On 2021-02-18 12:39:52 -0600 (-0600), Ben Nemec wrote: [...]
> Okay, I did that. I think we may need to audit all of the Oslo projects because the spot check I did on oslo.policy also did not have the needed sharing, and did have someone who doesn't even work on OpenStack anymore with access to private security bugs(!). I don't appear to have permission to change that either. :-/
Aha, thanks, that explains why the VMT members wouldn't have been notified (or even able to see the bug at all). If you put together a list of which ones need fixing, I think I have a backdoor via being a member of the group which is the owner of the groups which are listed as maintainer or owner of many of those projects, so should be able to temporarily add myself to a group which has access to adjust the sharing on them. Also at the moment, the only Oslo deliverables which are listed as having explicit VMT oversight are castellan and oslo.config. If there are others you want our proactive help with, please add this tag to them: https://governance.openstack.org/tc/reference/tags/vulnerability_managed.htm...
> The other issue is probably that the Oslo projects are not part of the openstack org on launchpad. We did that because of the number of projects made it easier to keep track of them if they were their own org, but it does mean they wouldn't show up under a query for the openstack org, unfortunately. [...]
And it also means that our periodic reviews of Private Security bugs for projects which are "part of OpenStack" on LP wouldn't have seen it even if we'd had permission.

-- 
Jeremy Stanley