+1 for adding Jon to core security. It will be a valuable addition and being PTL, I feel his presence is important to orchestrate the security discussions.
Regarding the cores being removed, I agree with Brian that they haven't been active for the past couple of cycles and it is important to keep the core security group small. Not to forget, the members are still Cinder cores and we would be happy to get their feedback on any security issue if required. Thanks for all your contributions Ivan, Walt and Sean!
+1 to both proposals
On Fri, Apr 5, 2024 at 8:22 PM Jeremy Stanley fungi@yuggoth.org wrote:
On 2024-04-05 10:00:46 -0400 (-0400), Brian Rosmaita wrote:
The “Cinder Core security contacts” team [0] is a proper subset of the cinder core team who are notified when the OpenStack VMT assigns a
private
security bug to cinder following the vulnerability management process
[1].
The VMT prefers that this group be kept small, so often adding someone entails removing someone else.
[...]
If you have any comments or concerns, please reply on the mailing list before 12:00 UTC Friday 12 April 2024.
No concerns from me (VMT hat squarely on), but I did want to comment that I really appreciate you reviewing/refreshing that group and encourage all other project teams to do the same with some regularity. Thanks! -- Jeremy Stanley