[openstack-dev] [security] Security SIG

Jeremy Stanley fungi at yuggoth.org
Sat Nov 18 20:34:42 UTC 2017


On 2017-11-03 07:49:05 +0000 (+0000), Luke Hinds wrote:
[...]
> One thing came to mind on Jeremy's points around the VMT, is
> OSSNs
> 
> We often get a workflow where Sec-Core are brought into a private
> LP bug to determine if it's suitable for an OSSN, and it remains so
> until we release the OSSN.
> 
> So the option here is transfer OSSN into the VMT, or we keep
> things as they are.
[...]

The VMT has operated fairly independently of the Security Team even
while they were technically one project team from a governance
perspective. In my opinion moving OSSN publications to the VMT makes
little sense as those were always intended to be addenda/appendices
of the Security Guide, which would presumably remain the purview of
the new Security SIG. As you note the VMT already does a decent job
of pulling the security notes editors into discussions if we
determine an issue is out of scope for an advisory, and I don't see
that process would need to change.
-- 
Jeremy Stanley