[openstack-dev] Security bug in diskimage-builder
Ben Nemec
openstack at nemebean.com
Thu Jun 1 15:40:34 UTC 2017
On 05/30/2017 10:05 AM, Emilien Macchi wrote:
> On Tue, May 30, 2017 at 3:43 PM, Ben Nemec <openstack at nemebean.com> wrote:
>>
>>
>> On 05/30/2017 08:00 AM, Emilien Macchi wrote:
>>>
>>> On Mon, May 29, 2017 at 9:02 PM, Jeremy Stanley <fungi at yuggoth.org> wrote:
>>>>
>>>> On 2017-05-29 15:43:43 +0200 (+0200), Emilien Macchi wrote:
>>>>>
>>>>> On Wed, May 24, 2017 at 7:45 PM, Ben Nemec <openstack at nemebean.com>
>>>>> wrote:
>>>>
>>>> [...]
>>>>>>
>>>>>> Emilien, I think we should create a tripleo-coresec group in
>>>>>> launchpad that can be used for this. We have had
>>>>>> tripleo-affecting security bugs in the past and I imagine we
>>>>>> will again. I'm happy to help out with that, although I will
>>>>>> admit my launchpad-fu is kind of weak so I don't know off the
>>>>>> top of my head how to do it.
>>>>>
>>>>>
>>>>> That or re-use an existing Launchpad group used by OpenStack VMT?
>>>>
>>>>
>>>> The OpenStack VMT doesn't triage bugs for deliverables aside from
>>>> those tagged with vulnerability:managed in governance. For those we
>>>> recommend private security bugs only be automatically shared with
>>>> the openstack-vuln-mgmt team in LP, and then we manually subscribe
>>>> something-coresec to the report once we're sure it was reported
>>>> against the correct project. For deliverables without VMT oversight,
>>>> it makes sense to have private security bugs automatically shared
>>>> with those something-coresec teams directly.
>>>>
>>>>
>>>> https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html
>>>
>>>
>>> I created https://launchpad.net/~tripleo-coresec
>>>
>>> With me (Pacific Time soon), shardy (Europe), bnemec (East coast) and
>>
>>
>> If by "coast" you mean the Great Lakes then yes, but I'm in the central time
>> zone. ;-)
>
> lol.
> I added James to cover (real) East coast, so we cover most of our TZs.
>
> Thanks,
Okay, so we're all set up, but now it appears we're all subscribed to
every tripleo bug as well. I think oslo-coresec used to be the same
way, but at some point it changed so I only get explicitly notified of
security bugs. Does anyone know how to set up tripleo-coresec that way
too? I've poked around the launchpad settings but I haven't found
anything that looks promising.
>
>> Thanks for getting this set up guys.
>>
>>
>>> fungi (East coast) for now. If we feel like we need more people we'll
>>> think about it.
>>> I'll explore Launchpad to see how we can use this group to handle Security
>>> bugs.
>>>
>>> Thanks,
>>>
>>>> --
>>>> Jeremy Stanley
>>>>
>>>>
>>>> __________________________________________________________________________
>>>> OpenStack Development Mailing List (not for usage questions)
>>>> Unsubscribe:
>>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>>
>>>
>>>
>>>
>>
>> __________________________________________________________________________
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
>
More information about the OpenStack-dev
mailing list