[Openstack-security] OSSN-0013 ready for review

Nathan Kinder nkinder at redhat.com
Thu May 8 16:47:23 UTC 2014



On 05/05/2014 06:38 PM, Bhandaru, Malini K wrote:
> In the wiki we could say "work in progress" .. so they do not feel they are missing an OSSN when they encounter OSSN holes.

I've gone ahead and outlined this procedure on the Security Note process
page here:

https://wiki.openstack.org/wiki/Security/Security_Note_Process#Number_Assignment

Thanks,
-NGK

> 
> Sure thing, I shall rename my OSSN. Please provide comments on the current one and then I shall publish for OSSN-0014.
> 
> -----Original Message-----
> From: Nathan Kinder [mailto:nkinder at redhat.com] 
> Sent: Monday, May 05, 2014 2:16 PM
> To: Clark, Robert Graham; Rob Crittenden; Bryan D. Payne
> Cc: openstack-security at lists.openstack.org
> Subject: Re: [Openstack-security] OSSN-0013 ready for review
> 
> 
> 
> On 05/05/2014 02:06 PM, Clark, Robert Graham wrote:
>>> -----Original Message-----
>>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>>> Sent: 05 May 2014 22:04
>>> To: Bryan D. Payne; Nathan Kinder
>>> Cc: openstack-security at lists.openstack.org
>>> Subject: Re: [Openstack-security] OSSN-0013 ready for review
>>>
>>> Bryan D. Payne wrote:
>>>> I think it makes sense to assign the OSSN number as early as possible.
>>>> If they are published out of order... I'm not too worried about that.
>>>
>>> Yeah, I think that would follow the CVE model as well.
>>>
>>> rob
>>
>> +1 No problem there. Grabbing the page on the wiki seems like an easy
>> way to do things.
> 
> Works for me.  I'll add a note to the "Security Note Process" page [1] that covers this.  Thanks to everyone for weighing in on this.
> 
> Thanks
> -NGK
> 
> [1] https://wiki.openstack.org/wiki/Security/Security_Note_Process
> 
>>>> On Mon, May 5, 2014 at 12:59 PM, Nathan Kinder <nkinder at redhat.com> wrote:
>>>>
>>>>
>>>>
>>>>     On 05/05/2014 12:39 PM, Bhandaru, Malini K wrote:
>>>>      > We have two OSSN-0013s making their way!
>>>>      > Need a better number reservation system. :-)
>>>>
>>>>     Let's let Rob take OSSN-0013, and the one you are working on can be
>>>>     OSSN-0014.
>>>>
>>>>     If we want to reserve a number, we could grab it on the OSSN wiki page
>>>>     ahead of time.  My concern with this is that someone could grab a
>>>>     number to start writing a security note, then disappear for some time
>>>>     (or the issue takes a lot of back and forth to get through review).  In
>>>>     the meantime, other notes might be written and published.  This will
>>>>     result in the numbers being out of sequence.  It's not the end of the
>>>>     world, but it is a bit confusing.  This isn't a theoretical situation
>>>>     either, as OSSN-0010 was published after OSSN-0011 and OSSN-0012:
>>>>
>>>>     https://wiki.openstack.org/wiki/Security_Notes
>>>>
>>>>     The alternative is that we assign the number at publishing time.  This
>>>>     requires more diligence at patch approval time to ensure that we don't
>>>>     duplicate a number and might require patch rework to renumber things
>>>>     (which is what we're going through right now).
>>>>
>>>>     What preferences do others have on this?
>>>>
>>>>     Thanks,
>>>>     -NGK
>>>>
>>>>      > Malini
>>>>      >
>>>>      > -----Original Message-----
>>>>      > From: Clark, Robert Graham [mailto:robert.clark at hp.com]
>>>>      > Sent: Friday, May 02, 2014 1:51 AM
>>>>      > To: openstack-security at lists.openstack.org
>>>>      > Subject: [Openstack-security] OSSN-0013 ready for review
>>>>      >
>>>>      > https://review.openstack.org/#/c/91755/
>>>>      >
>>>>      > _______________________________________________
>>>>      > Openstack-security mailing list
>>>>      > Openstack-security at lists.openstack.org
>>>>      > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security



