[openstack-dev] [security] [telemetry] How to handle security bugs

Ian Cordasco sigmavirus24 at gmail.com
Tue Jan 17 14:53:09 UTC 2017


On Tue, Jan 17, 2017 at 8:02 AM, Julien Danjou <julien at danjou.info> wrote:
> On Tue, Jan 17 2017, Adam Heczko wrote:
>
>> Hi Julien, I think that you should follow this [1] workflow.
>>
>> TL;DR: Pls make sure that if the bug is serious make it private on LP so
>> that only core team members can access it and propose patches. Please do
>> not send patches to Gerrit review queue but rather attach it to LP bug
>> ticket and discuss there. Contact VMT members to get more details on how to
>> get Telemetry project covered by VMT.
>>
>> [1] https://security.openstack.org/vmt-process.html
>
> IMHO that's a problem. The page is so long and the process so complex
> that if nobody has the time to do all of that, it'll never be fixed or
> I'll just send the patch to Gerrit to get it fixed and be done with it.
>
> At first glance Telemetry matches all requirements to get covered by
> VMT. IIRC last time we asked for it we got punted because there was
> already too much work for the VMT team. But if that's possible, we'd be
> glad to apply again. :-)

Or, perhaps the last time people complained that the process
documentation was too detailed and the telemetry project decided it
didn't want to have to follow it? If that's the case, following the
embargoed procedures might not be what you want as a project. At that
point, you don't need to work with the VMT and you can immediately
open the bug to start collaborating on Gerrit. You of course open up
all of your deployers to being targeted, but that's the project's call
in the end I guess.

I would think that if you want the "vulnerability:managed" tag, you
might be willing to follow the process outlined. Perhaps it's verbose,
but it is verbose for good reason. OpenStack's handling of embargoed
issues is pretty much as good as it gets for a project the size of
OpenStack. It benefits deployers and users by making the issue AND the
fix known at the same time which gives deployers the ability to
immediately consume the fix.

-- 
Ian Cordasco
