[openstack-dev] [kolla][security] Obtaining the vulnerability:managed tag

Steven Dake (stdake) stdake at cisco.com
Tue Mar 1 19:11:21 UTC 2016



On 3/1/16, 10:47 AM, "Tristan Cacqueray" <tdecacqu at redhat.com> wrote:

>On 03/01/2016 05:12 PM, Ryan Hallisey wrote:
>> Hello,
>> 
>> I have experience writing selinux policy. My plan was to write the
>>selinux policy for Kolla in the next cycle.  I'd be interested in
>>joining if that fits the criteria here.
>> 
>
>Hello Ryan,
>
>While knowing how to write SELinux policy is a great asset for a coresec
>team member, it's not a requirement. Such a team's purpose isn't to
>implement core security features, but rather to be responsive about private
>security bugs, to confirm the issue and discuss the scope of any
>vulnerability along with potential solutions.
>
>
>
>> Thanks,
>> -Ryan
>> 
>> ----- Original Message -----
>> From: "Steven Dake (stdake)" <stdake at cisco.com>
>> To: "OpenStack Development Mailing List (not for usage questions)"
>><openstack-dev at lists.openstack.org>
>> Sent: Tuesday, March 1, 2016 11:55:55 AM
>> Subject: [openstack-dev] [kolla][security] Obtaining
>>the vulnerability:managed tag
>> 
>> Core reviewers, 
>> 
>> Please review this document:
>> 
>>https://github.com/openstack/governance/blob/master/reference/tags/vulnerability_managed.rst
>> 
>> It describes how vulnerability management is handled at a high level
>>for Kolla. When we are ready, I want the kolla delivery repos
>>vulnerabilities to be managed by the VMT team. By doing this, we
>>standardize with other OpenStack processes for handling security
>>vulnerabilities. 
>> 
>For reference, the full process is described here:
>https://security.openstack.org/vmt-process.html
>
>> The first step is to form a kolla-coresec team, and create a separate
>>kolla-coresec tracker. I have already created the tracker for
>>kolla-coresec and the kolla-coresec team in launchpad:
>> 
>> https://launchpad.net/~kolla-coresec
>> 
>> https://launchpad.net/kolla-coresec
>> 
>> I have a history of security expertise, and the PTL needs to be on the
>>team as an escalation point as described in the VMT tagging document
>>above. I also need 2-3 more volunteers to join the team. You can read
>>the requirements of the job duties in the vulnerability:managed tag.
>> 
>> If you're interested in joining the VMT team, please respond on this
>>thread. If there are more than 4 individuals interested in joining this
>>team, I will form the team from the most active members based upon
>>liberty + mitaka commits, reviews, and PDE spent.
>> 
>Note that the VMT team is global to OpenStack; I guess you are referring
>to the Kolla VMT team (now known as kolla-coresec).

Yes, that is correct.  Thanks Tristan for clarifying.
>
>
>Regards,
>-Tristan
>
>