Issue with Linux Foundation and expectations on ODL projects
I have been trying to get a new release of the Plastic sub-project out for 3 weeks now and have been clogged up in LF helpdesk.
LF is not allowing newer release of Plastic 2.1.7 that fixes 3rd party vulnerabilities already in 2.1.6 release.
LF wants ODL after-the-fact approval for Plastic 2.1.6 that is already publicly available.
Both LF tooling (Nexus IQ) and vulnerability process is broken.
Here is the sequence of events AFAIKT:
I would like to release Plastic 2.1.7. It has improvements and fixes violations in 3rd party libraries.
It has been languishing and holding up the next major release.
I would like a release process that understands when “the horse has left the barn” and that thinks it is a good thing when a new release fixes vulnerabilities in an old release.