[dev][docs][security-sig] Retiring security-analysis process and repo

Jeremy Stanley fungi at yuggoth.org
Thu Jun 2 14:22:54 UTC 2022

In 2016, what was then the Security Project Team embarked on an
effort to centrally collect security analyses of OpenStack
components. It accumulated a total of two, one for Barbican as of
the Newton release, and another for KeystoneMiddleware as of Pike.
The latter was finalized in 2017 and took nearly a year to merge due
to already waning enthusiasm and reviewer availability:


Given this effort was effectively abandoned years ago, the Security
SIG members agree that the repository should be retired in order to
reduce confusion. The vulnerability management oversight
requirements were amended in February to remove any reference to
this process, and we reached a consensus that this sort of
documentation is better off inside the projects which are writing it
rather than collected centrally with a disconnected (or in this case
absent) group of reviewers and maintainers.

This message serves as notice to the community that we will be
pushing changes to follow the usual OpenStack repository retirement
process for openstack/security-analysis in the coming days. As
usual, the final state of the documents will be found in the parent
commit of the one which wipes all the old files, but for posterity
I'll link it here as well:


Many thanks to those who attempted to provide and review these
analyses in years past. The idea of maintaining information on the
security risks and considerations for the systems we design is still
a good one, and something I hope our contributor community might
find more time to focus on in the years to come; but the place to
document those things is right alongside the rest of the software's
documentation, there's nothing inherently special or different about
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20220602/eb96c0cb/attachment.sig>

More information about the openstack-discuss mailing list