[Openstack-security] Security Note (OSSN) Process
Clark, Robert Graham
robert.clark at hp.com
Mon Jan 20 17:18:47 UTC 2014
On Mon Jan 20 16:45:38 2014, Daniel P. Berrange wrote:
> On Mon, Jan 20, 2014 at 04:37:55PM +0000, Clark, Robert Graham wrote:
>>
>> Thanks Daniel, I think you raise some good points but perhaps you are
>> blurring the lines between security notes (OSSN) and security
>> advisories (OSSA) a little too much. It's worth keeping in mind that
>> we are not talking about how OpenStack handles security advisories, we
>> are talking about OpenStack Security Notes that provide guidance around
>> configuration and software choices that have potential security impact
>> to OpenStack deployments.
>>
>> (fwiw I think that OSSAs probably should be published in CVRF 1.1)
>>
>> In many cases we won't have metadata such as 'reported date,' a 'fix
>> commit', or even a 'broken in' date. Often we are not talking about
>> specific defects but potential bad combinations of software, bad
>> configurations (user end) etc. In fact we are almost never referring
>> directly to a vulnerability in the OpenStack framework with an OSSN.
>>
>> We don't have the same downstream consumers of OSSNs that libvirt LSNs
>> or for that matter, that OpenStack OSSAs have. We don't necessarily
>> need a format that's easily machine read - OSSNs are usually very
>> subjective and require the reader to make an evaluation on the impact
>> to their deployment. (I suppose I can see an opportunity for some
>> future project that makes use of OSSNs as part of an automated
>> checklist for an OpenStack deployment, but OSSNs are so broad that
>> almost every one would be liable to generate false positives.) I'm not
>> completely against having a machine readable format that can be parsed
>> out into various languages but I think it might be a bit over-the-top
>> for what our requirements are.
>>
>> Your offer to relicense the scripts etc that are used by the libvirt
>> project is greatly appreciated, having tooling available significantly
>> lowers the bar in terms of adopting it, I think perhaps this is
>> something that we should consider discussing at the weekly security
>> meeting.
>
> Doh, I was in fact mixing up OSSNs and OSSAs. As you say, OSSNs obviously
> don't require the same level of detail for metadata. I do wonder, however,
> if there is some value in using related data formats for both? e.g. perhaps
> an OSSN could use the same core schema as OSSAs, but with a number of the
> metadata pieces omitted, so similar tools could deal with both types of
> document more easily?
>
> Daniel
I'd be open to that at some point in the future but as we currently
don't have anything like this in place for OSSAs there's nothing for
us to align with :-s
Definitely worth considering in the future.