Open Stack

On 2015-02-12 17:20:37 +0100 (+0100), Alan Pevec wrote:
> Discussing CVEs in private came up few times but I'm not sure IRC
> is secure enough for that. IMHO discussion about embargoed issues
> must be kept in private Launchpad bugs but I'd like to hear from
> VMT team.

I do from time to time /msg a security review liaison for some
particular project to bring a new vulnerability report to their
attention or prod them to put a status update in an embargoed bug. I
connect to IRC via SSL/TLS, authenticate and protect my nick through
the network's nickserv bot and hope most of them follow the same
precautions. Nevertheless I do try not to discuss specifics, but
rather keep those brief exchanges vague/general.

In the end I'm not sure private, encrypted, authenticated discussion
in IRC is substantially less secure than having a bug set to private
in launchpad though (after all, I and the rest of the project
infrastructure admins don't run either freenode nor launchpad so
we're beholden to them to keep their services above board
regardless).

The VMT also do collectively have brief private discussions with one
another via a variety of secured media around logistics/coordination
efforts and to perform last-minute checks of our advisory texts prior
to disclosure, but I don't want to paint the VMT in a special light
here and feel that the point of all this is that the result of any
such discussions should be reflected in public as soon as it is safe
to do so (be that making the bug visible to everyone, sending an
OSSA to various mailing lists, pushing patches into Gerrit, et
cetera).
-- 
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: Digital signature
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150212/4c6902aa/attachment.pgp>