[openstack-dev] [security] [salt] Removal of Security and OpenStackSalt project teams from the Big Tent

Rob C hyakuhei at gmail.com
Wed Sep 21 12:17:07 UTC 2016

For my part, I missed the elections, that's my bad. I normally put a
calendar item in for that issue. I don't think that my missing the election
date should result in the group being treated in this way. Members of the
TC have contacted me about unrelated things recently, I have always been
available however my schedule has made it hard for me to sift through -dev
recently and I missed the volley of nomination emails. This is certainly a
failing on my part.

It's certainly true that the security team, and our cores tend not to pay
as much attention to the -dev mailing list as we should. The list is pretty
noisy and  traditionally we always had a separate list that we used for
security and since moving away from that we tend to focus on IRC or direct
emails. Though as can be seen with our core announcements etc, we do try to
do things the "openstack way"

However, to say we're not active I think is a bit unfair. Theirry and
others regularly mail me directly about things like rooms for the summit
and I typically respond in good time, I think what's happened here is more
an identification of the fact that we need to focus more on doing things
"the openstack way" rather than being kicked out of the big tent.

We regularly work with the VMT on security issues, we issue large amounts
of guidance on our own, we have been working hard on an asset based threat
analysis process for OpenStack teams who are looking to be security
managed, we've reviewed external TA documentation and recently in our
midcycle (yes, we're dedicated enough to fly to Texas and meet up to work
on such issues) we created the first real set of security documents for an
OpenStack project,  we worked with Barbican to apply the asset based threat
analysis that we'd like to engage other teams in [1], [2]

Here's a couple of the things that we've been doing in this cycle:
* Issuing Security Notes for Glance, Nova, Horizon, Bandit, Neutron and
* Updating the security guide (the book we wrote on securing OpenStack)[4]
* Hosting a midcycle and inducting new members
* Supporting the VMT with several embargoed and complex vulnerabilities
* Building up a security blog[5]
* Making OpenStack the biggest open source project to ever receive the Core
Infrastructure Initative Best Practices Badge[6][7]
* Working on the OpenStack Security Whitepaper [8]
* Developing CI security tooling such as Bandit [9]

We are a very active team, working extremely hard on trying to make one
OpenStack secure. This is often a thankless task, we provide a lot of what
customers are asking for from OpenStack but as we don't drive individual
flagship features our contributions are often overlooked. However, above is
just a selection of what we've been doing throughout the last cycle.

If it's too late for these comments to have an influence then sobeit but
this is failure of appropriate levels of email filtering and perhaps a
highlight of how we need to alter our culture somewhat to partipate more in
-dev in general than it is any indication of a lack of dedication, time,
effort or contribution on the part of the Security Project.  We have
dedicate huge amounts of efforts to OpenStack and to relegate us to a
working group would be massively detrimental for one reason above all
others. We get corporate participation, time and effort in terms of
employee hours and contributions because we're an official part of
OpenStack, we've had to build this up over time. If you remove the Security
Project from the big tent I believe that participation in Security for
OpenStack will drop off significantly.

We are active, we are helping to make OpenStack secure and we (I) suck at
keeping ontop of email. Don't kick us out for that. If needs be we can find
another PTL or otherwise take special steps to ensure that missing
elections doesn't happen.

Apart from missing elections, I think we do a huge amount for the community
and removing us from OpenStack would in no way be beneficial to either the
Security Project or OpenStack as a whole.


[1] https://review.openstack.org/#/c/357978/5
[2] https://etherpad.openstack.org/p/barbican-threat-analysis
[3] https://wiki.openstack.org/wiki/Security_Notes
[4] http://docs.openstack.org/sec/
[5] https://openstack-security.github.io/
[6] https://bestpractices.coreinfrastructure.org/
[8] https://www.openstack.org/software/security/
[9] https://wiki.openstack.org/wiki/Security/Projects/Bandit

On Wed, Sep 21, 2016 at 12:23 PM, Thierry Carrez <thierry at openstack.org>

> Hi everyone,
> As announced previously[1][2], there were no PTL candidates within the
> election deadline for a number of official OpenStack project teams:
> Astara, UX, OpenStackSalt and Security.
> In the Astara case, the current team working on it would like to abandon
> the project (and let it be available for any new team who wishes to take
> it away). A change should be proposed really soon now to go in that
> direction.
> In the UX case, the current PTL (Piet Kruithof) very quickly reacted,
> explained his error and asked to be considered for the position for
> Ocata. The TC will officialize his nomination at the next meeting,
> together with the newly elected PTLs.
> That leaves us with OpenStackSalt and Security, where nobody reacted to
> the announcement that we are missing PTL candidates. That points to a
> real disconnect between those teams and the rest of the community. Even
> if you didn't have the election schedule in mind, it was pretty hard to
> miss all the PTL nominations in the email last week.
> The majority of TC members present at the meeting yesterday suggested
> that those project teams should be removed from the Big Tent, with their
> design summit space allocation slightly reduced to match that (and make
> room for other not-yet-official teams).
> In the case of OpenStackSalt, it's a relatively new addition, and if
> they get their act together they could probably be re-proposed in the
> future. In the case of Security, it points to a more significant
> disconnect (since it's not the first time the PTL misses the nomination
> call). We definitely still need to care about Security (and we also need
> a home for the Vulnerability Management team), but I think the "Security
> team" acts more like a workgroup than as an official project team, as
> evidenced by the fact that nobody in that team reacted to the lack of
> PTL nomination, or the announcement that the team missed the bus.
> The suggested way forward there would be to remove the "Security project
> team", have the Vulnerability Management Team file to be its own
> official project team (in the same vein as the stable maintenance team),
> and have Security be just a workgroup rather than a project team.
> Thoughts, comments ?
> [1]
> http://lists.openstack.org/pipermail/openstack-dev/2016-
> September/103904.html
> [2]
> http://lists.openstack.org/pipermail/openstack-dev/2016-
> September/103939.html
> --
> Thierry Carrez (ttx)
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160921/6beb8f89/attachment.html>

More information about the OpenStack-dev mailing list