On 2019-02-20 19:36:28 +0100 (+0100), Sylvain Bauza wrote: [...]
The last item is interesting, because the OIP draft at the moment shows more technical requirements than the Foundation ones. For example, VMT is - at the moment I'm writing those lines - quoted as a common best practice, which is something we don't ask for our projects. That's actually good food for thought: security is crucial and shouldn't be just a tag [3]. OpenStack is mature and it's our responsibility to care about CVEs. [...]
Leaving aside the assertion that "caring about CVEs" is the same thing as caring about security, it's worth mentioning that the centralized OpenStack VMT doesn't (and can't) easily scale. It publishes a set of guidelines, process documents and templates which any team can follow to achieve similar results, but the governance tag we have right now serves mostly to set the scope of the centralized VMT (and in turn expresses some fairly strict criteria for expanding that scope to indicate direct oversight of more deliverables). I'm open to suggestions for how the OpenStack TC can better promote good security practices within teams. I have some thoughts as well, though it probably warrants a separate thread at a later date when I have more time to assemble words on the subject.

-- Jeremy Stanley