[Openstack-security] Fwd: Adding 'SecurityImpact' tag to OpenStack Blue prints

Sriram Subramanian sriram at sriramhere.com
Thu Aug 22 21:00:39 UTC 2013


Followup from today's meeting

1) Appears that there is not an easy way as of now to add a tag to
blueprints.

2) What are your thoughts on documenting the 'how' part of getting OSSG
involved during design?


thanks,
-Sriram

---------- Forwarded message ----------
From: Thierry Carrez <thierry at openstack.org>
Date: Thu, Aug 22, 2013 at 1:30 PM
Subject: Re: Adding 'SecurityImpact' tag to OpenStack Blue prints
To: Sriram Subramanian <sriram at sriramhere.com>
Cc: Bryan Payne <bdpayne at acm.org>


Sriram Subramanian wrote:
> At today's OSSG meeting, it was discussed that it would be great to
> introduce security review during design stage itself. As a starter, it
> was suggested to tag blueprints with '*SecurityImpact*' so that security
> could be brought into design discussions or as a followup. Is there an
> easy way to do this?

Launchpad blueprints do not support tagging.

> If not, is it possible to add such tagging
> capability to blueprints?

It's a bit difficult to propose code to Launchpad and get it merged
there. I mean, you can try... but blueprints are the ugly stepchild of
Launchpad and they are in a sad state. I'm working on a replacement that
will have blueprints tags, but it's still a long way away.

> I can also think of using WhiteBoard free text area to add such tags,
> but there is a possibility of typo or variations in usage. If tagging is
> absolutely not possible, could we use this area to this effect then?

You could add keywords to the whiteboard, but those are not easily
searchable, so it's non-trivial to make them generate alerts.

In this precise case (and until we get proper tagging for blueprints) I
think we should just document and communicate *how* to get the OSSG
involved in early security design, and then encourage people to make use
of that resource (for example by spotting blueprints which would have
benefited from it early on and publicly blame their authors for not
doing it :)

Cheers,

--
Thierry Carrez (ttx)



-- 
Thanks,
-Sriram