
openstack-ossg team mailing list archive

OSSG Introduction


Thanks for participating in the OpenStack Security Group (OSSG).  We
are just getting started and it will only be as good as the community
involvement.  So I wanted to take a few minutes of your time to
suggest some ground rules and initial steps.

Mailing Lists
----
* Use the OSSG launchpad email list for communication within the group
(like this!) and for discussing vulnerabilities that shouldn't be
publicly discussed (e.g., when we help out the vulnerability
management team).

* Use openstack-dev with [OSSG] in the subject line for all other
discussions.  This comes from specific requests to keep as much security
discussion as possible open to the community.  And I believe it will
help encourage a stronger security mindset within the community as
well.


Group Membership
----
* Right now we have people in the group from a variety of key players
(alpha by company):
CloudPassage (Andrew Hay)
Cloudscaling (Matt Joyce)
HP (Robert Clark)
Nebula (Bryan Payne, Jeff Ward, Paul McMillan)
OpenStack TC (Thierry Carrez)
Red Hat (Daniel Berrange, Kurt Seifried, Russell Bryant)
Seagate (Chris DeMattio)
Suse (Thomas Biege)

* I'd like to continue adding to the group to ensure we have all of
the key players.  If you know someone that would be a good addition,
please let me know and/or make an introduction.
* I'd also like to get more OpenStack core developers in the group so
that we can contribute more through code contributions and code
reviews.


Next Steps
----
* We should define some initial tasks for our group.  I'll start a
separate email thread about this on the openstack-dev list.
* I have already submitted a request to create a SecurityImpact label
on pull requests (see
https://bugs.launchpad.net/openstack-ci/+bug/1070577).  The idea is
that people can label code changes that they believe require a
security review.  Those review requests will come to this mailing
list.  As a group, let's try to provide thoughtful, timely reviews for
all of these.  And, of course, any other security oriented code
reviews you can do would be great.
* I'd like to have at _least_ one OSSG member as an active code
contributor on each core project.  If you have commit privs for a core
project, and would like to help us out in this capacity, then let me
know so that we can list you as the OSSG security contact for that
project.


Feedback and suggestions are always welcome.  Let's work together to
make the security of each OpenStack release better than the previous!

Cheers,
-bryan

