[oslo][security-sig] Please revisit your open vulnerability report

Jeremy Stanley fungi at yuggoth.org
Mon Apr 12 16:36:35 UTC 2021


On 2021-03-26 16:52:52 -0500 (-0500), Ben Nemec wrote:
[...]
> I have added the openstack-vuln-mgmt team to most of the Oslo
> projects.

Great, happy to help there.

> I apparently don't have permission to change settings in
> oslo.policy,

This is maintained by oslo-policy-core which has Adam as its owner
and only administrator, so he's currently the only one who can add
more members to that group though any one of the group members could
help us by switching the oslo.core maintainer to some other group
owned by openstack-admins if Adam can't be reached to make
openstack-admins the owner of oslo-policy-core.

> oslo.windows,

Similarly, maintainer is oslo-windows-drivers which has Claudiu as
its owner and only administrator, but the project maintainer could
optionally be adjusted to another group by Alessandro if Claudiu
can't be reached.

> and taskflow,

Maintained by the taskflow-dev group for which Joshua is the owner
and only administrator, but there are a lot of group members one of
whom could switch the project maintainer for you.

> so I will need help with that. After going through all of the
> projects, my guess is that the individual people who have access
> to the private security bugs are the ones who created the project
> in the first place. I guess that's fine, but there's an argument
> to be made that some of those should be cleaned up too.

In all three cases, I expect the people who have access to these are
no longer active in OpenStack, so yes getting them fixed would be a
"good idea."

> I also noticed that oslo-coresec is not listed in most of the
> projects. Is there any sort of global setting that should give
> coresec members access to private security bugs, or do I need to
> add that to each project?

You'd have to add it separately to each of them, yes. Though for any
with VMT oversight, we suggest you not do that and instead let one
of the vulnerability coordinators subscribe your security reviewer
group after we've confirmed the report isn't misdirected at the
wrong project, in order to minimize unnecessary initial spread of
sensitive information.
-- 
Jeremy Stanley