[openstack-dev] [OSSG] Announcement: I'll be transitioning away from OpenStack

2015-03-16 Thread Bryan D. Payne
I have recently accepted a new position with a company that does not work with OpenStack. As a result, I'll be transitioning away from this community. As such, I wanted to offer a few quick notes: * OpenStack Security Guide -- I have transitioned leadership of this security documentation effort

[openstack-dev] nominating Nathaniel Dillon for security-doc core

2015-03-05 Thread Bryan D. Payne
To security-doc core and other interested parties, Nathaniel Dillon has been working consistently on the security guide since our first mid-cycle meet up last summer. In that time he has come to understand the inner workings of the book and the doc process very well. He has also been a

Re: [openstack-dev] nominating Nathaniel Dillon for security-doc core

2015-03-05 Thread Bryan D. Payne
Thanks everyone. I've added Nathaniel to security-doc core. Welcome Nathaniel! Cheers, -bryan

Re: [openstack-dev] [Openstack-security] [Barbican][OSSG] Mid Cycle Attendance / Crossover.

2014-11-07 Thread Bryan D. Payne
I would like to try to attend both, assuming the Barbican guys will have me ;-) -bryan On Fri, Nov 7, 2014 at 12:02 PM, Clark, Robert Graham robert.cl...@hp.com wrote: Hi All, How many people would want to attend both the OSSG mid-cycle and the Barbican one? Both expected to be on the west

Re: [openstack-dev] [Openstack-security] [Barbican][OSSG][Keystone] Mid-Cycle Meetup

2014-05-22 Thread Bryan D. Payne
I plan on attending. -bryan On Thu, May 22, 2014 at 10:48 AM, Jarret Raim jarret.r...@rackspace.com wrote: All, There was some interest at the Summit in semi-combining the mid-cycle meet ups for Barbican, Keystone and the OSSG as there is some overlap in team members and interest areas. The

Re: [openstack-dev] [barbican] Cryptography audit by OSSG

2014-04-18 Thread Bryan D. Payne
Is anyone following the openstack-security list and/or part of the OpenStack Security Group (OSSG)? This sounds like another group and list we should keep our eyes on. I'm one of the OSSG leads. We'd certainly welcome your involvement in OSSG. In fact, there has been much interest in

Re: [openstack-dev] Diversity as a requirement for incubation

2013-12-20 Thread Bryan D. Payne
+1 -bryan On Wed, Dec 18, 2013 at 10:22 PM, Jay Pipes jaypi...@gmail.com wrote: On 12/18/2013 12:34 PM, Doug Hellmann wrote: I have more of an issue with a project failing *after* becoming integrated than during incubation. That's why we have the incubation period to begin with. For the

Re: [openstack-dev] Incubation Request for Barbican

2013-12-12 Thread Bryan D. Payne
Steven Gonzales stevendgonza...@gmail.com 1 Russell Bryant rbry...@redhat.com 1 Bryan D. Payne bdpa...@acm.org It appears to be an effort done by a group, and not an individual. Most commits by far are from Rackspace, but there is at least one non-trivial contributor (Malini) from

Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-12 Thread Bryan D. Payne
I just wanted to close the loop here. I understand the position that others are taking and it appears that I'm outnumbered :-) While I disagree with this approach, it sounds like that's where we are at today. Even with this decision, I would encourage the horizon dev team to utilize Paul as a

Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-11 Thread Bryan D. Payne
Re: Removing Paul McMillan from core I would argue that it is critical that each project have 1-2 people on core that are security experts. The VMT is an intentionally small team. They are moving to having specifically appointed security sub-teams on each project (I believe this is what I heard

Re: [openstack-dev] [Horizon] Nominations to Horizon Core

2013-12-11 Thread Bryan D. Payne
We can involve people in security reviews without having them on the core review team. They are separate concerns. Yes, but those people can't ultimately approve the patch. So you'd need to have a security reviewer do their review, and then someone who isn't a security person be able to

Re: [openstack-dev] [Nova] FFE Request: Encrypt Cinder volumes

2013-09-06 Thread Bryan D. Payne
2) There is general consensus that the simple config based key manager (single key) does provide some amount of useful security. I believe it does, just want to make sure we're in agreement on it. Obviously we want to improve this in the future. I believe that it does add value. For

Re: [openstack-dev] [nova] key management and Cinder volume encryption

2013-09-03 Thread Bryan D. Payne
How can someone use your code without a key manager? Some key management mechanism is required although it could be simplistic. For example, we’ve tested our code internally with an implementation of the key manager interface that returns a single, constant key. That works for

Re: [openstack-dev] [OSSG] ASK - What is the regular OSSG IRC meetup schedule? #TIA

2013-08-21 Thread Bryan D. Payne
AM, Bryan D. Payne bdpa...@acm.org wrote: Thursdays at 1800 UTC. https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity -bryan On Wed, Aug 21, 2013 at 10:57 AM, Sriram Subramanian sri...@sriramhere.com wrote: -- Thanks, -Sriram

[openstack-dev] SecurityImpact tagging in gerrit

2013-06-21 Thread Bryan D. Payne
This is a quick note to announce that the OpenStack gerrit system supports a SecurityImpact tag. If you are familiar with the DocImpact tag, this works in a similar fashion. Please use this in the commit message for any commits that you feel would benefit from a security review. Commits with