[openstack-dev] [keystone] [oslo] postpone key distribution bp until icehouse?

Thierry Carrez thierry at openstack.org
Wed Aug 14 15:35:42 UTC 2013


Simo Sorce wrote:
>> During today's project status meeting [1], the state of KDS was
>> discussed [2]. To quote ttx directly: "we've been bitten in the past
>> with late security-sensitive stuff" and "I'm a bit worried to ship
>> late code with such security implications as a KDS."
> 
> Is ttx going to review any "security implications"? The code does not
> mature just because it sits there untouched for more or less time.

This is me with my vulnerability management hat on. The trick is that
we (the VMT) have to support security issues for code that will be
shipped in stable/havana. The most embarrassing security issues we had
in the past were with code that didn't see a fair amount of time in
master before we had to start supporting it.

So for us there is a big difference between landing the KDS now and having
it security-supported after one month of usage, and landing it in a few
weeks and having it security-supported after 7 months of usage. After 7
months I'm pretty sure most of the embarrassing issues will be ironed out.

I don't really want us to repeat the mistakes of the past where we
shipped really new code in keystone that ended up not really usable, but
which we still had to support security-wise due to our policy.

By "security implications", I mean that this is a domain (like, say,
token expiration) where even basic bugs can easily create a
vulnerability. We just don't have the bandwidth to ship an embargoed
security advisory for every bug that will be found in the KDS one month
from now.

> I would agree to this only if you can name individuals that are going to
> do a "security review", otherwise I see no real reason to delay, as it
> will cost time to keep patches up to date, and I'd rather not do that if
> no one is lining up to do a "security review".
>
> FWIW I did circulate the design for the security mechanism internally in
> Red Hat to some people with some expertise in crypto matters.

Are you saying it won't have significantly fewer issues in 7 months just
by virtue of being landed in master and put into use in various
projects? Or that it was so thoroughly audited that my fears are
unwarranted?

-- 
Thierry Carrez (ttx)


