On Wed, May 24, 2017 at 7:45 PM, Ben Nemec <openst...@nemebean.com> wrote:
>
>
> On 05/17/2017 10:46 AM, Jeremy Stanley wrote:
>>
>> On 2017-05-17 15:57:16 +0300 (+0300), George Shuklin wrote:
>>>
>>> There is a bug in diskimage-builder I reported it at 2017-03-10 as
>>> 'private security'. I think this bug is a medium severity.
>>>
>>> So far there was no reaction at all. I plan to change this bug to public
>>> security on next Monday. If someone is interested in bumping up CVE count
>>> for DIB, please look at
>>> https://bugs.launchpad.net/diskimage-builder/+bug/1671842 (private-walled
>>> for security group).
>>
>>
>> Thanks for the heads up! One thing we missed in the migration of DIB
>> from TripleO to Infra team governance is that the bug tracker for it
>> was still under TripleO team control (I just now leveraged my
>> OpenStack Administrator membership on LP to fix that), so the bug
>> was only visible to https://launchpad.net/~tripleo until moments
>> ago.
>>
>> That said, a "private" bug report visible to the 86 people who are
>> members of that LP team doesn't really qualify as private in my book
>> so there's probably no additional harm in just switching it to
>> public security while I work on triaging it with the DIB devs.
>> Going forward, private security bugs filed for DIB are only visible
>> to the 18 people who make up the diskimage-builder-core and
>> openstack-ci-core teams on LP, which is still more than it probably
>> should be but it's a start at least.
>
>
> Hmm, this points out a valid issue that we don't have a security group for
> tripleo at all. We use the tripleo group to include basically all tripleo
> developers so it's definitely not appropriate for this purpose.
>
> Emilien, I think we should create a tripleo-coresec group in launchpad that
> can be used for this. We have had tripleo-affecting security bugs in the
> past and I imagine we will again. I'm happy to help out with that, although
> I will admit my launchpad-fu is kind of weak so I don't know off the top of
> my head how to do it.

That or re-use an existing Launchpad group used by OpenStack VMT?
fungi, thoughts?

--
Emilien Macchi