[Openstack-security] Security Note (OSSN) Process

Grant Murphy gmurphy at redhat.com
Tue Jan 14 00:27:30 UTC 2014



On Mon, 2014-01-13 at 08:24 -0800, Nathan Kinder wrote:
> Hi,

Hi Nathan,

> 
> I have started to put together a wiki page skeleton outlining the
> process to follow when writing a new Security Note (OSSN).  I think it's
> far enough along to share.  Any feedback and suggestions would be
> appreciated!  The new page is available here:
> 
>     https://wiki.openstack.org/wiki/Security/Security_Note_Process
> 
> There are a few things that I think need to be added or clarified:
> 
> - Do we want to change the numbering scheme?  We've discussed using
> something similar to the OSSA numbering scheme (YYYY-XX).  This would be
> an improvement over what we currently use (Launchpad bug #).
> 

I have no strong opinion about a numbering system. My only concern would
be if people get confused about the difference between an OSSA and an
OSSN. One thing I would like to start doing is to track OSSA & OSSN in a
more 'computer friendly' format. For example, rubysec keeps advisories in
GitHub in YAML format. This allows tooling to be built around ensuring
deployments are secure, and also allows us to see trends in what we are
getting wrong as developers.



> - When is a CVE needed, and how is CVE filing handled?  Should we
> consult with the VMT team and let them make the determination?
> 

The VMT process is documented here:
https://wiki.openstack.org/wiki/VulnerabilityManagement

Anything that is considered a vulnerability should be reported to the
VMT. If it is deemed that a CVE is not warranted, an OSSN may be issued.


HTH

- Grant.


> Thanks,
> -NGK
> 
> 
> _______________________________________________
> Openstack-security mailing list
> Openstack-security at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
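The following is an added example, not code from this thread, from OpenStack, or from rubysec. It illustrates the point Grant raises about keeping advisories in a machine-readable format: once each OSSA/OSSN is a structured record with an explicit kind, affected component and version range, a small script can check a deployment against the feed and aggregate weakness categories to spot trends. The records, field names (`kind`, `component`, `affected`, `fixed_in`, `weakness`), advisory ids and version numbers below are constructed placeholders and do not reproduce the rubysec schema or any real advisory.

```python
"""Check a deployment against a machine-readable advisory feed.

Added example; the feed below is constructed for illustration and the
schema is an assumption, not the rubysec or OpenStack format.
"""
from collections import Counter

# Constructed sample feed. In practice each record would live in its own
# YAML file in a repository; here they are inline dicts so this runs offline.
# The "kind" field makes the OSSA / OSSN distinction explicit for tooling.
ADVISORIES = [
    {"id": "OSSA-EXAMPLE-0001", "kind": "OSSA", "component": "keystone",
     "affected": [("2013.1", "2013.2.1")], "fixed_in": "2013.2.2",
     "weakness": "authentication"},
    {"id": "OSSN-EXAMPLE-0002", "kind": "OSSN", "component": "nova",
     "affected": [("2013.1", "2013.2")], "fixed_in": None,
     "weakness": "insecure-default"},
    {"id": "OSSA-EXAMPLE-0003", "kind": "OSSA", "component": "glance",
     "affected": [("2012.2", "2013.1.3")], "fixed_in": "2013.1.4",
     "weakness": "input-validation"},
    {"id": "OSSN-EXAMPLE-0004", "kind": "OSSN", "component": "keystone",
     "affected": [("2012.1", "2013.2.9")], "fixed_in": None,
     "weakness": "insecure-default"},
]


def parse_version(version):
    """Turn a dotted numeric version ("2013.2.1") into a comparable tuple.

    Only dotted integers are supported; anything else is rejected rather
    than silently mis-ordered, which would make a checker lie.
    """
    parts = version.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("unsupported version string: %r" % version)
    return tuple(int(p) for p in parts)


def is_affected(version, ranges):
    """True if version falls inside any inclusive (low, high) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)


def affected_advisories(deployed, advisories=ADVISORIES):
    """Return ids of advisories that apply to the deployed versions.

    deployed maps component name -> installed version string.
    """
    hits = []
    for adv in advisories:
        installed = deployed.get(adv["component"])
        if installed is None:
            continue  # component not deployed, advisory not applicable
        if is_affected(installed, adv["affected"]):
            hits.append(adv["id"])
    return hits


def exposure_by_kind(deployed, advisories=ADVISORIES):
    """Group applicable advisory ids by kind (OSSA vs OSSN)."""
    by_id = {adv["id"]: adv["kind"] for adv in advisories}
    grouped = {}
    for adv_id in affected_advisories(deployed, advisories):
        grouped.setdefault(by_id[adv_id], []).append(adv_id)
    return grouped


def weakness_trend(advisories=ADVISORIES):
    """Count advisories per weakness category: the 'what are we getting
    wrong' view that a structured feed makes cheap to produce."""
    return Counter(adv["weakness"] for adv in advisories)


if __name__ == "__main__":
    # Constructed deployment inventory for the demonstration run.
    deployment = {"keystone": "2013.2.1", "nova": "2013.2.5", "glance": "2013.1.4"}
    print("applicable:", affected_advisories(deployment))
    print("by kind:", exposure_by_kind(deployment))
    print("weakness trend:", dict(weakness_trend()))
```

The checker treats ranges as inclusive and refuses non-numeric version strings instead of guessing, because a tool that reports "not affected" on a version it could not parse is worse than one that fails loudly. Grouping by `kind` is what lets the same feed answer both "which advisories apply to me" and "is this an OSSA or an OSSN" without readers having to infer it from the numbering.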