openstack-ossg team mailing list archive

Re: OSSG Introduction

Bryan D. Payne wrote:
> * Use the OSSG launchpad email list for communication within the group
> (like this!) and for discussing vulnerabilities that shouldn't be
> publicly discussed (e.g., when we help out the vulnerability
> management team).

Note that the OSSG list archive is public. I can access
https://lists.launchpad.net/openstack-ossg/ without being logged in. So
I would definitely avoid it to discuss embargoed issues :)

When the Vulnerability Management Team (VMT) pulls the OSSG in on a bug
(by subscribing the team to the bug), the discussion can happen in bug
comments, which are private until the bug is opened.

> * Right now we have people in the group from a variety of key players
> (alpha by company):
> CloudPassage (Andrew Hay)
> Cloudscaling (Matt Joyce)
> HP (Robert Clark)
> Nebula (Bryan Payne, Jeff Ward, Paul McMillan)
> OpenStack TC (Thierry Carrez)
> Red Hat (Daniel Berrange, Kurt Seifried, Russell Bryant)
> Seagate (Chris DeMattio)
> Suse (Thomas Biege)
> 
> * I'd like to continue adding to the group to ensure we have all of
> the key players.  If you know someone that would be a good addition,
> please let me know and/or make an introduction.

Rackspace sounds like the big missing party here. I'd recommend Matt
Tesauro, I think he was interested...

> * I have already submitted a request to create a SecurityImpact label
> on pull requests (see
> https://bugs.launchpad.net/openstack-ci/+bug/1070577).  The idea is
> that people can label code changes that they believe require a
> security review.  Those review requests will come to this mailing
> list.  As a group, let's try to provide thoughtful, timely reviews for
> all of these.  And, of course, any other security oriented code
> reviews you can do would be great.

I'll try to implement that label soon, before we rewrite the whole
gerrit-to-launchpad updating mechanism.

Note that the VMT also uses the "security" tag on bugs that are not
considered directly-exploitable vulnerabilities but rather welcome
security strengthening enhancements (all good things to have for
isolation and security in depth). Those sound like good priority targets
for this group! You can see them all at:

https://bugs.launchpad.net/openstack/+bugs?field.tag=security

If you see bugs that should belong to this category, don't hesitate to
tag them :)

Regards,

-- 
Thierry Carrez (ttx)
Release Manager, OpenStack
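As an added illustration of the SecurityImpact review-routing idea discussed in this thread, the following Python is example code written for this page; it is not the OpenStack CI hook and not part of the original message. It assumes a footer-style marker line `SecurityImpact` (optionally `SecurityImpact: <note>`) in the commit message, a Gerrit `Change-Id` trailer, and a placeholder list address; the sample commit messages are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed tag format: a line in the commit message footer that is exactly
# "SecurityImpact", optionally followed by ": <short note>". Anchoring on the
# whole line avoids flagging prose such as "this has no security impact".
SECURITY_IMPACT_RE = re.compile(
    r"^[ \t]*SecurityImpact[ \t]*(?::[ \t]*(?P<note>.*?))?[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)
# Gerrit Change-Id trailer: "I" followed by 40 hex digits.
CHANGE_ID_RE = re.compile(r"^Change-Id:[ \t]*(?P<id>I[0-9a-f]{40})[ \t]*$", re.MULTILINE)

# Placeholder address for the group's list (assumed, not taken from the thread).
REVIEW_LIST = "security-review-list@example.org"


@dataclass
class ReviewNotice:
    change_id: str
    subject: str
    note: str

    def render(self, list_address: str = REVIEW_LIST) -> str:
        """Body of the notification that a hook would mail to the review list."""
        note = f" ({self.note})" if self.note else ""
        return (f"To: {list_address}\n"
                f"Subject: [SecurityImpact] {self.subject}\n\n"
                f"Change {self.change_id} was tagged for security review{note}.\n")


def security_review_notice(message: str) -> Optional[ReviewNotice]:
    """Return a ReviewNotice if the commit message carries the SecurityImpact tag, else None."""
    tag = SECURITY_IMPACT_RE.search(message)
    if tag is None:
        return None
    change = CHANGE_ID_RE.search(message)
    change_id = change.group("id") if change else "<no Change-Id>"
    lines = message.strip().splitlines()
    subject = lines[0].strip() if lines else "<no subject>"
    return ReviewNotice(change_id, subject, (tag.group("note") or "").strip())


def flag_changes(messages: List[str]) -> List[ReviewNotice]:
    """Scan a batch of commit messages and keep only the ones needing a security review."""
    return [n for n in (security_review_notice(m) for m in messages) if n is not None]


# Constructed sample commit messages (not real OpenStack changes).
SAMPLE_COMMITS = [
    "Harden token validation in the auth middleware\n\n"
    "Reject tokens with a malformed expiry field instead of accepting them.\n\n"
    "SecurityImpact: input validation on an authentication path\n"
    "Change-Id: I" + "a" * 40,
    "Fix typo in README\n\nChange-Id: I" + "b" * 40,
    "Refactor logging setup\n\nThis has no security impact.\n\nChange-Id: I" + "c" * 40,
]

if __name__ == "__main__":
    for notice in flag_changes(SAMPLE_COMMITS):
        print(notice.render())
```

Only the first sample is flagged: the second has no tag and the third mentions "security impact" in prose, which the line-anchored pattern deliberately ignores so that routine changes do not flood the list.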
