[openstack-dev] [kolla][security][release] Obtaining the vulnerability:managed tag

Steven Dake (stdake) stdake at cisco.com
Thu Mar 3 23:57:04 UTC 2016


Flying a bit by the seat of my pants here.  I can't find a simple
check-list of how exactly you get a project managed by the VMT :)  If
anything in this email is wrong, feel free to correct me and get us on the
right track.

The kolla-coresec team consists of the following folks:
Martin Andre
Steven Dake

Ryan Hallisey
Michal Jastrzebski
Michal Rostecki
Sam Yaple

That is one more person then the guidelines recommend, but they are
guidelines not hard and fast rules.  I was not able to include everyone
that asked to be included.  I'd ask for these folks to be active on the
bug triage for security for Kolla.

The next step is for us to locate a security expert to do a security audit
of the codebase including potential security issues with how we use
dependencies.  I'll be reaching out to the security team for guidance, but
have someone in mind (Dave Mccowan) who is a security expert and knows a
bit about containers and Kolla as well :)  If the security team would find
this acceptable and Dave would as well, we can proceed down that path, or
we could take recommendations from the security team instead.  Also Red
Hat has a great infosec team that audits every bit of code that goes into
Red Hat products, so perhaps Ryan or Mandre can reach out to them to audit
our code base in their copious spare time. :)

If the security audit turns up anything existing in the code base, we will
have to fix the bugs and attach them to the bug triage tool as * PRIVATE *
bugs and attachments.  I'll be seeking more guidance from the security
team as to how to proceed prior, during, and after ODS.  The long term
goal is to obtain the vulnerability:managed tag in the governance repo.
After that is achieved, this kolla-coresec team will still be responsible
for fixing problems found in the codebase and working with the OpenStack
VMT (vulnerability management team) to  release the changes in a
synchronized fashion.


On 3/1/16, 12:11 PM, "Steven Dake (stdake)" <stdake at cisco.com> wrote:

>On 3/1/16, 10:47 AM, "Tristan Cacqueray" <tdecacqu at redhat.com> wrote:
>>On 03/01/2016 05:12 PM, Ryan Hallisey wrote:
>>> Hello,
>>> I have experience writing selinux policy. My plan was to write the
>>>selinux policy for Kolla in the next cycle.  I'd be interested in
>>>joining if that fits the criteria here.
>>Hello Ryan,
>>While knowing howto write SELinux policy is a great asset for a coresec
>>team member, it's not a requirement. Such team purpose isn't to
>>implement core security features, but rather be responsive about private
>>security bug to confirm the issue and discuss the scope of any
>>vulnerability along with potential solutions.
>>> Thanks,
>>> -Ryan
>>> ----- Original Message -----
>>> From: "Steven Dake (stdake)" <stdake at cisco.com>
>>> To: "OpenStack Development Mailing List (not for usage questions)"
>>><openstack-dev at lists.openstack.org>
>>> Sent: Tuesday, March 1, 2016 11:55:55 AM
>>> Subject: [openstack-dev] [kolla][security] Obtaining
>>>the	vulnerability:managed tag
>>> Core reviewers,
>>> Please review this document:
>>> It describes how vulnerability management is handled at a high level
>>>for Kolla. When we are ready, I want the kolla delivery repos
>>>vulnerabilities to be managed by the VMT team. By doing this, we
>>>standardize with other OpenStack processes for handling security
>>For reference, the full process is described here:
>>> The first step is to form a kolla-coresec team, and create a separate
>>>kolla-coresec tracker. I have already created the tracker for
>>>kolla-coresec and the kolla-coresec team in launchpad:
>>> https://launchpad.net/~kolla-coresec
>>> https://launchpad.net/kolla-coresec
>>> I have a history of security expertise, and the PTL needs to be on the
>>>team as an escalation point as described in the VMT tagging document
>>>above. I also need 2-3 more volunteers to join the team. You can read
>>>the requirements of the job duties in the vulnerability:managed tag.
>>> If your interested in joining the VMT team, please respond on this
>>>thread. If there are more then 4 individuals interested in joining this
>>>team, I will form the team from the most active members based upon
>>>liberty + mitaka commits, reviews, and PDE spent.
>>Note that the VMT team is global to openstack, I guess you are referring
>>to the Kolla VMT team (now known as kolla-coresec).
>Yes that is correct.  Thanks Tristan for clarifying.
>OpenStack Development Mailing List (not for usage questions)
>Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe

More information about the OpenStack-dev mailing list