Apologies for not copying the [ptl] tag, since this change affects mostly the 
PTLs and the projects for which they facilitate.

Note, PTLs: the purpose of this change is to make your lives easier and 
streamline the VMT application process, but keep the spirit of the original 
requirement in place.  Given that this change is to help make the lives of the 
PTL and security team easier, if both could weigh in on the review, I'd 
appreciate it.  I'd like to get the language correct so we don't have to keep 
changing section 5 of this tag or special case it to death since that is an 
anti-pattern in the governance repository.

If PTLs, project participants, or anyone else for that matter have any wording 
changes, feel free to propose them - IANAL and writing these things correctly 
is hard to do properly ); involving the community around the pain points of the 
tagging process is what I'm after.

Regards
-steve

From: Steven Dake <std...@cisco.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" 
<openstack-dev@lists.openstack.org>
Date: Friday, April 1, 2016 at 5:04 PM
To: "OpenStack Development Mailing List (not for usage questions)" 
<openstack-dev@lists.openstack.org>
Subject: [openstack-dev] [security][tc] Tidy up language in section 5 of the 
vulnerability:managed tag

Please see my review here as requested in this thread [1]:

https://review.openstack.org/300698


The purpose of this review is twofold:

  1.  Permit sponsoring companies of single vendor projects or projects with 
low company affiliation diversity to allow their own security experts to sign 
off on a threat analysis, acting as a third party.
  2.  Enable scaling of the OSSA and VMT processes by permitting projects to 
self-audit, self-review, or self-threat analyze with the condition that an 
impartial third party take responsibility for approving the audit, review, or 
threat analysis.

[1] http://lists.openstack.org/pipermail/openstack-dev/2016-March/091075.html