[openstack-dev] SecurityImpact tagging in gerrit

Daniel P. Berrange berrange at redhat.com
Fri Jun 21 16:21:53 UTC 2013


On Fri, Jun 21, 2013 at 12:08:43PM -0400, Yun Mao wrote:
> Interesting. Does it automatically make the commit in "stealth mode" so
> that it's not seen in public? Thanks,

This tag is about asking for design input / code review from people with
security expertise for new work. As such the code is all public.

Fixes for security flaws in existing code which need to be kept private
should not be sent via Gerrit. They should be reported privately as per
the guidelines here:

  http://www.openstack.org/projects/openstack-security/

> On Fri, Jun 21, 2013 at 11:26 AM, Bryan D. Payne <bdpayne at acm.org> wrote:
> 
> > This is a quick note to announce that the OpenStack gerrit system supports
> > a SecurityImpact tag.  If you are familiar with the DocImpact tag, this
> > works in a similar fashion.
> >
> > Please use this in the commit message for any commits that you feel would
> > benefit from a security review.  Commits with this tag in the commit
> > message will automatically trigger an email message to the OpenStack
> > Security Group, allowing you to quickly tap into some of the security
> > expertise in our community.
> >
> > PTLs -- Please help spread the word and encourage use of this within your
> > projects.
> >
> > Cheers,
> > -bryan


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
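As an added illustration of the tag mechanism Bryan describes (not code from the thread or from OpenStack's Gerrit tooling), here is a small Python routine that scans a commit message for a SecurityImpact or DocImpact tag line and decides which group to notify; the recipient names and the rule that the tag must stand on its own line are assumptions for the example.

```python
import re
from typing import Dict, List

# Constructed for this example: tag -> group to notify. The real Gerrit-side
# routing is not shown in the thread; these recipient labels are assumptions.
TAG_RECIPIENTS: Dict[str, str] = {
    "SecurityImpact": "openstack-security-group (assumed address)",
    "DocImpact": "documentation team (assumed address)",
}

# Only a tag on its own line (optionally "Tag: explanation") is a trigger,
# so an incidental mention of the word inside a sentence does not fire.
_TAG_LINE = re.compile(
    r"^\s*(SecurityImpact|DocImpact)\s*(?::\s*(.*))?$", re.IGNORECASE
)


def find_impact_tags(commit_message: str) -> Dict[str, str]:
    """Return {canonical_tag: explanation} for every tag line in the message."""
    found: Dict[str, str] = {}
    for line in commit_message.splitlines():
        m = _TAG_LINE.match(line)
        if not m:
            continue
        # normalise capitalisation so later lookups are stable
        canonical = next(t for t in TAG_RECIPIENTS if t.lower() == m.group(1).lower())
        found[canonical] = (m.group(2) or "").strip()
    return found


def notification_targets(commit_message: str) -> List[str]:
    """Groups to notify, in a stable order, for the tags present in the message."""
    tags = find_impact_tags(commit_message)
    return [TAG_RECIPIENTS[t] for t in TAG_RECIPIENTS if t in tags]


# Constructed sample commit message (not a real OpenStack change)
SAMPLE = """nova: validate image metadata before attaching volumes

Rejects metadata keys that are not on the allowed list. This change
touches input validation, so a security review is welcome.

SecurityImpact: new input validation path for user-supplied metadata
DocImpact
"""

if __name__ == "__main__":
    for target in notification_targets(SAMPLE):
        print("notify:", target)
```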
