#compliance (2023-08)

Discuss topics related to compliance. See also <#CBXSAR45Bsecurity>.




Sean avatar

For keeping up with CVEs and Hotfixes, I’m curious if any one keeps separate “maintenance” environments for that fast development/testing.

For a simple example, lets say you have environments:

• dev

• test

• stage

• prod But then you get a CVE which needs to be patched fast, but there are unstable/unapproved features in dev+test:

so you can’t promote the current build up to stage/prod, even if it is patched Instead you need another “maintenance” environment which holds the same version as stage+prod and you do any hotfix/CVE testing there. In my case, I’d need 2 environment: “maintenance dev” and “maintenance test”

Erik Osterman (Cloud Posse) avatar
Erik Osterman (Cloud Posse)

From an application release engineering perspective, we offer a hot fix environment, which is pre production, but post staging. In other words a way to test changes to a current release, even if trunk has moved forward. We have not tried this with infrastructure.

Sean avatar

Thanks. Our challenge is a large cluster with 150+ namespaces and some heavy resource requirements. So some development can’t be done locally. To develop the fixes (for the code we write, not third-party images) we appear to need additional environments.