[openstack-dev] [security] Security SIG

Thierry Carrez thierry at openstack.org
Mon Oct 30 13:53:52 UTC 2017


Luke Hinds wrote:
> On Fri, Oct 27, 2017 at 6:08 PM, Jeremy Stanley <fungi at yuggoth.org
> <mailto:fungi at yuggoth.org>> wrote:
> 
>> On 2017-10-27 15:30:34 +0200 (+0200), Thierry Carrez wrote:
>>> [...]
>>> I think the Security project team would benefit from becoming a
>>> proper SIG.
>>> [...]
>> I tend to agree, though it's worth also considering what the
>> implications are for vulnerability management under the new model.
>> The VMT tended to act as an independent task force in the
>> beforetime, until the big t^W^Wproject reform of 2014, and then
>> allied itself with the newly-formed Security Team while continuing
>> operation autonomously under a fairly independent mandate. Does this
>> still make sense in a Security SIG context, or should we be
>> considering alternative (perhaps more formal?) governance for the
>> VMT in that scenario? I don't have especially cogent thoughts around
>> this yet, so interested to hear what others in the community think. 

So the activity of the Security project team can be split into a number
of things:

- Security advisories for supported projects (ossa by the VMT subteam)
- General security notices / information (ossn)
- Promotion of secure coding practices (bandit, syntribos)
- Promotion of secure operations (security-doc, anchor)
- Audit activities (security-analysis)

The only thing here that is not performed by an open group is the VMT
stuff. It also happens to be the most "upstream" of all the team
activity: it's closely related to stable branch maintenance.

Personally I think the VMT would be better split off from a Security SIG
-- it's suboptimal to have a part of a SIG to be a restricted group. It
could be made it's own team, or attached to an existing group (stable
branch maintenance) or converted to a TC-owned "workgroup" (a TC
delegation of power, like it's always been).

> We discussed the SIG proposal on the security meeting and I planned to
> invite you in for a session to discuss Thierry (apologies for being late
> for getting this together). 
> 
> Overall folks thought it an idea worth while enough to explore further.
> 
> My own view is that if its leads to getting more eyes on security, then
> its a good thing. With that in mind, I had the idea that we could run a
> "Security SIG" in parallel to the security project and see if it gains
> traction and security minded people from the wider community do actually
> come forward to get involved and merit the change worth while (and it's
> not just the Security Project rearranging the furniture). We could then
> review how its gone at the end of the Queens cycle and if a success (not
> sure how we would define that as yet), then implement the change at the
> juncture of a new release.

Sure, we can definitely try it out and keep the project team around
while we try. The only issue I see with that approach is that it's a bit
confusing, and not as strong of a statement compared to saying "all the
security activity now happens there". But if you feel more comfortable
that way, we can definitely follow that road.

-- 
Thierry Carrez (ttx)



More information about the OpenStack-dev mailing list