[Openstack-security] OSSN-0013 ready for review

Bhandaru, Malini K malini.k.bhandaru at intel.com
Tue May 6 01:38:22 UTC 2014


In the wiki we could say "work in progress" .. so they do not feel they are missing an OSSN when they encounter OSSN holes.

Sure thing, I shall rename my OSSN. Please provide comments on the current one and then I shall publish for OSSN-0014.

-----Original Message-----
From: Nathan Kinder [mailto:nkinder at redhat.com] 
Sent: Monday, May 05, 2014 2:16 PM
To: Clark, Robert Graham; Rob Crittenden; Bryan D. Payne
Cc: openstack-security at lists.openstack.org
Subject: Re: [Openstack-security] OSSN-0013 ready for review



On 05/05/2014 02:06 PM, Clark, Robert Graham wrote:
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: 05 May 2014 22:04
>> To: Bryan D. Payne; Nathan Kinder
>> Cc: openstack-security at lists.openstack.org
>> Subject: Re: [Openstack-security] OSSN-0013 ready for review
>>
>> Bryan D. Payne wrote:
>>> I think it makes sense to assign the OSSN number as early as possible.
>>>   If they are published out of order... I'm not too worried about that.
>>
>> Yeah, I think that would follow the CVE model as well.
>>
>> rob
> 
> +1 No problem there. Grabbing the page on the wiki seems like an easy
> way to do things.

Works for me.  I'll add a note to the "Security Note Process" page [1] that covers this.  Thanks to everyone for weighing in on this.

Thanks
-NGK

[1] https://wiki.openstack.org/wiki/Security/Security_Note_Process

> 
> 
>>
>>>
>>>
>>> On Mon, May 5, 2014 at 12:59 PM, Nathan Kinder <nkinder at redhat.com> wrote:
>>>
>>>
>>>
>>>     On 05/05/2014 12:39 PM, Bhandaru, Malini K wrote:
>>>      > We have two OSSN-0013s making their way!
>>>      > Need a better number reservation system. :-)
>>>
>>>     Let's let Rob take OSSN-0013, and the one you are working on can be
>>>     OSSN-0014.
>>>
>>>     If we want to reserve a number, we could grab it on the OSSN wiki page
>>>     ahead of time.  My concern with this is that someone could grab a
>>>     number to start writing a security note, then disappear for some time
>>>     (or the issue takes a lot of back and forth to get through review).  In
>>>     the meantime, other notes might be written and published.  This will
>>>     result in the numbers being out of sequence.  It's not the end of the
>>>     world, but it is a bit confusing.  This isn't a theoretical situation
>>>     either, as OSSN-0010 was published after OSSN-0011 and OSSN-0012:
>>>
>>>     https://wiki.openstack.org/wiki/Security_Notes
>>>
>>>     The alternative is that we assign the number at publishing time.  This
>>>     requires more diligence at patch approval time to ensure that we don't
>>>     duplicate a number and might require patch rework to renumber things
>>>     (which is what we're going through right now).
>>>
>>>     What preferences do others have on this?
>>>
>>>     Thanks,
>>>     -NGK
>>>
>>>      > Malini
>>>      >
>>>      > -----Original Message-----
>>>      > From: Clark, Robert Graham [mailto:robert.clark at hp.com]
>>>      > Sent: Friday, May 02, 2014 1:51 AM
>>>      > To: openstack-security at lists.openstack.org
>>>      > Subject: [Openstack-security] OSSN-0013 ready for review
>>>      >
>>>      > https://review.openstack.org/#/c/91755/
>>>      >
>>>      > _______________________________________________
>>>      > Openstack-security mailing list
>>>      > Openstack-security at lists.openstack.org
>>>      > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>>>      >
