[openstack-dev] [security] [salt] Removal of Security and OpenStackSalt project teams from the Big Tent

Ian Cordasco sigmavirus24 at gmail.com
Wed Sep 21 12:59:08 UTC 2016


 

-----Original Message-----
From: Rob C <hyakuhei at gmail.com>
Reply: OpenStack Development Mailing List (not for usage questions) <openstack-dev at lists.openstack.org>
Date: September 21, 2016 at 07:19:40
To: OpenStack Development Mailing List (not for usage questions) <openstack-dev at lists.openstack.org>
Subject:  Re: [openstack-dev] [security] [salt] Removal of Security and OpenStackSalt project teams from the Big Tent

> For my part, I missed the elections, that's my bad. I normally put a
> calendar item in for that issue. I don't think that my missing the election
> date should result in the group being treated in this way. Members of the
> TC have contacted me about unrelated things recently, I have always been
> available however my schedule has made it hard for me to sift through -dev
> recently and I missed the volley of nomination emails. This is certainly a
> failing on my part.
>  
> It's certainly true that the security team, and our cores tend not to pay
> as much attention to the -dev mailing list as we should. The list is pretty
> noisy and traditionally we always had a separate list that we used for
> security and since moving away from that we tend to focus on IRC or direct
> emails. Though as can be seen with our core announcements etc, we do try to
> do things the "openstack way"
>  
> However, to say we're not active I think is a bit unfair. Theirry and
> others regularly mail me directly about things like rooms for the summit
> and I typically respond in good time, I think what's happened here is more
> an identification of the fact that we need to focus more on doing things
> "the openstack way" rather than being kicked out of the big tent.
>  
> We regularly work with the VMT on security issues, we issue large amounts
> of guidance on our own, we have been working hard on an asset based threat
> analysis process for OpenStack teams who are looking to be security
> managed, we've reviewed external TA documentation and recently in our
> midcycle (yes, we're dedicated enough to fly to Texas and meet up to work
> on such issues) we created the first real set of security documents for an
> OpenStack project, we worked with Barbican to apply the asset based threat
> analysis that we'd like to engage other teams in [1], [2]
>  
> Here's a couple of the things that we've been doing in this cycle:
> * Issuing Security Notes for Glance, Nova, Horizon, Bandit, Neutron and
> Barbican[3]
> * Updating the security guide (the book we wrote on securing OpenStack)[4]
> * Hosting a midcycle and inducting new members
> * Supporting the VMT with several embargoed and complex vulnerabilities
> * Building up a security blog[5]
> * Making OpenStack the biggest open source project to ever receive the Core
> Infrastructure Initative Best Practices Badge[6][7]
> * Working on the OpenStack Security Whitepaper [8]
> * Developing CI security tooling such as Bandit [9]
>  
> We are a very active team, working extremely hard on trying to make one
> OpenStack secure. This is often a thankless task, we provide a lot of what
> customers are asking for from OpenStack but as we don't drive individual
> flagship features our contributions are often overlooked. However, above is
> just a selection of what we've been doing throughout the last cycle.
>  
> If it's too late for these comments to have an influence then sobeit but
> this is failure of appropriate levels of email filtering and perhaps a
> highlight of how we need to alter our culture somewhat to partipate more in
> -dev in general than it is any indication of a lack of dedication, time,
> effort or contribution on the part of the Security Project. We have
> dedicate huge amounts of efforts to OpenStack and to relegate us to a
> working group would be massively detrimental for one reason above all
> others. We get corporate participation, time and effort in terms of
> employee hours and contributions because we're an official part of
> OpenStack, we've had to build this up over time. If you remove the Security
> Project from the big tent I believe that participation in Security for
> OpenStack will drop off significantly.
>  
> We are active, we are helping to make OpenStack secure and we (I) suck at
> keeping ontop of email. Don't kick us out for that. If needs be we can find
> another PTL or otherwise take special steps to ensure that missing
> elections doesn't happen.
>  
> Apart from missing elections, I think we do a huge amount for the community
> and removing us from OpenStack would in no way be beneficial to either the
> Security Project or OpenStack as a whole.
>  
> -Rob
>  
> [1] https://review.openstack.org/#/c/357978/5
> [2] https://etherpad.openstack.org/p/barbican-threat-analysis
> [3] https://wiki.openstack.org/wiki/Security_Notes
> [4] http://docs.openstack.org/sec/
> [5] https://openstack-security.github.io/
> [6] https://bestpractices.coreinfrastructure.org/
> [7]
> http://www.businesswire.com/news/home/20160725005133/en/OpenStack-Earns-Core-Infrastructure-Initiative-Practices-Badge  
> [8] https://www.openstack.org/software/security/
> [9] https://wiki.openstack.org/wiki/Security/Projects/Bandit
>  
>  
>  
>  
> On Wed, Sep 21, 2016 at 12:23 PM, Thierry Carrez  
> wrote:
>  
> > Hi everyone,
> >
> > As announced previously[1][2], there were no PTL candidates within the
> > election deadline for a number of official OpenStack project teams:
> > Astara, UX, OpenStackSalt and Security.
> >
> > In the Astara case, the current team working on it would like to abandon
> > the project (and let it be available for any new team who wishes to take
> > it away). A change should be proposed really soon now to go in that
> > direction.
> >
> > In the UX case, the current PTL (Piet Kruithof) very quickly reacted,
> > explained his error and asked to be considered for the position for
> > Ocata. The TC will officialize his nomination at the next meeting,
> > together with the newly elected PTLs.
> >
> > That leaves us with OpenStackSalt and Security, where nobody reacted to
> > the announcement that we are missing PTL candidates. That points to a
> > real disconnect between those teams and the rest of the community. Even
> > if you didn't have the election schedule in mind, it was pretty hard to
> > miss all the PTL nominations in the email last week.
> >
> > The majority of TC members present at the meeting yesterday suggested
> > that those project teams should be removed from the Big Tent, with their
> > design summit space allocation slightly reduced to match that (and make
> > room for other not-yet-official teams).
> >
> > In the case of OpenStackSalt, it's a relatively new addition, and if
> > they get their act together they could probably be re-proposed in the
> > future. In the case of Security, it points to a more significant
> > disconnect (since it's not the first time the PTL misses the nomination
> > call). We definitely still need to care about Security (and we also need
> > a home for the Vulnerability Management team), but I think the "Security
> > team" acts more like a workgroup than as an official project team, as
> > evidenced by the fact that nobody in that team reacted to the lack of
> > PTL nomination, or the announcement that the team missed the bus.
> >
> > The suggested way forward there would be to remove the "Security project
> > team", have the Vulnerability Management Team file to be its own
> > official project team (in the same vein as the stable maintenance team),
> > and have Security be just a workgroup rather than a project team.
> >
> > Thoughts, comments ?
> >
> > [1]
> > http://lists.openstack.org/pipermail/openstack-dev/2016-
> > September/103904.html
> > [2]
> > http://lists.openstack.org/pipermail/openstack-dev/2016-
> > September/103939.html

For my part, I do participate on this mailing list and try to read it daily (last week was abnormal for me because I was moving house). I'd like to think I would have seen http://lists.openstack.org/pipermail/openstack-dev/2016-September/103904.html but again, I wasn't around.

Thierry, you're right, this is certainly not the first time since I've been involved in the Security Project that we have missed the PTL nomination deadline. Perhaps that means that the Security Project needs more people interested in being PTL because Rob clearly has more on his plate than allows him to follow those things closely.

Rob, perhaps it would be good to start grooming someone to take over as PTL? Maybe it would be good to find someone with "the OpenStack way" experience who can help guide the project in that direction this cycle and after that.

--  
Ian Cordasco




More information about the OpenStack-dev mailing list