[openstack-dev] [barbican] Project Navigator Out of Date?

Dave McCowan (dmccowan) dmccowan at cisco.com
Mon Jan 16 16:36:36 UTC 2017


Hi Ian--
   Thanks for the reminder.  As PTL, I know I have some action items to
update our project navigator status.
   Speaking on behalf of the Barbican community, I can say that we do
follow the rules of stable branches and deprecation.  I'll submit a patch
now to state this assertion.
   I also believe that we currently have the appropriate variety of
distributions available.  Our installation guide gives instructions on how
to install from each of these.  I don't know how to apply for this "star"
in project navigator.
   We have taken steps to qualify for vulnerability management; most
notably, we completed a threat modeling exercise with the security project
team.  I'll reach out to that team to find out what remaining steps are
necessary to be tagged as vulnerability managed.
--Dave

On 1/16/17, 8:55 AM, "Ian Cordasco" <sigmavirus24 at gmail.com> wrote:

>Hi barbicaneers (I don't actually know what y'all call yourselves :)),
>
>Related to the other thread I just started, I was looking at the
>project navigator [1] for Barbican and found some things that look
>wrong (to an outsider) and was hoping they could be cleared up.
>
>First, "Is this project maintained following the common Stable branch
>policy?" appears to be "Yes" now. I notice you have stable branches
>that actually look stable. Are y'all working with the stable
>maintenance team on them?
>
>Second, "Does this project follows standard deprecation?" I'm not
>(yet) a user of Barbican, but are you still not following the standard
>deprecation policy?
>
>Third, "Existence and quality of packages for this project in popular
>distributions." it seems Fedora [2], Debian [3], Ubuntu [4], and
>OpenSUSE [5] all have packages (including in stable versions). I can't
>speak to the quality of the packages, but knowing the hard work most
>of our downstream redistributors put into those packages, I'm certain
>they're good quality. This should *definitely* be updated, in my
>opinion.
>
>Finally, "Are vulnerability issues managed by the OpenStack security
>team?". I know that the OpenStack Security Project worked with the
>Barbican team to come up with a vulnerability analysis a few midcycles
>ago. Is that roughly where you all stopped? Is there a reason you
>haven't attempted to work with the VMT on security issues?
>
>Hopefully my agenda is obvious - I'd like to see fewer projects
>attempting to implement their own secret storage and instead use
>Barbican. Keeping the navigator up-to-date seems (to me) to be a good
>way to improve Barbican's image. I would be happy to work with you all
>(with what little time I have) to update the navigator to better
>reflect Barbican's reality.
>
>[1]: https://www.openstack.org/software/releases/newton/components/barbican
>[2]: https://apps.fedoraproject.org/packages/s/barbican
>[3]: https://packages.debian.org/search?keywords=barbican&searchon=all&suite=all&section=all
>[4]: http://packages.ubuntu.com/search?keywords=barbican&searchon=names&suite=all&section=all
>[5]: https://software.opensuse.org/search?utf8=✓&q=barbican&search_devel=false&search_unsupported=false&baseproject=openSUSE:Leap:42.2
>
>Cheers,
>--
>Ian Cordasco
>
>__________________________________________________________________________
>OpenStack Development Mailing List (not for usage questions)
>Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


