On 2015-09-02 17:47:20 +0000 (+0000), Tristan Cacqueray wrote:
[...]
> Any supported programming language by the openstack project should/could
> also be accepted for vulnerability management.
> As long as there is a way to test patch, I think the VMT can support
> other languages like Go or Puppet.

Okay, so for me that implies an extra criterion: the repos for the
deliverable covered should have testing. Great point, it seems pretty
important really and was absent from my initial list.

> The risk is to divide downstream communities, and managing different
> lists sounds like overkill for now. One improvement would be to maintain
> that list publicly like xen do for their pre-disclosure list:
> http://www.xenproject.org/security-policy.html
[...]
> With a public stakeholder list, we can clarify our vmt-process to be
> directly usable without vmt supervision.
[...]

Unlike many communities, our commercial popularity and corresponding
desire from many vendors to make their involvement in OpenStack as
obvious as possible leads to a bit of a "me too" situation whenever we
create public lists of organizations. I'm all for making our stakeholder
*criteria* clearly documented, but worry that turning the list of who
gets advance notification of embargoed vulnerability fixes into a public
roster will put undue pressure on vendors to be seen as one of the
"privileged few" (creating additional work for the VMT and potentially
resulting in downstream stakeholders who don't actually intend to make
use of the notification and so needlessly increase the risk of leaks and
premature disclosure).

An alternative solution we've discussed to make reaching downstream
stakeholders easier for our developers is adding them to a private
mailing list reserved only for advance notification of embargoed
vulnerability fixes. The VMT could control manual subscription of new
stakeholders and moderate posts to ensure that subsequent discussion is
pushed back to the embargoed bug reports themselves (we should also
probably create a corresponding stakeholders group in the bug tracker so
they can be subscribed to private bugs at the same time advance
notifications are sent, and start including the bug links in those
downstream notifications).
-- 
Jeremy Stanley
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev