openstack team mailing list archive

Re: Vulnerability Management concerns: negativity & count

 

Hi ttx,

Very good points.

The gating factor is triage, and this is what we first have to build
our, OpenStack's, Vulnerability Management solution around.

If the needed resources are not yet available let's fully understand that.

If distros and other OpenStack builders are not able to provide
direct, accessible, 24/7 contact for coordinated disclosure in, say,
the emergence of a zero day attack, then we can't do much more for
them than hope they are not compromised before they can respond to the
public disclosure.

Prepare for the worst, hope for the best.


I think we will soon be surprised by how many resources we, OpenStack,
have available, and who you will be able to access at any time of day
[1] if the issue warrants it -- code forbid!

Just think it has taken these last many months (and for many, some
more months) for the most recent cohorts to explore the code, play
with the experience, and start to investigate solutions. 2012 is going
to be a huge year for OpenStack!


Aside, I don't like your amateur vs professional angle for a couple of
reasons. For starters, my skimming through the archives, wiki, and
code trees, it was clear before I started that you are anything but an
amateur.

Further, passion is one of the tools that the amateur, the maker, has
to bring more fully to bear than the profession -- I <3 passion!


It sounds like from your experiences you are all too familiar that
until someone (you!) puts something in place, there is much dragging
of feet, and once it is in place everyone is a critic ;-)

Thanks for your patience with me, and thoughtful explanations. Thanks
for taking so much of your day today to engage me on this issue -- I
can't wait to some day not-too-far-away meet you.


After this long weekend I'll see if I can't bend some of your PPB
ears, and see us iterate to the next solution. I trust you will
continue to be a passionate participant!


Cheers,
Lloyd


1. The sun is always shining on an international project!

