[Openstack-security] Fwd: [openstack-dev] [Nova] Security vulnerability contacts

Sriram Subramanian sriram at sriramhere.com
Tue Nov 19 06:17:02 UTC 2013


OK, makes sense. I thought that soon we would be doing (2) too. But it makes
sense now. Thanks!


On Mon, Nov 18, 2013 at 10:06 PM, Bryan D. Payne <bdpayne at acm.org> wrote:

> Sriram,
>
> There is a difference.
>
> OSSG is looking to groom people to help improve the security of the
> projects by (1) being an active developer on the project, and (2) providing
> a security voice for issues that come up on the project (think
> architectural / design issues).  This is all about being proactive about
> improving the security of the codebase through best practices.
>
> VMT is looking for each project to pick some people from the core devs to
> help triage and fix reported security vulnerabilities.  That is what
> Russell is talking about in this thread.
>
> To put it another way.  If OSSG does its job well, then there will be
> less work for VMT :-)
>
> Cheers,
> -bryan
>
> On Mon, Nov 18, 2013 at 10:00 PM, Sriram Subramanian <
> sriram at sriramhere.com> wrote:
>
>> Dear OSSG,
>>
>> I am seeing some kind of duplication of efforts here or did I miss
>> something? My understanding was, we were also looking for people with
>> strong project expertise to be security reviewers. This call for volunteers
>> appears to be the same. What am I missing here?
>>
>> thanks,
>> -Sriram
>>
>> ---------- Forwarded message ----------
>> From: Jeremy Stanley <fungi at yuggoth.org>
>> Date: Mon, Nov 18, 2013 at 12:20 PM
>> Subject: Re: [openstack-dev] [Nova] Security vulnerability contacts
>> To: openstack-dev at lists.openstack.org
>>
>>
>> On 2013-11-18 11:27:28 -0800 (-0800), Sriram Subramanian wrote:
>> > Thanks for the initiative. We at the OpenStack Security Group are
>> > doing large part of these tasks now and are looking for more help
>> > (particularly around reviews from people that are intimate to the
>> > project internals). Here are some pointers on how to get involved.
>> > You probably are inviting more volunteers for OSSG, I am just
>> > trying to make it clearer. If not, we need to work to make sure
>> > the efforts are aligned and not duplicated.
>>
>> As I understood his initial E-mail, he's looking for experienced
>> Nova core reviewers with some background in security so that the
>> vulnerability management team can use them as an initial point of
>> contact to help develop, backport or review proposed fixes for
>> embargoed security vulnerabilities prior to their announcement.
>>
>> Note that this is not something we're (VMT hat on) only seeking from
>> Nova. All the official OpenStack projects which receive security
>> support are strongly encouraged to groom core security
>> developers/reviewers so that we can have some redundancy and
>> additional bandwidth on those sorts of interactions (rather than now
>> where we usually just contact the PTL and hope he/she is around). As
>> discussed at the summit, we're going to work on putting together a
>> more detailed prerequisites list for determining whether a given
>> project is under security support.
>>
>>     https://etherpad.openstack.org/p/IcehouseVMT
>> --
>> Jeremy Stanley
>>
>>
>> --
>> Thanks,
>> -Sriram
>>
>>
>


-- 
Thanks,
-Sriram