Simo Sorce wrote:
>> During today's project status meeting [1], the state of KDS was
>> discussed [2]. To quote ttx directly: "we've been bitten in the past
>> with late security-sensitive stuff" and "I'm a bit worried to ship
>> late code with such security implications as a KDS."
>
> Is ttx going to review any "security implications"? The code does not
> mature just because it sits there untouched for more or less time.

This is me with my vulnerability management hat on. The trick is that we (the VMT) have to support security issues for code that will be shipped in stable/havana. The most embarrassing security issues we had in the past were with code that didn't see a fair amount of time in master before we had to start supporting it.

So for us there is a big difference between landing the KDS now and having it security-supported after one month of usage, and landing it in a few weeks and having it security-supported after 7 months of usage. After 7 months I'm pretty sure most of the embarrassing issues will be ironed out. I don't really want us to repeat the mistakes of the past, where we shipped really new code in keystone that ended up not really usable, but which we still had to support security-wise due to our policy.

By "security implications", I mean that this is a domain (like, say, token expiration) where even basic bugs can easily create a vulnerability. We just don't have the bandwidth to ship an embargoed security advisory for every bug that will be found in the KDS one month from now.

> I would agree to this only if you can name individuals that are going to
> do a "security review", otherwise I see no real reason to delay, as it
> will cost time to keep patches up to date, and I'd rather not do that if
> no one is lining up to do a "security review".
>
> FWIW I did circulate the design for the security mechanism internally in
> Red Hat to some people with some expertise in crypto matters.

Are you saying it won't have significantly fewer issues in 7 months just by virtue of being landed in master and put into use in various projects? Or that it was so thoroughly audited that my fears are unwarranted?

--
Thierry Carrez (ttx)

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev