[resolution] Extend scope of VMT to cover all project teams
Change-Id: Ib43644523b85f2b778b985948ec49f1b7a937ac8
@@ -35,7 +35,8 @@ Each Cycle
<https://etherpad.opendev.org/p/tc-xena-tracker>`__
* Update the etherpad link in the `wiki
<https://wiki.openstack.org/wiki/Technical_Committee_Tracker>`__
* Nominate two members of the TC to be a part of the OpenStack Vulnerability
Management team.
* Check on the active goals and, if there is no active goal, then ensure
that 2 TC members are signed up to manage the goal selection process.
* Ensure PTI and testing runtime update is done.
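Review bot: the new checklist bullet describes the two TC nominees as "a part of the OpenStack Vulnerability Management team", but the resolution added in this same change describes them as representatives who "interface with the OpenStack VMT", whose primary responsibility is keeping project teams attentive and responsive, with participation in bug triage only optional. The checklist wording overstates the role; suggest rewording to something like `* Nominate two members of the TC to act as liaisons to the OpenStack Vulnerability Management team.` and linking the bullet to the 2025-03-17 resolution so the scope of the duty is discoverable from the per-cycle checklist.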
67
resolutions/20250317-extend-scope-VMT-cover-all-projects.rst
Normal file
@@ -0,0 +1,67 @@
=====================================================
2025-03-17 Extend scope of VMT to cover all projects
=====================================================
The OpenStack `vulnerability management team (VMT)`_ is responsible
for vulnerability management practices across most OpenStack
project repositories. The team coordinates the progressive disclosure
of vulnerabilities by working with bug reporters, project contributors
and project maintainers. Their work is crucial not only in handling
different classes of security issues in or related to the
OpenStack code base, but also in ensuring a common entry point and a
consistent process around such issues. This consistency is essential to
users, operators and developers of OpenStack since they needn't be burdened
from following team-specific processes, intentionally or
inadvertently violating disclosures because of differences in security
processes between different OpenStack project teams.
Historically, OpenStack teams have been encouraged to work with the
`OpenStack Security SIG`_, which includes the VMT, by opting-into this security
process. VMT's oversight has been restricted to deliverables from a `subset of
OpenStack project teams`_.
The OpenStack Technical Committee resolves to extend the mandate of the
OpenStack Vulnerability Management Team, and add all
:doc:`/reference/projects/index` under their purview.
This resolution does not automatically bring all code repositories
under the ``openstack/`` namespace on opendev.org under VMT. Individual project
teams retain the discretion to determine which repositories should be subject
to vulnerability management.
The VMT commits its efforts to the ``master`` branch (the primary development
branch) and all `maintained`_ stable branches. This resolution does not
require the VMT to extend vulnerability management to any other code branches.
This resolution requires OpenStack project teams to:
- nominate a security liaison for their projects. This is already
a requirement of teams following
:doc:`/reference/distributed-project-leadership`. Project team leaders
must update the `VMT liaisons`_ list and ensure it remains current
through each release cycle.
- ensure that project bug trackers follow the VMT guidelines including
defining a ``<project>-coresec`` team and granting access to the
`VMT Launchpad team`_ to view private security bugs in the project.
- ensure that project bug trackers, project teams and the above-mentioned
``coresec`` groups on https://launchpad.net are owned by
``OpenStack Administrators``.
- limit membership in the project’s coresec group to a small subset of
trusted contributors and update the group each release cycle by
removing inactive members.
In rare occasions, project teams may not comply to the guidelines of the VMT,
such as respecting bug embargo timelines, or responding to questions
on bug reports within a reasonable timeframe. With each term of the
OpenStack TC, we resolve to nominate two representatives to interface with the
OpenStack VMT. These members may participate in triaging security bugs and
helping with the VMT process, however, the primary responsibility would be to
ensure that project teams are attentive and responsive through the
vulnerability management process.
.. _vulnerability management team (VMT): https://docs.openstack.org/project-team-guide/vulnerability-management.html
.. _subset of OpenStack project teams: https://opendev.org/openstack/ossa/src/commit/dca905784d01aace07e35bac7cb9bc8d87891cbb/doc/source/repos-overseen.rst
.. _OpenStack Security SIG: https://wiki.openstack.org/wiki/Security-SIG
.. _VMT liaisons: https://wiki.openstack.org/wiki/CrossProjectLiaisons#Vulnerability_management
.. _maintained: https://docs.openstack.org/project-team-guide/stable-branches.html
.. _VMT Launchpad team: https://launchpad.net/~openstack-vuln-mgmt
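Review bot: the compliance paragraph near the end of the new file carries wording errors a governance resolution should not keep: `In rare occasions, project teams may not comply to the guidelines of the VMT,` should read `On rare occasions, project teams may not comply with the VMT guidelines,`, and `helping with the VMT process, however, the primary responsibility would be to` is a comma splice that reads better as `helping with the VMT process. However, their primary responsibility is to`. In the first paragraph, `they needn't be burdened from following team-specific processes` should be `burdened with following`, and `opting-into this security process` should be unhyphenated (`opting into`). Separately, the continuation lines of the requirement list (for example `a requirement of teams following`) appear here without indentation; confirm that is a display artifact of the side-by-side view and that the committed file indents them under their bullet, otherwise the rST list does not render.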