Re: [openstack-dev] [kolla][security] Obtaining the vulnerability:managed tag

2016-03-02 Thread Michal Rostecki
Please count me as well. I'd be interested in joining the team, as well 
as in introducing SELinux to kolla-mesos and/or helping in introducing 
SELinux to kolla in general if that will be needed.


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


Re: [openstack-dev] [kolla][security] Obtaining the vulnerability:managed tag

2016-03-01 Thread Michał Jastrzębski
As I said on irc:) count me in sdake!

On 1 March 2016 at 22:11, Swapnil Kulkarni  wrote:
> On Tue, Mar 1, 2016 at 10:25 PM, Steven Dake (stdake)  
> wrote:
>> Core reviewers,
>>
>> Please review this document:
>> https://github.com/openstack/governance/blob/master/reference/tags/vulnerability_managed.rst
>>
>> It describes how vulnerability management is handled at a high level for
>> Kolla.  When we are ready, I want the kolla delivery repos vulnerabilities
>> to be managed by the VMT team.  By doing this, we standardize with other
>> OpenStack processes for handling security vulnerabilities.
>>
>> The first step is to form a kolla-coresec team, and create a separate
>> kolla-coresec tracker.  I have already created the tracker for kolla-coresec
>> and the kolla-coresec team in launchpad:
>>
>> https://launchpad.net/~kolla-coresec
>>
>> https://launchpad.net/kolla-coresec
>>
>> I have a history of security expertise, and the PTL needs to be on the team
>> as an escalation point as described in the VMT tagging document above.  I
>> also need 2-3 more volunteers to join the team.  You can read the
>> requirements of the job duties in the vulnerability:managed tag.
>>
>> If you're interested in joining the VMT team, please respond on this thread.
>> If there are more than 4 individuals interested in joining this team, I will
>> form the team from the most active members based upon liberty + mitaka
>> commits, reviews, and PDE spent.
>>
>> Regards
>> -steve
>>
>>
>
> I am interested in security. I would like to be a part of it.
>
> ~coolsvap
>


Re: [openstack-dev] [kolla][security] Obtaining the vulnerability:managed tag

2016-03-01 Thread Swapnil Kulkarni
On Tue, Mar 1, 2016 at 10:25 PM, Steven Dake (stdake)  wrote:
> Core reviewers,
>
> Please review this document:
> https://github.com/openstack/governance/blob/master/reference/tags/vulnerability_managed.rst
>
> It describes how vulnerability management is handled at a high level for
> Kolla.  When we are ready, I want the kolla delivery repos vulnerabilities
> to be managed by the VMT team.  By doing this, we standardize with other
> OpenStack processes for handling security vulnerabilities.
>
> The first step is to form a kolla-coresec team, and create a separate
> kolla-coresec tracker.  I have already created the tracker for kolla-coresec
> and the kolla-coresec team in launchpad:
>
> https://launchpad.net/~kolla-coresec
>
> https://launchpad.net/kolla-coresec
>
> I have a history of security expertise, and the PTL needs to be on the team
> as an escalation point as described in the VMT tagging document above.  I
> also need 2-3 more volunteers to join the team.  You can read the
> requirements of the job duties in the vulnerability:managed tag.
>
> If you're interested in joining the VMT team, please respond on this thread.
> If there are more than 4 individuals interested in joining this team, I will
> form the team from the most active members based upon liberty + mitaka
> commits, reviews, and PDE spent.
>
> Regards
> -steve
>
>

I am interested in security. I would like to be a part of it.

~coolsvap



Re: [openstack-dev] [kolla][security] Obtaining the vulnerability:managed tag

2016-03-01 Thread Martin André
On Wed, Mar 2, 2016 at 1:55 AM, Steven Dake (stdake) 
wrote:

> Core reviewers,
>
> Please review this document:
>
> https://github.com/openstack/governance/blob/master/reference/tags/vulnerability_managed.rst
>
> It describes how vulnerability management is handled at a high level for
> Kolla.  When we are ready, I want the kolla delivery repos vulnerabilities
> to be managed by the VMT team.  By doing this, we standardize with other
> OpenStack processes for handling security vulnerabilities.
>
> The first step is to form a kolla-coresec team, and create a separate
> kolla-coresec tracker.  I have already created the tracker for
> kolla-coresec and the kolla-coresec team in launchpad:
>
> https://launchpad.net/~kolla-coresec
>
> https://launchpad.net/kolla-coresec
>
> I have a history of security expertise, and the PTL needs to be on the
> team as an escalation point as described in the VMT tagging document
> above.  I also need 2-3 more volunteers to join the team.  You can read the
> requirements of the job duties in the vulnerability:managed tag.
>
> If you're interested in joining the VMT team, please respond on this
> thread.  If there are more than 4 individuals interested in joining this
> team, I will form the team from the most active members based upon liberty
> + mitaka commits, reviews, and PDE spent.
>

How many more cores do you need? If you don't have enough volunteers you
can sign me up for it.

Martin


Re: [openstack-dev] [kolla][security] Obtaining the vulnerability:managed tag

2016-03-01 Thread Steven Dake (stdake)
Adam,

Thank you for your offer, but I believe the VMT kolla-coresec team must be 
formed from core reviewers or I'd ask Dave Mccowan to consider an invitation.

The text that I think this comes from is:
Deliverables with more than five core reviewers should (so as to limit the 
unnecessary exposure of private reports) settle on a subset of these to act as 
security core reviewers whose responsibility it is to be able to confirm 
whether a bug report is accurate/applicable or at least know other subject 
matter experts they can in turn subscribe to perform those activities in a 
timely manner

It is pretty easy to become a core reviewer in Kolla over time but it requires 
doing consistently proven good reviewing of the code going into the repository, 
consistent irc participation, as well as implementation work.

If you're interested, please join us on IRC and begin the process :)

Regards
-steve


From: Adam Heczko <ahec...@mirantis.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Date: Tuesday, March 1, 2016 at 1:57 PM
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [kolla][security] Obtaining the vulnerability:managed tag

Hi Steven,
I'd like to help you with vulnerability management process of Kolla and become 
a member of Kolla VMT team.
I have experience and expertise in IT security and related to it processes.

Best regards,

Adam

On Tue, Mar 1, 2016 at 5:55 PM, Steven Dake (stdake) <std...@cisco.com> wrote:
Core reviewers,

Please review this document:
https://github.com/openstack/governance/blob/master/reference/tags/vulnerability_managed.rst

It describes how vulnerability management is handled at a high level for Kolla. 
 When we are ready, I want the kolla delivery repos vulnerabilities to be 
managed by the VMT team.  By doing this, we standardize with other OpenStack 
processes for handling security vulnerabilities.

The first step is to form a kolla-coresec team, and create a separate 
kolla-coresec tracker.  I have already created the tracker for kolla-coresec 
and the kolla-coresec team in launchpad:

https://launchpad.net/~kolla-coresec

https://launchpad.net/kolla-coresec

I have a history of security expertise, and the PTL needs to be on the team as 
an escalation point as described in the VMT tagging document above.  I also 
need 2-3 more volunteers to join the team.  You can read the requirements of 
the job duties in the vulnerability:managed tag.

If you're interested in joining the VMT team, please respond on this thread.  If 
there are more than 4 individuals interested in joining this team, I will form 
the team from the most active members based upon liberty + mitaka commits, 
reviews, and PDE spent.

Regards
-steve




--
Adam Heczko
Security Engineer @ Mirantis Inc.


Re: [openstack-dev] [kolla][security] Obtaining the vulnerability:managed tag

2016-03-01 Thread Adam Heczko
Hi Steven,
I'd like to help you with vulnerability management process of Kolla and
become a member of Kolla VMT team.
I have experience and expertise in IT security and related to it processes.

Best regards,

Adam

On Tue, Mar 1, 2016 at 5:55 PM, Steven Dake (stdake) 
wrote:

> Core reviewers,
>
> Please review this document:
>
> https://github.com/openstack/governance/blob/master/reference/tags/vulnerability_managed.rst
>
> It describes how vulnerability management is handled at a high level for
> Kolla.  When we are ready, I want the kolla delivery repos vulnerabilities
> to be managed by the VMT team.  By doing this, we standardize with other
> OpenStack processes for handling security vulnerabilities.
>
> The first step is to form a kolla-coresec team, and create a separate
> kolla-coresec tracker.  I have already created the tracker for
> kolla-coresec and the kolla-coresec team in launchpad:
>
> https://launchpad.net/~kolla-coresec
>
> https://launchpad.net/kolla-coresec
>
> I have a history of security expertise, and the PTL needs to be on the
> team as an escalation point as described in the VMT tagging document
> above.  I also need 2-3 more volunteers to join the team.  You can read the
> requirements of the job duties in the vulnerability:managed tag.
>
> If you're interested in joining the VMT team, please respond on this
> thread.  If there are more than 4 individuals interested in joining this
> team, I will form the team from the most active members based upon liberty
> + mitaka commits, reviews, and PDE spent.
>
> Regards
> -steve
>
>
>


-- 
Adam Heczko
Security Engineer @ Mirantis Inc.


Re: [openstack-dev] [kolla][security] Obtaining the vulnerability:managed tag

2016-03-01 Thread Steven Dake (stdake)


On 3/1/16, 10:47 AM, "Tristan Cacqueray"  wrote:

>On 03/01/2016 05:12 PM, Ryan Hallisey wrote:
>> Hello,
>> 
>> I have experience writing selinux policy. My plan was to write the
>>selinux policy for Kolla in the next cycle.  I'd be interested in
>>joining if that fits the criteria here.
>> 
>
>Hello Ryan,
>
>While knowing how to write SELinux policy is a great asset for a coresec
>team member, it's not a requirement. Such team purpose isn't to
>implement core security features, but rather be responsive about private
>security bug to confirm the issue and discuss the scope of any
>vulnerability along with potential solutions.
>
>
>
>> Thanks,
>> -Ryan
>> 
>> - Original Message -
>> From: "Steven Dake (stdake)" 
>> To: "OpenStack Development Mailing List (not for usage questions)"
>>
>> Sent: Tuesday, March 1, 2016 11:55:55 AM
>> Subject: [openstack-dev] [kolla][security] Obtaining
>>the vulnerability:managed tag
>> 
>> Core reviewers, 
>> 
>> Please review this document:
>> 
>>https://github.com/openstack/governance/blob/master/reference/tags/vulnerability_managed.rst
>> 
>> It describes how vulnerability management is handled at a high level
>>for Kolla. When we are ready, I want the kolla delivery repos
>>vulnerabilities to be managed by the VMT team. By doing this, we
>>standardize with other OpenStack processes for handling security
>>vulnerabilities. 
>> 
>For reference, the full process is described here:
>https://security.openstack.org/vmt-process.html
>
>> The first step is to form a kolla-coresec team, and create a separate
>>kolla-coresec tracker. I have already created the tracker for
>>kolla-coresec and the kolla-coresec team in launchpad:
>> 
>> https://launchpad.net/~kolla-coresec
>> 
>> https://launchpad.net/kolla-coresec
>> 
>> I have a history of security expertise, and the PTL needs to be on the
>>team as an escalation point as described in the VMT tagging document
>>above. I also need 2-3 more volunteers to join the team. You can read
>>the requirements of the job duties in the vulnerability:managed tag.
>> 
>> If you're interested in joining the VMT team, please respond on this
>>thread. If there are more than 4 individuals interested in joining this
>>team, I will form the team from the most active members based upon
>>liberty + mitaka commits, reviews, and PDE spent.
>> 
>Note that the VMT team is global to openstack, I guess you are referring
>to the Kolla VMT team (now known as kolla-coresec).

Yes that is correct.  Thanks Tristan for clarifying.
>
>
>Regards,
>-Tristan
>
>




Re: [openstack-dev] [kolla][security] Obtaining the vulnerability:managed tag

2016-03-01 Thread Tristan Cacqueray
On 03/01/2016 05:12 PM, Ryan Hallisey wrote:
> Hello,
> 
> I have experience writing selinux policy. My plan was to write the selinux 
> policy for Kolla in the next cycle.  I'd be interested in joining if that 
> fits the criteria here.
> 

Hello Ryan,

While knowing how to write SELinux policy is a great asset for a coresec
team member, it's not a requirement. Such team purpose isn't to
implement core security features, but rather be responsive about private
security bug to confirm the issue and discuss the scope of any
vulnerability along with potential solutions.



> Thanks,
> -Ryan
> 
> - Original Message -
> From: "Steven Dake (stdake)" 
> To: "OpenStack Development Mailing List (not for usage questions)" 
> 
> Sent: Tuesday, March 1, 2016 11:55:55 AM
> Subject: [openstack-dev] [kolla][security] Obtaining the  
> vulnerability:managed tag
> 
> Core reviewers, 
> 
> Please review this document: 
> https://github.com/openstack/governance/blob/master/reference/tags/vulnerability_managed.rst
>  
> 
> It describes how vulnerability management is handled at a high level for 
> Kolla. When we are ready, I want the kolla delivery repos vulnerabilities to 
> be managed by the VMT team. By doing this, we standardize with other 
> OpenStack processes for handling security vulnerabilities. 
> 
For reference, the full process is described here:
https://security.openstack.org/vmt-process.html

> The first step is to form a kolla-coresec team, and create a separate 
> kolla-coresec tracker. I have already created the tracker for kolla-coresec 
> and the kolla-coresec team in launchpad: 
> 
> https://launchpad.net/~kolla-coresec 
> 
> https://launchpad.net/kolla-coresec 
> 
> I have a history of security expertise, and the PTL needs to be on the team 
> as an escalation point as described in the VMT tagging document above. I also 
> need 2-3 more volunteers to join the team. You can read the requirements of 
> the job duties in the vulnerability:managed tag. 
> 
> If you're interested in joining the VMT team, please respond on this thread. If 
> there are more than 4 individuals interested in joining this team, I will 
> form the team from the most active members based upon liberty + mitaka 
> commits, reviews, and PDE spent. 
> 
Note that the VMT team is global to openstack, I guess you are referring
to the Kolla VMT team (now known as kolla-coresec).


Regards,
-Tristan






Re: [openstack-dev] [kolla][security] Obtaining the vulnerability:managed tag

2016-03-01 Thread Ryan Hallisey
Hello,

I have experience writing selinux policy. My plan was to write the selinux 
policy for Kolla in the next cycle.  I'd be interested in joining if that fits 
the criteria here.

Thanks,
-Ryan

- Original Message -
From: "Steven Dake (stdake)" 
To: "OpenStack Development Mailing List (not for usage questions)" 

Sent: Tuesday, March 1, 2016 11:55:55 AM
Subject: [openstack-dev] [kolla][security] Obtaining the
vulnerability:managed tag

Core reviewers, 

Please review this document: 
https://github.com/openstack/governance/blob/master/reference/tags/vulnerability_managed.rst
 

It describes how vulnerability management is handled at a high level for Kolla. 
When we are ready, I want the kolla delivery repos vulnerabilities to be 
managed by the VMT team. By doing this, we standardize with other OpenStack 
processes for handling security vulnerabilities. 

The first step is to form a kolla-coresec team, and create a separate 
kolla-coresec tracker. I have already created the tracker for kolla-coresec and 
the kolla-coresec team in launchpad: 

https://launchpad.net/~kolla-coresec 

https://launchpad.net/kolla-coresec 

I have a history of security expertise, and the PTL needs to be on the team as 
an escalation point as described in the VMT tagging document above. I also need 
2-3 more volunteers to join the team. You can read the requirements of the job 
duties in the vulnerability:managed tag. 

If you're interested in joining the VMT team, please respond on this thread. If 
there are more than 4 individuals interested in joining this team, I will form 
the team from the most active members based upon liberty + mitaka commits, 
reviews, and PDE spent. 

Regards 
-steve 

