[all][security-sig][meta-sig] Forum summary: Expose SIGs and WGs

Adam Spiers aspiers at suse.com
Wed Dec 12 13:20:44 UTC 2018


Matt Riedemann <mriedemos at gmail.com> wrote: 
>On 12/3/2018 11:42 AM, Rico Lin wrote: 
>>We also have some real story (Luzi's story) for people to get a 
>>better understanding of why current workflow can look like for 
>>someone who tries to help. 
>
>I looked over the note on this in the etherpad. 

Me too - in case anyone missed the link to this initiative around 
image encryption, it's near the bottom of: 

    https://etherpad.openstack.org/p/expose-sigs-and-wgs

And BTW it sounds like a really cool initiative to me!  In fact I 
think it could nicely complement the work I am doing on adding AMD SEV 
support to nova: 

    https://review.openstack.org/#/c/609779/

>They did what they 
>were asked and things have stalled. At this point, I think it comes 
>down to priorities, and in order to prioritize something big like this 
>that requires coordinated work across several projects, we are going 
>to need more stakeholders coming forward and saying they also want 
>this feature so the vendors who are paying the people to work upstream 
>can be given specific time to give this the attention it needs. And 
>that ties back into getting the top 1 or 2 wishlist items from each 
>SIG and trying to sort those based on what is the highest rated most 
>common need for the greatest number of people - sort of like what we 
>see happening with the resource delete API community wide goal 
>proposal.

Agreed.  The Security SIG sounds like a natural home for it.  I'm going 
to wildly speculate that maybe part of the reason it stalled is that it 
was perceived as coming from a couple of individuals rather than a SIG. 
If the initiative had been backed by the Security SIG as something worth 
prioritising, then maybe it could have received wider attention. 

Also maybe copying a couple of tricks from the Self-healing SIG might 
(or might not) help.  Firstly, try to find one or two security-minded 
people from each involved project who are willing to act as liaisons 
with the Security SIG: 

    https://wiki.openstack.org/wiki/Self-healing_SIG#Project_liasons

Those people won't necessarily need to commit any time to development 
themselves, but hopefully they could volunteer to review specs 
specific to their project, and later patches too. 

Secondly, track all work on StoryBoard so that the current status is 
always clearly visible. 

A couple of other things struck me about this initiative: 

  - They were requested to propose separate specs for each involved
    project (Nova, Cinder and Glance in this case).  This resulted in
    quite a bit of duplication between the specs, but maybe that was
    unavoidable.

  - The question where to put the shared encryption and decryption code
    remained unresolved, even though of the three options proposed, only
    the oslo option had no cons listed:

       https://etherpad.openstack.org/p/library-for-image-encryption-and-decryption

    oslo seems like a natural place to put it, so maybe the solution is
    to submit this spec to oslo?

    Although if the initiative was hosted by the Security SIG, then as
    a last resort the SIG could set up a git repository to host the
    code, at least as a temporary measure.
