_character":18},"updated":"2019-08-26 15:09:49.000000000","message":"nit: I preferred the wording before, as \"...performs the review, audit, or threat analysis, the...\"\n\nCould also do \"..the project team performs this, ...\"","commit_id":"f3c273ac5e0b38b8761f7a25fbb9fd668db35cf5"},{"author":{"_account_id":21420,"name":"Gage Hugo","email":"gagehugo@gmail.com","username":"ghugo"},"change_message_id":"366a43b347996b94076177595b11d094c310b146","unresolved":false,"context_lines":[{"line_number":87,"context_line":"   analysis looking for obvious signs of insecure design or risky"},{"line_number":88,"context_line":"   implementation in the deliverable which could imply a large"},{"line_number":89,"context_line":"   number of future vulnerability reports. In the event the project"},{"line_number":90,"context_line":"   team peforms it, the results should ideally also be validated by"},{"line_number":91,"context_line":"   a third party (could just be other members of the community not"},{"line_number":92,"context_line":"   involved directly in that project). 
As much as anything this is a"},{"line_number":93,"context_line":"   measure to keep the VMT\u0027s workload down, since it is by necessity"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_7d37e64c","line":90,"in_reply_to":"7faddb67_1534c9ab","updated":"2019-08-29 15:08:54.000000000","message":"Sure, works for me!","commit_id":"f3c273ac5e0b38b8761f7a25fbb9fd668db35cf5"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"9b311c9fc6a86eb11faa392adfb66eab317ba739","unresolved":false,"context_lines":[{"line_number":89,"context_line":"   number of future vulnerability reports. In the event the project"},{"line_number":90,"context_line":"   team peforms it, the results should ideally also be validated by"},{"line_number":91,"context_line":"   a third party (could just be other members of the community not"},{"line_number":92,"context_line":"   involved directly in that project). As much as anything this is a"},{"line_number":93,"context_line":"   measure to keep the VMT\u0027s workload down, since it is by necessity"},{"line_number":94,"context_line":"   a group of constrained size and some of its processes simply"},{"line_number":95,"context_line":"   can\u0027t be scaled safely. If possible, the results should be"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_5e67ce53","line":92,"updated":"2019-12-17 20:24:44.000000000","message":"Done.","commit_id":"f3c273ac5e0b38b8761f7a25fbb9fd668db35cf5"},{"author":{"_account_id":14288,"name":"Matthew Thode","display_name":"prometheanfire","email":"mthode@mthode.org","username":"prometheanfire"},"change_message_id":"0eb01602615a087b6ddb48655af4aad626c81571","unresolved":false,"context_lines":[{"line_number":88,"context_line":"   implementation in the deliverable which could imply a large"},{"line_number":89,"context_line":"   number of future vulnerability reports. 
In the event the project"},{"line_number":90,"context_line":"   team peforms it, the results should ideally also be validated by"},{"line_number":91,"context_line":"   a third party (could just be other members of the community not"},{"line_number":92,"context_line":"   involved directly in that project). As much as anything this is a"},{"line_number":93,"context_line":"   measure to keep the VMT\u0027s workload down, since it is by necessity"},{"line_number":94,"context_line":"   a group of constrained size and some of its processes simply"},{"line_number":95,"context_line":"   can\u0027t be scaled safely. If possible, the results should be"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_5b0fe02e","line":92,"range":{"start_line":91,"start_character":17,"end_line":92,"end_character":38},"updated":"2019-08-25 18:38:47.000000000","message":"I think this should be rephrased (the section in parens)","commit_id":"f3c273ac5e0b38b8761f7a25fbb9fd668db35cf5"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"48b57a84f1c6b7bdf5a042f05ce039c3eeb73bcd","unresolved":false,"context_lines":[{"line_number":89,"context_line":"   number of future vulnerability reports. In the event the project"},{"line_number":90,"context_line":"   team peforms it, the results should ideally also be validated by"},{"line_number":91,"context_line":"   a third party (could just be other members of the community not"},{"line_number":92,"context_line":"   involved directly in that project). As much as anything this is a"},{"line_number":93,"context_line":"   measure to keep the VMT\u0027s workload down, since it is by necessity"},{"line_number":94,"context_line":"   a group of constrained size and some of its processes simply"},{"line_number":95,"context_line":"   can\u0027t be scaled safely. 
If possible, the results should be"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_fb4d6c99","line":92,"updated":"2019-08-25 23:04:58.000000000","message":"What is it saying that it shouldn\u0027t, or vice versa? I could just end it in \"... the results should ideally also be validated by a separate party\" and drop the parenthetical altogether.","commit_id":"f3c273ac5e0b38b8761f7a25fbb9fd668db35cf5"},{"author":{"_account_id":21420,"name":"Gage Hugo","email":"gagehugo@gmail.com","username":"ghugo"},"change_message_id":"6b5b85bbef15ffac8bf86c1734149f90878ef592","unresolved":false,"context_lines":[{"line_number":89,"context_line":"   number of future vulnerability reports. In the event the project"},{"line_number":90,"context_line":"   team peforms it, the results should ideally also be validated by"},{"line_number":91,"context_line":"   a third party (could just be other members of the community not"},{"line_number":92,"context_line":"   involved directly in that project). As much as anything this is a"},{"line_number":93,"context_line":"   measure to keep the VMT\u0027s workload down, since it is by necessity"},{"line_number":94,"context_line":"   a group of constrained size and some of its processes simply"},{"line_number":95,"context_line":"   can\u0027t be scaled safely. If possible, the results should be"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_556001d0","line":92,"in_reply_to":"7faddb67_1f170a57","updated":"2019-08-26 15:09:49.000000000","message":"++, I like \"which\"","commit_id":"f3c273ac5e0b38b8761f7a25fbb9fd668db35cf5"},{"author":{"_account_id":14288,"name":"Matthew Thode","display_name":"prometheanfire","email":"mthode@mthode.org","username":"prometheanfire"},"change_message_id":"69c307e7ab546c42ad72543c8aa17dfc13d51c3a","unresolved":false,"context_lines":[{"line_number":89,"context_line":"   number of future vulnerability reports. 
In the event the project"},{"line_number":90,"context_line":"   team peforms it, the results should ideally also be validated by"},{"line_number":91,"context_line":"   a third party (could just be other members of the community not"},{"line_number":92,"context_line":"   involved directly in that project). As much as anything this is a"},{"line_number":93,"context_line":"   measure to keep the VMT\u0027s workload down, since it is by necessity"},{"line_number":94,"context_line":"   a group of constrained size and some of its processes simply"},{"line_number":95,"context_line":"   can\u0027t be scaled safely. If possible, the results should be"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_1f170a57","line":92,"in_reply_to":"7faddb67_df53b215","updated":"2019-08-26 14:19:24.000000000","message":"ya, something like that would make it flow better (it just felt awkward to read is all)","commit_id":"f3c273ac5e0b38b8761f7a25fbb9fd668db35cf5"},{"author":{"_account_id":4257,"name":"Zane Bitter","email":"zbitter@redhat.com","username":"zaneb"},"change_message_id":"8a2003d9f1dcd919ac7cb19f4f27511a1ef5e159","unresolved":false,"context_lines":[{"line_number":89,"context_line":"   number of future vulnerability reports. In the event the project"},{"line_number":90,"context_line":"   team peforms it, the results should ideally also be validated by"},{"line_number":91,"context_line":"   a third party (could just be other members of the community not"},{"line_number":92,"context_line":"   involved directly in that project). As much as anything this is a"},{"line_number":93,"context_line":"   measure to keep the VMT\u0027s workload down, since it is by necessity"},{"line_number":94,"context_line":"   a group of constrained size and some of its processes simply"},{"line_number":95,"context_line":"   can\u0027t be scaled safely. 
If possible, the results should be"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_df53b215","line":92,"in_reply_to":"7faddb67_fb4d6c99","updated":"2019-08-26 13:49:07.000000000","message":"adding \"which\" at the beginning could go a long way","commit_id":"f3c273ac5e0b38b8761f7a25fbb9fd668db35cf5"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"9b311c9fc6a86eb11faa392adfb66eab317ba739","unresolved":false,"context_lines":[{"line_number":111,"context_line":"   which it is not an author (for example, base operating system"},{"line_number":112,"context_line":"   components included in a server/container image or libraries"},{"line_number":113,"context_line":"   vendored into compiled binary artifacts), the VMT will not track"},{"line_number":114,"context_line":"   or issue advisories for these external software components. VMT"},{"line_number":115,"context_line":"   coordination is limited in scope to only software whose source"},{"line_number":116,"context_line":"   code is produced directly by official OpenStack project teams."},{"line_number":117,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_7e640a4e","line":114,"updated":"2019-12-17 20:24:44.000000000","message":"Done.","commit_id":"f3c273ac5e0b38b8761f7a25fbb9fd668db35cf5"},{"author":{"_account_id":28011,"name":"Nicholas Tait","email":"ntait@redhat.com","username":"nickthetait"},"change_message_id":"fccfcc5b4744e3e973eba77446675669ec2a9a9b","unresolved":false,"context_lines":[{"line_number":110,"context_line":"7. 
In the event that a team distributes additional software for"},{"line_number":111,"context_line":"   which it is not an author (for example, base operating system"},{"line_number":112,"context_line":"   components included in a server/container image or libraries"},{"line_number":113,"context_line":"   vendored into compiled binary artifacts), the VMT will not track"},{"line_number":114,"context_line":"   or issue advisories for these external software components. VMT"},{"line_number":115,"context_line":"   coordination is limited in scope to only software whose source"},{"line_number":116,"context_line":"   code is produced directly by official OpenStack project teams."},{"line_number":117,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_361aebc5","line":114,"range":{"start_line":113,"start_character":45,"end_line":114,"end_character":62},"updated":"2019-08-29 17:30:05.000000000","message":"This is a long sentence! Might help reordering. \"The VMT will not track or issue advisories for external software components. Only source code provided by official OpenStack project teams is eligible for support from VMT.\"","commit_id":"f3c273ac5e0b38b8761f7a25fbb9fd668db35cf5"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"15f869286cd018ccef2c004c2438771fe789552f","unresolved":false,"context_lines":[{"line_number":114,"context_line":"   or issue advisories for these external software components. VMT"},{"line_number":115,"context_line":"   coordination is limited in scope to only software whose source"},{"line_number":116,"context_line":"   code is produced directly by official OpenStack project teams."},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"8. 
Deliverables must tag releases to qualify for VMT oversight."},{"line_number":119,"context_line":"   Vulnerabilities warrant advisories if they appear in official"},{"line_number":120,"context_line":"   releases or on supported stable branches. Vulnerabilities only"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_ad3b2f37","line":117,"updated":"2019-08-26 13:27:34.000000000","message":"It\u0027s not intended to be a change in policy. When the VMT was first formed, OpenStack did not distribute binary artifacts at all, and the deliverables which are presently overseen are implemented in pure Python so are effectively only releasing source code. As of https://governance.openstack.org/tc/resolutions/20170530-binary-artifacts.html the TC allows official teams to release some binary artifacts under specific conditions, and so projects which engage in that kind of activity may seek out VMT coordination for vulnerabilities in their deliverables. Entry #7 here is less of a requirement, and more of a safeguard to set expectations for those projects that the VMT won\u0027t be issuing advisories for, say, a vulnerable version of glibc in one of their published container images.","commit_id":"f3c273ac5e0b38b8761f7a25fbb9fd668db35cf5"},{"author":{"_account_id":17068,"name":"Jean-Philippe Evrard","email":"openstack@a.spamming.party","username":"evrardjp"},"change_message_id":"f1134ea03a1343db5192708bcb5e0b038578bfea","unresolved":false,"context_lines":[{"line_number":114,"context_line":"   or issue advisories for these external software components. VMT"},{"line_number":115,"context_line":"   coordination is limited in scope to only software whose source"},{"line_number":116,"context_line":"   code is produced directly by official OpenStack project teams."},{"line_number":117,"context_line":""},{"line_number":118,"context_line":"8. 
Deliverables must tag releases to qualify for VMT oversight."},{"line_number":119,"context_line":"   Vulnerabilities warrant advisories if they appear in official"},{"line_number":120,"context_line":"   releases or on supported stable branches. Vulnerabilities only"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_0cdfe93a","line":117,"updated":"2019-08-26 09:54:37.000000000","message":"Sorry I am new to this topic, and I am not really sure if this is a change of policy or not.\n\nIf it\u0027s a change of policy (ignore the rest of my comment otherwise), does this make sense to be able to assert the tag \"vulnerability:managed\" if some part of the code cannot be managed for vulnerabilities (the compiled binary artifacts)?\nIn other words, I understand why we would limit in scope of only the software code we produce, but does it make sense to be able to assert the tag that we \"manage\" vulns if we don\u0027t fully do it? (I am concerned about sending a wrong message).","commit_id":"f3c273ac5e0b38b8761f7a25fbb9fd668db35cf5"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"9b311c9fc6a86eb11faa392adfb66eab317ba739","unresolved":false,"context_lines":[{"line_number":124,"context_line":"   milestones are not considered official releases for the purpose"},{"line_number":125,"context_line":"   of this policy."},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"9. A maximum embargo period of 90 days must be respected for"},{"line_number":128,"context_line":"   privately-reported vulnerabilities. 
Except under unusual"},{"line_number":129,"context_line":"   circumstances the private report will be switched to public for"},{"line_number":130,"context_line":"   continued work on solutions even if no advisory can yet be"}],"source_content_type":"text/x-rst","patch_set":1,"id":"3fa7e38b_1e71560e","line":127,"updated":"2019-12-17 20:24:44.000000000","message":"Done.","commit_id":"f3c273ac5e0b38b8761f7a25fbb9fd668db35cf5"},{"author":{"_account_id":28011,"name":"Nicholas Tait","email":"ntait@redhat.com","username":"nickthetait"},"change_message_id":"fccfcc5b4744e3e973eba77446675669ec2a9a9b","unresolved":false,"context_lines":[{"line_number":124,"context_line":"   milestones are not considered official releases for the purpose"},{"line_number":125,"context_line":"   of this policy."},{"line_number":126,"context_line":""},{"line_number":127,"context_line":"9. A maximum embargo period of 90 days must be respected for"},{"line_number":128,"context_line":"   privately-reported vulnerabilities. Except under unusual"},{"line_number":129,"context_line":"   circumstances the private report will be switched to public for"},{"line_number":130,"context_line":"   continued work on solutions even if no advisory can yet be"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_36a50ba0","line":127,"range":{"start_line":127,"start_character":3,"end_line":127,"end_character":12},"updated":"2019-08-29 17:30:05.000000000","message":"Shorten to \"Embargoes shall not last more than 90 days except under unusual circumstances. After that deadline, reports will be publicly visible regardless of whether an advisory has been issued.\"?","commit_id":"f3c273ac5e0b38b8761f7a25fbb9fd668db35cf5"}]}
