[security][ironic] Ironic + the VMT
Hey all,

A recent topic at Ironic meetings the last couple of weeks has been around vulnerability management. Ironic has not been using the OpenStack VMT traditionally, for reasons that AFAICT are lost to time.

Is there any reason Ironic should not be vulnerability-managed? Is the security team willing to have us?

The only potential complication is that Ironic may receive reports for vendor libraries used by Ironic but not maintained by Ironic -- I was hoping there might already be some historical precedent for how we handle those; it can't be that unique to Ironic.

What do folks think?

Thanks,
Jay Faulkner
Ironic PTL
TC Member
On 2023-02-27 08:16:50 -0800 (-0800), Jay Faulkner wrote:
[...]
> Is there any reason Ironic should not be vulnerability-managed? Is the security team willing to have us?

As long as you make sure you're good with this checklist, just propose the specific repositories in question as an update to the top section of the document (in openstack/ossa):

https://security.openstack.org/repos-overseen.html#requirements

> The only potential complication is that Ironic may receive reports for vendor libraries used by Ironic but not maintained by Ironic -- I was hoping there might already be some historical precedent for how we handle those; it can't be that unique to Ironic.
[...]

> 2. The VMT will not track or issue advisories for external software components. Only source code provided by official OpenStack project teams is eligible for oversight by the VMT. For example, base operating system components included in a server/container image or libraries vendored into compiled binary artifacts are not within the VMT’s scope.

Receiving bug reports about such things is fine, but the VMT doesn't coordinate those reports nor issue official security advisories about them since they need fixing by their upstream maintainers with whom we have no direct relationship. You can still propose security notes urging operators to update software in those situations, if it seems appropriate to do so:

https://wiki.openstack.org/wiki/Security_Notes

-- 
Jeremy Stanley
I've reviewed the requirements, and it's my intention to set Ironic as under the VMT. I'll wait until it can be announced at Monday's meeting to make it official so folks can have a chance to object if they wish.

- 
Jay Faulkner
Ironic PTL
TC Member

On Mon, Feb 27, 2023 at 10:26 AM Jeremy Stanley <fungi@yuggoth.org> wrote:

> On 2023-02-27 08:16:50 -0800 (-0800), Jay Faulkner wrote:
> [...]
> > Is there any reason Ironic should not be vulnerability-managed? Is the security team willing to have us?
>
> As long as you make sure you're good with this checklist, just propose the specific repositories in question as an update to the top section of the document (in openstack/ossa):
>
> https://security.openstack.org/repos-overseen.html#requirements
>
> > The only potential complication is that Ironic may receive reports for vendor libraries used by Ironic but not maintained by Ironic -- I was hoping there might already be some historical precedent for how we handle those; it can't be that unique to Ironic.
> [...]
>
> > 2. The VMT will not track or issue advisories for external software components. Only source code provided by official OpenStack project teams is eligible for oversight by the VMT. For example, base operating system components included in a server/container image or libraries vendored into compiled binary artifacts are not within the VMT’s scope.
>
> Receiving bug reports about such things is fine, but the VMT doesn't coordinate those reports nor issue official security advisories about them since they need fixing by their upstream maintainers with whom we have no direct relationship. You can still propose security notes urging operators to update software in those situations, if it seems appropriate to do so:
>
> https://wiki.openstack.org/wiki/Security_Notes
>
> -- 
> Jeremy Stanley