[Openstack-security] criteria for downstream stakeholders?

Jeremy Stanley fungi at yuggoth.org
Tue Feb 17 23:57:29 UTC 2015


On 2015-02-17 15:45:12 -0800 (-0800), Ben Pfaff wrote:
> Have you run into any gray areas?
[...]

Yes, we've in the past had to ask people, "Who are you? We've never
heard of you, sorry."

> The risk here is notifying someone dishonest or careless a few days
> early.  It sounds like that's not something you're too worried about?
> I don't know how to judge it, myself.

We definitely care about it, I'm just not able to provide cut and
dried acceptance criteria. It's unfortunately subjective and depends
a lot on whether it's an entity we're aware of with some wide/public
use of or redistribution of our software, whether the individual
requesting access on their behalf can be vetted as an actual
representative of that organization, whether someone else from that
same organization already has access making their request
unnecessary/redundant, whether the organization has a track record
of assisting our efforts at improving the software and security
around it (reporting issues themselves, pointing out problems in
patches we've not spotted ourselves)...

So I don't have a simple answer--it depends a lot on your existing
ties with your community.
-- 
Jeremy Stanley