openstack-poc team mailing list archive

Thread
Date

Re: PPB Tuesday Meeting

To: Thierry Carrez <thierry@xxxxxxxxxxxxx>
From: Jay Pipes <jaypipes@xxxxxxxxx>
Date: Tue, 16 Aug 2011 10:29:45 -0400
Cc: openstack-poc@xxxxxxxxxxxxxxxxxxx
In-reply-to: <4E4A5B0C.2020102@openstack.org>

Fully agree with Thierry's comments here.

-jay

On Tue, Aug 16, 2011 at 7:57 AM, Thierry Carrez <thierry@xxxxxxxxxxxxx> wrote:
> Jonathan Bryce wrote:
>> 2) Review security group proposal
>> - http://wiki.openstack.org/Governance/Proposed/OpenStack%20Security%20Group
>> <http://wiki.openstack.org/Governance/Proposed/OpenStack Security Group>
>> Following on some of the discussion from a few weeks ago, a Rackspace
>> employee put together a proposal around forming a security group. I know
>> we've had a few various starts on this issue, but it seems like
>> something that would be good to codify and publish so we can educate
>> people on the right way to handle any vulnerabilities that pop up.
>
> I replied last month to Jarret with some comments/suggestions (which he
> agreed on) and I think the current proposal should be fixed before we
> can vote on it. In particular:
>
> - Public ML -> we should reuse the main openstack list at least until
> traffic justifies a separate list
> - Private bugtracker -> LP supports "private" security bugs so there is
> no need for an additional separate thing
> - security@xxxxxxxxxxxxx -> this should rather be a small set of
> personal email addresses (with associated GPG keys) so that mail can be
> sent encrypted.
>
> I also think (from experience) that the size of the group should be kept
> minimal. The current draft states that "a core of OpenStack community
> leaders, Rackspace specialists and security experts in the commercial
> and open source world start out as the seed of the OSSG", which would
> already make a decently-sized group... I'd like to see some safeguards
> against inflation: we don't want to end up with as many members as
> http://www.mozilla.org/projects/security/secgrouplist.html -- which may
> make sense for complex security models like Firefox's, but is just an
> increased leak risk for us.
>
> --
> Thierry Carrez (ttx)
> Release Manager, OpenStack
>
> _______________________________________________
> Mailing list: https://launchpad.net/~openstack-poc
> Post to     : openstack-poc@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~openstack-poc
> More help   : https://help.launchpad.net/ListHelp
>

References

PPB Tuesday Meeting
From: Jonathan Bryce, 2011-08-16
Re: PPB Tuesday Meeting
From: Thierry Carrez, 2011-08-16