Merge "Update vulnerability:managed tag for deliverables"
commit
fdd01af705
@ -11,14 +11,14 @@
|
||||
=======================
|
||||
|
||||
This tag is part of the vulnerability-classification system for
|
||||
vulnerability reporting and tracking across source code
|
||||
repositories. ``vulnerability:managed`` indicates that a
|
||||
repository's vulnerability report reception and disclosure are
|
||||
vulnerability reporting and tracking across project
|
||||
deliverables. ``vulnerability:managed`` indicates that a
|
||||
deliverable's vulnerability report reception and disclosure are
|
||||
handled directly by the OpenStack Vulnerability Management team
|
||||
(VMT).
|
||||
|
||||
|
||||
Application to current repositories
|
||||
Application to current deliverables
|
||||
===================================
|
||||
|
||||
.. tagged-projects:: vulnerability:managed
|
||||
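Review bot: "deliverable" is introduced in the opening paragraph ("vulnerability reporting and tracking across project deliverables") without a definition or a pointer to where deliverables are enumerated, so a reporter who only knows a repository name cannot tell from this text whether the VMT handles it. Suggest adding one sentence that defines the term, or that says how a repository maps to a deliverable, near the "Application to current deliverables" heading.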
@ -28,10 +28,10 @@ Rationale
|
||||
=========
|
||||
|
||||
The VMT is building out automation and reporting for vulnerability
|
||||
management processes in order to better accomodate the rapid growth
|
||||
of the OpenStack ecosystem. In an order to scale consumability of
|
||||
management processes in order to better accommodate the rapid growth
|
||||
of the OpenStack ecosystem. In an order to scale availability of
|
||||
its processes beyond its current charter and capacity, a formal
|
||||
acknowledgement of the list of source code repositories directly
|
||||
acknowledgement of the list of project deliverables directly
|
||||
handled by the VMT (rather than managed independently by individual
|
||||
project teams) is best maintained through application of a
|
||||
governance-related tag.
|
||||
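Review bot: the rewritten line "of the OpenStack ecosystem. In an order to scale availability of" still carries a stray article, and "In an order to" should read "In order to". The line is already being touched for the "consumability" wording and the "accommodate" spelling fix, so correct it in the same change.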
@ -110,7 +110,7 @@ Tag application process
|
||||
=======================
|
||||
|
||||
Anyone may propose adding or removing this tag to a set of
|
||||
repositories by proposing a change to the openstack/governance
|
||||
deliverables by proposing a change to the openstack/governance
|
||||
repository. The change is reviewed by the VMT and Technical
|
||||
Committee and approved using standard resolution approval rules,
|
||||
including discussion at at least one Technical Committee public IRC
|
||||
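Review bot: the first sentence of "Tag application process" reads "adding or removing this tag to a set of deliverables", where "removing ... to" does not parse. Since the noun on that line is being changed anyway, suggest "adding this tag to, or removing it from, a set of deliverables".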
@ -121,7 +121,7 @@ Deprecation
|
||||
===========
|
||||
|
||||
The ``vulnerability:managed`` tag should only be removed from
|
||||
repositories under extreme circumstances, when the VMT is no longer
|
||||
deliverables under extreme circumstances, when the VMT is no longer
|
||||
able to adequately handle these vulnerabilities. Care should be
|
||||
taken to only discontinue vulnerability management for future
|
||||
non-patch releases, while continuing to handle vulnerabilities on
|
||||
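Review bot: in the Deprecation paragraph, "these vulnerabilities" on the line after the changed one has no antecedent, because the preceding clause only mentions deliverables. Suggest "vulnerabilities reported against them" so the sentence states what the VMT would stop handling.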