[Openstack-security] Security Note (OSSN) Process

Daniel P. Berrange berrange at redhat.com
Mon Jan 20 10:53:29 UTC 2014


On Fri, Jan 17, 2014 at 10:17:50AM -0800, Bryan D. Payne wrote:
> A couple of thoughts...
> 
> * I like the idea of storing these in git.
> * Perhaps including a date in the numbering of the OSSN is not needed?
>  Could we just number them sequentially?
> 
> OSSN-0001
> OSSN-0002
> etc.
> 
> If we use git and number sequentially, then it would be easy to just grab
> the next number when writing a new OSSN.  I also really like the idea of
> doing the reviews in gerrit rather than launchpad / email.

NB if the OSSN being created is for a non-public security issue then
you really don't want this going anywhere near a public gerrit review
or git repository. There's just too much risk of exposing sensitive
data that way.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|



