Initial Security Process draft


Ashlee <ashlee@...>

Hi Everyone,

This week is pretty crazy with the OPNFV Hackfest and with ONS. I’ve attached an initial draft of the security process. I still need to work out the flows, but since they’re kinda dependent on whether or not we agree to my initial assumptions, I thought this would be a good place for some initial feedback. 

My wife and I found out a couple days ago that our daughter is getting an honor roll award at 8am this morning, so I will not be able to attend the TSC call. I do plan to be on the next one, on the 25th. 

I’m happy to have a call with anyone interested in discussing the slides, or we can have an IRC or other type of chat. Email also works.

Best,

Ash



Joel Halpern

The later parts of this looked philosophically correct (we need a way to get reports and react to them, …)

I am a little confused about the earlier part of the deck, as it seems to be about protecting the project resources themselves from attacks.  While important, my understanding is that such was the LF responsibility.  We can report problems, but it is not a TSC task.


Yours,

Joel


From: tsc-bounces@... [mailto:tsc-bounces@...] On Behalf Of Ashlee
Sent: Thursday, March 17, 2016 1:39 PM
To: tsc@...
Subject: [tsc] Initial Security Process draft


Ashlee <ashlee@...>

Hi Joel,

If that’s the decision of the TSC, I can totally understand. In OPNFV, we were recently compromised when malware struck our Wiki. We lost several days of being able to post pertinent release updates or other information when that hit. My understanding is that while LF does provide hosting and other resources for us, we do have the ability to override certain default selections, for example the use of MediaWiki vs. the de facto wiki solution.

Not a biggie for me. Just thought we might want to have a policy that supports when we have an opinion. Also, I think the tools will also help determine how we can actually support the later part of the deck. 

Hope this explanation helps.

Best,

Ash

From: Joel Halpern <joel.halpern@...>
Date: Thursday, March 17, 2016 at 6:36 AM
To: Ashlee <ashlee@...>, "tsc@..." <tsc@...>
Subject: RE: Initial Security Process draft


Joel Halpern

I did not realize there were any meaningful choices to be made in terms of protecting the project.

Given that there are choices, we should consider the issue, rather than just letting it slide.

I do consider it a separate issue from the security process for getting, processing, and resolving security issues in the code itself.


Yours,

Joel


From: Ashlee [mailto:ashlee@...]
Sent: Thursday, March 17, 2016 2:58 PM
To: Joel Halpern; tsc@...
Subject: Re: Initial Security Process draft


Ashlee Young <ashlee@...>

Understood. Thank you for the feedback!!!

On Thu, Mar 17, 2016 at 7:18 AM -0700, "Joel Halpern" <joel.halpern@...> wrote: