Fully agree with Thierry's comments here. -jay
On Tue, Aug 16, 2011 at 7:57 AM, Thierry Carrez <[email protected]> wrote:
> Jonathan Bryce wrote:
>> 2) Review security group proposal
>> - http://wiki.openstack.org/Governance/Proposed/OpenStack%20Security%20Group
>>
>> Following on some of the discussion from a few weeks ago, a Rackspace
>> employee put together a proposal around forming a security group. I know
>> we've had a few various starts on this issue, but it seems like
>> something that would be good to codify and publish so we can educate
>> people on the right way to handle any vulnerabilities that pop up.
>
> I replied last month to Jarret with some comments/suggestions (which he
> agreed on) and I think the current proposal should be fixed before we
> can vote on it. In particular:
>
> - Public ML -> we should reuse the main openstack list at least until
>   traffic justifies a separate list
> - Private bugtracker -> LP supports "private" security bugs so there is
>   no need for an additional separate thing
> - [email protected] -> this should rather be a small set of
>   personal email addresses (with associated GPG keys) so that mail can be
>   sent encrypted.
>
> I also think (from experience) that the size of the group should be kept
> minimal. The current draft states that "a core of OpenStack community
> leaders, Rackspace specialists and security experts in the commercial
> and open source world start out as the seed of the OSSG", which would
> already make a decently-sized group... I'd like to see some safeguards
> against inflation: we don't want to end up with as many members as
> http://www.mozilla.org/projects/security/secgrouplist.html -- which may
> make sense for complex security models like Firefox's, but is just an
> increased leak risk for us.
>
> --
> Thierry Carrez (ttx)
> Release Manager, OpenStack

_______________________________________________
Mailing list: https://launchpad.net/~openstack-poc
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~openstack-poc
More help   : https://help.launchpad.net/ListHelp