I've reviewed the requirements, and it's my intention to set Ironic as under the VMT. I'll wait until it can be announced at Monday's meeting to make it official so folks can have a chance to object if they wish.

-
Jay Faulkner
Ironic PTL
TC Member

On Mon, Feb 27, 2023 at 10:26 AM Jeremy Stanley <fungi@yuggoth.org> wrote:
On 2023-02-27 08:16:50 -0800 (-0800), Jay Faulkner wrote:
[...]
> Is there any reason Ironic should not be vulnerability-managed? Is the
> security team willing to have us?

As long as you make sure you're good with this checklist, just
propose the specific repositories in question as an update to the
top section of the document (in openstack/ossa):

https://security.openstack.org/repos-overseen.html#requirements

> The only potential complication is that Ironic may receive reports
> for vendor libraries used by Ironic but not maintained by
> Ironic -- I was hoping there might already be some historical
> precedent for how we handle those; it can't be that unique to
> Ironic.
[...]

    2. The VMT will not track or issue advisories for external
    software components. Only source code provided by official
    OpenStack project teams is eligible for oversight by the VMT.
    For example, base operating system components included in a
    server/container image or libraries vendored into compiled
    binary artifacts are not within the VMT’s scope.

Receiving bug reports about such things is fine, but the VMT doesn't
coordinate those reports nor issue official security advisories
about them since they need fixing by their upstream maintainers with
whom we have no direct relationship. You can still propose security
notes urging operators to update software in those situations, if it
seems appropriate to do so:

https://wiki.openstack.org/wiki/Security_Notes

--
Jeremy Stanley