[Openstack-security] OpenStack Security Group representation to the VMT

Thierry Carrez thierry at openstack.org
Wed Nov 20 11:02:25 UTC 2013


Jeremy Stanley wrote:
> If this is something the community is keen on, we can discuss
> options within the VMT to enact a policy change like this (comments,
> Thierry? Mikal?).

I would really like to get to the point where we can have at least a
target time-to-fix based on the vulnerability severity (like "High
should be fixed and pushed out in less than 20 days"). That way we can
at least measure how well or badly we are doing. The key to that, IMHO,
is to have someone whose *primary* job is to make sure we reach those
objectives: a security coordinator. I'm confident we'll soon have the
resources to make that happen.

And before anyone says "hey, I can help", please consider that it's an
extremely specific and time-consuming job. I'd definitely consider new
candidates, but we have had a number of people trying to help the VMT in
the past and most of them failed to handle more than one vulnerability
over the course of their involvement... so I'm getting picky. People
with open source SRT experience are definitely preferred, since they
know what this thankless job is about :)

> Keep in mind, however, that we don't delay
> advisories and fixes at the request of an outside party or for
> public image reasons. [...]

Right, the current policy is a middle ground reflecting what our
community is capable of delivering. As we improve on that we'll be able
to cover a larger scope and have more aggressive deadlines... but there
is no point in promising things that our community isn't capable of
delivering.

-- 
Thierry Carrez (ttx)
