On 08/13/2013 06:20 PM, Dolph Mathews wrote:
With regard to:
https://blueprints.launchpad.net/keystone/+spec/key-distribution-server
During today's project status meeting [1], the state of KDS was
discussed [2]. To quote ttx directly: "we've been bitten in the past
with late security-sensitive stuff" and "I'm a bit worried to ship
late code with such security implications as a KDS." I share the same
concern, especially considering the API only recently went up for
formal review [3], and the WIP implementation is still failing
smokestack [4].
Since KDS is a security tightening in a case where there is no security
at all, adding it in can only improve security.
It is a relatively simple extension from the keystone side. The
corresponding change is in the client, and that has already merged.
I'm happy to see the reviews in question continue to receive their
fair share of attention over the next few weeks, but can (and should?)
merging be delayed until icehouse while more security-focused eyes
have time to review the code?
Ceilometer and nova would both be affected by a delay, as both have
use cases for consuming trusted messaging [5] (a dependency of the bp
in question).
Thanks for your feedback!
[1]: http://eavesdrop.openstack.org/irclogs/%23openstack-meeting/%23openstack-meeting.2013-08-13.log
[2]: http://paste.openstack.org/raw/44075/
[3]: https://review.openstack.org/#/c/40692/
[4]: https://review.openstack.org/#/c/37118/
[5]: https://blueprints.launchpad.net/oslo/+spec/trusted-messaging
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev