[Openstack-security] Fwd: [openstack-dev] [Nova] Security vulnerability contacts

Bryan D. Payne bdpayne at acm.org
Tue Nov 19 06:06:31 UTC 2013


Sriram,

There is a difference.

OSSG is looking to groom people to help improve the security of the
projects by (1) being an active developer on the project, and (2) providing
a security voice for issues that come up on the project (think
architectural / design issues).  This is all about being proactive about
improving the security of the codebase through best practices.

VMT is looking for each project to pick some people from the core devs to
help triage and fix reported security vulnerabilities.  That is what
Russell is talking about in this thread.

To put it another way.  If OSSG does its job well, then there will be less
work for VMT :-)

Cheers,
-bryan

On Mon, Nov 18, 2013 at 10:00 PM, Sriram Subramanian
<sriram at sriramhere.com> wrote:

> Dear OSSG,
>
> I am seeing some kind of duplication of efforts here, or did I miss
> something? My understanding was that we were also looking for people with
> strong project expertise to be security reviewers. This call for volunteers
> appears to be the same. What am I missing here?
>
> thanks,
> -Sriram
>
> ---------- Forwarded message ----------
> From: Jeremy Stanley <fungi at yuggoth.org>
> Date: Mon, Nov 18, 2013 at 12:20 PM
> Subject: Re: [openstack-dev] [Nova] Security vulnerability contacts
> To: openstack-dev at lists.openstack.org
>
>
> On 2013-11-18 11:27:28 -0800 (-0800), Sriram Subramanian wrote:
> > Thanks for the initiative. We at the OpenStack Security Group are
> > doing a large part of these tasks now and are looking for more help
> > (particularly around reviews from people that are intimate with the
> > project internals). Here are some pointers on how to get involved.
> > You probably are inviting more volunteers for OSSG; I am just
> > trying to make it clearer. If not, we need to work to make sure
> > the efforts are aligned and not duplicated.
>
> As I understood his initial E-mail, he's looking for experienced
> Nova core reviewers with some background in security so that the
> vulnerability management team can use them as an initial point of
> contact to help develop, backport or review proposed fixes for
> embargoed security vulnerabilities prior to their announcement.
>
> Note that this is not something we're (VMT hat on) only seeking from
> Nova. All the official OpenStack projects which receive security
> support are strongly encouraged to groom core security
> developers/reviewers so that we can have some redundancy and
> additional bandwidth on those sorts of interactions (rather than now
> where we usually just contact the PTL and hope he/she is around). As
> discussed at the summit, we're going to work on putting together a
> more detailed prerequisites list for determining whether a given
> project is under security support.
>
>     https://etherpad.openstack.org/p/IcehouseVMT
> --
> Jeremy Stanley
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
> --
> Thanks,
> -Sriram
>
> _______________________________________________
> Openstack-security mailing list
> Openstack-security at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>
>