[oslo][infra] Oslo core security team on Launchpad
Ben Nemec
openstack at nemebean.com
Mon Mar 9 21:42:20 UTC 2020
On 3/9/20 4:18 PM, Jeremy Stanley wrote:
> On 2020-03-09 15:51:12 -0500 (-0500), Ben Nemec wrote:
>> I just noticed that the Oslo core security team includes a number
>> of people no longer active in Oslo and also only me for current
>> cores. We should really clean that up so random people aren't
>> getting notified of private security bugs and ideally add some
>> current cores so we have more eyes on said security bugs.
>
> It's been languishing on my to do list to remind all projects with
> the vulnerability:managed governance tag to review those group
> memberships in LP regularly and keep them groomed to fit the
> recommendations in requirement #2 here:
>
> https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html#requirements
>
> 2. The deliverable must have a dedicated point of contact for
> security issues (which could be shared by multiple deliverables
> in a given project-team if needed), so that the VMT can engage
> them to triage reports of potential vulnerabilities. Deliverables
> with more than five core reviewers should (so as to limit the
> unnecessary exposure of private reports) settle on a subset of
> these to act as security core reviewers whose responsibility it
> is to be able to confirm whether a bug report is
> accurate/applicable or at least know other subject matter experts
> they can in turn subscribe to perform those activities in a
> timely manner. They should also be able to review and provide
> pre-approval of patches attached to private bugs, which is why at
> least a majority are expected to be core reviewers for the
> deliverable. These should be members of a group contact (for
> example a <something>-coresec team) in the deliverable’s defect
> tracker so that the VMT can easily subscribe them to new bugs."
>
> We're also trying to keep the liaisons and links to corresponding
> security teams tracked here for faster VMT response:
>
> https://wiki.openstack.org/wiki/CrossProjectLiaisons#Vulnerability_management
>
>> How do we go about doing that?
>
> A group member marked as an "administrator" for it should add and
> remove members as needed. Generally this group would include the
> current PTL or active liaison for vulnerability reports as an
> administrative member to take care of the duty of maintaining group
> membership, including proper hand-off during transitions of
> leadership.
>
>> I see it's owned by the OpenStack Administrators team, so do I put
>> in a request with the changes or can they just make me an
>> administrator for that group?
>
> Since I'm in the OpenStack Administrators group on LP I've gone
> ahead and flagged your membership in oslo-coresec as having
> administrative privileges. We require these groups to be owned by
> OpenStack Administrators so that it can act as a fallback in
> situations like this where expected group admin hand-off has been
> forgotten.
>
Great, thanks! I have something to add to my shiny new Oslo PTL guide. :-)