[openstack-dev] Security bug in diskimage-builder

Emilien Macchi emilien at redhat.com
Mon May 29 13:43:43 UTC 2017

On Wed, May 24, 2017 at 7:45 PM, Ben Nemec <openstack at nemebean.com> wrote:
> On 05/17/2017 10:46 AM, Jeremy Stanley wrote:
>> On 2017-05-17 15:57:16 +0300 (+0300), George Shuklin wrote:
>>> There is a bug in diskimage-builder; I reported it on 2017-03-10 as
>>> 'private security'. I think this bug is a medium severity.
>>> So far there was no reaction at all. I plan to change this bug to public
>>> security on next Monday. If someone is interested in bumping up CVE count
>>> for DIB, please look at
>>> https://bugs.launchpad.net/diskimage-builder/+bug/1671842 (private-walled
>>> for security group).
>> Thanks for the heads up! One thing we missed in the migration of DIB
>> from TripleO to Infra team governance is that the bug tracker for it
>> was still under TripleO team control (I just now leveraged my
>> OpenStack Administrator membership on LP to fix that), so the bug
>> was only visible to https://launchpad.net/~tripleo until moments
>> ago.
>> That said, a "private" bug report visible to the 86 people who are
>> members of that LP team doesn't really qualify as private in my book
>> so there's probably no additional harm in just switching it to
>> public security while I work on triaging it with the DIB devs.
>> Going forward, private security bugs filed for DIB are only visible
>> to the 18 people who make up the diskimage-builder-core and
>> openstack-ci-core teams on LP, which is still more than it probably
>> should be but it's a start at least.
> Hmm, this points out a valid issue that we don't have a security group for
> tripleo at all.  We use the tripleo group to include basically all tripleo
> developers so it's definitely not appropriate for this purpose.
> Emilien, I think we should create a tripleo-coresec group in launchpad that
> can be used for this.  We have had tripleo-affecting security bugs in the
> past and I imagine we will again.  I'm happy to help out with that, although
> I will admit my launchpad-fu is kind of weak so I don't know off the top of
> my head how to do it.

That or re-use an existing Launchpad group used by OpenStack VMT?

fungi, thoughts?
Emilien Macchi
