[openstack-dev] [keystone] [oslo] postpone key distribution bp until icehouse?

Simo Sorce simo at redhat.com
Wed Aug 14 18:20:53 UTC 2013


On Wed, 2013-08-14 at 12:35 -0300, Thierry Carrez wrote:
> Simo Sorce wrote:
> >> During today's project status meeting [1], the state of KDS was
> >> discussed [2]. To quote ttx directly: "we've been bitten in the past
> >> with late security-sensitive stuff" and "I'm a bit worried to ship
> >> late code with such security implications as a KDS."
> > 
> > Is ttx going to review any "security implications" ? The code does not
> > mature just because it sits there untouched for more or less time.
> 
> This is me wearing my vulnerability management hat on. The trick is that
> we (the VMT) have to support security issues for code that will be
> shipped in stable/havana. The most embarrassing security issues we had
> in the past were with code that didn't see a fair amount of time in
> master before we had to start supporting it.
> 
> So for us there is a big difference between landing the KDS now and having
> it security-supported after one month of usage, and landing it in a few
> weeks and having it security-supported after 7 months of usage. After 7
> months I'm pretty sure most of the embarrassing issues will be ironed out.
> 
> I don't really want us to repeat the mistakes of the past where we
> shipped really new code in keystone that ended up not really usable, but
> which we still had to support security-wise due to our policy.
> 
> By "security implications", I mean that this is a domain (like, say,
> token expiration) where even basic bugs can easily create a
> vulnerability. We just don't have the bandwidth to ship an embargoed
> security advisory for every bug that will be found in the KDS one month
> from now.

I understand and appreciate that, so are you saying you want to veto KDS
introduction in Havana on this ground ?

> > I would agree to this only if you can name individuals that are going to
> > do a "security review", otherwise I see no real reason to delay, as it
> > will cost time to keep patches up to date, and I'd rather not do that if
> > no one is lining up to do a "security review".
> >
> > FWIW I did circulate the design for the security mechanism internally in
> > Red Hat to some people with some expertise in crypto matters.
> 
> Are you saying it won't have significantly fewer issues in 7 months just
> by the virtue of being landed in master and put into use in various
> projects ? Or that it was so thoroughly audited that my fears are
> unwarranted ?

Bugs can always happen, and whether 7 months of being used in development
makes a difference when it comes to security-relevant bugs I can't say.
I certainly am not going to claim my work flawless, I know better than
that :)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



