[openstack-dev] [puppet] [tc] applying for vulnerability:managed tag

Matt Fischer matt at mattfischer.com
Mon Aug 31 18:59:49 UTC 2015


Some questions:

What would constitute a vulnerability for openstack-puppet since we're
mainly consuming the upstream code?

Would having an insecure default value on a parameter meet the criteria?
What if the upstream default is also bad?

We certainly also have some examples that should never be used in
production.

On Mon, Aug 31, 2015 at 12:11 PM, Emilien Macchi <emilien at redhat.com> wrote:

> Hi,
>
> I would like the feedback from the community about applying (or not) for
> the vulnerability:managed tag [1].
> Being part of the OpenStack ecosystem and the big tent, the Puppet OpenStack
> project might want to follow some other projects in order to be
> consistent in security management procedures.
>
> I believe we should apply for the tag and start to learn about their
> process. I think it would be a great opportunity for us to be more
> involved in OpenStack best-practices, and maybe enhance the process by
> giving feedback to the security team.
> Also, it would make our security bugs managed and tracked in a more
> serious way than we used to do before.
>
> The main impact for our group would be to acknowledge what is documented
> here:
> https://security.openstack.org/#how-to-report-security-issues-to-openstack
> and to take care of the new procedure.
>
> I think we should start the discussion from here and maybe define a plan
> for the following months, if some audits need to be done before.
>
> Any feedback is welcome,
>
> [1]
> http://governance.openstack.org/reference/tags/vulnerability_managed.html
> --
> Emilien Macchi
>
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
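Matt's question above is whether an insecure default value on a module parameter would count as a vulnerability. The script below is an added example, not code from the thread or from the Puppet OpenStack project: it parses the parameter list of a Puppet class from a constructed manifest and flags defaults that violate a small, hypothetical policy (authentication disabled, debug logging on, TLS verification off). The parameter names and the policy are assumptions chosen for illustration; a real review would draw them from the module's own parameters.

```python
import re

# Constructed sample manifest (not from any real puppet-openstack module):
# a class whose parameter defaults a security reviewer would question.
SAMPLE_MANIFEST = """
class demo::api (
  $auth_strategy = 'noauth',
  $debug         = true,
  $verify_ssl    = false,
  $bind_host     = '0.0.0.0',
  $workers       = 4,
) {
  # ... resources omitted ...
}
"""

# Hypothetical policy: parameter name -> (predicate on the default, reason).
# Which defaults count as "vulnerabilities" is exactly the question raised
# in the thread; this table only shows how such a policy could be encoded.
INSECURE_DEFAULTS = {
    'auth_strategy': (lambda v: v == 'noauth',
                      'authentication disabled by default'),
    'debug':         (lambda v: v == 'true',
                      'debug logging on by default can leak secrets into logs'),
    'verify_ssl':    (lambda v: v == 'false',
                      'TLS certificate verification off by default'),
}

# One "$name = default," line inside a class parameter list.
PARAM_RE = re.compile(r'^\s*\$(\w+)\s*=\s*(.+?),?\s*$')


def parse_class_params(manifest: str) -> dict:
    """Return {param: default} for the first class declared in manifest.

    Defaults are returned as plain strings with surrounding quotes removed,
    so 'noauth' and noauth compare equal; booleans stay 'true'/'false'.
    """
    params = {}
    m = re.search(r'class\s+[\w:]+\s*\((.*?)\)\s*\{', manifest, re.S)
    if not m:
        return params
    for line in m.group(1).splitlines():
        pm = PARAM_RE.match(line)
        if pm:
            name, default = pm.group(1), pm.group(2).strip().strip("'\"")
            params[name] = default
    return params


def find_insecure_defaults(manifest: str) -> list:
    """Return [(param, default, reason)] for defaults that violate the policy."""
    findings = []
    for name, default in parse_class_params(manifest).items():
        rule = INSECURE_DEFAULTS.get(name)
        if rule and rule[0](default):
            findings.append((name, default, rule[1]))
    return findings


if __name__ == '__main__':
    for name, default, reason in find_insecure_defaults(SAMPLE_MANIFEST):
        print(f"{name} = {default}: {reason}")
```

Run against the sample manifest this reports three findings (auth_strategy, debug, verify_ssl) and leaves bind_host and workers alone, since the policy says nothing about them. The split between parsing and policy is deliberate: the parser is the reusable part, while the policy table is where a project would record the decision the thread is asking for, namely which defaults it treats as security bugs rather than configuration choices.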