[security-sig][ironic] Ironic + the VMT

Jeremy Stanley fungi at yuggoth.org
Mon Feb 27 18:17:22 UTC 2023


On 2023-02-27 08:16:50 -0800 (-0800), Jay Faulkner wrote:
[...]
> Is there any reason Ironic should not be vulnerability-managed? Is the
> security team willing to have us?

As long as you make sure you're good with this checklist, just
propose the specific repositories in question as an update to the
top section of the document (in openstack/ossa):

https://security.openstack.org/repos-overseen.html#requirements

> The only potential complication is that Ironic may receive reports
> for vendor libraries used by Ironic but not maintained by
> Ironic -- I was hoping there might already be some historical
> precedent for how we handle those; it can't be that unique to
> Ironic.
[...]

    2. The VMT will not track or issue advisories for external
    software components. Only source code provided by official
    OpenStack project teams is eligible for oversight by the VMT.
    For example, base operating system components included in a
    server/container image or libraries vendored into compiled
    binary artifacts are not within the VMT’s scope.

Receiving bug reports about such things is fine, but the VMT doesn't
coordinate those reports nor issue official security advisories
about them since they need fixing by their upstream maintainers with
whom we have no direct relationship. You can still propose security
notes urging operators to update software in those situations, if it
seems appropriate to do so:

https://wiki.openstack.org/wiki/Security_Notes

-- 
Jeremy Stanley