[openstack-dev] [security] [telemetry] How to handle security bugs

Julien Danjou julien at danjou.info
Tue Jan 17 15:04:26 UTC 2017


On Tue, Jan 17 2017, Ian Cordasco wrote:

> Or, perhaps the last time people complained that the process
> documentation was too detailed and the telemetry project decided it
> didn't want to have to follow it? If that's the case, following the
> embargoed procedures might not be what you want as a project. At that
> point, you don't need to work with the VMT and you can immediately
> open the bug to start collaborating on Gerrit. You of course open up
> all of your deployers to being targeted, but that's the project's call
> in the end I guess.

Yeah it sucks, though if you have little help (resources) from the
deployers, that's what is going to happen sooner or later.

> I would think that if you want the "vulnerability:managed" tag, you
> might be willing to follow the process outlined. Perhaps it's verbose,
> but it is verbose for good reason. OpenStack's handling of embargoed
> issues is pretty much as good as it gets for a project the size of
> OpenStack. It benefits deployers and users by making the issue AND the
> fix known at the same time which gives deployers the ability to
> immediately consume the fix.

Yeah, don't read me wrong (though I was not precise :-)), but we don't have
any problem with _respecting_ the procedure. I think that for small projects
like us it is nearly impossible to _apply_ the procedure on our own:
requesting CVE, OSSA, OSSN, getting the right classification,
publishing, getting in touch with downstream… is too much work for such
small teams.

-- 
Julien Danjou
;; Free Software hacker
;; https://julien.danjou.info