<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 08/22/2013 05:00 PM, Sriram
      Subramanian wrote:<br>
    </div>
    <blockquote
cite="mid:CAP6wb7+jJpgCoQBjRJTGS5S56Ku1gFhWj3kOhSa3ncKjouKGjQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">Followup from today's meeting
        <div><br>
        </div>
        <div>1) Appears that there is not an easy way as of now to add a
          tag to blueprints. <br>
        </div>
      </div>
    </blockquote>
    <br>
    Each Blueprint should have a bug.  If it is a new feature, it should
    be a Wishlist bug.  Tag the bug.<br>
    <blockquote
cite="mid:CAP6wb7+jJpgCoQBjRJTGS5S56Ku1gFhWj3kOhSa3ncKjouKGjQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><br>
        </div>
        <div>2) What are your thoughts on documenting the 'how' part of
          getting OSSG involved during design?</div>
      </div>
    </blockquote>
    <br>
    <blockquote
cite="mid:CAP6wb7+jJpgCoQBjRJTGS5S56Ku1gFhWj3kOhSa3ncKjouKGjQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><br>
        </div>
        <div><br>
        </div>
        <div>thanks,</div>
        <div>-Sriram</div>
        <div><br>
          <div class="gmail_quote">---------- Forwarded message
            ----------<br>
            From: <b class="gmail_sendername">Thierry Carrez</b> <span
              dir="ltr">&lt;<a moz-do-not-send="true"
                href="mailto:thierry@openstack.org">thierry@openstack.org</a>&gt;</span><br>
            Date: Thu, Aug 22, 2013 at 1:30 PM<br>
            Subject: Re: Adding 'SecurityImpact' tag to OpenStack Blue
            prints<br>
            To: Sriram Subramanian &lt;<a moz-do-not-send="true"
              href="mailto:sriram@sriramhere.com">sriram@sriramhere.com</a>&gt;<br>
            Cc: Bryan Payne &lt;<a moz-do-not-send="true"
              href="mailto:bdpayne@acm.org">bdpayne@acm.org</a>&gt;<br>
            <br>
            <br>
            <div class="im">Sriram Subramanian wrote:<br>
              > At today's OSSG meeting, it was discussed that it
              would be great to<br>
              > introduce security review during design stage itself.
              As a starter, it<br>
            </div>
            > was suggested to tag blueprints with '*SecurityImpact*'
            so that security<br>
            <div class="im">> could be brought into design
              discussions or as a followup. Is there an<br>
              > easy way to do this?<br>
              <br>
            </div>
            Launchpad blueprints do not support tagging.<br>
            <div class="im"><br>
              > If not, is it possible to add such tagging<br>
              > capability to blueprints?<br>
              <br>
            </div>
            It's a bit difficult to propose code to Launchpad and get it
            merged<br>
            there. I mean, you can try... but blueprints are the ugly
            stepchild of<br>
            Launchpad and they are in a sad state. I'm working on a
            replacement that<br>
            will have blueprints tags, but it's still a long way away.<br>
            <div class="im"><br>
              > I can also think of using WhiteBoard free text area
              to add such tags,<br>
              > but there is a possibility of typo or variations in
              usage. If tagging is<br>
              > absolutely not possible, could we use this area to
              this effect then?<br>
              <br>
            </div>
            You could add keywords to the whiteboard, but those are not
            easily<br>
            searchable, so it's non-trivial to make them generate
            alerts.<br>
            <br>
            In this precise case (and until we get proper tagging for
            blueprints) I<br>
            think we should just document and communicate *how* to get
            the OSSG<br>
            involved in early security design, and then encourage people
            to make use<br>
            of that resource (for example by spotting blueprints which
            would have<br>
            benefited from it early on and publicly blaming their authors
            for not<br>
            doing it :)<br>
            <br>
            Cheers,<br>
            <span class="HOEnZb"><font color="#888888"><br>
                --<br>
                Thierry Carrez (ttx)<br>
              </font></span></div>
          <br>
          <br clear="all">
          <div><br>
          </div>
          -- <br>
          <div>Thanks,</div>
          <div>-Sriram</div>
        </div>
      </div>
    </blockquote>
    <br>
  </body>
</html>