[openstack-dev] [glance] [VMT] [Security] Proposal to add Brian Rosmaita to the glance-coresec team

Tristan Cacqueray tdecacqu at redhat.com
Fri May 13 17:02:33 UTC 2016


On 05/13/2016 12:44 AM, Jeremy Stanley wrote:
> On 2016-05-12 17:38:22 -0400 (-0400), Nikhil Komawar wrote:
>> On 5/12/16 8:35 AM, Jeremy Stanley wrote:
> [...]
>>> While the size I picked in item #2 at
>>> <URL: https://governance.openstack.org/reference/tags/vulnerability_managed.html#requirements >
>>> is not meant to be a strict limit, you may still want to take this
>>> as an opportunity to rotate out some of your less-active reviewers
>>> (if there are any).
>>
>> Thanks for not being strict on it.
> 
> It's also possible this is an indication that we put the recommended
> cap too low, and should revisit it. I'll bring it up with other VMT
> members. I sort of picked that number out of the air... it seemed
> reasonable based on a survey of the sizes of some other supported
> projects' -coresec teams, but that's certainly worth revisiting.
> 

Agreed, it's hard to set an absolute value when some projects have a much
bigger code base to work with.
On the other hand, it's also hard to define an efficient relative value.


>> I do, however, want to make another proposal:
>>
>> Since Stuart is our VMT liaison and he's on hiatus, can we add Brian as
>> his substitute? As soon as Stuart is back and is ready to shoulder this
>> responsibility we should do the rotation.
> [...]
> 
> This seems fine. It does make sense to not expose embargoed
> vulnerabilities to (even temporarily) inactive team members, as a
> matter of hygiene.
> 

Well, an *active* member sounds even more important; a coresec member not
helping on embargoed issues should indeed be removed.

Thanks,
-Tristan
