Hi Ian--

Thanks for the reminder. As PTL, I know I have some action items to update our project navigator status. Speaking on behalf of the Barbican community, I can say that we do follow the rules of stable branches and deprecation. I'll submit a patch now to state this assertion.

I also believe that we currently have the appropriate variety of distributions available. Our installation guide gives instructions on how to install from each of these. I don't know how to apply for this "star" in project navigator.

We have taken steps to qualify for vulnerability management, most notably we completed a threat modeling exercise with the security project team. I'll reach out to that team to find out what remaining steps are necessary to be tagged as vulnerability managed.

--Dave
On 1/16/17, 8:55 AM, "Ian Cordasco" <sigmaviru...@gmail.com> wrote:

> Hi barbicaneers (I don't actually know what y'all call yourselves :)),
>
> Related to the other thread I just started, I was looking at the project navigator [1] for Barbican and found some things that look wrong (to an outsider) and was hoping could be cleared up.
>
> First, "Is this project maintained following the common Stable branch policy?" appears to be "Yes" now. I notice you have stable branches that actually look stable. Are y'all working with the stable maintenance team on them?
>
> Second, "Does this project follows standard deprecation?" I'm not (yet) a user of Barbican, but are you still not following the standard deprecation policy?
>
> Third, "Existence and quality of packages for this project in popular distributions." It seems Fedora [2], Debian [3], Ubuntu [4], and OpenSUSE [5] all have packages (including in stable versions). I can't speak to the quality of the packages, but knowing the hard work most of our downstream redistributors put into those packages, I'm certain they're good quality. This should *definitely* be updated, in my opinion.
>
> Finally, "Are vulnerability issues managed by the OpenStack security team?" I know that the OpenStack Security Project worked with the Barbican team to come up with a vulnerability analysis a few midcycles ago. Is that roughly where you all stopped? Is there a reason you haven't attempted to work with the VMT on security issues?
>
> Hopefully my agenda is obvious - I'd like to see fewer projects attempting to implement their own secret storage and instead use Barbican. Keeping the navigator up-to-date seems (to me) to be a good way to improve Barbican's image. I would be happy to work with you all (with what little time I have) to update the navigator to better reflect Barbican's reality.
>
> [1]: https://www.openstack.org/software/releases/newton/components/barbican
> [2]: https://apps.fedoraproject.org/packages/s/barbican
> [3]: https://packages.debian.org/search?keywords=barbican&searchon=all&suite=all&section=all
> [4]: http://packages.ubuntu.com/search?keywords=barbican&searchon=names&suite=all&section=all
> [5]: https://software.opensuse.org/search?utf8=✓&q=barbican&search_devel=false&search_unsupported=false&baseproject=openSUSE:Leap:42.2
>
> Cheers,
> --
> Ian Cordasco
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev