Open Stack

On 21 September 2016 at 19:20, Chivers, Doug <doug.chivers at hpe.com> wrote:

> My concern is with the original wording “The suggested way forward there
> would be to remove the "Security project team"”.
>
> This seems like a move to instantly reduce investment in OpenStack
> security, because the majority of members of the Security Project are
> corporately funded, which will be significantly impacted by the removal of
> the security project. I have no knowledge over the difference between a
> working group and a project, like everyone else on the project we are
> simply here to contribute to OpenStack security, drive innovation in
> security, deliver documentation like OSSNs, etc, rather than get involved
> in the politics of OpenStack.
>
> In response to the various questions of why no-one from our project
> noticed that we didn’t have a nomination for the PTL, we assumed that was
> taken care of. Realistically maybe two or three people on the security
> project have the availability to be PTL, one being our current PTL, for all
> the rest of us its simply not a concern until we need to vote.
>
> On a personal note, reading –dev is unfortunately a lower priority than
> designing architectures, responding to customers and sales teams, closing
> tickets, writing decks and on the afternoon or so I can spend each week,
> working on my upstream projects (this week it was:
> https://review.openstack.org/#/c/357978/5 - thanks to the Barbican team
> for all their work). Possibly this is wrong, but I didn’t sign up as a
> contributor to spend all my spare time reading mailing lists.
>
>
<SNIP>

Honestly, I can only echo this.  I've been around the OSSP(G) since 2013,
but only really been active in the last 18 months or so.  It's been pretty
clear that when Security moved from a Group to a Project, investment
towards security grew dramatically.

The meetings are well run with real objectives achieved with members
focused on constant outreach to other projects.  For reference, the email
that started this thread was picked up and discussed by some members of the
OSSP within *minutes* of it being sent... and those people were pretty
outraged.

I'm sure it wasn't intended, but the original email could be read as quite
insulting.. "That points to a real disconnect between those teams and the
rest of the community".  I think this is an unfair statement based on
minimal observation of a point of order.

The OSSP spends a significant amount of its time on outreach, which is the
whole underlying principle of the project.  This can be seen with efforts
such as bandit gate coverage, Threat Analysis and OSSN's.

Further, reducing the summit timetable for Security and "have Security be
just a workgroup".. really sends the wrong message about Security being a
first class citizen in OpenStack.

OSSP ticks all the 4 opens, and stating that "The leadership is chosen by
the contributors to the project".. it is convention that a nomination email
is sent to -dev, but that shouldn't be assumed that the contributors have
not considered their leader.

I think people working on the OSSP assumed it would be Rob again, and were
happy with this.  It isn't because of lack of community engagement or
interest IMO.

So.. other than someone failing to nominate for PTL in the time-frame, what
else justifies the statement of "points[ing] to a real disconnect between
those teams and the rest of the community".. or shows that OSSG no longer
meets the 4 opens?

--
Kind Regards,
Dave Walker
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160921/357d88ab/attachment.html>