On 05/17/2017 10:46 AM, Jeremy Stanley wrote:
> On 2017-05-17 15:57:16 +0300 (+0300), George Shuklin wrote:
>> There is a bug in diskimage-builder; I reported it on 2017-03-10 as 'private
>> security'. I think this bug is medium severity.
>>
>> So far there was no reaction at all. I plan to change this bug to public
>> security next Monday. If someone is interested in bumping up the CVE count
>> for DIB, please look at
>> https://bugs.launchpad.net/diskimage-builder/+bug/1671842 (private-walled
>> for security group).
>
> Thanks for the heads up! One thing we missed in the migration of DIB
> from TripleO to Infra team governance is that the bug tracker for it
> was still under TripleO team control (I just now leveraged my
> OpenStack Administrator membership on LP to fix that), so the bug
> was only visible to https://launchpad.net/~tripleo until moments
> ago.
>
> That said, a "private" bug report visible to the 86 people who are
> members of that LP team doesn't really qualify as private in my book
> so there's probably no additional harm in just switching it to
> public security while I work on triaging it with the DIB devs.
>
> Going forward, private security bugs filed for DIB are only visible
> to the 18 people who make up the diskimage-builder-core and
> openstack-ci-core teams on LP, which is still more than it probably
> should be but it's a start at least.

Hmm, this points out a valid issue that we don't have a security group
for tripleo at all. We use the tripleo group to include basically all
tripleo developers so it's definitely not appropriate for this purpose.

Emilien, I think we should create a tripleo-coresec group in launchpad
that can be used for this. We have had tripleo-affecting security bugs
in the past and I imagine we will again. I'm happy to help out with
that, although I will admit my launchpad-fu is kind of weak so I don't
know off the top of my head how to do it.

-Ben
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)