[Openstack-security] Security Note (OSSN) Process
Daniel P. Berrange
berrange at redhat.com
Mon Jan 20 16:45:31 UTC 2014
On Mon, Jan 20, 2014 at 04:37:55PM +0000, Clark, Robert Graham wrote:
>
> Thanks Daniel, I think you raise some good points but perhaps you are
> blurring the lines between security notes (OSSN) and security
> advisories (OSSA) a little too much. It's worth keeping in mind that
> we are not talking about how OpenStack handles security advisories, we
> are talking about OpenStack Security Notes that provide guidance around
> configuration and software choices that have potential security impact
> to OpenStack deployments.
>
> (FWIW, I think that OSSAs probably should be published in CVRF 1.1.)
>
> In many cases we won't have metadata such as a 'reported date,' a 'fix
> commit', or even a 'broken in' date. Often we are not talking about
> specific defects but potential bad combinations of software, bad
> configurations (user end) etc. In fact we are almost never referring
> directly to a vulnerability in the OpenStack framework with an OSSN.
>
> We don't have the same downstream consumers of OSSNs that libvirt LSNs
> or, for that matter, that OpenStack OSSAs have. We don't necessarily
> need a format that's easily machine read - OSSNs are usually very
> subjective and require the reader to make an evaluation on the impact
> to their deployment. (I suppose I can see an opportunity for some
> future project that makes use of OSSNs as part of an automated
> checklist for an OpenStack deployment, but OSSNs are so broad that
> almost every one would be liable to generate false positives.) I'm not
> completely against having a machine readable format that can be parsed
> out into various languages but I think it might be a bit over-the-top
> for what our requirements are.
>
> Your offer to relicense the scripts etc that are used by the libvirt
> project is greatly appreciated, having tooling available significantly
> lowers the bar in terms of adopting it, I think perhaps this is
> something that we should consider discussing at the weekly security
> meeting.
Doh, I was in fact mixing up OSSNs and OSSAs. As you say, OSSNs obviously
don't require the same level of detail for metadata. I do wonder, however,
if there is some value in using related data formats for both? E.g. perhaps
an OSSN could use the same core schema as OSSAs, but with a number of the
metadata pieces omitted, so similar tools could deal with both types of
document more easily?
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
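The "shared core schema, advisory-only metadata optional for notes" idea above, as an added example that is not part of the thread and not OpenStack's real OSSA/OSSN template: the field names (`id`, `type`, `title`, `summary`, `affected`, `reported_date`, `fixed_commits`, `cve`) and the sample documents are assumptions made up for this illustration. One validator handles both document types; an OSSA must carry the extra metadata, an OSSN may omit it, and unknown fields are flagged so the two formats cannot silently drift apart.

```python
"""Shared-core schema for two advisory document types.

Example code written for this thread, not OpenStack's own tooling.  All
field names below are assumptions; the real OSSA/OSSN templates differ.
"""
from datetime import date

# Fields every document (OSSA or OSSN) must carry.  Assumed names.
CORE_REQUIRED = {"id", "type", "title", "summary", "affected"}
# Extra metadata an advisory must carry; a note is allowed to omit them.
ADVISORY_REQUIRED = {"reported_date", "fixed_commits"}
# Fields either document type may carry.
OPTIONAL = {"cve"}

ALLOWED_TYPES = {"OSSA", "OSSN"}
KNOWN_FIELDS = CORE_REQUIRED | ADVISORY_REQUIRED | OPTIONAL


def required_fields(doc_type):
    """Fields required for the given document type."""
    if doc_type == "OSSA":
        return CORE_REQUIRED | ADVISORY_REQUIRED
    return CORE_REQUIRED


def validate(doc):
    """Return a sorted list of problems; an empty list means the document passes."""
    doc_type = doc.get("type")
    if doc_type not in ALLOWED_TYPES:
        return ["unknown type %r" % (doc_type,)]

    problems = []
    missing = required_fields(doc_type) - set(doc)
    problems.extend("missing field %s" % f for f in sorted(missing))
    unknown = set(doc) - KNOWN_FIELDS
    problems.extend("unknown field %s" % f for f in sorted(unknown))

    # Type checks on the fields that tooling would actually consume.
    if "affected" in doc and not isinstance(doc["affected"], list):
        problems.append("affected must be a list of component/version entries")
    if "fixed_commits" in doc and not isinstance(doc["fixed_commits"], list):
        problems.append("fixed_commits must be a list of commit ids")
    if "reported_date" in doc:
        try:
            date.fromisoformat(doc["reported_date"])
        except (TypeError, ValueError):
            problems.append("reported_date is not an ISO 8601 date")
    return problems


# Constructed sample documents (assumed identifiers, not real advisories).
SAMPLE_OSSA = {
    "id": "OSSA-0000-00",
    "type": "OSSA",
    "title": "Example advisory",
    "summary": "A specific defect with a fix.",
    "affected": [{"component": "example-service", "versions": "<= 0.0.1"}],
    "reported_date": "2014-01-20",
    "fixed_commits": ["0000000"],
    "cve": "CVE-0000-0000",
}

SAMPLE_OSSN = {
    "id": "OSSN-0000",
    "type": "OSSN",
    "title": "Example note",
    "summary": "Guidance about a risky configuration choice.",
    "affected": [{"component": "example-service", "versions": "all"}],
}


if __name__ == "__main__":
    for name, doc in (("OSSA", SAMPLE_OSSA), ("OSSN", SAMPLE_OSSN)):
        print(name, "problems:", validate(doc))
```

Because the core fields are the same set, a tool that only needs id/title/summary/affected (an RSS feed, a search index) parses both document types with one code path, and the advisory-only checks kick in solely when `type` is `OSSA`.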