openstack-poc team mailing list archive
Message #00220
Re: PPB Tuesday Meeting
Fully agree with Thierry's comments here.
-jay
On Tue, Aug 16, 2011 at 7:57 AM, Thierry Carrez <thierry@xxxxxxxxxxxxx> wrote:
> Jonathan Bryce wrote:
>> 2) Review security group proposal
>> - http://wiki.openstack.org/Governance/Proposed/OpenStack%20Security%20Group
>> Following on some of the discussion from a few weeks ago, a Rackspace
>> employee put together a proposal around forming a security group. I know
>> we've had a few various starts on this issue, but it seems like
>> something that would be good to codify and publish so we can educate
>> people on the right way to handle any vulnerabilities that pop up.
>
> I replied last month to Jarret with some comments/suggestions (which he
> agreed on) and I think the current proposal should be fixed before we
> can vote on it. In particular:
>
> - Public ML -> we should reuse the main openstack list at least until
> traffic justifies a separate list
> - Private bugtracker -> LP supports "private" security bugs so there is
> no need for an additional separate thing
> - security@xxxxxxxxxxxxx -> this should rather be a small set of
> personal email addresses (with associated GPG keys) so that mail can be
> sent encrypted.
>
> I also think (from experience) that the size of the group should be kept
> minimal. The current draft states that "a core of OpenStack community
> leaders, Rackspace specialists and security experts in the commercial
> and open source world start out as the seed of the OSSG", which would
> already make a decently-sized group... I'd like to see some safeguards
> against inflation: we don't want to end up with as many members as
> http://www.mozilla.org/projects/security/secgrouplist.html -- which may
> make sense for complex security models like Firefox's, but is just an
> increased leak risk for us.
>
> --
> Thierry Carrez (ttx)
> Release Manager, OpenStack
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack-poc
> Post to : openstack-poc@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack-poc
> More help : https://help.launchpad.net/ListHelp
>