[Openstack-security] Vulnerability Database / API

Matt Joyce matt.joyce at cloudscaling.com
Tue Apr 23 21:18:38 UTC 2013


So I talked about this during the summit.

But my plan for this release is to build out a vulnerability database.

I put some more descriptive info on that work effort here:

http://secstack.org/2013/04/havana/

I don't have anything blueprint worthy yet.  Right now I am working on
setting up a schema for datasets.  When I have that laid out I'll ping the
list again looking for input and I'll probably start building wiki space
out on the openstack wiki at that time.

Right now I am doing dataset collection and investigation to help me design
an extensible schema.

The ultimate goal is to have a database of vulnerability information that
tracks openstack core, openstack candidates, and secondary dependency
vulnerabilities.

Then we can provide a REST API for interfacing with that database.

This should allow deployers and packaging at distributors (redhat,
cloudscaling, etc.) to poll as a gate test against the db for possible
vulnerabilities applicable to them.

There are some fundamental questions about scope of what data to include.
It can get dicey when we start talking about redhat specific
vulnerabilities and nebula or piston specific vulnerabilities.

So I'd love to hear thoughts on that.

Anyways.  I am already working on schemas.  I'll post updates shortly.

Just wanted to keep the list in the loop.  Not everyone is at the summit.

-Matt Joyce