[openstack-dev] Security bug in diskimage-builder

Emilien Macchi emilien at redhat.com
Tue May 30 15:05:27 UTC 2017


On Tue, May 30, 2017 at 3:43 PM, Ben Nemec <openstack at nemebean.com> wrote:
>
>
> On 05/30/2017 08:00 AM, Emilien Macchi wrote:
>>
>> On Mon, May 29, 2017 at 9:02 PM, Jeremy Stanley <fungi at yuggoth.org> wrote:
>>>
>>> On 2017-05-29 15:43:43 +0200 (+0200), Emilien Macchi wrote:
>>>>
>>>> On Wed, May 24, 2017 at 7:45 PM, Ben Nemec <openstack at nemebean.com>
>>>> wrote:
>>>
>>> [...]
>>>>>
>>>>> Emilien, I think we should create a tripleo-coresec group in
>>>>> launchpad that can be used for this. We have had
>>>>> tripleo-affecting security bugs in the past and I imagine we
>>>>> will again. I'm happy to help out with that, although I will
>>>>> admit my launchpad-fu is kind of weak so I don't know off the
>>>>> top of my head how to do it.
>>>>
>>>>
>>>> That or re-use an existing Launchpad group used by OpenStack VMT?
>>>
>>>
>>> The OpenStack VMT doesn't triage bugs for deliverables aside from
>>> those tagged with vulnerability:managed in governance. For those we
>>> recommend private security bugs only be automatically shared with
>>> the openstack-vuln-mgmt team in LP, and then we manually subscribe
>>> something-coresec to the report once we're sure it was reported
>>> against the correct project. For deliverables without VMT oversight,
>>> it makes sense to have private security bugs automatically shared
>>> with those something-coresec teams directly.
>>>
>>>
>>> https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html
>>
>>
>> I created https://launchpad.net/~tripleo-coresec
>>
>> With me (Pacific Time soon), shardy (Europe), bnemec (East coast) and
>
>
> If by "coast" you mean the Great Lakes then yes, but I'm in the central time
> zone. ;-)

lol.
I added James to cover (real) East coast, so we cover most of our TZs.

Thanks,

> Thanks for getting this set up guys.
>
>
>> fungi (East coast) for now. If we feel like we need more people we'll
>> think about it.
>> I'll explore Launchpad to see how we can use this group to handle Security
>> bugs.
>>
>> Thanks,
>>
>>> --
>>> Jeremy Stanley
>>>
>>>
>>> __________________________________________________________________________
>>> OpenStack Development Mailing List (not for usage questions)
>>> Unsubscribe:
>>> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>
>>
>>
>



-- 
Emilien Macchi


