Tristan, Flying a bit by the seat of my pants here. I can't find a simple check-list of how exactly you get a project managed by the VMT :) If anything in this email is wrong, feel free to correct me and get us on the right track.
The kolla-coresec team consists of the following folks:

Martin Andre
Steven Dake
Ryan Hallisey
Michal Jastrzebski
Michal Rostecki
Sam Yaple

That is one more person than the guidelines recommend, but they are guidelines, not hard and fast rules. I was not able to include everyone that asked to be included. I'd ask for these folks to be active on the bug triage for security for Kolla.

The next step is for us to locate a security expert to do a security audit of the codebase, including potential security issues with how we use dependencies. I'll be reaching out to the security team for guidance, but have someone in mind (Dave Mccowan) who is a security expert and knows a bit about containers and Kolla as well :) If the security team would find this acceptable and Dave would as well, we can proceed down that path, or we could take recommendations from the security team instead.

Also, Red Hat has a great infosec team that audits every bit of code that goes into Red Hat products, so perhaps Ryan or Mandre can reach out to them to audit our code base in their copious spare time. :)

If the security audit turns up anything existing in the code base, we will have to fix the bugs and attach them to the bug triage tool as *PRIVATE* bugs and attachments. I'll be seeking more guidance from the security team as to how to proceed prior to, during, and after ODS.

The long term goal is to obtain the vulnerability:managed tag in the governance repo. After that is achieved, this kolla-coresec team will still be responsible for fixing problems found in the codebase and working with the OpenStack VMT (vulnerability management team) to release the changes in a synchronized fashion.

Regards,
-steve

On 3/1/16, 12:11 PM, "Steven Dake (stdake)" <std...@cisco.com> wrote:

>
>On 3/1/16, 10:47 AM, "Tristan Cacqueray" <tdeca...@redhat.com> wrote:
>
>>On 03/01/2016 05:12 PM, Ryan Hallisey wrote:
>>> Hello,
>>>
>>> I have experience writing selinux policy. My plan was to write the
>>> selinux policy for Kolla in the next cycle. I'd be interested in
>>> joining if that fits the criteria here.
>>>
>>
>>Hello Ryan,
>>
>>While knowing how to write SELinux policy is a great asset for a coresec
>>team member, it's not a requirement. Such a team's purpose isn't to
>>implement core security features, but rather to be responsive about private
>>security bugs to confirm the issue and discuss the scope of any
>>vulnerability along with potential solutions.
>>
>>
>>> Thanks,
>>> -Ryan
>>>
>>> ----- Original Message -----
>>> From: "Steven Dake (stdake)" <std...@cisco.com>
>>> To: "OpenStack Development Mailing List (not for usage questions)"
>>> <openstack-dev@lists.openstack.org>
>>> Sent: Tuesday, March 1, 2016 11:55:55 AM
>>> Subject: [openstack-dev] [kolla][security] Obtaining
>>> the vulnerability:managed tag
>>>
>>> Core reviewers,
>>>
>>> Please review this document:
>>>
>>> https://github.com/openstack/governance/blob/master/reference/tags/vulnerability_managed.rst
>>>
>>> It describes how vulnerability management is handled at a high level
>>> for Kolla. When we are ready, I want the kolla delivery repos'
>>> vulnerabilities to be managed by the VMT team. By doing this, we
>>> standardize with other OpenStack processes for handling security
>>> vulnerabilities.
>>>
>>For reference, the full process is described here:
>>https://security.openstack.org/vmt-process.html
>>
>>> The first step is to form a kolla-coresec team, and create a separate
>>> kolla-coresec tracker. I have already created the tracker for
>>> kolla-coresec and the kolla-coresec team in launchpad:
>>>
>>> https://launchpad.net/~kolla-coresec
>>>
>>> https://launchpad.net/kolla-coresec
>>>
>>> I have a history of security expertise, and the PTL needs to be on the
>>> team as an escalation point as described in the VMT tagging document
>>> above. I also need 2-3 more volunteers to join the team. You can read
>>> the requirements of the job duties in the vulnerability:managed tag.
>>>
>>> If you're interested in joining the VMT team, please respond on this
>>> thread. If there are more than 4 individuals interested in joining this
>>> team, I will form the team from the most active members based upon
>>> liberty + mitaka commits, reviews, and PDE spent.
>>>
>>Note that the VMT team is global to openstack; I guess you are referring
>>to the Kolla VMT team (now known as kolla-coresec).
>
>Yes, that is correct. Thanks Tristan for clarifying.
>>
>>
>>Regards,
>>-Tristan
>>
>>
>
>
>__________________________________________________________________________
>OpenStack Development Mailing List (not for usage questions)
>Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev