<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 08/22/2013 05:00 PM, Sriram
Subramanian wrote:<br>
</div>
<blockquote
cite="mid:CAP6wb7+jJpgCoQBjRJTGS5S56Ku1gFhWj3kOhSa3ncKjouKGjQ@mail.gmail.com"
type="cite">
<div dir="ltr">Followup from today's meeting
<div><br>
</div>
<div>1) Appears that there is not an easy way as of now to add a
tag to blueprints. <br>
</div>
</div>
</blockquote>
<br>
Each Blueprint should have a bug. If it is a new feature, it should
be a Wishlist bug. Tag the bug.<br>
<blockquote
cite="mid:CAP6wb7+jJpgCoQBjRJTGS5S56Ku1gFhWj3kOhSa3ncKjouKGjQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>2) What are your thoughts on documenting the 'how' part of
getting OSSG involved during design?</div>
</div>
</blockquote>
<br>
<br>
<br>
<blockquote
cite="mid:CAP6wb7+jJpgCoQBjRJTGS5S56Ku1gFhWj3kOhSa3ncKjouKGjQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div><br>
</div>
<div>thanks,</div>
<div>-Sriram</div>
<div><br>
<div class="gmail_quote">---------- Forwarded message
----------<br>
From: <b class="gmail_sendername">Thierry Carrez</b> <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:thierry@openstack.org">thierry@openstack.org</a>></span><br>
Date: Thu, Aug 22, 2013 at 1:30 PM<br>
Subject: Re: Adding 'SecurityImpact' tag to OpenStack Blue
prints<br>
To: Sriram Subramanian <<a moz-do-not-send="true"
href="mailto:sriram@sriramhere.com">sriram@sriramhere.com</a>><br>
Cc: Bryan Payne <<a moz-do-not-send="true"
href="mailto:bdpayne@acm.org">bdpayne@acm.org</a>><br>
<br>
<br>
<div class="im">Sriram Subramanian wrote:<br>
> At today's OSSG meeting, it was discussed that it
would be great to<br>
> introduce security review during design stage itself.
As a starter, it<br>
</div>
> was suggested to tag blueprints with '*SecurityImpact*'
so that security<br>
<div class="im">> could be brought into design
discussions or as a followup. Is there an<br>
> easy way to do this?<br>
<br>
</div>
Launchpad blueprints do not support tagging.<br>
<div class="im"><br>
> If not, is it possible to add such tagging<br>
> capability to blueprints?<br>
<br>
</div>
It's a bit difficult to propose code to Launchpad and get it
merged<br>
there. I mean, you can try... but blueprints are the ugly
stepchild of<br>
Launchpad and they are in a sad state. I'm working on a
replacement that<br>
will have blueprints tags, but it's still a long way away.<br>
<div class="im"><br>
> I can also think of using WhiteBoard free text area
to add such tags,<br>
> but there is a possibility of typo or variations in
usage. If tagging is<br>
> absolutely not possible, could we use this area to
this effect then?<br>
<br>
</div>
You could add keywords to the whiteboard, but those are not
easily<br>
searchable, so it's non-trivial to make them generate
alerts.<br>
<br>
In this precise case (and until we get proper tagging for
blueprints) I<br>
think we should just document and communicate *how* to get
the OSSG<br>
involved in early security design, and then encourage people
to make use<br>
of that resource (for example by spotting blueprints which
would have<br>
benefited from it early on and publicly blame their authors
for not<br>
doing it :)<br>
<br>
Cheers,<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Thierry Carrez (ttx)<br>
</font></span></div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div>Thanks,</div>
<div>-Sriram</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Openstack-security mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openstack-security@lists.openstack.org">Openstack-security@lists.openstack.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security</a>
</pre>
</blockquote>
<br>
</body>
</html>