We should set up a dedicated channel for security issues and handle security bugs carefully.
Below are some of the examples:

Apache HTTP Server Project: http://httpd.apache.org/security_report.html
OpenStack: http://openstack.org/projects/openstack-security/
Eucalyptus: http://www.eucalyptus.com/eucalyptus-cloud/security/procedures

-Clement

-----Original Message-----
From: David Nalley [mailto:da...@gnsa.us]
Sent: Wednesday, June 20, 2012 12:59 PM
To: cloudstack-dev@incubator.apache.org
Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
Subject: Re: Query regarding where to store encryption keys

On Wed, Jun 20, 2012 at 3:50 PM, Ewan Mellor <ewan.mel...@eu.citrix.com> wrote:
>> -----Original Message-----
>> From: David Nalley [mailto:da...@gnsa.us]
>> Sent: Wednesday, June 20, 2012 12:32 PM
>> To: cloudstack-dev@incubator.apache.org
>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>> Subject: Re: Query regarding where to store encryption keys
>>
>> On Wed, Jun 20, 2012 at 3:15 PM, Vijayendra Bhamidipati
>> <vijayendra.bhamidip...@citrix.com> wrote:
>> > Hi Team,
>> >
>> > This is with reference to bug CS-15151
>> (http://bugs.cloudstack.org/browse/CS-15151). I have some questions
>> and it would be great if you could share your knowledge and suggestions.
>> >
>>
>>
>> Why is that bug not publicly visible?
>
> Probably because it's highlighting a potential security hole. That seems
> like a reasonable precaution for the reporter to have taken.
>
> Would you like to handle these some other way?
>
> Ewan.
>

That's a perfectly valid reason to keep it private, though now the content of the bug has been publicly discussed, so one wonders at the continued utility of it being private.

Perhaps it's a good time to segue to discussing how we wish to handle security bugs, and get that documented.

--David