[Openstack-security] Security Note (OSSN) Process

Daniel P. Berrange berrange at redhat.com
Mon Jan 20 16:45:31 UTC 2014


On Mon, Jan 20, 2014 at 04:37:55PM +0000, Clark, Robert Graham wrote:
> 
> Thanks Daniel, I think you raise some good points but perhaps you are 
> blurring the lines between security notes (OSSN) and security 
> advisories (OSSA) a little too much.  It's worth keeping in mind that 
> we are not talking about how OpenStack handles security advisories, we 
> are talking about OpenStack Security Notes that provide guidance around 
> configuration and software choices that have potential security impact 
> to OpenStack deployments.
> 
> ( fwiw I think that OSSAs probably should be published in CVRF 1.1 )
> 
> In many cases we won't have metadata such as 'reported date,' a 'fix 
> commit', or even a 'broken in' date. Often we are not talking about 
> specific defects but potential bad combinations of software, bad 
> configurations (user end) etc. In fact we are almost never referring 
> directly to a vulnerability in the OpenStack framework with an OSSN.
> 
> We don't have the same downstream consumers of OSSNs that libvirt LSNs 
> or for that matter, that OpenStack OSSAs have. We don't necessarily 
> need a format that's easily machine read - OSSNs are usually very 
> subjective and require the reader to make an evaluation on the impact 
> to their deployment. (I suppose I can see an opportunity for some 
> future project that makes use of OSSNs as part of an automated 
> checklist for an OpenStack deployment, but OSSNs are so broad that 
> almost every one would be liable to generate false positives.) I'm not 
> completely against having a machine readable format that can be parsed 
> out into various languages but I think it might be a bit over-the-top 
> for what our requirements are.
> 
> Your offer to relicense the scripts etc that are used by the libvirt 
> project is greatly appreciated, having tooling available significantly 
> lowers the bar in terms of adopting it, I think perhaps this is 
> something that we should consider discussing at the weekly security 
> meeting.

Doh, I was in fact mixing up OSSNs and OSSAs. As you say, OSSNs obviously
don't require the same level of detail for metadata. I do wonder, however,
if there is some value in using related data formats for both? e.g. perhaps
an OSSN could use the same core schema as OSSAs, but with a number of the
metadata pieces omitted, so similar tools could deal with both types of
document more easily?

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
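The shared-schema idea above (one core set of fields for both document types, with the advisory-only metadata such as 'reported date', 'fix commit' and 'broken in' optional so a single tool can load OSSNs and OSSAs alike) can be shown in working code. The following is an added example written for this page; it is not code from Daniel, libvirt, or the OpenStack security group, and the plain "Key: value" header layout, the field names, the document kinds and the sample documents are all assumptions chosen for illustration.

```python
"""Hypothetical shared schema for OSSA and OSSN documents (added example).

Both kinds share a core set of headers; the advisory metadata fields are
optional in the schema but enforced when the document declares itself an OSSA.
The header layout and field names are assumptions, not an OpenStack format.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Fields every document must carry, regardless of kind.
CORE_FIELDS = ("id", "kind", "title", "summary")
# Fields only advisories (OSSA) are required to carry; notes (OSSN) may omit them.
OSSA_METADATA = ("reported_date", "fix_commit", "broken_in")


@dataclass
class SecurityDocument:
    id: str
    kind: str                 # "OSSA" or "OSSN"
    title: str
    summary: str
    reported_date: Optional[date] = None
    fix_commit: Optional[str] = None
    broken_in: Optional[str] = None


class SchemaError(ValueError):
    """Raised when a document does not satisfy the shared schema."""


def parse_document(text):
    """Parse a 'Key: value' header block, a blank line, then free-text summary."""
    headers = {}
    body = []
    in_body = False
    for line in text.splitlines():
        if in_body:
            body.append(line)
        elif not line.strip():
            in_body = True            # first blank line ends the header block
        elif ":" in line:
            key, _, value = line.partition(":")
            headers[key.strip().lower().replace(" ", "_")] = value.strip()
        else:
            raise SchemaError("malformed header line: %r" % line)
    headers["summary"] = "\n".join(body).strip()

    missing = [f for f in CORE_FIELDS if not headers.get(f)]
    if missing:
        raise SchemaError("missing core fields: %s" % ", ".join(missing))
    kind = headers["kind"].upper()
    if kind not in ("OSSA", "OSSN"):
        raise SchemaError("unknown document kind %r" % kind)
    if kind == "OSSA":
        # Advisories must carry the defect metadata; notes are allowed to omit it.
        missing = [f for f in OSSA_METADATA if not headers.get(f)]
        if missing:
            raise SchemaError("OSSA missing metadata: %s" % ", ".join(missing))

    reported = headers.get("reported_date")
    return SecurityDocument(
        id=headers["id"],
        kind=kind,
        title=headers["title"],
        summary=headers["summary"],
        reported_date=date.fromisoformat(reported) if reported else None,
        fix_commit=headers.get("fix_commit"),
        broken_in=headers.get("broken_in"),
    )


def check_document(text):
    """Return None if the document validates, otherwise the schema error message."""
    try:
        parse_document(text)
    except SchemaError as exc:
        return str(exc)
    return None


# Constructed sample documents; the IDs, dates and commit are placeholders.
OSSA_EXAMPLE = """\
ID: EXAMPLE-OSSA-1
Kind: OSSA
Title: Example advisory (constructed sample, not a real advisory)
Reported date: 2014-01-10
Fix commit: 0123abcd
Broken in: 2013.2

Constructed summary text for the example advisory.
"""

OSSN_EXAMPLE = """\
ID: EXAMPLE-OSSN-1
Kind: OSSN
Title: Example note on a risky configuration choice (constructed sample)

Constructed guidance text with no reported date, fix commit or broken-in version.
"""

OSSA_MISSING_METADATA = """\
ID: EXAMPLE-OSSA-2
Kind: OSSA
Title: Advisory that forgot its fix commit (constructed sample)
Reported date: 2014-01-12
Broken in: 2013.2

Constructed summary text.
"""

if __name__ == "__main__":
    for sample in (OSSA_EXAMPLE, OSSN_EXAMPLE, OSSA_MISSING_METADATA):
        print(check_document(sample) or "ok: " + parse_document(sample).id)
```

The same parser loads both kinds; the only kind-specific logic is the metadata requirement applied when `Kind` is OSSA, which is what lets one set of tooling handle both document types while still rejecting an advisory that omits its defect metadata.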
