Re: [openstack-dev] [security] [telemetry] How to handle security bugs

2017-01-17 Thread Julien Danjou
On Tue, Jan 17 2017, Jeremy Stanley wrote:

> Others have already answered most of your questions in this thread,
> but since nobody from the VMT has chimed in yet I'll just state on
> our behalf that we're generally happy to consult privately or
> publicly on any suspected vulnerability report within the OpenStack
> ecosystem (and sometimes beyond). If you subscribe
> openstack-vuln-mgmt (OpenStack Vulnerability Management team) on
> Launchpad to the private bug in question we'll get notified
> automatically and take a look. For deliverables with the
> vulnerability:managed governance tag this happens automatically and
> we prioritize our time toward those, but we're available to help on
> others as well on a best-effort basis and time permitting.
>
> The VMT's process document exists primarily for the purposes of
> transparency, and outlines the steps we follow and templates we use
> when triaging suspected vulnerabilities for OpenStack deliverables
> with the vulnerability:managed governance tag. It's also usable in
> great part by other deliverables, and though the VMT doesn't
> officially take responsibility for those we're still usually able to
> help take you through the process and answer questions. If you need
> to reach us through a secure channel, E-mail addresses and
> corresponding OpenPGP keys are published at
> https://security.openstack.org/#how-to-report-security-issues-to-openstack
> for anyone who needs them.

Amazing feedback, thanks Jeremy.

-- 
Julien Danjou
/* Free Software hacker
   https://julien.danjou.info */


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [security] [telemetry] How to handle security bugs

2017-01-17 Thread Jeremy Stanley
On 2017-01-17 13:26:02 +0100 (+0100), Julien Danjou wrote:
> I've asked on #openstack-security without success, so let me try here
> instead:
> 
> We, Telemetry, have a security bug and we're not managed by VMT, any
> hint as to how to handle our bug? Or how to get covered by VMT? 

Others have already answered most of your questions in this thread,
but since nobody from the VMT has chimed in yet I'll just state on
our behalf that we're generally happy to consult privately or
publicly on any suspected vulnerability report within the OpenStack
ecosystem (and sometimes beyond). If you subscribe
openstack-vuln-mgmt (OpenStack Vulnerability Management team) on
Launchpad to the private bug in question we'll get notified
automatically and take a look. For deliverables with the
vulnerability:managed governance tag this happens automatically and
we prioritize our time toward those, but we're available to help on
others as well on a best-effort basis and time permitting.

The VMT's process document exists primarily for the purposes of
transparency, and outlines the steps we follow and templates we use
when triaging suspected vulnerabilities for OpenStack deliverables
with the vulnerability:managed governance tag. It's also usable in
great part by other deliverables, and though the VMT doesn't
officially take responsibility for those we're still usually able to
help take you through the process and answer questions. If you need
to reach us through a secure channel, E-mail addresses and
corresponding OpenPGP keys are published at
https://security.openstack.org/#how-to-report-security-issues-to-openstack
for anyone who needs them.
-- 
Jeremy Stanley




Re: [openstack-dev] [security] [telemetry] How to handle security bugs

2017-01-17 Thread Julien Danjou
On Tue, Jan 17 2017, Ian Cordasco wrote:

> Or, perhaps the last time people complained that the process
> documentation was too detailed and the telemetry project decided it
> didn't want to have to follow it? If that's the case, following the
> embargoed procedures might not be what you want as a project. At that
> point, you don't need to work with the VMT and you can immediately
> open the bug to start collaborating on Gerrit. You of course open up
> all of your deployers to being targeted, but that's the project's call
> in the end I guess.

Yeah it sucks, though if you have little help (resources) from the
deployers, that's what is going to happen sooner or later.

> I would think that if you want the "vulnerability:managed" tag, you
> might be willing to follow the process outlined. Perhaps it's verbose,
> but it is verbose for good reason. OpenStack's handling of embargoed
> issues is pretty much as good as it gets for a project the size of
> OpenStack. It benefits deployers and users by making the issue AND the
> fix known at the same time which gives deployers the ability to
> immediately consume the fix.

Yeah, don't read me wrong (though I was not precise :-) but we don't have
any problem with _respecting_ the procedure. I think for small projects like
us it is nearly impossible to _apply_ the procedure on our own:
requesting CVE, OSSA, OSSN, getting the right classification,
publishing, getting in touch with downstream… is too much work for such
small teams.

-- 
Julien Danjou
;; Free Software hacker
;; https://julien.danjou.info




Re: [openstack-dev] [security] [telemetry] How to handle security bugs

2017-01-17 Thread Ian Cordasco
On Tue, Jan 17, 2017 at 8:02 AM, Julien Danjou  wrote:
> On Tue, Jan 17 2017, Adam Heczko wrote:
>
>> Hi Julien, I think that you should follow this [1] workflow.
>>
>> TL;DR: Pls make sure that if the bug is serious make it private on LP so
>> that only core team members can access it and propose patches. Please do
>> not send patches to Gerrit review queue but rather attach it to LP bug
>> ticket and discuss there. Contact VMT members to get more details on how to
>> get Telemetry project covered by VMT.
>>
>> [1] https://security.openstack.org/vmt-process.html
>
> IMHO that's a problem. The page is so long and the process so complex
> that if nobody has the time to do all of that, it'll never be fixed or
> I'll just send the patch to Gerrit to get it fixed and be done with it.
>
> At first glance Telemetry matches all requirements to get covered by
> VMT. IIRC last time we asked for it we got punted because there was
> already too much work for the VMT team. But if that's possible, we'd be
> glad to apply again. :-)

Or, perhaps the last time people complained that the process
documentation was too detailed and the telemetry project decided it
didn't want to have to follow it? If that's the case, following the
embargoed procedures might not be what you want as a project. At that
point, you don't need to work with the VMT and you can immediately
open the bug to start collaborating on Gerrit. You of course open up
all of your deployers to being targeted, but that's the project's call
in the end I guess.

I would think that if you want the "vulnerability:managed" tag, you
might be willing to follow the process outlined. Perhaps it's verbose,
but it is verbose for good reason. OpenStack's handling of embargoed
issues is pretty much as good as it gets for a project the size of
OpenStack. It benefits deployers and users by making the issue AND the
fix known at the same time which gives deployers the ability to
immediately consume the fix.

-- 
Ian Cordasco



Re: [openstack-dev] [security] [telemetry] How to handle security bugs

2017-01-17 Thread Julien Danjou
On Tue, Jan 17 2017, Rob C wrote:

> Ian has provided advice on how you might become security managed, which
> is a good aspiration for any team to have.
>
> However, if you have a serious security issue that you need help mitigating
> the security project can help. We can work with you on the solution and also
> issue an OpenStack Security Note to notify users of the update/patch that
> they might need to apply.
>
> Please go ahead and add me to the security bug, if required I'll add other
> core-sec people as required.

Thanks a lot Rob, that's very helpful. I'll add you.

-- 
Julien Danjou
/* Free Software hacker
   https://julien.danjou.info */




Re: [openstack-dev] [security] [telemetry] How to handle security bugs

2017-01-17 Thread Julien Danjou
On Tue, Jan 17 2017, Adam Heczko wrote:

> Hi Julien, I think that you should follow this [1] workflow.
>
> TL;DR: Pls make sure that if the bug is serious make it private on LP so
> that only core team members can access it and propose patches. Please do
> not send patches to Gerrit review queue but rather attach it to LP bug
> ticket and discuss there. Contact VMT members to get more details on how to
> get Telemetry project covered by VMT.
>
> [1] https://security.openstack.org/vmt-process.html

IMHO that's a problem. The page is so long and the process so complex
that if nobody has the time to do all of that, it'll never be fixed or
I'll just send the patch to Gerrit to get it fixed and be done with it.

At first glance Telemetry matches all requirements to get covered by
VMT. IIRC last time we asked for it we got punted because there was
already too much work for the VMT team. But if that's possible, we'd be
glad to apply again. :-)

-- 
Julien Danjou
# Free Software hacker
# https://julien.danjou.info




Re: [openstack-dev] [security] [telemetry] How to handle security bugs

2017-01-17 Thread Rob C
You've done the right thing by posting here with the [Security] tag.

Ian has provided advice on how you might become security managed, which
is a good aspiration for any team to have.

However, if you have a serious security issue that you need help mitigating
the security project can help. We can work with you on the solution and also
issue an OpenStack Security Note to notify users of the update/patch that
they might need to apply.

Please go ahead and add me to the security bug, if required I'll add other
core-sec people as required.

Cheers
-Rob



On Tue, Jan 17, 2017 at 1:14 PM, Adam Heczko  wrote:

> Hi Julien, I think that you should follow this [1] workflow.
>
> TL;DR: Pls make sure that if the bug is serious make it private on LP so
> that only core team members can access it and propose patches. Please do
> not send patches to Gerrit review queue but rather attach it to LP bug
> ticket and discuss there. Contact VMT members to get more details on how to
> get Telemetry project covered by VMT.
>
> [1] https://security.openstack.org/vmt-process.html
>
> On Tue, Jan 17, 2017 at 1:26 PM, Julien Danjou  wrote:
>
>> Hi,
>>
>> I've asked on #openstack-security without success, so let me try here
>> instead:
>>
>> We, Telemetry, have a security bug and we're not managed by VMT, any
>> hint as to how to handle our bug? Or how to get covered by VMT? 
>>
>> Cheers,
>> --
>> Julien Danjou
>> /* Free Software hacker
>>https://julien.danjou.info */
>>
>>
>>
>
>
> --
> Adam Heczko
> Security Engineer @ Mirantis Inc.
>
>
>


Re: [openstack-dev] [security] [telemetry] How to handle security bugs

2017-01-17 Thread Adam Heczko
Hi Julien, I think that you should follow this [1] workflow.

TL;DR: Pls make sure that if the bug is serious make it private on LP so
that only core team members can access it and propose patches. Please do
not send patches to Gerrit review queue but rather attach it to LP bug
ticket and discuss there. Contact VMT members to get more details on how to
get Telemetry project covered by VMT.

[1] https://security.openstack.org/vmt-process.html

On Tue, Jan 17, 2017 at 1:26 PM, Julien Danjou  wrote:

> Hi,
>
> I've asked on #openstack-security without success, so let me try here
> instead:
>
> We, Telemetry, have a security bug and we're not managed by VMT, any
> hint as to how to handle our bug? Or how to get covered by VMT? 
>
> Cheers,
> --
> Julien Danjou
> /* Free Software hacker
>https://julien.danjou.info */
>
>
>


-- 
Adam Heczko
Security Engineer @ Mirantis Inc.


Re: [openstack-dev] [security] [telemetry] How to handle security bugs

2017-01-17 Thread Ian Cordasco
On Tue, Jan 17, 2017 at 6:26 AM, Julien Danjou  wrote:
> Hi,
>
> I've asked on #openstack-security without success, so let me try here
> instead:
>
> We, Telemetry, have a security bug and we're not managed by VMT, any
> hint as to how to handle our bug? Or how to get covered by VMT? 

So, in terms of process I'd advise you read
https://security.openstack.org/vmt-process.html because it describes
how the VMT process works.

I believe 
http://docs.openstack.org/project-team-guide/vulnerability-management.html
described that you need to be "security-supported" which involves
joining the list of projects with the "vulnerability:managed" tag
(https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html).

https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html#requirements
describes the requirements to attain that tag.

Cheers,
-- 
Ian Cordasco



[openstack-dev] [security] [telemetry] How to handle security bugs

2017-01-17 Thread Julien Danjou
Hi,

I've asked on #openstack-security without success, so let me try here
instead:

We, Telemetry, have a security bug and we're not managed by VMT, any
hint as to how to handle our bug? Or how to get covered by VMT? 

Cheers,
-- 
Julien Danjou
/* Free Software hacker
   https://julien.danjou.info */

