[Openstack-security] Security Note (OSSN) Process
Thierry Carrez
thierry at openstack.org
Tue Jan 14 09:37:44 UTC 2014
Nathan Kinder wrote:
>> One note I would use the same number sequence, e.g.:
>
>> OSSA-2014-01 OSSA-2014-02 OSSN-2014-03
>
>> The reason for this: "OSSA-2014-01" vs "OSSN-2014-01" is kind of
>> messy, harder to search/etc. Also I would advise using more than 2
>> digits (3 should be safe).
>
> I like it. That prevents the OSSA/OSSN confusion problem and it also
> has the benefit of allowing us to easily compare the publishing date
> between an OSSA and OSSN.
I think it actually increases the confusion, and we'd need to build some
central numbering authority to make sure we don't reuse the same number...
OSSAs (and CVEs) are vulnerabilities, so they are serial events very
related to the time of their publication, hence the numbering. OSSNs are
more like security best practices: and those are permanent, eternal and
their order doesn't matter that much. What you need is a convenient way
to uniquely identify them, and then a mechanism to publish updated
versions of them if need be.
For example you could use a single serial number with a date-based
edition version, like "OSSN 12 (2014-01-20 edition)". That would let you
revisit some topics as the software evolves over time.
(In summary, OSSAs are like a calendar with events, while OSSNs are like
a reference book with chapters. You would not number book chapters after
the date the chapter was originally written).
About CVEs: since anybody can request a CVE to be assigned about a
specific issue and everyone has a different opinion on what constitutes a
"vulnerability", there have been a number of issues in the past that had
CVE assigned to them and did not trigger an OSSA. They tend to fall into
two categories though: CVE assigned by the VMT but not triggering an
OSSA, or CVE assigned by some other party (generally a distribution).
For that reason I don't think you need to be concerned too much about
CVE assignment. To handle the corner case where one is warranted but
nobody ever assigned one, you can always ask the VMT or this list for one.
--
Thierry Carrez (ttx)