[Openstack-security] Fwd: Adding 'SecurityImpact' tag to OpenStack Blue prints

Adam Young ayoung at redhat.com
Fri Aug 30 14:10:19 UTC 2013


On 08/22/2013 05:00 PM, Sriram Subramanian wrote:
> Followup from today's meeting
>
> 1) Appears that there is not an easy way as of now to add a tag to 
> blueprints.

Each Blueprint should have a bug.  If it is a new feature, it should be 
a Wishlist bug.  Tag the bug.
>
> 2) What are your thoughts on documenting the 'how' part of getting 
> OSSG involved during design?



>
>
> thanks,
> -Sriram
>
> ---------- Forwarded message ----------
> From: Thierry Carrez <thierry at openstack.org>
> Date: Thu, Aug 22, 2013 at 1:30 PM
> Subject: Re: Adding 'SecurityImpact' tag to OpenStack Blue prints
> To: Sriram Subramanian <sriram at sriramhere.com>
> Cc: Bryan Payne <bdpayne at acm.org>
>
>
> Sriram Subramanian wrote:
> > At today's OSSG meeting, it was discussed that it would be great to
> > introduce security review during design stage itself. As a starter, it
> > was suggested to tag blueprints with '*SecurityImpact*' so that security
> > could be brought into design discussions or as a followup. Is there an
> > easy way to do this?
>
> Launchpad blueprints do not support tagging.
>
> > If not, is it possible to add such tagging
> > capability to blueprints?
>
> It's a bit difficult to propose code to Launchpad and get it merged
> there. I mean, you can try... but blueprints are the ugly stepchild of
> Launchpad and they are in a sad state. I'm working on a replacement that
> will have blueprints tags, but it's still a long way away.
>
> > I can also think of using WhiteBoard free text area to add such tags,
> > but there is a possibility of typo or variations in usage. If tagging is
> > absolutely not possible, could we use this area to this effect then?
>
> You could add keywords to the whiteboard, but those are not easily
> searchable, so it's non-trivial to make them generate alerts.
>
> In this precise case (and until we get proper tagging for blueprints) I
> think we should just document and communicate *how* to get the OSSG
> involved in early security design, and then encourage people to make use
> of that resource (for example by spotting blueprints which would have
> benefited from it early on and publicly blame their authors for not
> doing it :)
>
> Cheers,
>
> --
> Thierry Carrez (ttx)
>
>
>
> -- 
> Thanks,
> -Sriram
>
>
