[oslo][infra] Oslo core security team on Launchpad
Jeremy Stanley
fungi at yuggoth.org
Mon Mar 9 21:18:03 UTC 2020
On 2020-03-09 15:51:12 -0500 (-0500), Ben Nemec wrote:
> I just noticed that the Oslo core security team includes a number
> of people no longer active in Oslo and also only me for current
> cores. We should really clean that up so random people aren't
> getting notified of private security bugs and ideally add some
> current cores so we have more eyes on said security bugs.
It's been languishing on my to do list to remind all projects with
the vulnerability:managed governance tag to review those group
memberships in LP regularly and keep them groomed to fit the
recommendations in requirement #2 here:
https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html#requirements
"2. The deliverable must have a dedicated point of contact for
security issues (which could be shared by multiple deliverables
in a given project-team if needed), so that the VMT can engage
them to triage reports of potential vulnerabilities. Deliverables
with more than five core reviewers should (so as to limit the
unnecessary exposure of private reports) settle on a subset of
these to act as security core reviewers whose responsibility it
is to be able to confirm whether a bug report is
accurate/applicable or at least know other subject matter experts
they can in turn subscribe to perform those activities in a
timely manner. They should also be able to review and provide
pre-approval of patches attached to private bugs, which is why at
least a majority are expected to be core reviewers for the
deliverable. These should be members of a group contact (for
example a <something>-coresec team) in the deliverable’s defect
tracker so that the VMT can easily subscribe them to new bugs."
We're also trying to keep the liaisons and links to corresponding
security teams tracked here for faster VMT response:
https://wiki.openstack.org/wiki/CrossProjectLiaisons#Vulnerability_management
> How do we go about doing that?
A group member marked as an "administrator" for it should add and
remove members as needed. Generally this group would include the
current PTL or active liaison for vulnerability reports as an
administrative member to take care of the duty of maintaining group
membership, including proper hand-off during transitions of
leadership.
> I see it's owned by the OpenStack Administrators team, so do I put
> in a request with the changes or can they just make me an
> administrator for that group?
Since I'm in the OpenStack Administrators group on LP I've gone
ahead and flagged your membership in oslo-coresec as having
administrative privileges. We require these groups to be owned by
OpenStack Administrators so that it can act as a fallback in
situations like this where expected group admin hand-off has been
forgotten.
--
Jeremy Stanley