[openstack-dev] [security] [telemetry] How to handle security bugs

Julien Danjou julien at danjou.info
Tue Jan 17 14:02:38 UTC 2017


On Tue, Jan 17 2017, Adam Heczko wrote:

> Hi Julien, I think that you should follow this [1] workflow.
>
> TL;DR: Please make sure that if the bug is serious you make it private on LP so
> that only core team members can access it and propose patches. Please do
> not send patches to the Gerrit review queue but rather attach them to the LP bug
> ticket and discuss there. Contact VMT members to get more details on how to
> get the Telemetry project covered by VMT.
>
> [1] https://security.openstack.org/vmt-process.html

IMHO that's a problem. The page is so long and the process so complex
that if nobody has the time to do all of that, it'll never be fixed or
I'll just send the patch to Gerrit to get it fixed and be done with it.

At first glance Telemetry matches all requirements to get covered by
VMT. IIRC last time we asked for it we got punted because there was
already too much work for the VMT team. But if that's possible, we'd be
glad to apply again. :-)

-- 
Julien Danjou
# Free Software hacker
# https://julien.danjou.info