John, you just volunteered to run the CloudStack security team. Congratulations!
Seriously though, would you like to start with a proposal for how we should handle these things?

Ewan.

> -----Original Message-----
> From: John Kinsella [mailto:j...@stratosec.co]
> Sent: Wednesday, June 20, 2012 1:10 PM
> To: cloudstack-dev@incubator.apache.org
> Subject: Re: Query regarding where to store encryption keys
>
> +1 :)
>
> On Jun 20, 2012, at 12:59 PM, David Nalley wrote:
>
> > On Wed, Jun 20, 2012 at 3:50 PM, Ewan Mellor <ewan.mel...@eu.citrix.com> wrote:
> >>> -----Original Message-----
> >>> From: David Nalley [mailto:da...@gnsa.us]
> >>> Sent: Wednesday, June 20, 2012 12:32 PM
> >>> To: cloudstack-dev@incubator.apache.org
> >>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
> >>> Subject: Re: Query regarding where to store encryption keys
> >>>
> >>> On Wed, Jun 20, 2012 at 3:15 PM, Vijayendra Bhamidipati
> >>> <vijayendra.bhamidip...@citrix.com> wrote:
> >>>> Hi Team,
> >>>>
> >>>> This is with reference to bug CS-15151
> >>>> (http://bugs.cloudstack.org/browse/CS-15151). I have some questions and
> >>>> it would be great if you could share your knowledge and suggestions.
> >>>>
> >>>
> >>> Why is that bug not publicly visible?
> >>
> >> Probably because it's highlighting a potential security hole. That seems
> >> like a reasonable precaution for the reporter to have taken.
> >>
> >> Would you like to handle these some other way?
> >>
> >> Ewan.
> >>
> >
> > That's a perfectly valid reason to keep it private, - though now the
> > content of the bug has been publicly discussed, so one wonders at the
> > continued utility of it being private.
> >
> > Perhaps it's a good time to segue to discussing how we wish to handle
> > security bugs, and get that documented.
> >
> > --David
>
> Stratosec - Secure Infrastructure as a Service
> o: 415.315.9385
> @johnlkinsella