Jonathan Bryce wrote:
> 2) Review security group proposal
> - http://wiki.openstack.org/Governance/Proposed/OpenStack%20Security%20Group
>
> Following on some of the discussion from a few weeks ago, a Rackspace
> employee put together a proposal around forming a security group. I know
> we've had a few various starts on this issue, but it seems like
> something that would be good to codify and publish so we can educate
> people on the right way to handle any vulnerabilities that pop up.
I replied last month to Jarret with some comments/suggestions (which he agreed on) and I think the current proposal should be fixed before we can vote on it. In particular:

- Public ML -> we should reuse the main openstack list at least until traffic justifies a separate list
- Private bugtracker -> LP supports "private" security bugs so there is no need for an additional separate thing
- [email protected] -> this should rather be a small set of personal email addresses (with associated GPG keys) so that mail can be sent encrypted.

I also think (from experience) that the size of the group should be kept minimal. The current draft states that "a core of OpenStack community leaders, Rackspace specialists and security experts in the commercial and open source world start out as the seed of the OSSG", which would already make a decently-sized group... I'd like to see some safeguards against inflation: we don't want to end up with as many members as http://www.mozilla.org/projects/security/secgrouplist.html -- which may make sense for complex security models like Firefox's, but is just an increased leak risk for us.

--
Thierry Carrez (ttx)
Release Manager, OpenStack

_______________________________________________
Mailing list: https://launchpad.net/~openstack-poc
Post to : [email protected]
Unsubscribe : https://launchpad.net/~openstack-poc
More help : https://help.launchpad.net/ListHelp

