[openstack-dev] [ptl] [security][tc] Tidy up language in section 5 of the vulnerability:managed tag

Steven Dake (stdake) stdake at cisco.com
Sat Apr 2 14:40:57 UTC 2016


Apologies for not copying the [ptl] tag, since this change affects mostly the PTLs and the projects for which they facilitate.

Note PTLs, the purpose of this change is to make your lives easier and streamline the VMT application process, but keep the spirit of the original requirement in place.  Given that this change is to help make the lives of the PTL and security team easier, if both could weigh in on the review, I'd appreciate it.  I'd like to get the language correct so we don't have to keep changing section 5 of this tag or special case it to death since that is an anti-pattern in the governance repository.

If PTLs, project participants, or anyone else for that matter have any wording changes, feel free to propose them - IANAL and writing these things correctly is hard to do properly ;) involving the community around the pain points of the tagging process is what I'm after.

Regards
-steve

From: Steven Dake <stdake at cisco.com<mailto:stdake at cisco.com>>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>
Date: Friday, April 1, 2016 at 5:04 PM
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org<mailto:openstack-dev at lists.openstack.org>>
Subject: [openstack-dev] [security][tc] Tidy up language in section 5 of the vulnerability:managed tag

Please see my review here as requested in this thread [1]:

https://review.openstack.org/300698


The purpose of this review is two fold:

  1.  Permit sponsoring companies of single vendor projects or projects with low company affiliation diversity to allow their own security experts to sign off on a threat analysis, acting as a third party.
  2.  Enable scaling of the OSSA and VMT processes by permitting projects to self-audit, self-review, or self-threat analyze with the condition that an impartial third party take responsibility for approving the audit, review, or threat analysis.

[1] http://lists.openstack.org/pipermail/openstack-dev/2016-March/091075.html