Open Stack

On 3/9/20 4:18 PM, Jeremy Stanley wrote:
> On 2020-03-09 15:51:12 -0500 (-0500), Ben Nemec wrote:
>> I just noticed that the Oslo core security team includes a number
>> of people no longer active in Oslo and also only me for current
>> cores. We should really clean that up so random people aren't
>> getting notified of private security bugs and ideally add some
>> current cores so we have more eyes on said security bugs.
> 
> It's been languishing on my to do list to remind all projects with
> the vulnerability:managed governance tag to review those group
> memberships in LP regularly and keep them groomed to fit the
> recommendations in requirement #2 here:
> 
> https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html#requirements
> 
> 
> 2. The deliverable must have a dedicated point of contact for
>     security issues (which could be shared by multiple deliverables
>     in a given project-team if needed), so that the VMT can engage
>     them to triage reports of potential vulnerabilities. Deliverables
>     with more than five core reviewers should (so as to limit the
>     unnecessary exposure of private reports) settle on a subset of
>     these to act as security core reviewers whose responsibility it
>     is to be able to confirm whether a bug report is
>     accurate/applicable or at least know other subject matter experts
>     they can in turn subscribe to perform those activities in a
>     timely manner. They should also be able to review and provide
>     pre-approval of patches attached to private bugs, which is why at
>     least a majority are expected to be core reviewers for the
>     deliverable. These should be members of a group contact (for
>     example a <something>-coresec team) in the deliverable’s defect
>     tracker so that the VMT can easily subscribe them to new bugs."
> 
> We're also trying to keep the liaisons and links to corresponding
> security teams tracked here for faster VMT response:
> 
> https://wiki.openstack.org/wiki/CrossProjectLiaisons#Vulnerability_management
> 
>> How do we go about doing that?
> 
> A group member marked as an "administrator" for it should add and
> remove members as needed. Generally this group would include the
> current PTL or active liaison for vulnerability reports as an
> administrative member to take care of the duty of maintaining group
> membership, including proper hand-off during transitions of
> leadership.
> 
>> I see it's owned by the OpenStack Administrators team, so do I put
>> in a request with the changes or can they just make me an
>> administrator for that group?
> 
> Since I'm in the OpenStack Administrators group on LP I've gone
> ahead and flagged your membership in oslo-coresec as having
> administrative privileges. We require these groups to be owned by
> OpenStack Administrators so that it can act as a fallback in
> situations like this where expected group admin hand-off has been
> forgotten.
> 

Great, thanks! I have something to add to my shiny new Oslo PTL guide. :-)