In order for an Envoy distributor to update a downstream consumer, it's often necessary to have Docker images staged publicly due to the distribution model at many vendors. In addition, Envoy changes are visible to downstream consumers, even in PaaS environments, as the sidecar runs inside the same container as an application.
There are a number of open questions.
1. Does a binary release violate embargo? In principle and practice it does, since it's easy to bindiff and reverse engineer fixes.
2. How can distributors securely stage images for release at the embargo date?
3. How can distributors perform staged rollouts? E.g. large PaaS operators may require 1+ week to rollout across all zones.
4. How can distributors canary their fix releases?
Would be great to hear from distributors on these issues.
Action item for CVE-2019-9900
Action item for CVE-2019-9901