On 2015-02-12 17:20:37 +0100 (+0100), Alan Pevec wrote:
> Discussing CVEs in private came up a few times but I'm not sure IRC
> is secure enough for that. IMHO discussion about embargoed issues
> must be kept in private Launchpad bugs but I'd like to hear from
> VMT team.
I do from time to time /msg a security review liaison for some particular project to bring a new vulnerability report to their attention or prod them to put a status update in an embargoed bug. I connect to IRC via SSL/TLS, authenticate and protect my nick through the network's nickserv bot, and hope most of them follow the same precautions. Nevertheless, I do try not to discuss specifics, but rather keep those brief exchanges vague/general.

In the end I'm not sure private, encrypted, authenticated discussion in IRC is substantially less secure than having a bug set to private in Launchpad, though (after all, I and the rest of the project infrastructure admins don't run either freenode or Launchpad, so we're beholden to them to keep their services above board regardless).

The VMT also do collectively have brief private discussions with one another via a variety of secured media around logistics/coordination efforts and to perform last-minute checks of our advisory texts prior to disclosure, but I don't want to paint the VMT in a special light here. I feel that the point of all this is that the result of any such discussions should be reflected in public as soon as it is safe to do so (be that making the bug visible to everyone, sending an OSSA to various mailing lists, pushing patches into Gerrit, et cetera).

-- 
Jeremy Stanley
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev