Re: [openstack-dev] [security] [telemetry] How to handle security bugs
On Tue, Jan 17 2017, Jeremy Stanley wrote:

> Others have already answered most of your questions in this thread,
> but since nobody from the VMT has chimed in yet I'll just state on
> our behalf that we're generally happy to consult privately or
> publicly on any suspected vulnerability report within the OpenStack
> ecosystem (and sometimes beyond). If you subscribe
> openstack-vuln-mgmt (OpenStack Vulnerability Management team) on
> Launchpad to the private bug in question we'll get notified
> automatically and take a look. For deliverables with the
> vulnerability:managed governance tag this happens automatically and
> we prioritize our time toward those, but we're available to help on
> others as well on a best-effort basis and time permitting.
>
> The VMT's process document exists primarily for the purposes of
> transparency, and outlines the steps we follow and templates we use
> when triaging suspected vulnerabilities for OpenStack deliverables
> with the vulnerability:managed governance tag. It's also usable in
> great part by other deliverables, and though the VMT doesn't
> officially take responsibility for those we're still usually able to
> help take you through the process and answer questions. If you need
> to reach us through a secure channel, E-mail addresses and
> corresponding OpenPGP keys are published at
> https://security.openstack.org/#how-to-report-security-issues-to-openstack
> for anyone who needs them.

Amazing feedback, thanks Jeremy.

-- 
Julien Danjou
/* Free Software hacker
   https://julien.danjou.info */

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Re: [openstack-dev] [security] [telemetry] How to handle security bugs
On 2017-01-17 13:26:02 +0100 (+0100), Julien Danjou wrote:
> I've asked on #openstack-security without success, so let me try here
> instead:
>
> We, Telemetry, have a security bug and we're not managed by VMT, any
> hint as how to handle our bug? Or how to get covered by VMT?

Others have already answered most of your questions in this thread,
but since nobody from the VMT has chimed in yet I'll just state on
our behalf that we're generally happy to consult privately or
publicly on any suspected vulnerability report within the OpenStack
ecosystem (and sometimes beyond). If you subscribe
openstack-vuln-mgmt (OpenStack Vulnerability Management team) on
Launchpad to the private bug in question we'll get notified
automatically and take a look. For deliverables with the
vulnerability:managed governance tag this happens automatically and
we prioritize our time toward those, but we're available to help on
others as well on a best-effort basis and time permitting.

The VMT's process document exists primarily for the purposes of
transparency, and outlines the steps we follow and templates we use
when triaging suspected vulnerabilities for OpenStack deliverables
with the vulnerability:managed governance tag. It's also usable in
great part by other deliverables, and though the VMT doesn't
officially take responsibility for those we're still usually able to
help take you through the process and answer questions. If you need
to reach us through a secure channel, E-mail addresses and
corresponding OpenPGP keys are published at
https://security.openstack.org/#how-to-report-security-issues-to-openstack
for anyone who needs them.

-- 
Jeremy Stanley
Re: [openstack-dev] [security] [telemetry] How to handle security bugs
On Tue, Jan 17 2017, Ian Cordasco wrote:

> Or, perhaps the last time people complained that the process
> documentation was too detailed and the telemetry project decided it
> didn't want to have to follow it? If that's the case, following the
> embargoed procedures might not be what you want as a project. At that
> point, you don't need to work with the VMT and you can immediately
> open the bug to start collaborating on Gerrit. You of course open up
> all of your deployers to being targeted, but that's the project's call
> in the end I guess.

Yeah, it sucks, though if you have little help (resources) from the
deployers, that's what is going to happen sooner or later.

> I would think that if you want the "vulnerability:managed" tag, you
> might be willing to follow the process outlined. Perhaps it's verbose,
> but it is verbose for good reason. OpenStack's handling of embargoed
> issues is pretty much as good as it gets for a project the size of
> OpenStack. It benefits deployers and users by making the issue AND the
> fix known at the same time which gives deployers the ability to
> immediately consume the fix.

Yeah, don't read me wrong (though I was not precise :-), but we don't
have any problem with _respecting_ the procedure. I think for small
projects like us it is nearly impossible to _apply_ the procedure on our
own: requesting a CVE, OSSA, OSSN, getting the right classification,
publishing, getting in touch with downstream... is too much work for such
small teams.

-- 
Julien Danjou
;; Free Software hacker
;; https://julien.danjou.info
Re: [openstack-dev] [security] [telemetry] How to handle security bugs
On Tue, Jan 17, 2017 at 8:02 AM, Julien Danjou wrote:
> On Tue, Jan 17 2017, Adam Heczko wrote:
>
>> Hi Julien, I think that you should follow this [1] workflow.
>>
>> TL;DR: Pls make sure that if the bug is serious make it private on LP so
>> that only core team members can access it and propose patches. Please do
>> not send patches to Gerrit review queue but rather attach it to LP bug
>> ticket and discuss there. Contact VMT members to get more details on how to
>> get Telemetry project covered by VMT.
>>
>> [1] https://security.openstack.org/vmt-process.html
>
> IMHO that's a problem. The page is so long and the process so complex
> that if nobody has the time to do all of that, it'll never be fixed or
> I'll just send the patch to Gerrit to get it fixed and be done with it.
>
> At first glance Telemetry matches all requirements to get covered by
> VMT. IIRC last time we asked for it we got punted because there was
> already too much work for the VMT team. But if that's possible, we'd be
> glad to apply again. :-)

Or, perhaps the last time people complained that the process
documentation was too detailed and the telemetry project decided it
didn't want to have to follow it? If that's the case, following the
embargoed procedures might not be what you want as a project. At that
point, you don't need to work with the VMT and you can immediately
open the bug to start collaborating on Gerrit. You of course open up
all of your deployers to being targeted, but that's the project's call
in the end I guess.

I would think that if you want the "vulnerability:managed" tag, you
might be willing to follow the process outlined. Perhaps it's verbose,
but it is verbose for good reason. OpenStack's handling of embargoed
issues is pretty much as good as it gets for a project the size of
OpenStack. It benefits deployers and users by making the issue AND the
fix known at the same time which gives deployers the ability to
immediately consume the fix.

-- 
Ian Cordasco
Re: [openstack-dev] [security] [telemetry] How to handle security bugs
On Tue, Jan 17 2017, Rob C wrote:

> Ian has provided advice on how you might become security managed, which
> is a good aspiration for any team to have.
>
> However, if you have a serious security issue that you need help mitigating
> the security project can help. We can work with you on the solution and also
> issue an OpenStack Security Note to notify users of the update/patch that
> they might need to apply.
>
> Please go ahead and add me to the security bug, if required I'll add other
> core-sec people as required.

Thanks a lot Rob, that's very helpful. I'll add you.

-- 
Julien Danjou
/* Free Software hacker
   https://julien.danjou.info */
Re: [openstack-dev] [security] [telemetry] How to handle security bugs
On Tue, Jan 17 2017, Adam Heczko wrote:

> Hi Julien, I think that you should follow this [1] workflow.
>
> TL;DR: Pls make sure that if the bug is serious make it private on LP so
> that only core team members can access it and propose patches. Please do
> not send patches to Gerrit review queue but rather attach it to LP bug
> ticket and discuss there. Contact VMT members to get more details on how to
> get Telemetry project covered by VMT.
>
> [1] https://security.openstack.org/vmt-process.html

IMHO that's a problem. The page is so long and the process so complex
that if nobody has the time to do all of that, it'll never be fixed or
I'll just send the patch to Gerrit to get it fixed and be done with it.

At first glance Telemetry matches all requirements to get covered by
VMT. IIRC last time we asked for it we got punted because there was
already too much work for the VMT team. But if that's possible, we'd be
glad to apply again. :-)

-- 
Julien Danjou
# Free Software hacker
# https://julien.danjou.info
Re: [openstack-dev] [security] [telemetry] How to handle security bugs
You've done the right thing by posting here with the [Security] tag.

Ian has provided advice on how you might become security managed, which
is a good aspiration for any team to have.

However, if you have a serious security issue that you need help mitigating
the security project can help. We can work with you on the solution and also
issue an OpenStack Security Note to notify users of the update/patch that
they might need to apply.

Please go ahead and add me to the security bug, if required I'll add other
core-sec people as required.

Cheers
-Rob

On Tue, Jan 17, 2017 at 1:14 PM, Adam Heczko wrote:
> Hi Julien, I think that you should follow this [1] workflow.
>
> TL;DR: Pls make sure that if the bug is serious make it private on LP so
> that only core team members can access it and propose patches. Please do
> not send patches to Gerrit review queue but rather attach it to LP bug
> ticket and discuss there. Contact VMT members to get more details on how to
> get Telemetry project covered by VMT.
>
> [1] https://security.openstack.org/vmt-process.html
>
> On Tue, Jan 17, 2017 at 1:26 PM, Julien Danjou wrote:
>
>> Hi,
>>
>> I've asked on #openstack-security without success, so let me try here
>> instead:
>>
>> We, Telemetry, have a security bug and we're not managed by VMT, any
>> hint as how to handle our bug? Or how to get covered by VMT?
>>
>> Cheers,
>> --
>> Julien Danjou
>> /* Free Software hacker
>>    https://julien.danjou.info */
>
> --
> Adam Heczko
> Security Engineer @ Mirantis Inc.
Re: [openstack-dev] [security] [telemetry] How to handle security bugs
Hi Julien, I think that you should follow this [1] workflow.

TL;DR: Pls make sure that if the bug is serious make it private on LP so
that only core team members can access it and propose patches. Please do
not send patches to Gerrit review queue but rather attach it to LP bug
ticket and discuss there. Contact VMT members to get more details on how to
get Telemetry project covered by VMT.

[1] https://security.openstack.org/vmt-process.html

On Tue, Jan 17, 2017 at 1:26 PM, Julien Danjou wrote:
> Hi,
>
> I've asked on #openstack-security without success, so let me try here
> instead:
>
> We, Telemetry, have a security bug and we're not managed by VMT, any
> hint as how to handle our bug? Or how to get covered by VMT?
>
> Cheers,
> --
> Julien Danjou
> /* Free Software hacker
>    https://julien.danjou.info */

-- 
Adam Heczko
Security Engineer @ Mirantis Inc.
Re: [openstack-dev] [security] [telemetry] How to handle security bugs
On Tue, Jan 17, 2017 at 6:26 AM, Julien Danjou wrote:
> Hi,
>
> I've asked on #openstack-security without success, so let me try here
> instead:
>
> We, Telemetry, have a security bug and we're not managed by VMT, any
> hint as how to handle our bug? Or how to get covered by VMT?

So, in terms of process I'd advise you read
https://security.openstack.org/vmt-process.html because it describes how
the VMT process works.

I believe
http://docs.openstack.org/project-team-guide/vulnerability-management.html
described that you need to be "security-supported" which involves joining
the list of projects with the "vulnerability:managed" tag
(https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html).
https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html#requirements
describes the requirements to attain that tag.

Cheers,
-- 
Ian Cordasco
[openstack-dev] [security] [telemetry] How to handle security bugs
Hi,

I've asked on #openstack-security without success, so let me try here
instead:

We, Telemetry, have a security bug and we're not managed by VMT, any
hint as how to handle our bug? Or how to get covered by VMT?

Cheers,
-- 
Julien Danjou
/* Free Software hacker
   https://julien.danjou.info */