openstack-poc team mailing list archive

[Thierry Carrez <thierry@xxxxxxxxxxxxx>]

Jonathan Bryce wrote:
> 2) Review security group proposal
> - http://wiki.openstack.org/Governance/Proposed/OpenStack%20Security%20Group
> <http://wiki.openstack.org/Governance/Proposed/OpenStack Security Group>
> Following on some of the discussion from a few weeks ago, a Rackspace
> employee put together a proposal around forming a security group. I know
> we've had a few various starts on this issue, but it seems like
> something that would be good to codify and publish so we can educate
> people on the right way to handle any vulnerabilities that pop up.

I replied last month to Jarret with some comments/suggestions (which he
agreed on) and I think the current proposal should be fixed before we
can vote on it. In particular:

- Public ML -> we should reuse the main openstack list at least until
traffic justifies a separate list
- Private bugtracker -> LP supports "private" security bugs so there is
no need for an additional separate thing
- security@xxxxxxxxxxxxx -> this should rather be a small set of
personal email addresses (with associated GPG keys) so that mail can be
sent encrypted.

I also think (from experience) that the size of the group should be kept
minimal. The current draft states that "a core of OpenStack community
leaders, Rackspace specialists and security experts in the commercial
and open source world start out as the seed of the OSSG", which would
already make a decently-sized group... I'd like to see some safeguards
against inflation: we don't want to end up with as many members as
http://www.mozilla.org/projects/security/secgrouplist.html -- which may
make sense for complex security models like Firefox's, but is just an
increased leak risk for us.

-- 
Thierry Carrez (ttx)
Release Manager, OpenStack