[Openstack-docs] OpenStack Security Notes (OSSN)

Jeremy Stanley fungi at yuggoth.org
Fri Feb 14 02:57:17 UTC 2014


On 2014-02-13 16:25:33 -0600 (-0600), Anne Gentle wrote:
> Good question. I know the reporting process is purposely planned
> for protection, see https://wiki.openstack.org/wiki/
> VulnerabilityManagement.
> 
> So I would guess that once something warrants a note, the secrecy
> /privacy is done and the main goal is to communicate effectively.

Correct, the OSSG drafts notes entirely in the open based on
publicly-disclosed information only. The VMT *may* draft advisories
in private if associated with an embargoed vulnerability, but
otherwise also works entirely in the open when the issue is already
public.

As a tag-along to this discussion, I know there has been talk in the
past of the OSSG collecting and publishing the official set of
advisories to make them easier for deployers and other interested
parties to find. Perhaps this could share a parallel namespace and
some common publication tooling along with the notes? We've already
discussed that they would probably need to be organized and tracked
in a somewhat different manner since advisories are chronological
and tied to some very specific release versioning metadata, but I'm
definitely in favor of any work which makes both OSSAs and OSSNs
more accessible to the general public.
-- 
Jeremy Stanley