Open Stack

Lloyd Dewolf wrote:
> On Thu, Nov 24, 2011 at 7:30 AM, Thierry Carrez <thierry at openstack.org> wrote:
>> I want to turn the question around: why do *you* want more ?
> I don't think you are implying it, but just to snuff out any though.
> I'm completely comfortable speaking for Piston Cloud that if by some
> craziness adjusting this policy to better serve the project required
> that Piston Cloud *never* was a member of the vulnerabiliity group I'm
> certain I can get sign off on that.

I'm not implying anything. My question is why do you want more. Why is 3
not enough. From the rest of your (long) reply I suspect that you want
more in order to have immediate, 24x7 coverage of security issues
reported in openstack software.

> I feel like you might have accidently skipped in your quoting at least
> one of my question. What is the successful three person, email-based,
> implimentation this is based on?

It's based on my own experience managing a Linux distribution security
team that used to have some success
(http://www.gentoo.org/security/en/index.xml). And on that case the
minimum necessary number was actually (and still is) 2 people.

> [...]
> The process to come up with this list might look like:
> 1. Revisit who are the top candidate volunteers2. Put their "usual"
> work day on a calendar including *weekends*. No healthy person works
> the same 8hrs seven days a week, so no one better claim they do ;-)
> 2.a Only allow each candidate volunteer to identify 8hrs per day.
> 
> Come up with the minimum list with density of at least three at each hour.

I agree with you that such coverage requires way more than 3 people.
Nobody in the current vulnerability management team is covering
weekends. We rely on core project developers to implement and review the
fixes, and those people don't work on weekends either. We coordinate the
critical fixes and disclosure with multiple downstream distributions,
which takes days -- and those don't work on weekends either.

My understanding is that you find the current team setup not good
enough. I suggest you come up with a new improved proposal, together
with the resources that would make it happen. I'm perfectly fine to let
my amateur community-based team be taken over by professionals, if
that's the wish of the PPB. Doing this was never part of my job description.

The setup we proposed was (1) to have something (one month ago, we had
*nothing*) and (2) to be realistic in relation with the rest of our
current development processes (what's the point in covering weekends if
you have to wait for week days to produce a fix or coordinate the
disclosure).

-- 
Thierry Carrez (ttx)
Release Manager, OpenStack