
Security/Security Note Process

Revision as of 03:11, 7 March 2014 by Nkinder (talk | contribs) (Publishing)

This page describes the process that should be followed for writing and publishing an OpenStack Security Note (OSSN). This page is intended to be used by members of the OpenStack Security Group.

Writing

When writing a new Security Note, you should ensure that the target audience will be able to clearly answer the following questions once they have read the Security Note:

  • What is the issue?
  • Is my deployment affected?
  • What are the ramifications if my deployment is affected?
  • What can I do to correct or avoid the issue?

To ensure that the Security Note is technically correct, you should reach out to the developers involved if any clarification is needed. Much of the required technical information is usually in the Launchpad bug already, but additional information is often needed to produce a thorough Security Note.

You should also check the new Security Note for the following issues:

  • Correct spelling
  • Proper grammar
  • Acronyms avoided, or defined when first used in the Security Note

Template

The following can be used as a template for writing a new Security Note. This is the format that should be used for publishing to the OpenStack mailing lists. The line length should be limited to 72 characters, with the exception of example snippets of configuration files and long links in the Contacts / References section. Keeping lines short prevents the line-wrapping problems that popular PGP mail client software can introduce, which would otherwise break the formatting of the signed message.

Title (single sentence)
---

### Summary ###
A few sentences describing the issue at a high level.

### Affected Services / Software ###
A comma separated list of affected services and OpenStack releases.

### Discussion ###
A detailed discussion of the problem.  This should have enough detail
that the person reading can determine if their deployment is affected,
when the problem was introduced, and what types of attacks/problems
an affected deployment would be exposed to.

### Recommended Actions ###
A detailed description of what can be done to remediate the problem (if
possible).  If the recommendation involves configuration changes,
example snippets of configuration files should be included here.

### Contacts / References ###
This OSSN : <link to OSSN on wiki>
Original LaunchPad Bug : <link to launchpad bug for affected project/service>
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
CVE: <CVE number if one was filed>
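As an added example (not part of this wiki page or of any OSSG tooling), the following Python linter checks a draft against the template above: the title underline, the five section headings in order, the 72-character limit with the Contacts / References exception, leftover angle-bracket placeholders, and the required reference entries. It assumes that configuration snippets are indented by two spaces; that convention is the linter's own, not the page's, and the sample draft is constructed.

```python
import re

SECTIONS = ["Summary", "Affected Services / Software", "Discussion",
            "Recommended Actions", "Contacts / References"]  # template order
HEADING = re.compile(r"^### (.+) ###$")
MAX_LINE = 72  # keeps PGP-signed mail from being re-wrapped by mail clients

def lint_ossn(text):
    """Return the problems found in an OSSN draft (empty list = passes)."""
    lines, problems, section = text.strip("\n").splitlines(), [], None
    if len(lines) < 2 or lines[1] != "---":
        problems.append("title must be one line followed by '---'")
    found = [m.group(1) for m in map(HEADING.match, lines) if m]
    if found != SECTIONS:
        problems.append("sections missing or out of order: %s" % found)
    for n, line in enumerate(lines, 1):
        m = HEADING.match(line)
        if m:
            section = m.group(1)
            continue
        # Long links allowed under Contacts / References; config snippets assumed indented
        exempt = section == "Contacts / References" or line.startswith("  ")
        if len(line) > MAX_LINE and not exempt:
            problems.append("line %d is %d chars (limit %d)" % (n, len(line), MAX_LINE))
        if re.search(r"<[^>]* [^>]*>", line):  # unfilled <link to ...> placeholder
            problems.append("line %d still has a template placeholder" % n)
    for label in ("This OSSN :", "Original LaunchPad Bug :", "CVE:"):
        if not any(l.startswith(label) for l in lines):
            problems.append("Contacts / References lacks '%s'" % label)
    return problems

SAMPLE = """Example issue title for a constructed draft
---
### Summary ###
A few sentences describing the issue at a high level.

### Affected Services / Software ###
example-service, all releases

### Discussion ###
When the problem was introduced and what an affected deployment risks.

### Recommended Actions ###
Disable the option in the service configuration file.

### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0000
Original LaunchPad Bug : https://bugs.launchpad.net/example/+bug/0000000
CVE: none filed
"""  # constructed sample draft, not a real OSSN
```

Running `lint_ossn` on a draft before posting it to the OSSN bug for review catches the formatting issues that reviewers would otherwise have to point out by hand.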

Reviewing

A Security Note should be reviewed by at least one other member of the OpenStack Security Group as well as the PTL from any projects related to the Security Note. When a Security Note is ready for review, the draft should be entered as a comment in the OSSN bug in Launchpad. The reviewers should give their approval or feedback on required changes in the Launchpad bug.

Publishing

Once a Security Note has been approved by the appropriate reviewers, it is ready to be published. Security Notes are published to the OpenStack wiki and the OpenStack mailing lists.

Wiki

Before publishing a Security Note to the mailing lists, it should be published on the OpenStack wiki. This allows the e-mail version of the Security Note to contain a link to the wiki that is immediately accessible. Each Security Note gets its own wiki page, which is then linked to from the Security Notes wiki page. The new Security Note wiki page location should be OSSN/OSSN-number. The numbering scheme is simply a 4-digit integer that is incremented each time a new OSSN is published. You can look at the previously posted Security Notes to see what the next free number is.

A template for publishing a Security Note on the OpenStack wiki with the proper wiki markup is available here. It is a good idea to preview your wiki page first to see if any additional wiki formatting can be done to improve readability.

Mailing Lists

Once a Security Note has been published on the wiki, it should be sent to the following mailing lists:

  • openstack-dev@lists.openstack.org
  • openstack@lists.openstack.org

The e-mails should be signed, and the subject should be in the form of [OSSG][OSSN] OSSN Title. The body of the e-mail should use the format from the template above.

Post-mortem Tasks

Once a Security Note has been published, it is a good idea to see if the OpenStack Security Guide or Security Guidelines could be improved to help prevent issues similar to the issue from the Security Note.