[security-sig][ironic] Ironic + the VMT

Jay Faulkner jay at gr-oss.io
Fri Mar 10 18:27:34 UTC 2023


I've reviewed the requirements, and it's my intention to put Ironic
under the VMT. I'll wait until it can be announced at Monday's meeting to
make it official so folks can have a chance to object if they wish.

-
Jay Faulkner
Ironic PTL
TC Member

On Mon, Feb 27, 2023 at 10:26 AM Jeremy Stanley <fungi at yuggoth.org> wrote:

> On 2023-02-27 08:16:50 -0800 (-0800), Jay Faulkner wrote:
> [...]
> > Is there any reason Ironic should not be vulnerability-managed? Is the
> > security team willing to have us?
>
> As long as you make sure you're good with this checklist, just
> propose the specific repositories in question as an update to the
> top section of the document (in openstack/ossa):
>
> https://security.openstack.org/repos-overseen.html#requirements
>
> > The only potential complication is that Ironic may receive reports
> > for vendor libraries used by Ironic but not maintained by
> > Ironic -- I was hoping there might already be some historical
> > precedent for how we handle those; it can't be that unique to
> > Ironic.
> [...]
>
>     2. The VMT will not track or issue advisories for external
>     software components. Only source code provided by official
>     OpenStack project teams is eligible for oversight by the VMT.
>     For example, base operating system components included in a
>     server/container image or libraries vendored into compiled
>     binary artifacts are not within the VMT’s scope.
>
> Receiving bug reports about such things is fine, but the VMT doesn't
> coordinate those reports nor issue official security advisories
> about them since they need fixing by their upstream maintainers with
> whom we have no direct relationship. You can still propose security
> notes urging operators to update software in those situations, if it
> seems appropriate to do so:
>
> https://wiki.openstack.org/wiki/Security_Notes
>
> --
> Jeremy Stanley
>