[openstack-dev] [kolla][security] Obtaining the vulnerability:managed tag

Tristan Cacqueray tdecacqu at redhat.com
Tue Mar 1 17:47:39 UTC 2016


On 03/01/2016 05:12 PM, Ryan Hallisey wrote:
> Hello,
> 
> I have experience writing SELinux policy. My plan was to write the SELinux policy for Kolla in the next cycle. I'd be interested in joining if that fits the criteria here.
> 

Hello Ryan,

While knowing how to write SELinux policy is a great asset for a coresec
team member, it's not a requirement. Such a team's purpose isn't to
implement core security features, but rather to be responsive about private
security bugs, to confirm the issue and discuss the scope of any
vulnerability along with potential solutions.



> Thanks,
> -Ryan
> 
> ----- Original Message -----
> From: "Steven Dake (stdake)" <stdake at cisco.com>
> To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
> Sent: Tuesday, March 1, 2016 11:55:55 AM
> Subject: [openstack-dev] [kolla][security] Obtaining the vulnerability:managed tag
> 
> Core reviewers, 
> 
> Please review this document: 
> https://github.com/openstack/governance/blob/master/reference/tags/vulnerability_managed.rst 
> 
> It describes how vulnerability management is handled at a high level for Kolla. When we are ready, I want the kolla delivery repos' vulnerabilities to be managed by the VMT team. By doing this, we standardize with other OpenStack processes for handling security vulnerabilities. 
> 
For reference, the full process is described here:
https://security.openstack.org/vmt-process.html

> The first step is to form a kolla-coresec team, and create a separate kolla-coresec tracker. I have already created the tracker for kolla-coresec and the kolla-coresec team in launchpad: 
> 
> https://launchpad.net/~kolla-coresec 
> 
> https://launchpad.net/kolla-coresec 
> 
> I have a history of security expertise, and the PTL needs to be on the team as an escalation point as described in the VMT tagging document above. I also need 2-3 more volunteers to join the team. You can read the requirements of the job duties in the vulnerability:managed tag. 
> 
> If you're interested in joining the VMT team, please respond on this thread. If there are more than 4 individuals interested in joining this team, I will form the team from the most active members based upon liberty + mitaka commits, reviews, and PDE spent. 
> 
Note that the VMT team is global to OpenStack; I guess you are referring
to the Kolla VMT team (now known as kolla-coresec).


Regards,
-Tristan

