[Bug 1616764] Re: [MIR] python-oslo.privsep
Corey Bryant
corey.bryant at canonical.com
Thu Sep 29 18:05:56 UTC 2016
This took some work to find the right person to chat with upstream about
the 'vulnerability:managed' tag.
tldr: Security support is always provided by the individual projects
regardless of this tag. Projects tagged with 'vulnerability:managed' get a
more strict/rigorous process for their disclosure and reporting.
Here's my chat with Jeremy Stanley <fungi> in #openstack-oslo:
<coreycb> fungi, hi
<coreycb> fungi, I'm looking at this and trying to figure out if only oslo.config gets security support: https://governance.openstack.org/reference/projects/oslo.html#oslo-privsep
<coreycb> fungi, ie. 'vulnerability:managed' tag
<coreycb> fungi, the problem I'm running into is our distro security team is hesitant to support a package if upstream doesn't provide security support for it
<coreycb> oslo.privsep is the package I'm trying to get security support for
<fungi> coreycb: security "support" is on the individual project developer teams to provide, though if it's tagged as "vulnerability:managed" then our central vulnerability management team provides oversight and imposes a more strict/rigorous process for their disclosure and reporting
<fungi> in the end though, it still winds up being the developers on each project who produce the security fixes and backports
<coreycb> fungi, ok that clears it up, thanks
<fungi> coreycb: the vmt's process is documented at https://security.openstack.org/vmt-process.html and we encourage teams to follow it even for deliverables without vulnerability:managed
<fungi> and we also still consult with teams on issues the vmt isn't overseeing, as time permits
<coreycb> fungi, ok so in the end if a CVE is reported for say, oslo.privsep, you'd expect the oslo.privsep developers to handle that appropriately and consult with the VMT if needed
<fungi> coreycb: correct
<coreycb> fungi, it does seem like there should be an effort for security sensitive projects to be tagged 'vulnerability:managed', like oslo.privsep. but i imagine it's also a resource issue as everything is.
<fungi> though generally a cve wouldn't be reported to the oslo.privsep team so much as a suspected vulnerability would be reported and then they would request a cve assignment for it
<fungi> coreycb: sure, oslo.privsep is relatively new too, so i think its authors simply haven't sought that level of assistance out yet
<fungi> coreycb: and we're still in the last stages of hashing out a threat analysis process for deliverables that want direct vmt oversight. we used to personally review the source of each before taking it on, but as the project has scaled up that's not something a handful of already busy people can tackle so we're trying to collaborate on a way that projects can work together on analyzing themselves and each other
<coreycb> fungi, I completely understand that
<coreycb> fungi, thanks for the discussion
<fungi> the openstack security team (of which the vmt is only a small part) have embarked on a http://git.openstack.org/cgit/openstack/security-analysis/ repo where standardized analyses can be curated
<fungi> which will make it easier for the vmt to be directly involved in reported vulnerabilities for more deliverables in the future
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-oslo.privsep in Ubuntu.
https://bugs.launchpad.net/bugs/1616764
Title:
[MIR] python-oslo.privsep
Status in python-oslo.privsep package in Ubuntu:
New
Bug description:
[Availability]
In universe
[Rationale]
New dependency for OpenStack projects
[Security]
No security history
[Quality assurance]
Package builds py2 and py3 modules, unit tests run for both.
[Dependencies]
All in main
[Standards compliance]
OK
[Maintenance]
ubuntu-openstack
[Background information]
This library helps applications perform actions which require more or less privileges than they were started with in a safe, easy to code and easy to use manner. For more information on why this is generally a good idea please read over the principle of least privilege and the specification which created this library. (taken from upstream)
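The pattern the background paragraph describes, a privileged helper that exposes only a fixed set of named operations to an unprivileged caller, is easier to see in code. The following is an added illustration written for this page; it is not oslo.privsep's own code and not part of the Ubuntu package. It forks a helper process and talks to it over a socketpair with length-framed JSON; the helper executes only functions registered in ENTRYPOINTS and validates arguments on its own side, never trusting the caller. Because the helper here simply inherits the caller's uid (dropping to a bounded capability set, as the real library does, needs root), the demo runs unprivileged. The names PrivContext, entrypoint, helper_uid, read_text and demo, and the sample config file, are assumptions of this example.

```python
"""Minimal privilege-separation helper (added example, not oslo.privsep's code).

Assumptions (not from the page): the helper is a forked child that keeps the
caller's uid, the transport is a socketpair with 4-byte length-prefixed JSON,
and only functions registered in ENTRYPOINTS can be invoked.
"""
import json
import os
import socket
import struct
import tempfile

# The only operations reachable from the unprivileged side. The helper never
# evaluates code or shell strings sent by the caller; it dispatches by name.
ENTRYPOINTS = {}
# Policy the helper enforces. It is set in the child only, so the caller's
# copy stays None and cannot be edited to widen what the helper will do.
_POLICY = {"allowed_root": None}


class PrivsepError(Exception):
    """Raised on the caller side when the helper refuses or fails a call."""


def entrypoint(func):
    """Register func as callable through the helper."""
    ENTRYPOINTS[func.__name__] = func
    return func


@entrypoint
def helper_uid():
    """Report which uid the helper runs as (same as the caller in this demo)."""
    return os.getuid()


@entrypoint
def read_text(path):
    """Read a file, but only from under the helper's allowed root.

    realpath() collapses '..' and symlinks before the containment check, so
    the check is made on the path that will actually be opened.
    """
    root = os.path.realpath(_POLICY["allowed_root"])
    real = os.path.realpath(path)
    if os.path.commonpath([real, root]) != root:
        raise PermissionError("path outside allowed root: %s" % path)
    with open(real) as fh:
        return fh.read()


def _send(sock, obj):
    data = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(data)) + data)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None  # peer closed the socket
        buf += chunk
    return buf


def _recv(sock):
    header = _recv_exact(sock, 4)
    if header is None:
        return None
    (length,) = struct.unpack("!I", header)
    body = _recv_exact(sock, length)
    return None if body is None else json.loads(body)


def _serve(sock, allowed_root):
    """Helper-side loop: dispatch requests to registered entrypoints only."""
    _POLICY["allowed_root"] = allowed_root
    while True:
        req = _recv(sock)
        if req is None:
            break  # caller went away; exit the helper
        func = ENTRYPOINTS.get(req.get("name"))
        if func is None:
            _send(sock, {"error": "no such entrypoint: %r" % req.get("name")})
            continue
        try:
            _send(sock, {"result": func(*req.get("args", []))})
        except Exception as exc:  # report the failure, keep serving
            _send(sock, {"error": "%s: %s" % (type(exc).__name__, exc)})


class PrivContext:
    """Caller-side handle: starts the helper and forwards named calls to it."""

    def __init__(self, allowed_root):
        self._allowed_root = allowed_root
        self._sock = None
        self._pid = None

    def start(self):
        caller_end, helper_end = socket.socketpair()
        pid = os.fork()
        if pid == 0:  # helper process
            caller_end.close()
            try:
                _serve(helper_end, self._allowed_root)
            finally:
                os._exit(0)
        helper_end.close()
        self._sock, self._pid = caller_end, pid

    def call(self, name, *args):
        _send(self._sock, {"name": name, "args": list(args)})
        reply = _recv(self._sock)
        if reply is None:
            raise PrivsepError("helper exited unexpectedly")
        if "error" in reply:
            raise PrivsepError(reply["error"])
        return reply["result"]

    def stop(self):
        self._sock.close()
        os.waitpid(self._pid, 0)


def demo():
    """Exercise the helper with one allowed call and two refused ones."""
    out = {}
    with tempfile.TemporaryDirectory() as root:
        sample = os.path.join(root, "managed.conf")  # constructed sample file
        with open(sample, "w") as fh:
            fh.write("vulnerability:managed = no\n")
        ctx = PrivContext(allowed_root=root)
        ctx.start()
        try:
            out["uid_matches"] = ctx.call("helper_uid") == os.getuid()
            out["allowed_read"] = ctx.call("read_text", sample)
            try:  # not a registered entrypoint: refused by name
                ctx.call("os.system", "id")
                out["refused_unknown"] = "allowed"
            except PrivsepError as exc:
                out["refused_unknown"] = exc.args[0]
            try:  # registered, but argument fails helper-side validation
                ctx.call("read_text", "/etc/hostname")
                out["refused_outside"] = "allowed"
            except PrivsepError as exc:
                out["refused_outside"] = exc.args[0]
        finally:
            ctx.stop()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-16s %r" % (key, value))
```

The two refusals are the point: an unregistered name is rejected before anything runs, and a registered function still checks its own arguments against policy held in the helper, because the caller is the untrusted side. A real deployment would additionally start the helper with elevated privileges and shed what it does not need, which this unprivileged demo leaves out.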