[openstack-dev] Security bug in diskimage-builder

Ben Nemec openstack at nemebean.com
Tue May 30 13:43:29 UTC 2017



On 05/30/2017 08:00 AM, Emilien Macchi wrote:
> On Mon, May 29, 2017 at 9:02 PM, Jeremy Stanley <fungi at yuggoth.org> wrote:
>> On 2017-05-29 15:43:43 +0200 (+0200), Emilien Macchi wrote:
>>> On Wed, May 24, 2017 at 7:45 PM, Ben Nemec <openstack at nemebean.com> wrote:
>> [...]
>>>> Emilien, I think we should create a tripleo-coresec group in
>>>> launchpad that can be used for this. We have had
>>>> tripleo-affecting security bugs in the past and I imagine we
>>>> will again. I'm happy to help out with that, although I will
>>>> admit my launchpad-fu is kind of weak so I don't know off the
>>>> top of my head how to do it.
>>>
>>> That or re-use an existing Launchpad group used by OpenStack VMT?
>>
>> The OpenStack VMT doesn't triage bugs for deliverables aside from
>> those tagged with vulnerability:managed in governance. For those we
>> recommend private security bugs only be automatically shared with
>> the openstack-vuln-mgmt team in LP, and then we manually subscribe
>> something-coresec to the report once we're sure it was reported
>> against the correct project. For deliverables without VMT oversight,
>> it makes sense to have private security bugs automatically shared
>> with those something-coresec teams directly.
>>
>> https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html
>
> I created https://launchpad.net/~tripleo-coresec
>
> With me (Pacific Time soon), shardy (Europe), bnemec (East coast) and

If by "coast" you mean the Great Lakes then yes, but I'm in the central 
time zone. ;-)

Thanks for getting this set up, guys.

> fungi (East coast) for now. If we feel like we need more people we'll
> think about it.
> I'll explore Launchpad to see how we can use this group to handle Security bugs.
>
> Thanks,
>
>> --
>> Jeremy Stanley
>>
>>
>
>
>


