[StoryBoard][Security] The process to report a security bug

Lingxian Kong anlin.kong at gmail.com
Thu Apr 9 09:55:35 UTC 2020


Thanks Jeremy for the instructions. As suggested, I've added the
'openstack-security' team to access the storyboard task and pasted the
code change as a comment.

I am still hoping the process could be documented in the right place in
case someone else is in a similar situation to mine.

-
Best regards,
Lingxian Kong
Catalyst Cloud


On Thu, Apr 9, 2020 at 7:01 PM Jeremy Stanley <fungi at yuggoth.org> wrote:

> On 2020-04-09 16:43:53 +1200 (+1200), Lingxian Kong wrote:
> > As most of the projects have migrated to storyboard for bug tracking,
>
> Most have not, actually; at last count it was nearing 50% of
> OpenStack teams, but I don't have exact numbers handy at the moment.
>
> > after reading https://security.openstack.org/vmt-process.html, I have
> > two questions:
> >
> > 1. I didn't find openstack/ossa or ossa project exists in storyboard.
>
> Like in Launchpad, you report suspected vulnerabilities to the
> projects in which you've found them. The VMT isn't using explicit
> advisory tasks in StoryBoard at the moment, but we're still acting
> on vulnerabilities reported in StoryBoard for projects with the
> vulnerability:managed governance tag (at present that's Barbican,
> Heat, Sahara and Trove). We get automatic access to those, but are
> also happy to discuss suspected vulnerabilities in other projects as
> long as you give us access to the story (click the pencil-shaped
> edit icon next to the story title, then add the "openstack-security"
> team to the list of "Teams and Users that can see this story" and
> click the Save button).
>
> > 2. I didn't find a place in storyboard to attach a patch.
>
> There is work underway to add attachments support:
>
> https://review.opendev.org/#/q/topic:story-attachments
>
> Right now you can just paste the patch into a story comment if the
> story is private (for public stories, patches should go to Gerrit as
> usual, and use a Task or Story footer in the commit message to refer
> to a relevant task or story ID number). The comment field supports
> markdown, so if you indent all the lines of a patch by an additional
> 4 spaces it will be displayed as a block of preformatted code. Use
> the Toggle Preview button so you can make sure it looks the way you
> expect before committing the comment. I've put an example in
> storyboard-dev here:
>
> https://storyboard-dev.openstack.org/#!/story/1831449
>
> It can be a bit unwieldy, but it's the best option we've got until
> proper attachment support is finished.
>
> > Am I missing something?
>
> Hopefully not, but feel free to reach out to OpenStack VMT team
> members directly by private E-mail (OpenPGP-encrypted to our keys if
> you feel it's especially sensitive). You can find us listed at
> https://security.openstack.org/#how-to-report-security-issues-to-openstack
> along with high-level instructions on reporting vulnerabilities.
> Some of us also generally attend the OpenStack Security SIG meeting
> every Thursday at 15:00 UTC in #openstack-meeting and can be found
> at various times of day in the #openstack-security IRC channel as
> well.
> --
> Jeremy Stanley
>