On 3/9/20 4:18 PM, Jeremy Stanley wrote:
> On 2020-03-09 15:51:12 -0500 (-0500), Ben Nemec wrote:
>> I just noticed that the Oslo core security team includes a number of people no longer active in Oslo and also only me for current cores. We should really clean that up so random people aren't getting notified of private security bugs and ideally add some current cores so we have more eyes on said security bugs.
>
> It's been languishing on my to-do list to remind all projects with the vulnerability:managed governance tag to review those group memberships in LP regularly and keep them groomed to fit the recommendations in requirement #2 here:
>
> https://governance.openstack.org/tc/reference/tags/vulnerability_managed.htm...
>
> "2. The deliverable must have a dedicated point of contact for security issues (which could be shared by multiple deliverables in a given project-team if needed), so that the VMT can engage them to triage reports of potential vulnerabilities. Deliverables with more than five core reviewers should (so as to limit the unnecessary exposure of private reports) settle on a subset of these to act as security core reviewers whose responsibility it is to be able to confirm whether a bug report is accurate/applicable or at least know other subject matter experts they can in turn subscribe to perform those activities in a timely manner. They should also be able to review and provide pre-approval of patches attached to private bugs, which is why at least a majority are expected to be core reviewers for the deliverable. These should be members of a group contact (for example a <something>-coresec team) in the deliverable's defect tracker so that the VMT can easily subscribe them to new bugs."
>
> We're also trying to keep the liaisons and links to corresponding security teams tracked here for faster VMT response:
>
> https://wiki.openstack.org/wiki/CrossProjectLiaisons#Vulnerability_managemen...
>
>> How do we go about doing that?
>
> A group member marked as an "administrator" for it should add and remove members as needed. Generally this group would include the current PTL or active liaison for vulnerability reports as an administrative member to take care of the duty of maintaining group membership, including proper hand-off during transitions of leadership.
>
>> I see it's owned by the OpenStack Administrators team, so do I put in a request with the changes, or can they just make me an administrator for that group?
>
> Since I'm in the OpenStack Administrators group on LP, I've gone ahead and flagged your membership in oslo-coresec as having administrative privileges. We require these groups to be owned by OpenStack Administrators so that it can act as a fallback in situations like this where expected group admin hand-off has been forgotten.

Great, thanks! I have something to add to my shiny new Oslo PTL guide. :-)