Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2014-07-01 Thread Lyle, David
Welcome Zhenguo and Ana to Horizon core.

David


On 6/20/14, 3:17 PM, Lyle, David david.l...@hp.com wrote:

I would like to nominate Zhenguo Niu and Ana Krivokapic to Horizon core.

Zhenguo has been a prolific reviewer for the past two releases providing
high quality reviews. And providing a significant number of patches over
the past three releases.

Ana has been a significant reviewer in the Icehouse and Juno release
cycles. She has also contributed several patches in this timeframe to both
Horizon and tuskar-ui.

Please feel free to respond in public or private your support or any
concerns.

Thanks,
David


___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2014-07-01 Thread Zhenguo Niu
Thank you everyone, I'll do my best!

Sent from my iPhone

 On Jul 1, 2014, at 22:37, Lyle, David david.l...@hp.com wrote:
 
 Welcome Zhenguo and Ana to Horizon core.
 
 David
 
 
 On 6/20/14, 3:17 PM, Lyle, David david.l...@hp.com wrote:
 
 I would like to nominate Zhenguo Niu and Ana Krivokapic to Horizon core.
 
 Zhenguo has been a prolific reviewer for the past two releases providing
 high quality reviews. And providing a significant number of patches over
 the past three releases.
 
 Ana has been a significant reviewer in the Icehouse and Juno release
 cycles. She has also contributed several patches in this timeframe to both
 Horizon and tuskar-ui.
 
 Please feel free to respond in public or private your support or any
 concerns.
 
 Thanks,
 David
 
 


Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2014-06-24 Thread Tatiana Ovtchinnikova
+1 and +1
Thank you Ana and Zhenguo!

--
Kind regards,
Tatiana


2014-06-21 1:17 GMT+04:00 Lyle, David david.l...@hp.com:

 I would like to nominate Zhenguo Niu and Ana Krivokapic to Horizon core.

 Zhenguo has been a prolific reviewer for the past two releases providing
 high quality reviews. And providing a significant number of patches over
 the past three releases.

 Ana has been a significant reviewer in the Icehouse and Juno release
 cycles. She has also contributed several patches in this timeframe to both
 Horizon and tuskar-ui.

 Please feel free to respond in public or private your support or any
 concerns.

 Thanks,
 David




Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2014-06-24 Thread Tihomir Trifonov
+1
+1

Deserved.


On Tue, Jun 24, 2014 at 10:41 AM, Tatiana Ovtchinnikova 
t.v.ovtchinnik...@gmail.com wrote:

 +1 and +1
 Thank you Ana and Zhenguo!

 --
 Kind regards,
 Tatiana


 2014-06-21 1:17 GMT+04:00 Lyle, David david.l...@hp.com:

 I would like to nominate Zhenguo Niu and Ana Krivokapic to Horizon core.

 Zhenguo has been a prolific reviewer for the past two releases providing
 high quality reviews. And providing a significant number of patches over
 the past three releases.

 Ana has been a significant reviewer in the Icehouse and Juno release
 cycles. She has also contributed several patches in this timeframe to both
 Horizon and tuskar-ui.

 Please feel free to respond in public or private your support or any
 concerns.

 Thanks,
 David







-- 
Regards,
Tihomir Trifonov


Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2014-06-24 Thread Matthias Runge
On Fri, Jun 20, 2014 at 09:17:41PM +, Lyle, David wrote:
 I would like to nominate Zhenguo Niu and Ana Krivokapic to Horizon core.
 
 Zhenguo has been a prolific reviewer for the past two releases providing
 high quality reviews. And providing a significant number of patches over
 the past three releases.
 
 Ana has been a significant reviewer in the Icehouse and Juno release
 cycles. She has also contributed several patches in this timeframe to both
 Horizon and tuskar-ui.
 
 Please feel free to respond in public or private your support or any
 concerns.
 

Thank you!
+1 for both!

Matthias
-- 
Matthias Runge mru...@redhat.com



Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2014-06-24 Thread Julie Pichon
On 20/06/14 22:17, Lyle, David wrote:
 I would like to nominate Zhenguo Niu and Ana Krivokapic to Horizon core.
 
 Zhenguo has been a prolific reviewer for the past two releases providing
 high quality reviews. And providing a significant number of patches over
 the past three releases.
 
 Ana has been a significant reviewer in the Icehouse and Juno release
 cycles. She has also contributed several patches in this timeframe to both
 Horizon and tuskar-ui.
 
 Please feel free to respond in public or private your support or any
 concerns.

+1 to both!

Julie


 
 Thanks,
 David
 
 


Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2014-06-24 Thread AMIT PRAKASH PANDEY
+1 to both


On Tue, Jun 24, 2014 at 1:48 PM, Julie Pichon jpic...@redhat.com wrote:

 On 20/06/14 22:17, Lyle, David wrote:
  I would like to nominate Zhenguo Niu and Ana Krivokapic to Horizon core.
 
  Zhenguo has been a prolific reviewer for the past two releases providing
  high quality reviews. And providing a significant number of patches over
  the past three releases.
 
  Ana has been a significant reviewer in the Icehouse and Juno release
  cycles. She has also contributed several patches in this timeframe to both
  Horizon and tuskar-ui.
 
  Please feel free to respond in public or private your support or any
  concerns.

 +1 to both!

 Julie


 
  Thanks,
  David
 
 


Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2014-06-24 Thread Jiri Tomasek

On 06/20/2014 11:17 PM, Lyle, David wrote:

I would like to nominate Zhenguo Niu and Ana Krivokapic to Horizon core.

Zhenguo has been a prolific reviewer for the past two releases providing
high quality reviews. And providing a significant number of patches over
the past three releases.

Ana has been a significant reviewer in the Icehouse and Juno release
cycles. She has also contributed several patches in this timeframe to both
Horizon and tuskar-ui.

Please feel free to respond in public or private your support or any
concerns.

Thanks,
David




+1 to both, thanks for your hard work!

Jirka



Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2014-06-23 Thread Radomir Dopieralski
On 20/06/14 23:17, Lyle, David wrote:
 I would like to nominate Zhenguo Niu and Ana Krivokapic to Horizon core.
 
 Zhenguo has been a prolific reviewer for the past two releases providing
 high quality reviews. And providing a significant number of patches over
 the past three releases.
 
 Ana has been a significant reviewer in the Icehouse and Juno release
 cycles. She has also contributed several patches in this timeframe to both
 Horizon and tuskar-ui.
 
 Please feel free to respond in public or private your support or any
 concerns.

Ana +1
Zhenguo +1

Thank you for your great work guys!

-- 
Radomir Dopieralski




[openstack-dev] [Horizon] Nominations to Horizon Core

2014-06-20 Thread Lyle, David
I would like to nominate Zhenguo Niu and Ana Krivokapic to Horizon core.

Zhenguo has been a prolific reviewer for the past two releases providing
high quality reviews. And providing a significant number of patches over
the past three releases.

Ana has been a significant reviewer in the Icehouse and Juno release
cycles. She has also contributed several patches in this timeframe to both
Horizon and tuskar-ui.

Please feel free to respond in public or private your support or any
concerns.

Thanks,
David




Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-12 Thread Thierry Carrez
Lyle, David wrote:
 So again, nothing prevents a non-core security reviewer from reviewing 
 blueprints and doing code reviews.  Believe me any security minded input is 
 always welcome and weighed carefully.
 
 Although the principle of having a minimum number of security reviewers in 
 core is certainly a fair point of debate, in this particular case, the 
 participation level does not warrant the outcry.  

Right. While I agree that Paul was extremely helpful in the handling of
security vulnerabilities that were found in Horizon in the past, and his
security insight is definitely wanted in code reviews, I really don't
think he needs to be a core reviewer to make that happen.

Core reviewing is about quality *and* volume. If you only have time for
quality, then regular reviewing is what you should do (that's what I try
to do: infrequently chime in on stuff I have an opinion on, as opposed
to regularly review ANYTHING that comes up). Now if your -1s were
routinely ignored and you felt like this had a negative impact on the
security of the project, that would be a different story... But in the
present case, I think David makes the right decision.

-- 
Thierry Carrez (ttx)



Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-12 Thread Russell Bryant
On 12/11/2013 11:08 PM, Bryan D. Payne wrote:
 We can involve people in security reviews without having them on the
 core review team.  They are separate concerns.
 
 
 Yes, but those people can't ultimately approve the patch.  So you'd need
 to have a security reviewer do their review, and then someone who isn't
 a security person be able to offer the +1/+2 based on the opinion of the
 security reviewer.  This doesn't make any sense to me.  You're involving
 an extra person needlessly, and creating extra work.

I don't want someone not regularly looking at changes going into the
code able to do the ultimate approval of any patch.  I think this is
working as designed.  Including the extra person in this case is a good
thing.

 
  
 
 This has been discussed quite a bit.  We can't handle security patches
 on gerrit right now while they are embargoed because we can't completely
 hide them.
 
 
 I think that you're confusing security reviews of new code changes with
 reviews of fixes to security problems.  In this part of my email, I'm
 talking about the former.  These are not embargoed.  They are just the
 everyday improvements to the system.  That is the best time to identify
 and gate on security issues.  Without someone on core that can give a -2
 when there's a problem, this will basically never happen.  Then we'll be
 back to fixing a greater number of things as bugs.

Anyone can offer a -1, and that will be paid attention to.  If that ever
doesn't happen, let's talk about it.

-- 
Russell Bryant



Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-12 Thread Bryan D. Payne
I just wanted to close the loop here.  I understand the position that
others are taking and it appears that I'm outnumbered :-)  While I disagree
with this approach, it sounds like that's where we are at today.  Even with
this decision, I would encourage the horizon dev team to utilize Paul as a
security resource.

Perhaps the best way to flag something as needing a security review in
gerrit is to tag your PRs by writing SecurityImpact in the commit
message.  This will trigger a message to the openstack-security mailing
list.  Which should (hopefully!) result in some additional eyes on the code.

Cheers,
-bryan


Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-12 Thread Paul McMillan
 From: Russell Bryant rbry...@redhat.com
 We can involve people in security reviews without having them on the
 core review team.  They are separate concerns.

As I noted in my original mail, this was my primary concern. I just didn't want 
not core to stand in the way of is appropriate to provide security review 
for private patches on Launchpad. If that is the case, I want to be sure that 
there is someone on core who has the appropriate domain-specific knowledge to 
make sure the patch is thorough and correct.

I'll leave the rest of the argument about why this is important for after I 
finish filing the tickets and fixes are released so we can publicly talk about 
it.

-Paul


Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-11 Thread Jaromir Coufal



On 2013/10/12 21:24, Lyle, David wrote:

I would like to nominate Tatiana Mazur to Horizon Core.  Tatiana has been a 
significant code contributor in the last two releases, understands the code 
base well and has been doing a significant number of reviews for the last two
milestones.

+1


Additionally, I'd like to remove some inactive members of Horizon-core who have 
been inactive since the early Grizzly release at the latest.
Devin Carlen
Jake Dahn
Jesse Andrews
Joe Heck
John Postlethwait
Paul McMillan
Todd Willey
Tres Henry
paul-tashima
sleepsonthefloor

+1 - haven't seen much activity.

-- Jarda



Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-11 Thread Jiri Tomasek

+1 for Tatiana Mazur to Horizon Core



On 12/10/2013 09:24 PM, Lyle, David wrote:

I would like to nominate Tatiana Mazur to Horizon Core.  Tatiana has been a 
significant code contributor in the last two releases, understands the code 
base well and has been doing a significant number of reviews for the last two
milestones.


Additionally, I'd like to remove some inactive members of Horizon-core who have 
been inactive since the early Grizzly release at the latest.
Devin Carlen
Jake Dahn
Jesse Andrews
Joe Heck
John Postlethwait
Paul McMillan
Todd Willey
Tres Henry
paul-tashima
sleepsonthefloor


Please respond with a +1/-1 by this Friday.

-David Lyle






Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-11 Thread Ladislav Smola

+1 for Tatiana Mazur to Horizon Core

not sure if only cores should do the vote, but Tatiana has been very 
active, so it will be well deserved. :-)



On 12/11/2013 01:09 PM, Jiri Tomasek wrote:

+1 for Tatiana Mazur to Horizon Core



On 12/10/2013 09:24 PM, Lyle, David wrote:
I would like to nominate Tatiana Mazur to Horizon Core.  Tatiana has 
been a significant code contributor in the last two releases, 
understands the code base well and has been doing a significant 
number of reviews for the last two milestones.



Additionally, I'd like to remove some inactive members of 
Horizon-core who have been inactive since the early Grizzly release 
at the latest.

Devin Carlen
Jake Dahn
Jesse Andrews
Joe Heck
John Postlethwait
Paul McMillan
Todd Willey
Tres Henry
paul-tashima
sleepsonthefloor


Please respond with a +1/-1 by this Friday.

-David Lyle






Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-11 Thread Russell Bryant
On 12/10/2013 05:57 PM, Paul McMillan wrote:
 +1 on Tatiana Mazur, she's been doing a bunch of good work lately.
 
 I'm fine with me being removed from core provided you have someone else 
 qualified to address security issues as they come up. My contributions have 
 lately been reviewing and responding to security issues, vetting fixes for 
 those, and making sure they happen in a timely fashion. Fortunately, we 
 haven't had too many of those lately. Other than that, I've been lurking and 
 reviewing to make sure nothing egregious gets committed.
 
 If you don't have anyone else who is a web security specialist on the core 
 team, I'd like to stay. Since I'm also a member of the Django security team, 
 I offer a significant chunk of knowledge about how the underlying security 
 protections are intended to work.

Security reviews aren't done on gerrit, though.  They are handled in
launchpad bugs.  It seems you could still contribute in this way without
being on the horizon-core team responsible for reviewing normal changes
in gerrit.

The bigger point is that you don't have to be on whatever-core to
contribute productively to reviews.  I think every project has people
that make important review contributions, but aren't necessarily
reviewing regularly enough to be whatever-core.

-- 
Russell Bryant



Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-11 Thread Monty Taylor


On 12/11/2013 03:51 PM, Russell Bryant wrote:
 On 12/10/2013 05:57 PM, Paul McMillan wrote:
 +1 on Tatiana Mazur, she's been doing a bunch of good work lately.

 I'm fine with me being removed from core provided you have someone else 
 qualified to address security issues as they come up. My contributions have 
 lately been reviewing and responding to security issues, vetting fixes for 
 those, and making sure they happen in a timely fashion. Fortunately, we 
 haven't had too many of those lately. Other than that, I've been lurking and 
 reviewing to make sure nothing egregious gets committed.

 If you don't have anyone else who is a web security specialist on the core 
 team, I'd like to stay. Since I'm also a member of the Django security team, 
 I offer a significant chunk of knowledge about how the underlying security 
 protections are intended to work.
 
 Security reviews aren't done on gerrit, though.  They are handled in
 launchpad bugs.  It seems you could still contribute in this way without
 being on the horizon-core team responsible for reviewing normal changes
 in gerrit.
 
 The bigger point is that you don't have to be on whatever-core to
 contribute productively to reviews.  I think every project has people
 that make important review contributions, but aren't necessarily
 reviewing regularly enough to be whatever-core.

And as a follow up - I betcha the vulnerability-management team would
LOVE to have you!



Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-11 Thread Lyle, David

 -Original Message-
 From: Monty Taylor [mailto:mord...@inaugust.com]
 Sent: Wednesday, December 11, 2013 10:28 AM
 To: openstack-dev@lists.openstack.org
 Subject: Re: [openstack-dev] [Horizon] Nominations to Horizon Core
 
 
 
 On 12/11/2013 03:51 PM, Russell Bryant wrote:
  On 12/10/2013 05:57 PM, Paul McMillan wrote:
  +1 on Tatiana Mazur, she's been doing a bunch of good work lately.
 
  I'm fine with me being removed from core provided you have someone
 else qualified to address security issues as they come up. My contributions
 have lately been reviewing and responding to security issues, vetting fixes
 for those, and making sure they happen in a timely fashion. Fortunately, we
 haven't had too many of those lately. Other than that, I've been lurking and
 reviewing to make sure nothing egregious gets committed.
 
  If you don't have anyone else who is a web security specialist on the core
 team, I'd like to stay. Since I'm also a member of the Django security team, I
 offer a significant chunk of knowledge about how the underlying security
 protections are intended to work.
 
  Security reviews aren't done on gerrit, though.  They are handled in
  launchpad bugs.  It seems you could still contribute in this way without
  being on the horizon-core team responsible for reviewing normal changes
  in gerrit.
 
  The bigger point is that you don't have to be on whatever-core to
  contribute productively to reviews.  I think every project has people
  that make important review contributions, but aren't necessarily
  reviewing regularly enough to be whatever-core.
 
 And as a follow up - I betcha the vulnerability-management team would
 LOVE to have you!
 

Your reviews are still valued and carry no less weight in or out of 
Horizon-core.  It really just boils down to engagement.

I agree with Monty, that vulnerability-management seems like a natural fit for 
the concerns you raise, plus it has a broader focus.

David




Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-11 Thread Akihiro Motoki
+1 for both Tatiana and cleaning up the core list.


On Wed, Dec 11, 2013 at 5:24 AM, Lyle, David david.l...@hp.com wrote:
 I would like to nominate Tatiana Mazur to Horizon Core.  Tatiana has been a 
 significant code contributor in the last two releases, understands the code 
 base well and has been doing a significant number of reviews for the last two
 milestones.


 Additionally, I'd like to remove some inactive members of Horizon-core who 
 have been inactive since the early Grizzly release at the latest.
 Devin Carlen
 Jake Dahn
 Jesse Andrews
 Joe Heck
 John Postlethwait
 Paul McMillan
 Todd Willey
 Tres Henry
 paul-tashima
 sleepsonthefloor


 Please respond with a +1/-1 by this Friday.

 -David Lyle






Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-11 Thread Kieran Spear
+1 for Tatiana and the clean-up.

On 11 December 2013 07:24, Lyle, David david.l...@hp.com wrote:
 I would like to nominate Tatiana Mazur to Horizon Core.  Tatiana has been a 
 significant code contributor in the last two releases, understands the code 
 base well and has been doing a significant number of reviews for the last two
 milestones.


 Additionally, I'd like to remove some inactive members of Horizon-core who 
 have been inactive since the early Grizzly release at the latest.
 Devin Carlen
 Jake Dahn
 Jesse Andrews
 Joe Heck
 John Postlethwait
 Paul McMillan
 Todd Willey
 Tres Henry
 paul-tashima
 sleepsonthefloor


 Please respond with a +1/-1 by this Friday.

 -David Lyle






Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-11 Thread Jeremy Stanley
On 2013-12-11 18:28:14 +0100 (+0100), Monty Taylor wrote:
 On 12/11/2013 03:51 PM, Russell Bryant wrote:
  On 12/10/2013 05:57 PM, Paul McMillan wrote:
  [...]
   If you don't have anyone else who is a web security specialist
   on the core team, I'd like to stay. Since I'm also a member of
   the Django security team, I offer a significant chunk of
   knowledge about how the underlying security protections are
   intended to work.
  
  Security reviews aren't done on gerrit, though.  They are
  handled in launchpad bugs.  It seems you could still contribute
  in this way without being on the horizon-core team responsible
  for reviewing normal changes in gerrit.
  [...]
 
 And as a follow up - I betcha the vulnerability-management team
 would LOVE to have you!

In particular, there are plenty of open public vulnerabilities
throughout OpenStack in various states of being addressed which you
can pitch in on even with fairly limited levels of commitment.
Anything which needs an advisory, or which we think might need one
but are not yet sure, is listed at https://bugs.launchpad.net/ossa
(with privately-reported and still embargoed issues being the
exception). Whatever you see there which piques your interest,
whether it needs testing/confirmation, a patch or even just an
expert opinion on exploitability/risk would be a welcome
contribution.

Any help we get dealing with already public vulnerabilities frees up
more of our time to focus on embargoed items while still keeping the
core group small (minimizing risk of premature disclosure). More
info at...

https://wiki.openstack.org/wiki/Vulnerability_Management

/end_public_service_announcement

-- 
Jeremy Stanley




Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-11 Thread Bryan D. Payne
Re: Removing Paul McMillan from core

I would argue that it is critical that each project have 1-2 people on core
that are security experts.  The VMT is an intentionally small team.  They
are moving to having specifically appointed security sub-teams on each
project (I believe this is what I heard at the last summit).  These teams
would be a subset of the core devs that can handle security reviews.  The
idea is that these people would then be able to +1 / -1 embargoed security
patches.  So having someone like Paul on Horizon core would be very
valuable for such things.

In addition, I think that gerrit is exactly where security reviews *should*
be happening.  Much better to catch things before they are merged, rather
than as bugs after-the-fact.  Would we rather have a -1 on a code review
than a CVE?

My 2 cents,
-bryan (from OSSG)


Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-11 Thread Russell Bryant
On 12/11/2013 08:14 PM, Bryan D. Payne wrote:
 Re: Removing Paul McMillan from core
 
 I would argue that it is critical that each project have 1-2 people on
 core that are security experts.  The VMT is an intentionally small team.
  They are moving to having specifically appointed security sub-teams on
 each project (I believe this is what I heard at the last summit).  These
 teams would be a subset of the core devs that can handle security
 reviews.  The idea is that these people would then be able to +1 / -1
 embargoed security patches.  So having someone like Paul on Horizon core
 would be very valuable for such things.

We can involve people in security reviews without having them on the
core review team.  They are separate concerns.

 In addition, I think that gerrit is exactly where security reviews
 *should* be happening.  Much better to catch things before they are
 merged, rather than as bugs after-the-fact.  Would we rather have a -1
 on a code review than a CVE?

This has been discussed quite a bit.  We can't handle security patches
on gerrit right now while they are embargoed because we can't completely
hide them.

-- 
Russell Bryant



Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-11 Thread ZG Niu
+1


On Thu, Dec 12, 2013 at 9:14 AM, Bryan D. Payne bdpa...@acm.org wrote:

 Re: Removing Paul McMillan from core

 I would argue that it is critical that each project have 1-2 people on
 core that are security experts.  The VMT is an intentionally small team.
  They are moving to having specifically appointed security sub-teams on
 each project (I believe this is what I heard at the last summit).  These
 teams would be a subset of the core devs that can handle security reviews.
  The idea is that these people would then be able to +1 / -1 embargoed
 security patches.  So having someone like Paul on Horizon core would be
 very valuable for such things.

 In addition, I think that gerrit is exactly where security reviews
 *should* be happening.  Much better to catch things before they are merged,
 rather than as bugs after-the-fact.  Would we rather have a -1 on a code
 review than a CVE?

 My 2 cents,
 -bryan (from OSSG)





-- 
Best Regards,
NiuZG


Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-11 Thread Bryan D. Payne

 We can involve people in security reviews without having them on the
  core review team.  They are separate concerns.


Yes, but those people can't ultimately approve the patch.  So you'd need to
have a security reviewer do their review, and then someone who isn't a
security person be able to offer the +1/+2 based on the opinion of the
security reviewer.  This doesn't make any sense to me.  You're involving an
extra person needlessly, and creating extra work.



 This has been discussed quite a bit.  We can't handle security patches
 on gerrit right now while they are embargoed because we can't completely
 hide them.


I think that you're confusing security reviews of new code changes with
reviews of fixes to security problems.  In this part of my email, I'm
talking about the former.  These are not embargoed.  They are just the
everyday improvements to the system.  That is the best time to identify and
gate on security issues.  Without someone on core that can give a -2 when
there's a problem, this will basically never happen.  Then we'll be back to
fixing a greater number of things as bugs.

-bryan


Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-11 Thread Nathan Kinder
On 12/11/2013 08:08 PM, Bryan D. Payne wrote:
 We can involve people in security reviews without having them on the
 core review team.  They are separate concerns.
 
 
 Yes, but those people can't ultimately approve the patch.  So you'd need
 to have a security reviewer do their review, and then someone who isn't
 a security person be able to offer the +1/+2 based on the opinion of the
 security reviewer.  This doesn't make any sense to me.  You're involving
 an extra person needlessly, and creating extra work.
 
  
 
 This has been discussed quite a bit.  We can't handle security patches
 on gerrit right now while they are embargoed because we can't completely
 hide them.
 
 
 I think that you're confusing security reviews of new code changes with
 reviews of fixes to security problems.  In this part of my email, I'm
 talking about the former.  These are not embargoed.  They are just the
 everyday improvements to the system.  That is the best time to identify
 and gate on security issues.  Without someone on core that can give a -2
 when there's a problem, this will basically never happen.  Then we'll be
 back to fixing a greater number of things as bugs.

+1.  I'd really like to see at least one security representative per
project on core who makes sure that incoming code and blueprints are
following security best practices.  These best practices still need to
be clearly defined, but it's going to be impossible to uphold them once
they are established unless someone with review power is involved.  We
want security to be more proactive instead of reactive.

-NGK

 
 -bryan
 
 


Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-11 Thread Lyle, David
So again, nothing prevents a non-core security reviewer from reviewing 
blueprints and doing code reviews.  Believe me, any security-minded input is
always welcome and weighed carefully.

Although the principle of having a minimum number of security reviewers in core 
is certainly a fair point of debate, in this particular case, the participation 
level does not warrant the outcry.  

Per http://russellbryant.net/openstack-stats/horizon-reviewers-365.txt

Reviews for the last 365 days in horizon
** -- horizon-core team member
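+------------------+---------------------------------------+----------------+
|     Reviewer     | Reviews   -2  -1  +1  +2  +A    +/- % | Disagreements* |
+------------------+---------------------------------------+----------------+
| paul-mcmillan ** |       2    0   1   0   1   1    50.0% |     0 (  0.0%) |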

As with other projects in OpenStack, removing a person from core merely implies 
that they are not actively reviewing enough to remain current with the code 
base and provide informed reviews with regards to the architecture and project 
direction.   Also in-line with other OpenStack projects, reviewers removed from 
core who begin providing regular and meaningful reviews will have a reduced 
period of time to be re-added to core.  Which I would be very happy to see.

David 

 -Original Message-
 From: Nathan Kinder [mailto:nkin...@redhat.com]
 Sent: Wednesday, December 11, 2013 9:33 PM
 To: openstack-dev@lists.openstack.org
 Subject: Re: [openstack-dev] [Horizon] Nominations to Horizon Core
 
 On 12/11/2013 08:08 PM, Bryan D. Payne wrote:
  We can involve people in security reviews without having them on the
  core review team.  They are separate concerns.
 
 
  Yes, but those people can't ultimately approve the patch.  So you'd need
  to have a security reviewer do their review, and then someone who isn't
  a security person be able to offer the +1/+2 based on the opinion of the
  security reviewer.  This doesn't make any sense to me.  You're involving
  an extra person needlessly, and creating extra work.
 
 
 
  This has been discussed quite a bit.  We can't handle security patches
  on gerrit right now while they are embargoed because we can't
 completely
  hide them.
 
 
  I think that you're confusing security reviews of new code changes with
  reviews of fixes to security problems.  In this part of my email, I'm
  talking about the former.  These are not embargoed.  They are just the
  everyday improvements to the system.  That is the best time to identify
  and gate on security issues.  Without someone on core that can give a -2
  when there's a problem, this will basically never happen.  Then we'll be
  back to fixing a greater number of things as bugs.
 
 +1.  I'd really like to see at least one security representative per
 project on core who makes sure that incoming code and blueprints are
 following security best practices.  These best practices still need to
 be clearly defined, but it's going to be impossible to uphold them once
 they are established unless someone with review power is involved.  We
 want security to be more proactive instead of reactive.
 
 -NGK
 
 
  -bryan
 
 
 
 
 


[openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-10 Thread Lyle, David
I would like to nominate Tatiana Mazur to Horizon Core.  Tatiana has been a 
significant code contributor in the last two releases, understands the code 
base well and has been doing a significant number of reviews for the last two
milestones.


Additionally, I'd like to remove some inactive members of Horizon-core who have 
been inactive since the early Grizzly release at the latest.
Devin Carlen
Jake Dahn
Jesse Andrews
Joe Heck
John Postlethwait
Paul McMillan
Todd Willey
Tres Henry
paul-tashima
sleepsonthefloor


Please respond with a +1/-1 by this Friday.

-David Lyle






Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-10 Thread Tihomir Trifonov
+1 for Tatiana.


On Tue, Dec 10, 2013 at 10:24 PM, Lyle, David david.l...@hp.com wrote:

 I would like to nominate Tatiana Mazur to Horizon Core.  Tatiana has been
 a significant code contributor in the last two releases, understands the
 code base well and has been doing a significant number of reviews for the
 last two milestones.


 Additionally, I'd like to remove some inactive members of Horizon-core who
 have been inactive since the early Grizzly release at the latest.
 Devin Carlen
 Jake Dahn
 Jesse Andrews
 Joe Heck
 John Postlethwait
 Paul McMillan
 Todd Willey
 Tres Henry
 paul-tashima
 sleepsonthefloor


 Please respond with a +1/-1 by this Friday.

 -David Lyle








-- 
Regards,
Tihomir Trifonov


Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-10 Thread Matthias Runge
On 12/10/2013 09:24 PM, Lyle, David wrote:
 I would like to nominate Tatiana Mazur to Horizon Core.  Tatiana has been a 
 significant code contributor in the last two releases, understands the code 
 base well and has been doing a significant number of reviews for the last two
 milestones.
 
 
 Additionally, I'd like to remove some inactive members of Horizon-core who 
 have been inactive since the early Grizzly release at the latest.
 Devin Carlen
 Jake Dahn
 Jesse Andrews
 Joe Heck
 John Postlethwait
 Paul McMillan
 Todd Willey
 Tres Henry
 paul-tashima
 sleepsonthefloor
 
+1
and +1.

Matthias




Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-10 Thread Gabriel Hurley
+1 on Tatiana Mazur being added to Core.

I'm also okay with cleaning out the Core list. I considered doing it myself 
last cycle since none of those folks are involved anymore, but figured I'd 
leave them as a posthumous honor. ;-) I think now's a good time to trim it down.

Glad I didn't make the axe list,

- Gabriel

 -Original Message-
 From: Lyle, David [mailto:david.l...@hp.com]
 Sent: Tuesday, December 10, 2013 12:24 PM
 To: OpenStack Development Mailing List (not for usage questions)
 Subject: [openstack-dev] [Horizon] Nominations to Horizon Core
 
 I would like to nominate Tatiana Mazur to Horizon Core.  Tatiana has been a
 significant code contributor in the last two releases, understands the code
 base well and has been doing a significant number of reviews for the last two
 milestones.
 
 
 Additionally, I'd like to remove some inactive members of Horizon-core who
 have been inactive since the early Grizzly release at the latest.
 Devin Carlen
 Jake Dahn
 Jesse Andrews
 Joe Heck
 John Postlethwait
 Paul McMillan
 Todd Willey
 Tres Henry
 paul-tashima
 sleepsonthefloor
 
 
 Please respond with a +1/-1 by this Friday.
 
 -David Lyle
 
 
 
 


Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-10 Thread Julie Pichon
David Lyle david.l...@hp.com wrote:
 I would like to nominate Tatiana Mazur to Horizon Core.  Tatiana has been a
 significant code contributor in the last two releases, understands the code
 base well and has been doing a significant number of reviews for the last two
 milestones.

+1

 Additionally, I'd like to remove some inactive members of Horizon-core who
 have been inactive since the early Grizzly release at the latest.
 Devin Carlen
 Jake Dahn
 Jesse Andrews
 Joe Heck
 John Postlethwait
 Paul McMillan
 Todd Willey
 Tres Henry
 paul-tashima
 sleepsonthefloor

+1. Thank you for your work in creating and building up Horizon!

Julie

 
 Please respond with a +1/-1 by this Friday.
 
 -David Lyle
 
 
 
 


Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-10 Thread Paul McMillan
+1 on Tatiana Mazur, she's been doing a bunch of good work lately.

I'm fine with me being removed from core provided you have someone else 
qualified to address security issues as they come up. My contributions have 
lately been reviewing and responding to security issues, vetting fixes for 
those, and making sure they happen in a timely fashion. Fortunately, we haven't 
had too many of those lately. Other than that, I've been lurking and reviewing 
to make sure nothing egregious gets committed.

If you don't have anyone else who is a web security specialist on the core 
team, I'd like to stay. Since I'm also a member of the Django security team, I 
offer a significant chunk of knowledge about how the underlying security 
protections are intended to work.

-Paul


From: Gabriel Hurley gabriel.hur...@nebula.com
Sent: Tuesday, December 10, 2013 1:08 PM
To: OpenStack Development Mailing List (not for usage questions)
Subject: Re: [openstack-dev] [Horizon]  Nominations to Horizon Core

+1 on Tatiana Mazur being added to Core.

I'm also okay with cleaning out the Core list. I considered doing it myself 
last cycle since none of those folks are involved anymore, but figured I'd 
leave them as a posthumous honor. ;-) I think now's a good time to trim it down.

Glad I didn't make the axe list,

- Gabriel

 -Original Message-
 From: Lyle, David [mailto:david.l...@hp.com]
 Sent: Tuesday, December 10, 2013 12:24 PM
 To: OpenStack Development Mailing List (not for usage questions)
 Subject: [openstack-dev] [Horizon] Nominations to Horizon Core

 I would like to nominate Tatiana Mazur to Horizon Core.  Tatiana has been a
 significant code contributor in the last two releases, understands the code
 base well and has been doing a significant number of reviews for the last two
 milestones.


 Additionally, I'd like to remove some inactive members of Horizon-core who
 have been inactive since the early Grizzly release at the latest.
 Devin Carlen
 Jake Dahn
 Jesse Andrews
 Joe Heck
 John Postlethwait
 Paul McMillan
 Todd Willey
 Tres Henry
 paul-tashima
 sleepsonthefloor


 Please respond with a +1/-1 by this Friday.

 -David Lyle



