Open Stack

Hi Jeremy,

Thanks for reply. I have already fixed that vulnerability and fix patch was merged into OpenStack project. In that case, patch review was held in public even that patch was related to vulnerability fix.
What I would like to say is following:

"I think it's good idea to add policy to OpenStack security document[1]. That policy is OpenStack community is encouraged to be open to handle vulnerability which needs fix both in OpenStack code and vendor library code if that vendor library takes good role in that OpenStack project."

Above idea comes because when I consulted OpenStack project member about vulnerability fix whose root cause is in vendor library but both OpenStack code and vendor library, member was not open to collaborate working on vulnerability.
Is such addition to OpenStack security document reasonable? I ask this because there was discussion, in my colleague team, about there is no explicit description to openness to working on such situation in OpenStack doc.

Regards,
Vanou

[1] https://security.openstack.org

-----Original Message-----
From: Jeremy Stanley <fungi at yuggoth.org> 
Sent: Tuesday, April 18, 2023 11:46 PM
To: openstack-discuss at lists.openstack.org
Cc: Ishii, Vanou/石井 伴旺 <ishii.vanou at fujitsu.com>
Subject: Re: [security-sig] Ask base recommendation for handling vulnerability which affects both OpenStack code and vendor code

[I'm Cc'ing you since you don't appear to be subscribed to openstack-discuss, but please reply to the list rather than to me directly.]

On 2023-04-18 12:42:46 +0000 (+0000), Vanou Ishii (Fujitsu) wrote:
[...]
> In the past, I faced situation to handle vulnerability in which cause 
> of vulnerability is in vendor library but, to handle vulnerability, 
> both OpenStack code and vendor library code should be modified. To 
> handle this, I consulted community member and asked them to coordinate 
> to fix vulnerability in private way (i.e.
> review patch and prepare commit in not public but private as usual 
> security handling manner). However member are not willing to working 
> on together because cause of vulnerability is in vendor provided 
> library. I felt it’s better for community to, at least, be open to 
> working on such vulnerability because that policy may benefit 
> community. So I think it’s better to include policy in VMT document[1] 
> like “Community is encouraged to make effort to be open to handling 
> vulnerability in which both OpenStack community code and vendor 
> provided code should be modified”.
> 
> How do you think about this?
[...]

I think it depends a great deal on the specifics of the bug and the proposed solution. OpenStack has backport policies which attempt to avoid introducing regressions or disruptive behavior changes in stable branches, so there are limits as to what can be changed through the backporting process. For fixing in the version of OpenStack services under development (currently 2023.2 "bobcat"), there is more leniency but it's still up to the core reviewers of that project as to what sorts of solutions they're willing to incorporate into their software in order to cater to changes in externally-developed device drivers.

It sounds like you have a security vulnerability in a device driver, and fixing it will also require some changes to an OpenStack service, is that correct? If so, follow the recommended reporting process[*] ideally opening a bug in Launchpad or creating a story in StoryBoard depending on where that project's defect tracking is managed. If the affected repository is not officially overseen[**] by the OpenStack Vulnerability Management Team, you can still explicitly subscribe them (~openstack-vuln-mgmt in Launchpad or openstack-security in StoryBoard) and we'll try to assist with coordination on a best effort basis.

[*] https://security.openstack.org/#how-to-report-security-issues-to-openstack
[**] https://security.openstack.org/repos-overseen.html
--
Jeremy Stanley