[openstack-dev] [all] Criteria for applying vulnerability:managed tag

Jeremy Stanley fungi at yuggoth.org
Sun Sep 6 20:00:29 UTC 2015


On 2015-09-02 17:47:20 +0000 (+0000), Tristan Cacqueray wrote:
[...]
> Any supported programming language by the openstack project should/could
> also be accepted for vulnerability management.
> As long as there is a way to test patch, I think the VMT can support
> other languages like Go or Puppet.

Okay, so for me that implies an extra criterion: the repos for the
deliverable covered should have testing. Great point, it seems
pretty important really and was absent from my initial list.

> The risk is to divide downstream communities, and managing different
> lists sounds like overkill for now. One improvement would be to maintain
> that list publicly like xen do for their pre-disclosure list:
>   http://www.xenproject.org/security-policy.html
[...]
> With a public stakeholder list, we can clarify our vmt-process to be
> directly usable without vmt supervision.
[...]

Unlike many communities, our commercial popularity and corresponding
desire from many vendors to make their involvement in OpenStack as
obvious as possible leads to a bit of a "me too" situation whenever
we create public lists of organizations. I'm all for making our
stakeholder *criteria* clearly documented, but worry that turning
the list of who gets advance notification of embargoed vulnerability
fixes into a public roster will put undue pressure on vendors to be
seen as one of the "privileged few" (creating additional work for
the VMT and potentially resulting in downstream stakeholders who
don't actually intend to make use of the notification and so
needlessly increase the risk of leaks and premature disclosure).

An alternative solution we've discussed to make reaching downstream
stakeholders easier for our developers is adding them to a private
mailing list reserved only for advance notification of embargoed
vulnerability fixes. The VMT could control manual subscription of
new stakeholders and moderate posts to ensure that subsequent
discussion is pushed back to the embargoed bug reports themselves
(we should also probably create a corresponding stakeholders group
in the bug tracker so they can be subscribed to private bugs at the
same time advance notifications are sent, and start including the
bug links in those downstream notifications).
-- 
Jeremy Stanley