[openstack-dev] [glance] [VMT] [Security] Proposal to add Brian Rosmaita to the glance-coresec team

Jeremy Stanley fungi at yuggoth.org
Fri May 13 00:44:09 UTC 2016


On 2016-05-12 17:38:22 -0400 (-0400), Nikhil Komawar wrote:
> On 5/12/16 8:35 AM, Jeremy Stanley wrote:
[...]
> > While the size I picked in item #2 at
> > <URL: https://governance.openstack.org/reference/tags/vulnerability_managed.html#requirements >
> > is not meant to be a strict limit, you may still want to take this
> > as an opportunity to rotate out some of your less-active reviewers
> > (if there are any).
> 
> Thanks for not being strict on it.

It's also possible this is an indication that we put the recommended
cap too low, and should revisit it. I'll bring it up with other VMT
members. I sort of picked that number out of the air... it seemed
reasonable based on a survey of the sizes of some other supported
projects' -coresec teams, but that's certainly worth revisiting.

> I do however, want to make another proposal:
> 
> Since Stuart is our VMT liaison and he's on hiatus, can we add Brian as
> his substitute. As soon as Stuart is back and is ready to shoulder this
> responsibility we should do the rotation.
[...]

This seems fine. It does make sense to not expose embargoed
vulnerabilities to (even temporarily) inactive team members, as a
matter of hygiene.
-- 
Jeremy Stanley



More information about the OpenStack-dev mailing list