[openstack-dev] [keystone] [oslo] postpone key distribution bp until icehouse?

Thierry Carrez thierry at openstack.org
Wed Aug 14 20:55:46 UTC 2013

Simo Sorce wrote:
> On Wed, 2013-08-14 at 12:35 -0300, Thierry Carrez wrote:
>> Simo Sorce wrote:
>>>> During today's project status meeting [1], the state of KDS was
>>>> discussed [2]. To quote ttx directly: "we've been bitten in the past
>>>> with late security-sensitive stuff" and "I'm a bit worried to ship
>>>> late code with such security implications as a KDS."
>>> Is ttx going to review any "security implications"? The code does not
>>> mature just because it sits there untouched for more or less time.
>> This is me with my vulnerability management hat on. The trick is that
>> we (the VMT) have to support security issues for code that will be
>> shipped in stable/havana. The most embarrassing security issues we had
>> in the past were with code that didn't see a fair amount of time in
>> master before we had to start supporting it.
>> So for us there is a big difference between landing the KDS now and having
>> it security-supported after one month of usage, and landing it in a few
>> weeks and having it security-supported after 7 months of usage. After 7
>> months I'm pretty sure most of the embarrassing issues will be ironed out.
>> I don't really want us to repeat the mistakes of the past where we
>> shipped really new code in keystone that ended up not really usable, but
>> which we still had to support security-wise due to our policy.
>> By "security implications", I mean that this is a domain (like, say,
>> token expiration) where even basic bugs can easily create a
>> vulnerability. We just don't have the bandwidth to ship an embargoed
>> security advisory for every bug that will be found in the KDS one month
>> from now.
> I understand and appreciate that, so are you saying you want to veto KDS
> introduction in Havana on this ground?

It's more of a trade-off: I want the benefits to exceed the drawbacks.
Since I see this drawback, I'd like to understand the benefits so that
we can collectively make the good trade-off... Does this really need to
be in havana and why? Or is it preferable to have it really early in
icehouse?

Note that I can't really "veto" anything as long as the PTL wants it in :)

>> Are you saying it won't have significantly fewer issues in 7 months just
>> by virtue of being landed in master and put into use in various
>> projects? Or that it was so thoroughly audited that my fears are
>> unwarranted?
> Bugs can always happen, and whether 7 months of being used in development
> makes a difference when it comes to security relevant bugs I can't say.
> I certainly am not going to claim my work flawless, I know better than
> that :)

Damn, you escaped my trap :)

Thierry Carrez (ttx)

