[openstack-dev] [keystone] [oslo] postpone key distribution bp until icehouse?

Adam Young ayoung at redhat.com
Wed Aug 14 13:24:18 UTC 2013

On 08/13/2013 06:20 PM, Dolph Mathews wrote:
> With regard to: 
> https://blueprints.launchpad.net/keystone/+spec/key-distribution-server
> During today's project status meeting [1], the state of KDS was 
> discussed [2]. To quote ttx directly: "we've been bitten in the past 
> with late security-sensitive stuff" and "I'm a bit worried to ship 
> late code with such security implications as a KDS." I share the same 
> concern, especially considering the API only recently went up for 
> formal review [3], and the WIP implementation is still failing 
> smokestack [4].

Since KDS is a security tightening in a case where there is no security 
at all, adding it in can only improve security.

It is a relatively simple extension from the keystone side.  The 
corresponding change is in the client, and that has already merged.

> I'm happy to see the reviews in question continue to receive their 
> fair share of attention over the next few weeks, but can (and should?) 
> merging be delayed until icehouse while more security-focused eyes 
> have time to review the code?
> Ceilometer and nova would both be affected by a delay, as both have 
> use cases for consuming trusted messaging [5] (a dependency of the bp 
> in question).
> Thanks for your feedback!
> [1]: 
> http://eavesdrop.openstack.org/irclogs/%23openstack-meeting/%23openstack-meeting.2013-08-13.log
> [2]: http://paste.openstack.org/raw/44075/
> [3]: https://review.openstack.org/#/c/40692/
> [4]: https://review.openstack.org/#/c/37118/
> [5]: https://blueprints.launchpad.net/oslo/+spec/trusted-messaging
