[Openstack-security] Fwd: Adding 'SecurityImpact' tag to OpenStack Blue prints

Bryan D. Payne bdpayne at acm.org
Fri Aug 30 15:25:24 UTC 2013


>> That's certainly not true of every project.  I wouldn't want to start
>> doing it for nova, either.  It seems like completely unnecessary
>> duplication.
>
> The distinction we are making on Keystone is that the Bug describes the
> problem, and the Blueprint describes a solution.  It allows vetting
> competing solutions for the same issue at design time.

Based on this conversation, I'd say that *if* projects use this method of
Bug + Blueprint(s), then tagging the bugs for security impact seems
reasonable and is a nice way to start engaging the security community at
this earlier stage in the process.  In short, please tag away (as
appropriate)!

For the remaining projects, we can continue to think about this and find
ways to engage the security community with those as well.  One thing that
can always be done is to have someone on the project simply contact this
mailing list and ask for eyes / help.  A manual process, while not perfect,
is certainly better than no process at all.

Cheers,
-bryan