Re: [Openstack-poc] PPB Tuesday Meeting

2011-08-16 Thread Jarret Raim
Soren, I see the Group handling vulnerability tracking in addition to the larger role of being the security champions inside the OpenStack community. This might include documentation, examples, coordinating paid testing from companies like Rackspace, etc. I agree that for just vulnerability ma

Re: [Openstack-poc] PPB Tuesday Meeting

2011-08-16 Thread Jarret Raim
"Security notification email address (secur...@openstack.org)" Do we really need this, in addition to the "security issue" flag in LP and the private individual addresses? I'm not sure either way... On one hand, one more medium to watch, on the other, security@ is common practice... Would it just

Re: [Openstack-poc] PPB Tuesday Meeting

2011-08-16 Thread Soren Hansen
2011/8/16 Jarret Raim :
> I changed the text for the initial group membership to limit it to 8. I'm
> happy to lower it if that seems too high.

I wonder what your motivations are for such a large group? These are not people doing security auditing or anything like that. I see this as a very small g

Re: [Openstack-poc] PPB Tuesday Meeting

2011-08-16 Thread Thierry Carrez
Hey Jarret,

Thanks for fixing the draft. Two minor remarks:

"Security notification email address (secur...@openstack.org)"

Do we really need this, in addition to the "security issue" flag in LP and the private individual addresses? I'm not sure either way... On one hand, one more medium to watc

Re: [Openstack-poc] PPB Tuesday Meeting

2011-08-16 Thread Jarret Raim
Jay,

>No problems at all, just wanted some more details on what you meant,
>that's all. Sounds perfectly fine. I think in the future, those
>private resources should also include a security-focused test suite
>and possibly some lab hardware that could run a Jenkins builder that
>fires such a secu

Re: [Openstack-poc] PPB Tuesday Meeting

2011-08-16 Thread Jarret Raim
Jay,

Thanks for the comments. I had changed the text below to be specific about LaunchPad, but I had missed the part you pointed out. I went ahead and changed that to:

* Operate a private security mailing list and curate private issues in LaunchPad for tracking & resolving vulnerabilities.

Hopef

Re: [Openstack-poc] PPB Tuesday Meeting

2011-08-16 Thread Jay Pipes
Hi Jarret! Comments inline :)

On Tue, Aug 16, 2011 at 3:04 PM, Jarret Raim wrote:
> Jay,
>
> Thanks for the comments. I had changed the text below to be specific about
> LaunchPad, but I had missed the part you pointed out. I went ahead and
> changed that to:
>
> * Operate a private security mail

Re: [Openstack-poc] PPB Tuesday Meeting

2011-08-16 Thread Jay Pipes
I think this bullet:

* Operate a private security mailing list and issue tracker for tracking & resolving vulnerabilities.

Is what Thierry was suggesting should be changed to remove the separate issue tracker, since Launchpad already provides security/private bug functionality. Also, this senten

Re: [Openstack-poc] PPB Tuesday Meeting

2011-08-16 Thread Jonathan Bryce
Jarret made updates to address most of Thierry's comments. Updated version still available at http://wiki.openstack.org/Governance/Proposed/OpenStack%20Security%20Group

Jonathan.

On Aug 16, 2011, at 12:01 PM, Jonathan Bryce wrote:
> Thanks for the feedback. I forwarded it to Jarret and asked h

Re: [Openstack-poc] PPB Tuesday Meeting

2011-08-16 Thread Jonathan Bryce
Thanks for the feedback. I forwarded it to Jarret and asked him to update the proposal before we vote on it.

Jonathan.

On Aug 16, 2011, at 11:34 AM, Thierry Carrez wrote:
> Joshua McKenty wrote:
>> What's the logic to use personal email addresses? I agree with needing GPG
>> keys, but I think

Re: [Openstack-poc] PPB Tuesday Meeting

2011-08-16 Thread Thierry Carrez
Joshua McKenty wrote:
> What's the logic to use personal email addresses? I agree with needing GPG
> keys, but I think there's an obvious role for company-level participation. Or
> did you just mean "no group addresses", which I definitely agree with.

Yes, the idea is "no group address", so that

Re: [Openstack-poc] PPB Tuesday Meeting

2011-08-16 Thread Jay Pipes
Fully agree with Thierry's comments here.

-jay

On Tue, Aug 16, 2011 at 7:57 AM, Thierry Carrez wrote:
> Jonathan Bryce wrote:
>> 2) Review security group proposal
>> - http://wiki.openstack.org/Governance/Proposed/OpenStack%20Security%20Group
>>

Re: [Openstack-poc] PPB Tuesday Meeting

2011-08-16 Thread Thierry Carrez
Jonathan Bryce wrote:
> 2) Review security group proposal
> - http://wiki.openstack.org/Governance/Proposed/OpenStack%20Security%20Group
>
> Following on some of the discussion from a few weeks ago, a Rackspace
> employee put