On Wed, 2013-08-14 at 12:35 -0300, Thierry Carrez wrote:
> Simo Sorce wrote:
> >> During today's project status meeting [1], the state of KDS was
> >> discussed [2]. To quote ttx directly: "we've been bitten in the past
> >> with late security-sensitive stuff" and "I'm a bit worried to ship
> >> late code with such security implications as a KDS."
> >
> > Is ttx going to review any "security implications"? The code does not
> > mature just because it sits there untouched for more or less time.
>
> This is me wearing my vulnerability management hat on. The trick is that
> we (the VMT) have to support security issues for code that will be
> shipped in stable/havana. The most embarrassing security issues we had
> in the past were with code that didn't see a fair amount of time in
> master before we had to start supporting it.
>
> So for us there is a big difference between landing the KDS now and having
> it security-supported after one month of usage, and landing it in a few
> weeks and having it security-supported after 7 months of usage. After 7
> months I'm pretty sure most of the embarrassing issues will be ironed out.
>
> I don't really want us to repeat the mistakes of the past where we
> shipped really new code in keystone that ended up not really usable, but
> which we still had to support security-wise due to our policy.
>
> By "security implications", I mean that this is a domain (like, say,
> token expiration) where even basic bugs can easily create a
> vulnerability. We just don't have the bandwidth to ship an embargoed
> security advisory for every bug that will be found in the KDS one month
> from now.

I understand and appreciate that, so are you saying you want to veto KDS
introduction in Havana on this ground?

> > I would agree to this only if you can name individuals that are going to
> > do a "security review", otherwise I see no real reason to delay, as it
> > will cost time to keep patches up to date, and I'd rather not do that if
> > no one is lining up to do a "security review".
> >
> > FWIW I did circulate the design for the security mechanism internally in
> > Red Hat to some people with some expertise in crypto matters.
>
> Are you saying it won't have significantly fewer issues in 7 months just
> by the virtue of being landed in master and put into use in various
> projects? Or that it was so thoroughly audited that my fears are
> unwarranted?

Bugs can always happen, and whether 7 months of being used in development
makes a difference when it comes to security-relevant bugs I can't say.

I certainly am not going to claim my work is flawless, I know better than
that :)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
