[openstack-dev] [security] [salt] Removal of Security and OpenStackSalt project teams from the Big Tent

Doug Hellmann doug at doughellmann.com
Wed Sep 21 14:52:15 UTC 2016


Excerpts from Rob C's message of 2016-09-21 13:17:07 +0100:
> For my part, I missed the elections, that's my bad. I normally put a
> calendar item in for that issue. I don't think that my missing the election
> date should result in the group being treated in this way. Members of the
> TC have contacted me about unrelated things recently, I have always been
> available however my schedule has made it hard for me to sift through -dev
> recently and I missed the volley of nomination emails. This is certainly a
> failing on my part.
> 
> It's certainly true that the security team, and our cores tend not to pay
> as much attention to the -dev mailing list as we should. The list is pretty
> noisy and  traditionally we always had a separate list that we used for
> security and since moving away from that we tend to focus on IRC or direct
> emails. Though as can be seen with our core announcements etc, we do try to
> do things the "openstack way"
> 
> However, to say we're not active I think is a bit unfair. Theirry and
> others regularly mail me directly about things like rooms for the summit
> and I typically respond in good time, I think what's happened here is more
> an identification of the fact that we need to focus more on doing things
> "the openstack way" rather than being kicked out of the big tent.
> 
> We regularly work with the VMT on security issues, we issue large amounts
> of guidance on our own, we have been working hard on an asset based threat
> analysis process for OpenStack teams who are looking to be security
> managed, we've reviewed external TA documentation and recently in our
> midcycle (yes, we're dedicated enough to fly to Texas and meet up to work
> on such issues) we created the first real set of security documents for an
> OpenStack project,  we worked with Barbican to apply the asset based threat
> analysis that we'd like to engage other teams in [1], [2]
> 
> Here's a couple of the things that we've been doing in this cycle:
> * Issuing Security Notes for Glance, Nova, Horizon, Bandit, Neutron and
> Barbican[3]
> * Updating the security guide (the book we wrote on securing OpenStack)[4]
> * Hosting a midcycle and inducting new members
> * Supporting the VMT with several embargoed and complex vulnerabilities
> * Building up a security blog[5]
> * Making OpenStack the biggest open source project to ever receive the Core
> Infrastructure Initative Best Practices Badge[6][7]
> * Working on the OpenStack Security Whitepaper [8]
> * Developing CI security tooling such as Bandit [9]
> 
> We are a very active team, working extremely hard on trying to make one
> OpenStack secure. This is often a thankless task, we provide a lot of what
> customers are asking for from OpenStack but as we don't drive individual
> flagship features our contributions are often overlooked. However, above is
> just a selection of what we've been doing throughout the last cycle.
> 
> If it's too late for these comments to have an influence then sobeit but
> this is failure of appropriate levels of email filtering and perhaps a
> highlight of how we need to alter our culture somewhat to partipate more in
> -dev in general than it is any indication of a lack of dedication, time,
> effort or contribution on the part of the Security Project.  We have
> dedicate huge amounts of efforts to OpenStack and to relegate us to a
> working group would be massively detrimental for one reason above all
> others. We get corporate participation, time and effort in terms of
> employee hours and contributions because we're an official part of
> OpenStack, we've had to build this up over time. If you remove the Security
> Project from the big tent I believe that participation in Security for
> OpenStack will drop off significantly.
> 
> We are active, we are helping to make OpenStack secure and we (I) suck at
> keeping ontop of email. Don't kick us out for that. If needs be we can find
> another PTL or otherwise take special steps to ensure that missing
> elections doesn't happen.

While it's admirable of you to take responsibility, there's no
reason to think this is an individual team member's fault.  The
team is responsible as a group for ensuring that it is meeting its
responsibilities to the rest of the community. In this case, the
election officials and TC had no reason to assume that you would
or would not run again. Any contributor could have entered the race.
When no one at all did, that lack of engagement reflected on the
entire team, not only you.

> Apart from missing elections, I think we do a huge amount for the community
> and removing us from OpenStack would in no way be beneficial to either the
> Security Project or OpenStack as a whole.

Based on the list above, the team is doing far more than I was aware
of.  I'm glad to hear that, as it looks like there is a considerable
amount of work going into those contributions. I hope we can find
a way to increase the team's participation in community operations
outside of coding so they meet the minimum expectations.

Doug

> 
> -Rob
> 
> [1] https://review.openstack.org/#/c/357978/5
> [2] https://etherpad.openstack.org/p/barbican-threat-analysis
> [3] https://wiki.openstack.org/wiki/Security_Notes
> [4] http://docs.openstack.org/sec/
> [5] https://openstack-security.github.io/
> [6] https://bestpractices.coreinfrastructure.org/
> [7]
> http://www.businesswire.com/news/home/20160725005133/en/OpenStack-Earns-Core-Infrastructure-Initiative-Practices-Badge
> [8] https://www.openstack.org/software/security/
> [9] https://wiki.openstack.org/wiki/Security/Projects/Bandit
> 
> 
> 
> 
> On Wed, Sep 21, 2016 at 12:23 PM, Thierry Carrez <thierry at openstack.org>
> wrote:
> 
> > Hi everyone,
> >
> > As announced previously[1][2], there were no PTL candidates within the
> > election deadline for a number of official OpenStack project teams:
> > Astara, UX, OpenStackSalt and Security.
> >
> > In the Astara case, the current team working on it would like to abandon
> > the project (and let it be available for any new team who wishes to take
> > it away). A change should be proposed really soon now to go in that
> > direction.
> >
> > In the UX case, the current PTL (Piet Kruithof) very quickly reacted,
> > explained his error and asked to be considered for the position for
> > Ocata. The TC will officialize his nomination at the next meeting,
> > together with the newly elected PTLs.
> >
> > That leaves us with OpenStackSalt and Security, where nobody reacted to
> > the announcement that we are missing PTL candidates. That points to a
> > real disconnect between those teams and the rest of the community. Even
> > if you didn't have the election schedule in mind, it was pretty hard to
> > miss all the PTL nominations in the email last week.
> >
> > The majority of TC members present at the meeting yesterday suggested
> > that those project teams should be removed from the Big Tent, with their
> > design summit space allocation slightly reduced to match that (and make
> > room for other not-yet-official teams).
> >
> > In the case of OpenStackSalt, it's a relatively new addition, and if
> > they get their act together they could probably be re-proposed in the
> > future. In the case of Security, it points to a more significant
> > disconnect (since it's not the first time the PTL misses the nomination
> > call). We definitely still need to care about Security (and we also need
> > a home for the Vulnerability Management team), but I think the "Security
> > team" acts more like a workgroup than as an official project team, as
> > evidenced by the fact that nobody in that team reacted to the lack of
> > PTL nomination, or the announcement that the team missed the bus.
> >
> > The suggested way forward there would be to remove the "Security project
> > team", have the Vulnerability Management Team file to be its own
> > official project team (in the same vein as the stable maintenance team),
> > and have Security be just a workgroup rather than a project team.
> >
> > Thoughts, comments ?
> >
> > [1]
> > http://lists.openstack.org/pipermail/openstack-dev/2016-
> > September/103904.html
> > [2]
> > http://lists.openstack.org/pipermail/openstack-dev/2016-
> > September/103939.html
> >
> > --
> > Thierry Carrez (ttx)
> >
> > __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >



More information about the OpenStack-dev mailing list