[Openstack-security] Security Note (OSSN) Process
Nathan Kinder
nkinder at redhat.com
Tue Jan 14 01:39:04 UTC 2014
On 01/13/2014 04:27 PM, Grant Murphy wrote:
>
>
> On Mon, 2014-01-13 at 08:24 -0800, Nathan Kinder wrote:
>> Hi,
>
> Hi Nathan,
>
>>
>> I have started to put together a wiki page skeleton outlining the
>> process to follow when writing a new Security Note (OSSN). I think it's
>> far enough along to share. Any feedback and suggestions would be
>> appreciated! The new page is available here:
>>
>> https://wiki.openstack.org/wiki/Security/Security_Note_Process
>>
>> There are a few things that I think need to be added or clarified:
>>
>> - Do we want to change the numbering scheme? We've discussed using
>> something similar to the OSSA numbering scheme (YYYY-XX). This would be
>> an improvement over what we currently use (Launchpad bug #).
>>
>
> I have no strong opinion about a numbering system. My only concern would
> be if people get confused about the difference between an OSSA and an
> OSSN.
My problem with the current OSSN numbering scheme is that it gives no
indication of when the OSSN was published. For example, a newer
Launchpad bug could result in a published OSSN before an older one. It
would be nice to be able to compare two OSSN numbers and immediately
tell which is newer.
> One thing I would like to start doing is to track OSSA & OSSN in a
> more 'computer friendly' format. For example rubysec keeps advisories in
> github in yaml format. This allows tooling to be built around ensuring
> deployments are secure, and also allows us to see trends in what we are
> getting wrong as developers.
This is a goal of mine as well. I did some brief investigation a while
back into CVRF, which looks like a good potential option. This is a
discussion I'd like to bring up with the VMT to get their thoughts.
>
>
>
>> - When is a CVE needed, and how is CVE filing handled? Should we
>> consult with the VMT team and let them make the determination?
>>
>
> The VMT process is documented here:
> https://wiki.openstack.org/wiki/VulnerabilityManagement
>
> Anything that is considered a vulnerability should be reported to the
> VMT. If it is deemed that a CVE is not warranted, an OSSN may be issued.
We've published OSSNs that have a CVE associated with them. I believe
that what happened in those cases is that the issue was looked at by the
VMT and a CVE was assigned while assessing the issue. The issues were
low priority enough that it was determined that they should be handled
as OSSNs instead of OSSAs.
>
>
> HTH
>
> - Grant.
Thanks for the feedback. It's much appreciated!
-NGK
>
>
>> Thanks,
>> -NGK