[openstack-dev] [security] Security SIG

Luke Hinds lhinds at redhat.com
Fri Oct 27 18:23:18 UTC 2017


On Fri, Oct 27, 2017 at 6:08 PM, Jeremy Stanley <fungi at yuggoth.org> wrote:

> On 2017-10-27 15:30:34 +0200 (+0200), Thierry Carrez wrote:
> [...]
> > I think the Security project team would benefit from becoming a
> > proper SIG.
> [...]
>
> I tend to agree, though it's worth also considering what the
> implications are for vulnerability management under the new model.
> The VMT tended to act as an independent task force in the
> beforetime, until the big t^W^Wproject reform of 2014, and then
> allied itself with the newly-formed Security Team while continuing
> operation autonomously under a fairly independent mandate. Does this
> still make sense in a Security SIG context, or should we be
> considering alternative (perhaps more formal?) governance for the
> VMT in that scenario? I don't have especially cogent thoughts around
> this yet, so interested to hear what others in the community think.
> --
> Jeremy Stanley
>

We discussed the SIG proposal in the security meeting and I planned to
invite you in for a session to discuss, Thierry (apologies for being late
in getting this together).

Overall, folks thought it an idea worthwhile enough to explore further.

My own view is that if it leads to getting more eyes on security, then it's
a good thing. With that in mind, I had the idea that we could run a
"Security SIG" in parallel to the security project and see if it gains
traction and security-minded people from the wider community do actually
come forward to get involved and merit the change worthwhile (and it's not
just the Security Project rearranging the furniture). We could then review
how it's gone at the end of the Queens cycle and, if a success (not sure how
we would define that as yet), then implement the change at the juncture of
a new release.

Luke