Open Stack

On 2019-02-20 19:36:28 +0100 (+0100), Sylvain Bauza wrote:
[...]
> The last item is interesting, because the OIP draft at the moment
> shows more technical requirements than the Foundation ones. For
> example, VMT is - at the moment I'm writing those lines - quoted
> as a common best practice, which is something we don't ask for our
> projects. That's actually a good food for thoughts : security is
> crucial and shouldn't be just a tag [3]. OpenStack is mature and
> it's our responsibility to care about CVEs.
[...]

Leaving aside the assertion that "caring about CVEs" is the same
thing as caring about security, it's worth mentioning that the
centralized OpenStack VMT doesn't (and can't) easily scale. It
publishes a set of guidelines, process documents and templates which
any team can follow to achieve similar results, but the governance
tag we have right now serves mostly to set the scope of the
centralized VMT (and in turn expresses some fairly strict criteria
for expanding that scope to indicate direct oversight of more
deliverables).

I'm open to suggestions for how the OpenStack TC can better promote
good security practices within teams. I have some thoughts as well,
though it probably warrants a separate thread at a later date when I
have more time to assemble words on the subject.
-- 
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190225/ce32ff57/attachment.sig>