Hi Jeremy,
Thanks for reply. I have already fixed that vulnerability and fix patch was merged into OpenStack project. In that case, patch review was held in public even that patch was related to vulnerability fix.
What I would like to say is following:
"I think it's good idea to add policy to OpenStack security document[1]. That policy is OpenStack community is encouraged to be open to handle vulnerability which needs fix both in OpenStack code and vendor library code if that vendor library takes good role in that OpenStack project."
Above idea comes because when I consulted OpenStack project member about vulnerability fix whose root cause is in vendor library but both OpenStack code and vendor library, member was not open to collaborate working on vulnerability.
Is such addition to OpenStack security document reasonable? I ask this because there was discussion, in my colleague team, about there is no explicit description to openness to working on such situation in OpenStack doc.
I believe there is a difference of impression as well, which can impact perception of openness. An explicit statement or policy document requirement won't fix the impression or perception which may result.
There can be agreement to fix an issue, but disagreement on the process or the constraints. For example, in OpenStack, we have specific policies to handle the behavior of backports in terms of breaking changes. It means for such fixes, we have a very narrow path we can walk, and the more consensus and community buy-in we generate in that process makes everyone's job easier. Yet, the original proposed fix may not meet the policy requirements and usage constraints, and that push back can leave an impression of refusal to collaborate, which is not the intent. The key is in a dialog.
Dialog is often required and it requires mutual compromise and respect for boundaries. Depending on a project's context, it may be that what is being asked of them is bordering on a feature because an end user may still need to make a choice and the prior insecure path may still need to be supported. This all can leave differing impressions, which is definitely difficult to navigate and only compounded with competing demands on contributor's time.
-Julia
Regards,
Vanou
[1] https://security.openstack.org
-----Original Message-----
From: Jeremy Stanley <fungi@yuggoth.org>
Sent: Tuesday, April 18, 2023 11:46 PM
To: openstack-discuss@lists.openstack.org
Cc: Ishii, Vanou/石井 伴旺 <ishii.vanou@fujitsu.com>
Subject: Re: [security-sig] Ask base recommendation for handling vulnerability which affects both OpenStack code and vendor code
[I'm Cc'ing you since you don't appear to be subscribed to openstack-discuss, but please reply to the list rather than to me directly.]
On 2023-04-18 12:42:46 +0000 (+0000), Vanou Ishii (Fujitsu) wrote:
[...]
> In the past, I faced situation to handle vulnerability in which cause
> of vulnerability is in vendor library but, to handle vulnerability,
> both OpenStack code and vendor library code should be modified. To
> handle this, I consulted community member and asked them to coordinate
> to fix vulnerability in private way (i.e.
> review patch and prepare commit in not public but private as usual
> security handling manner). However member are not willing to working
> on together because cause of vulnerability is in vendor provided
> library. I felt it’s better for community to, at least, be open to
> working on such vulnerability because that policy may benefit
> community. So I think it’s better to include policy in VMT document[1]
> like “Community is encouraged to make effort to be open to handling
> vulnerability in which both OpenStack community code and vendor
> provided code should be modified”.
>
> How do you think about this?
[...]
I think it depends a great deal on the specifics of the bug and the proposed solution. OpenStack has backport policies which attempt to avoid introducing regressions or disruptive behavior changes in stable branches, so there are limits as to what can be changed through the backporting process. For fixing in the version of OpenStack services under development (currently 2023.2 "bobcat"), there is more leniency but it's still up to the core reviewers of that project as to what sorts of solutions they're willing to incorporate into their software in order to cater to changes in externally-developed device drivers.
It sounds like you have a security vulnerability in a device driver, and fixing it will also require some changes to an OpenStack service, is that correct? If so, follow the recommended reporting process[*] ideally opening a bug in Launchpad or creating a story in StoryBoard depending on where that project's defect tracking is managed. If the affected repository is not officially overseen[**] by the OpenStack Vulnerability Management Team, you can still explicitly subscribe them (~openstack-vuln-mgmt in Launchpad or openstack-security in StoryBoard) and we'll try to assist with coordination on a best effort basis.
[*] https://security.openstack.org/#how-to-report-security-issues-to-openstack
[**] https://security.openstack.org/repos-overseen.html
--
Jeremy Stanley