[openstack-dev] [security] Security SIG

Luke Hinds lhinds at redhat.com
Thu Nov 23 09:14:23 UTC 2017


On Sat, Nov 18, 2017 at 8:34 PM, Jeremy Stanley <fungi at yuggoth.org> wrote:

> On 2017-11-03 07:49:05 +0000 (+0000), Luke Hinds wrote:
> [...]
> > One thing that came to mind on Jeremy's points around the VMT is
> > OSSNs.
> >
> > We often get a workflow where Sec-Core are brought into a private
> > LP bug to determine if it's suitable for an OSSN, and it remains so
> > until we release the OSSN.
> >
> > So the option here is transfer OSSN into the VMT, or we keep
> > things as they are.
> [...]
>
> The VMT has operated fairly independently of the Security Team even
> while they were technically one project team from a governance
> perspective. In my opinion moving OSSN publications to the VMT makes
> little sense as those were always intended to be addenda/appendices
> of the Security Guide, which would presumably remain the purview of
> the new Security SIG. As you note the VMT already does a decent job
> of pulling the security notes editors into discussions if we
> determine an issue is out of scope for an advisory, and I don't see
> that process would need to change.
> --
> Jeremy Stanley
>
Let's keep it as it is then. We intend to keep the same access control /
structure when we move to a SIG, so I cannot see the workflow we have
changing (whereby you bring Sec-Core into the LP bug).