[openstack-dev] [Nova] Security vulnerability contacts

2013-11-18 Thread Russell Bryant
Greetings,

I'm on a quest to address Nova's project management growing pains and to
make sure the Nova PTL is never an unnecessary bottleneck.  One area
that has been identified as needing a small team is handling Nova
security vulnerability reports.

We have the nova-coresec team on launchpad [1], which is currently all
of nova-core.  We need to re-work this to be a small subset of nova-core
that is specifically interested in being the primary contacts for
security issues.  These people will be responsible for:

1) Helping determine if a report is legitimate

2) Pulling in the right expertise as necessary to analyze and/or fix a
problem

3) Helping develop fixes for security issues

4) Helping to review security fixes (they must be reviewed in advance,
before going to gerrit, because the patches are under embargo)

I'm happy to be on this team, but I would like a few people with broad
expertise to help out.

For more information on the vulnerability management process, see [2].

Who's in?

[1] https://launchpad.net/~nova-coresec
[2] https://wiki.openstack.org/wiki/Vulnerability_Management

-- 
Russell Bryant

___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [Nova] Security vulnerability contacts

2013-11-18 Thread Sriram Subramanian
Russell,

(ccing Bryan, Rob)

Thanks for the initiative. We at the OpenStack Security Group
<https://launchpad.net/~openstack-ossg> are doing a
large part of these tasks now and are looking for more help (particularly
around reviews from people that are intimate to the project internals).
Here are some pointers
<https://wiki.openstack.org/wiki/Security/How_To_Contribute#How_To_Contribute_To_The_OpenStack_Security_Group_.28OSSG.29>
on how to get involved. You probably are inviting more volunteers for
OSSG;
I am just trying to make it clearer. If not, we need to work to make sure
the efforts are aligned and not duplicated.

Thanks,
-Sriram


On Mon, Nov 18, 2013 at 9:50 AM, Russell Bryant rbry...@redhat.com wrote:

> Greetings,
>
> I'm on a quest to address Nova's project management growing pains and to
> make sure the Nova PTL is never an unnecessary bottleneck.  One area
> that has been identified as needing a small team is handling Nova
> security vulnerability reports.
>
> We have the nova-coresec team on launchpad [1], which is currently all
> of nova-core.  We need to re-work this to be a small subset of nova-core
> that is specifically interested in being the primary contacts for
> security issues.  These people will be responsible for:
>
> 1) Helping determine if a report is legitimate
>
> 2) Pulling in the right expertise as necessary to analyze and/or fix a
> problem
>
> 3) Helping develop fixes for security issues
>
> 4) Helping to review security fixes (they must be reviewed in advance,
> before going to gerrit, because the patches are under embargo)
>
> I'm happy to be on this team, but I would like a few people with broad
> expertise to help out.
>
> For more information on the vulnerability management process, see [2].
>
> Who's in?
>
> [1] https://launchpad.net/~nova-coresec
> [2] https://wiki.openstack.org/wiki/Vulnerability_Management
>
> --
> Russell Bryant





-- 
Thanks,
-Sriram