Security/Security Note Process


Revision as of 04:07, 13 January 2014

This page describes the process that should be followed for writing and publishing an OpenStack Security Note (OSSN). This page is intended to be used by members of the OpenStack Security Group.

Writing

Template

The following can be used as a template for writing a new Security Note. This is the format that should be used for publishing to the OpenStack mailing lists.

Title (single sentence)
---

### Summary ###
A few sentences describing the issue at a high level.

### Affected Services / Software ###
A comma-separated list of affected services and OpenStack releases.
 
### Discussion ###
A detailed discussion of the problem.  This should have enough detail that the person reading can determine
if their deployment is affected, when the problem was introduced, and what types of attacks/problems an
affected deployment would be exposed to.

### Recommended Actions ###
A detailed description of what can be done to remediate the problem (if possible).  If the recommendation
involves configuration changes, example snippets of configuration files should be included here.

### Contacts / References ###
This OSSN : <link to launchpad OSSN bug>
Original LaunchPad Bug : <link to launchpad bug for affected project/service>
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
CVE: <CVE number if one was filed>

Reviewing

A Security Note should be reviewed by at least one other member of the OpenStack Security Group as well as the PTL from any projects related to the Security Note. When a Security Note is ready for review, the draft should be entered as a comment in the OSSN bug in Launchpad. The reviewers should give their approval or feedback on required changes in the Launchpad bug.

Publishing

Once a Security Note has been approved by the appropriate reviewers, it is ready to be published. Security Notes are published to the OpenStack mailing lists and the OpenStack wiki.

Mailing Lists

Security Notes should be sent to the following mailing lists:

  • openstack-dev@lists.openstack.org
  • openstack@lists.openstack.org

The e-mails should be signed, and the subject should be in the form of [OSSG][OSSN] OSSN Title. The body of the e-mail should use the format from the template above.

Wiki

Once a Security Note has been published to the mailing list, it should be published on the OpenStack wiki. Each Security Note gets its own wiki page, which is then linked to from the Security Notes wiki page. The new Security Note wiki page location should be OSSN/launchpad bug number.

Post-mortem Tasks

Once a Security Note has been published, it is a good idea to see if the OpenStack Security Guide or Security Guidelines could be improved to help prevent issues similar to the issue from the Security Note.