[oslo][security-sig] Please revisit your open vulnerability report

Jeremy Stanley fungi at yuggoth.org
Thu Feb 18 19:13:05 UTC 2021


On 2021-02-18 12:39:52 -0600 (-0600), Ben Nemec wrote:
[...]
> Okay, I did that. I think we may need to audit all of the Oslo projects
> because the spot check I did on oslo.policy also did not have the needed
> sharing, and did have someone who doesn't even work on OpenStack anymore
> with access to private security bugs(!). I don't appear to have permission
> to change that either. :-/

Aha, thanks, that explains why the VMT members wouldn't have been
notified (or even able to see the bug at all).

If you put together a list of which ones need fixing, I think I have
a backdoor via being a member of the group which is the owner of the
groups which are listed as maintainer or owner of many of those
projects, so should be able to temporarily add myself to a group
which has access to adjust the sharing on them. Also at the moment,
the only Oslo deliverables which are listed as having explicit VMT
oversight are castellan and oslo.config. If there are others you
want our proactive help with, please add this tag to them:

https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html

> The other issue is probably that the Oslo projects are not part of the
> openstack org on launchpad. We did that because the number of projects
> made it easier to keep track of them if they were their own org, but it does
> mean they wouldn't show up under a query for the openstack org,
> unfortunately.
[...]

And also means that our periodic reviews of Private Security bugs
for projects which are "part of OpenStack" on LP wouldn't have seen
it even if we'd had permission.
-- 
Jeremy Stanley