)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"02eadf1a34961fbd954e0d734c46a46b515f95c5","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"221cc8a9_823da04f","updated":"2025-04-15 17:44:02.000000000","message":"Adding my own vote","commit_id":"ace630c1eb24b58bc5ad3dd53b6dd113b6b49cb9"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"ede77467b5b497d7fb19bd5fb05b001ae12956e1","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"545859b8_306a3192","updated":"2025-04-16 13:55:55.000000000","message":"Practical question inline, but I agree with the overall direction of this proposal.","commit_id":"ace630c1eb24b58bc5ad3dd53b6dd113b6b49cb9"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"bc2bceec6846ca2396f1346060d82c92edb79390","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"3e23e575_241c7c82","updated":"2025-04-15 19:02:48.000000000","message":"We had a discussion on the previous TC PTG session and we eventually had a consensus for this governance change. Lemme proxy my +RV vote now 😊","commit_id":"ace630c1eb24b58bc5ad3dd53b6dd113b6b49cb9"},{"author":{"_account_id":13252,"name":"Dr. 
Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"828babf098f8f5e0af4308726a80c895b2411238","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"57cedb99_1e89d483","updated":"2025-03-28 09:08:22.000000000","message":"lgtm and I vote to apply it as-is","commit_id":"ace630c1eb24b58bc5ad3dd53b6dd113b6b49cb9"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"b55ba62eea6bb3e07b8cc7078f03d3cd24eb6305","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"ac173303_b8117d35","updated":"2025-04-23 12:02:19.000000000","message":"Revision LGTM.","commit_id":"33b93b806f871c89869bd07343c16ff623ec191a"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"3db257a10b26c3136f9d679c5f8809e34cf9a72e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"931cbcd9_ceb49355","updated":"2025-04-22 17:02:33.000000000","message":"Thank you all for your comments/review. The latest patch removes the \"vulnerability-managed\" annotation proposed to projects.yaml. Like it\u0027s mentioned in the comments so far, we have not had a reason yet to require such a thing. 
This can be revisited in the future","commit_id":"33b93b806f871c89869bd07343c16ff623ec191a"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"493eec5edce388b229ce82b69070ed856cdf7ad0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"ff0d3904_7fecb2f0","updated":"2025-04-30 20:30:44.000000000","message":"This has had sufficient soak time, lets get this in and act on further steps:\n\n1) VMT documentation changes - i assume this will be handled by the VMT; i could help review and fix missing/mis information\n2) VMT/TC Liaisons - We\u0027ll list these on https://wiki.openstack.org/wiki/CrossProjectLiaisons#Vulnerability_management\n3) Work with project teams on securing their coresec teams, fixing project trackers to properly route security bugs through the VMT, listing liaisons properly on https://wiki.openstack.org/wiki/CrossProjectLiaisons#Vulnerability_management - the target is to have this completed by the time the Flamingo release cycle ends.","commit_id":"33b93b806f871c89869bd07343c16ff623ec191a"},{"author":{"_account_id":7166,"name":"Sylvain Bauza","email":"sbauza@redhat.com","username":"sbauza"},"change_message_id":"3e5f24c4da3b506acf343d9ce1b5cf02cc2d1d2f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"e6e8d343_47e18a5a","updated":"2025-04-22 17:11:37.000000000","message":"We have a consensus here I think and as I said in the TC meeting, I volunteer for a TC/VMT liaison","commit_id":"33b93b806f871c89869bd07343c16ff623ec191a"},{"author":{"_account_id":8556,"name":"Ghanshyam Maan","display_name":"Ghanshyam Maan","email":"gmaan.os14@gmail.com","username":"ghanshyam"},"change_message_id":"3f48b353a9ff47596e0a3fe935288c9b36e49c31","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"1e9068d1_8300f0b9","updated":"2025-04-28 19:44:45.000000000","message":"lgtm, finding liaison can be 
challenging but this is good first step.","commit_id":"33b93b806f871c89869bd07343c16ff623ec191a"},{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"e4f457315ab83f4b0790eef585e0609f20fae9af","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"037aac2f_8674f844","updated":"2025-04-22 17:01:50.000000000","message":"thx","commit_id":"33b93b806f871c89869bd07343c16ff623ec191a"}],"resolutions/20250317-extend-scope-VMT-cover-all-projects.rst":[{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"318934b532f9656b58da8f769e0b3d290ae6f591","unresolved":true,"context_lines":[{"line_number":49,"context_line":" `OpenStack Administrators`."},{"line_number":50,"context_line":"- add only a small subset of project contributors to the project\u0027s `coresec`"},{"line_number":51,"context_line":"  group, and ensure that group is updated through each release cycle by"},{"line_number":52,"context_line":"  removing any inactive project contributors."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":".. _vulnerability management team (VMT): https://docs.openstack.org/project-team-guide/vulnerability-management.html"},{"line_number":55,"context_line":".. _subset of OpenStack project teams: https://opendev.org/openstack/ossa/src/commit/dca905784d01aace07e35bac7cb9bc8d87891cbb/doc/source/repos-overseen.rst"}],"source_content_type":"text/x-rst","patch_set":1,"id":"a02d7e91_36404ebf","line":52,"updated":"2025-03-17 22:47:30.000000000","message":"This resolution should include, IMO, specific fallbacks for when a project inevitably lets a security bug sit untriaged for a significant period of time. Will there be a TC liason, or TC members, who will serve as this fallback? 
...or will we just embargo someones\u0027 report for 90 days to do nothing about it -- if that happens; we\u0027ll look sillier than if we had no process at all.","commit_id":"1c0ebd725847a8dfcb90044ab9946ecf34437c20"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"4e1185aa6c09bb4fa654ed9e2f7b1702e7cbc6dc","unresolved":true,"context_lines":[{"line_number":49,"context_line":" `OpenStack Administrators`."},{"line_number":50,"context_line":"- add only a small subset of project contributors to the project\u0027s `coresec`"},{"line_number":51,"context_line":"  group, and ensure that group is updated through each release cycle by"},{"line_number":52,"context_line":"  removing any inactive project contributors."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":".. _vulnerability management team (VMT): https://docs.openstack.org/project-team-guide/vulnerability-management.html"},{"line_number":55,"context_line":".. _subset of OpenStack project teams: https://opendev.org/openstack/ossa/src/commit/dca905784d01aace07e35bac7cb9bc8d87891cbb/doc/source/repos-overseen.rst"}],"source_content_type":"text/x-rst","patch_set":1,"id":"8d0da93f_da9a1b3a","line":52,"in_reply_to":"2758df9a_26ca9077","updated":"2025-03-21 19:57:05.000000000","message":"Do you have any proposals on how to resolve such a situation?\n\nBy making sure the TC actively participates in the VMT, we can apply the governance pressure on a project team to pay timely attention to a vulnerability report. I wouldn\u0027t expect someone from the VMT (including the TC members on it) to take the issue to closure.. if they do, it\u0027d be appreciated, but, we can\u0027t encode it as their responsibility.\n\nIF a project team (security liaison/s and PTL) are unresponsive even after the VMT (along with the TC members in it) trying its best, we must make the bug public. 
We have an existing VMT process to terminate embargo: https://security.openstack.org/vmt-process.html#abnormal-embargo-termination ; maybe we apply the same yardstick? We can then initiate processes to mark the project inactive, and eventually retire it: https://governance.openstack.org/tc/reference/dropping-projects.html \n\nI think we can add language in the guide above regarding failing to acknowledge security bugs/working with the VMT.","commit_id":"1c0ebd725847a8dfcb90044ab9946ecf34437c20"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"8b8dd3f01eba436b21a3821968cc5f813966907a","unresolved":true,"context_lines":[{"line_number":49,"context_line":" `OpenStack Administrators`."},{"line_number":50,"context_line":"- add only a small subset of project contributors to the project\u0027s `coresec`"},{"line_number":51,"context_line":"  group, and ensure that group is updated through each release cycle by"},{"line_number":52,"context_line":"  removing any inactive project contributors."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":".. _vulnerability management team (VMT): https://docs.openstack.org/project-team-guide/vulnerability-management.html"},{"line_number":55,"context_line":".. _subset of OpenStack project teams: https://opendev.org/openstack/ossa/src/commit/dca905784d01aace07e35bac7cb9bc8d87891cbb/doc/source/repos-overseen.rst"}],"source_content_type":"text/x-rst","patch_set":1,"id":"2758df9a_26ca9077","line":52,"in_reply_to":"2f8c4569_215f4a9b","updated":"2025-03-21 19:28:16.000000000","message":"I\u0027d be happy to document the escalation process in the ossa repo (and so on the security.o.o site) if we can settle on something. 
Right now the undocumented process for embargoed (private security bug) reports is that if it seems like the subscribed security review group hasn\u0027t noticed the bug then after an unspecified amount of time a vulnerability coordinator reaches out to the corresponding PTL or DPL security liaison either in IRC privmsg or by E-mail (also subscribing them to the bug if they\u0027re not a core security reviewer for their project). If the PTL/liaison is unresponsive or the bug still isn\u0027t getting commented on for a while after talking to them, then a vulnerability coordinator brings it up publicly in a vague manner with the TC (perhaps during their meeting) begging for a volunteer to look at it while trying not to disclose any details, possibly supplying some more context to interested TC members in private, and then hopefully subscribes anyone who steps forward.","commit_id":"1c0ebd725847a8dfcb90044ab9946ecf34437c20"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"a36b1b56e17df49b0ad40c78eac7b582a5fb0fcd","unresolved":true,"context_lines":[{"line_number":49,"context_line":" `OpenStack Administrators`."},{"line_number":50,"context_line":"- add only a small subset of project contributors to the project\u0027s `coresec`"},{"line_number":51,"context_line":"  group, and ensure that group is updated through each release cycle by"},{"line_number":52,"context_line":"  removing any inactive project contributors."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":".. _vulnerability management team (VMT): https://docs.openstack.org/project-team-guide/vulnerability-management.html"},{"line_number":55,"context_line":".. 
_subset of OpenStack project teams: https://opendev.org/openstack/ossa/src/commit/dca905784d01aace07e35bac7cb9bc8d87891cbb/doc/source/repos-overseen.rst"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7120c27b_d853fbda","line":52,"in_reply_to":"341688a4_cc6ae68d","updated":"2025-04-14 19:46:14.000000000","message":"Okay, it sounds like you\u0027re in agreement of the process... @fungi@yuggoth.org can i have your CR +1 as well if you agree, as the Security SIG chair?\n\nI\u0027ll also add the rest of the VMT contacts for further review","commit_id":"1c0ebd725847a8dfcb90044ab9946ecf34437c20"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"3db257a10b26c3136f9d679c5f8809e34cf9a72e","unresolved":false,"context_lines":[{"line_number":49,"context_line":" `OpenStack Administrators`."},{"line_number":50,"context_line":"- add only a small subset of project contributors to the project\u0027s `coresec`"},{"line_number":51,"context_line":"  group, and ensure that group is updated through each release cycle by"},{"line_number":52,"context_line":"  removing any inactive project contributors."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":".. _vulnerability management team (VMT): https://docs.openstack.org/project-team-guide/vulnerability-management.html"},{"line_number":55,"context_line":".. _subset of OpenStack project teams: https://opendev.org/openstack/ossa/src/commit/dca905784d01aace07e35bac7cb9bc8d87891cbb/doc/source/repos-overseen.rst"}],"source_content_type":"text/x-rst","patch_set":1,"id":"a9dd7718_d90287cb","line":52,"in_reply_to":"4c557ba5_8f369d4b","updated":"2025-04-22 17:02:33.000000000","message":"Resolving comment since we\u0027ve discussed this in good detail","commit_id":"1c0ebd725847a8dfcb90044ab9946ecf34437c20"},{"author":{"_account_id":13252,"name":"Dr. 
Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"4df554bd128b15073fe51063a4e4803f54261bce","unresolved":true,"context_lines":[{"line_number":49,"context_line":" `OpenStack Administrators`."},{"line_number":50,"context_line":"- add only a small subset of project contributors to the project\u0027s `coresec`"},{"line_number":51,"context_line":"  group, and ensure that group is updated through each release cycle by"},{"line_number":52,"context_line":"  removing any inactive project contributors."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":".. _vulnerability management team (VMT): https://docs.openstack.org/project-team-guide/vulnerability-management.html"},{"line_number":55,"context_line":".. _subset of OpenStack project teams: https://opendev.org/openstack/ossa/src/commit/dca905784d01aace07e35bac7cb9bc8d87891cbb/doc/source/repos-overseen.rst"}],"source_content_type":"text/x-rst","patch_set":1,"id":"341688a4_cc6ae68d","line":52,"in_reply_to":"4f908df4_ed8f9e8b","updated":"2025-04-11 16:19:34.000000000","message":"I think we could add a \"VMT liaison\" role within the TC, but having that fall back to TC (vice- +)chair when it is not defined seems like a good idea and would solve this issue immediately","commit_id":"1c0ebd725847a8dfcb90044ab9946ecf34437c20"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"29603fd47613329090578ef45e33a07208f26de2","unresolved":true,"context_lines":[{"line_number":49,"context_line":" `OpenStack Administrators`."},{"line_number":50,"context_line":"- add only a small subset of project contributors to the project\u0027s `coresec`"},{"line_number":51,"context_line":"  group, and ensure that group is updated through each release cycle by"},{"line_number":52,"context_line":"  removing any 
inactive project contributors."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":".. _vulnerability management team (VMT): https://docs.openstack.org/project-team-guide/vulnerability-management.html"},{"line_number":55,"context_line":".. _subset of OpenStack project teams: https://opendev.org/openstack/ossa/src/commit/dca905784d01aace07e35bac7cb9bc8d87891cbb/doc/source/repos-overseen.rst"}],"source_content_type":"text/x-rst","patch_set":1,"id":"4c557ba5_8f369d4b","line":52,"in_reply_to":"7120c27b_d853fbda","updated":"2025-04-16 15:23:33.000000000","message":"I talked about this a bit with Fungi today; he pointed out to me that even though Murano wasn\u0027t VMT-managed, we still effectively ran the response to that. It made me realize that should a bad situation happen, we\u0027re likely to be involved whether this resolution passes or not, so I\u0027m +1.","commit_id":"1c0ebd725847a8dfcb90044ab9946ecf34437c20"},{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"828babf098f8f5e0af4308726a80c895b2411238","unresolved":true,"context_lines":[{"line_number":49,"context_line":" `OpenStack Administrators`."},{"line_number":50,"context_line":"- add only a small subset of project contributors to the project\u0027s `coresec`"},{"line_number":51,"context_line":"  group, and ensure that group is updated through each release cycle by"},{"line_number":52,"context_line":"  removing any inactive project contributors."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":".. _vulnerability management team (VMT): https://docs.openstack.org/project-team-guide/vulnerability-management.html"},{"line_number":55,"context_line":".. 
_subset of OpenStack project teams: https://opendev.org/openstack/ossa/src/commit/dca905784d01aace07e35bac7cb9bc8d87891cbb/doc/source/repos-overseen.rst"}],"source_content_type":"text/x-rst","patch_set":1,"id":"e8baab4a_64d38b20","line":52,"in_reply_to":"8d0da93f_da9a1b3a","updated":"2025-03-28 09:08:22.000000000","message":"this is a good discussion, but to me it is kind of orthogonal to the patch under review, which is about extending the scope of the VMT. changing or better documenting the escalation process of the VMT could also be done by the VMT on its own and doesn\u0027t require an update to this resolution nor another one?","commit_id":"1c0ebd725847a8dfcb90044ab9946ecf34437c20"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"8410638bda35fcfa0b20f8b73d84830cf2d217b2","unresolved":false,"context_lines":[{"line_number":49,"context_line":" `OpenStack Administrators`."},{"line_number":50,"context_line":"- add only a small subset of project contributors to the project\u0027s `coresec`"},{"line_number":51,"context_line":"  group, and ensure that group is updated through each release cycle by"},{"line_number":52,"context_line":"  removing any inactive project contributors."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":".. _vulnerability management team (VMT): https://docs.openstack.org/project-team-guide/vulnerability-management.html"},{"line_number":55,"context_line":".. 
_subset of OpenStack project teams: https://opendev.org/openstack/ossa/src/commit/dca905784d01aace07e35bac7cb9bc8d87891cbb/doc/source/repos-overseen.rst"}],"source_content_type":"text/x-rst","patch_set":1,"id":"a97ade62_29a85a4f","line":52,"in_reply_to":"a02d7e91_36404ebf","updated":"2025-03-17 22:48:42.000000000","message":"(Not a hypothetical case either, this already happens.)","commit_id":"1c0ebd725847a8dfcb90044ab9946ecf34437c20"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"4ab20f1688968ecf0f5cf06529125405f5b8edc5","unresolved":true,"context_lines":[{"line_number":49,"context_line":" `OpenStack Administrators`."},{"line_number":50,"context_line":"- add only a small subset of project contributors to the project\u0027s `coresec`"},{"line_number":51,"context_line":"  group, and ensure that group is updated through each release cycle by"},{"line_number":52,"context_line":"  removing any inactive project contributors."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":".. _vulnerability management team (VMT): https://docs.openstack.org/project-team-guide/vulnerability-management.html"},{"line_number":55,"context_line":".. _subset of OpenStack project teams: https://opendev.org/openstack/ossa/src/commit/dca905784d01aace07e35bac7cb9bc8d87891cbb/doc/source/repos-overseen.rst"}],"source_content_type":"text/x-rst","patch_set":1,"id":"ebc8424f_31e10fe2","line":52,"in_reply_to":"a02d7e91_36404ebf","updated":"2025-03-18 05:19:27.000000000","message":"Indeed, that sounds like something we should codify so it\u0027s not ambiguous. We no longer have TC liaisons for specific projects (except those with DPLs), but, the TC is the backstop for all project governance. Disclosing an embargoed bug to the entire TC doesn\u0027t sound right, but, maybe the TC can nominate a subset to be participants of the OpenStack VMT? 
They can use their discretion and pull other folks in if necessary without breaking embargo. WDYT?","commit_id":"1c0ebd725847a8dfcb90044ab9946ecf34437c20"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"1e3542d6c23738014f53c5bac264c4308e08eb27","unresolved":true,"context_lines":[{"line_number":49,"context_line":" `OpenStack Administrators`."},{"line_number":50,"context_line":"- add only a small subset of project contributors to the project\u0027s `coresec`"},{"line_number":51,"context_line":"  group, and ensure that group is updated through each release cycle by"},{"line_number":52,"context_line":"  removing any inactive project contributors."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":".. _vulnerability management team (VMT): https://docs.openstack.org/project-team-guide/vulnerability-management.html"},{"line_number":55,"context_line":".. _subset of OpenStack project teams: https://opendev.org/openstack/ossa/src/commit/dca905784d01aace07e35bac7cb9bc8d87891cbb/doc/source/repos-overseen.rst"}],"source_content_type":"text/x-rst","patch_set":1,"id":"4f908df4_ed8f9e8b","line":52,"in_reply_to":"e8baab4a_64d38b20","updated":"2025-04-11 14:31:46.000000000","message":"I can easily codify the VMT\u0027s current escalation process in the ossa repo/on the security.o.o site. 
It can actually be inferred from the existing process documentation, but being explicit about it sounds like a great idea.\n\nThe bigger problem is that we have no clear guidance from the TC on how to safely escalate embargoed vulnerabilities in (thankfully rare) cases where a PTL or liaison is unresponsive; the only identified ways to reach out to the TC collectively are public channels, which becomes challenging.\n\nI suppose we could just stick all the TC member addresses listed on governance.o.o in the To: line of an E-mail, but that\u0027s far from ideal. Something like a published rota of TC members volunteering to serve as direct points of escalation would be much better, for example, because it serves to initially limit the number of individuals we\u0027d need to involve directly in discussion of sensitive details.\n\nAlternatively, we could just say that a VMT member will reach out directly to the TC chair, or a vice-chair if the chair is unavailable at that time, and make it a chair/VC responsibility to be that point of escalation (they can then pull in other TC members as desired).","commit_id":"1c0ebd725847a8dfcb90044ab9946ecf34437c20"},{"author":{"_account_id":22629,"name":"Michal Nasiadka","email":"mnasiadka@gmail.com","username":"mnasiadka"},"change_message_id":"f13974e8759a082f57debf9540ac0257f6a2d19d","unresolved":true,"context_lines":[{"line_number":49,"context_line":" `OpenStack Administrators`."},{"line_number":50,"context_line":"- add only a small subset of project contributors to the project\u0027s `coresec`"},{"line_number":51,"context_line":"  group, and ensure that group is updated through each release cycle by"},{"line_number":52,"context_line":"  removing any inactive project contributors."},{"line_number":53,"context_line":""},{"line_number":54,"context_line":".. _vulnerability management team (VMT): https://docs.openstack.org/project-team-guide/vulnerability-management.html"},{"line_number":55,"context_line":".. 
_subset of OpenStack project teams: https://opendev.org/openstack/ossa/src/commit/dca905784d01aace07e35bac7cb9bc8d87891cbb/doc/source/repos-overseen.rst"}],"source_content_type":"text/x-rst","patch_set":1,"id":"2f8c4569_215f4a9b","line":52,"in_reply_to":"ebc8424f_31e10fe2","updated":"2025-03-21 19:10:40.000000000","message":"Well, I think it would be sort of important to define what happens, if there\u0027s an embargoed security bug that is not picked up by project -coresec group in let\u0027s say a week or two?","commit_id":"1c0ebd725847a8dfcb90044ab9946ecf34437c20"},{"author":{"_account_id":5314,"name":"Brian Rosmaita","email":"rosmaita.fossdev@gmail.com","username":"brian-rosmaita"},"change_message_id":"ede77467b5b497d7fb19bd5fb05b001ae12956e1","unresolved":true,"context_lines":[{"line_number":40,"context_line":"  :doc:`/reference/distributed-project-leadership`. Project team leaders"},{"line_number":41,"context_line":"  must update the `VMT liaisons`_ list and ensure it remains current"},{"line_number":42,"context_line":"  through each release cycle."},{"line_number":43,"context_line":"- define what deliverables are vulnerability managed by editing `projects"},{"line_number":44,"context_line":"  .yaml` in the openstack/governance repository."},{"line_number":45,"context_line":"- ensure that project bug trackers follow the VMT guidelines including"},{"line_number":46,"context_line":"  defining a ``\u003cproject\u003e-coresec`` team and granting access to the"},{"line_number":47,"context_line":"  `VMT Launchpad team`_ to view private security bugs in the project."}],"source_content_type":"text/x-rst","patch_set":3,"id":"dbdbfda2_e160adf0","line":44,"range":{"start_line":43,"start_character":2,"end_line":44,"end_character":48},"updated":"2025-04-16 13:55:55.000000000","message":"Practical question: how will this be indicated?  There\u0027s nothing there now.  And it sounds like this will be opt-in?  
How do we distinguish between a team that has thoughtfully declined to put any of their deliverables under vulnerability management vs. a team that has just ignored the request?  Maybe the model should be opt-out ... all repos under all projects are considered managed, and if a project wants to exclude a deliverable, they can add \"vulnerability:not-managed\" to projects.yaml","commit_id":"ace630c1eb24b58bc5ad3dd53b6dd113b6b49cb9"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"643ca80d2a7034ce302013ab1beec97685ec5444","unresolved":false,"context_lines":[{"line_number":41,"context_line":"  must update the `VMT liaisons`_ list and ensure it remains current"},{"line_number":42,"context_line":"  through each release cycle."},{"line_number":43,"context_line":"- define what deliverables are vulnerability managed by editing `projects"},{"line_number":44,"context_line":"  .yaml` in the openstack/governance repository."},{"line_number":45,"context_line":"- ensure that project bug trackers follow the VMT guidelines including"},{"line_number":46,"context_line":"  defining a ``\u003cproject\u003e-coresec`` team and granting access to the"},{"line_number":47,"context_line":"  `VMT Launchpad team`_ to view private security bugs in the project."}],"source_content_type":"text/x-rst","patch_set":3,"id":"36356cd3_378b567d","line":44,"updated":"2025-04-16 13:40:32.000000000","message":"This is my only real concern with the proposal. One of the main benefits of having the VMT oversee all deliverables is that it relieves the project of needing to track which repositories are overseen and which aren\u0027t. 
It would make more sense for the rare reports we receive for repositories we can\u0027t manage to just be handled pragmatically at that time (switch to public with an appropriate comment explaining why, or escalate privately to the TC volunteers asking them to make a decision).\n\nBut if the TC does insist on tracking this distinction after all, deliverable-level granularity is insufficient. There\u0027s a reason why when we dropped the old governance tag we switched to a list of *repositories* overseen even though the tag had been per-deliverable before. Multi-repository deliverables often have a mix of repositories we can deal with and ones we can\u0027t. This is also why our list of oversight requirements talks about \"repositories\" (the word \"deliverable\" appears nowhere in the text).","commit_id":"ace630c1eb24b58bc5ad3dd53b6dd113b6b49cb9"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"f74cb15decf08e99ee0cb1c62685acbc5c2a8daa","unresolved":true,"context_lines":[{"line_number":40,"context_line":"  :doc:`/reference/distributed-project-leadership`. 
Project team leaders"},{"line_number":41,"context_line":"  must update the `VMT liaisons`_ list and ensure it remains current"},{"line_number":42,"context_line":"  through each release cycle."},{"line_number":43,"context_line":"- define what deliverables are vulnerability managed by editing `projects"},{"line_number":44,"context_line":"  .yaml` in the openstack/governance repository."},{"line_number":45,"context_line":"- ensure that project bug trackers follow the VMT guidelines including"},{"line_number":46,"context_line":"  defining a ``\u003cproject\u003e-coresec`` team and granting access to the"},{"line_number":47,"context_line":"  `VMT Launchpad team`_ to view private security bugs in the project."}],"source_content_type":"text/x-rst","patch_set":3,"id":"d5a78d97_e750cf77","line":44,"range":{"start_line":43,"start_character":2,"end_line":44,"end_character":48},"in_reply_to":"23c919db_95ebaf22","updated":"2025-04-16 21:09:17.000000000","message":"I had assumed (and would prefer) that we would simply eliminate the explicit repository list once the VMT is overseeing all of OpenStack. I\u0027d really rather not make more unnecessary work tracking exclusions that ultimately won\u0027t matter, or can be dealt with on a case-by-case basis once every few years if it comes up at all.","commit_id":"ace630c1eb24b58bc5ad3dd53b6dd113b6b49cb9"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"51020cb02570327112a22b1a2f3f373149053c3d","unresolved":true,"context_lines":[{"line_number":40,"context_line":"  :doc:`/reference/distributed-project-leadership`. 
Project team leaders"},{"line_number":41,"context_line":"  must update the `VMT liaisons`_ list and ensure it remains current"},{"line_number":42,"context_line":"  through each release cycle."},{"line_number":43,"context_line":"- define what deliverables are vulnerability managed by editing `projects"},{"line_number":44,"context_line":"  .yaml` in the openstack/governance repository."},{"line_number":45,"context_line":"- ensure that project bug trackers follow the VMT guidelines including"},{"line_number":46,"context_line":"  defining a ``\u003cproject\u003e-coresec`` team and granting access to the"},{"line_number":47,"context_line":"  `VMT Launchpad team`_ to view private security bugs in the project."}],"source_content_type":"text/x-rst","patch_set":3,"id":"7d513b93_036baa38","line":44,"range":{"start_line":43,"start_character":2,"end_line":44,"end_character":48},"in_reply_to":"4e293f78_46a89532","updated":"2025-04-16 21:34:41.000000000","message":"I don\u0027t know the answer to that question, and would defer to you folks and your experience. I agree that tracking everything would be unnecessary - most of this is common sense; the VMT explicitly states that the coverage is for source code in OpenStack.\n\n\nand the only grey area would be stuff that projects are \"vendoring in\" - i.e., javascript libraries and x-static content that was developed elsewhere and added alongside/inside OpenStack repos. We should try and tackle that as a separate problem.. \n\n\nI can revise this patch by dropping the \"vulnerability-managed\" tracking. 
Does this align with what you\u0027re thinking?","commit_id":"ace630c1eb24b58bc5ad3dd53b6dd113b6b49cb9"},{"author":{"_account_id":5263,"name":"Jeremy Stanley","display_name":"fungi","email":"fungi@yuggoth.org","username":"fungi","status":"missing, presumed fed"},"change_message_id":"6468afee5719d1822dc58e7e9ade10c1506f958f","unresolved":true,"context_lines":[{"line_number":40,"context_line":"  :doc:`/reference/distributed-project-leadership`. Project team leaders"},{"line_number":41,"context_line":"  must update the `VMT liaisons`_ list and ensure it remains current"},{"line_number":42,"context_line":"  through each release cycle."},{"line_number":43,"context_line":"- define what deliverables are vulnerability managed by editing `projects"},{"line_number":44,"context_line":"  .yaml` in the openstack/governance repository."},{"line_number":45,"context_line":"- ensure that project bug trackers follow the VMT guidelines including"},{"line_number":46,"context_line":"  defining a ``\u003cproject\u003e-coresec`` team and granting access to the"},{"line_number":47,"context_line":"  `VMT Launchpad team`_ to view private security bugs in the project."}],"source_content_type":"text/x-rst","patch_set":3,"id":"84233473_353dc338","line":44,"range":{"start_line":43,"start_character":2,"end_line":44,"end_character":48},"in_reply_to":"7d513b93_036baa38","updated":"2025-04-16 22:04:02.000000000","message":"That would suffice for me, but then so would going forward with this resolution and making a minor follow-up one to eliminate the tracking part. Whatever works for you.","commit_id":"ace630c1eb24b58bc5ad3dd53b6dd113b6b49cb9"},{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"d0369cc8c3ba5e6113ed6378907fe2c768d0ef28","unresolved":true,"context_lines":[{"line_number":40,"context_line":"  :doc:`/reference/distributed-project-leadership`. 
Project team leaders"},{"line_number":41,"context_line":"  must update the `VMT liaisons`_ list and ensure it remains current"},{"line_number":42,"context_line":"  through each release cycle."},{"line_number":43,"context_line":"- define what deliverables are vulnerability managed by editing `projects"},{"line_number":44,"context_line":"  .yaml` in the openstack/governance repository."},{"line_number":45,"context_line":"- ensure that project bug trackers follow the VMT guidelines including"},{"line_number":46,"context_line":"  defining a ``\u003cproject\u003e-coresec`` team and granting access to the"},{"line_number":47,"context_line":"  `VMT Launchpad team`_ to view private security bugs in the project."}],"source_content_type":"text/x-rst","patch_set":3,"id":"84b90764_44528c54","line":44,"range":{"start_line":43,"start_character":2,"end_line":44,"end_character":48},"in_reply_to":"84233473_353dc338","updated":"2025-04-17 08:43:24.000000000","message":"thanks for this discussion, I\u0027d prefer to have the resolution amended before it is accepted and changed my vote accordingly","commit_id":"ace630c1eb24b58bc5ad3dd53b6dd113b6b49cb9"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"3db257a10b26c3136f9d679c5f8809e34cf9a72e","unresolved":false,"context_lines":[{"line_number":40,"context_line":"  :doc:`/reference/distributed-project-leadership`. 
Project team leaders"},{"line_number":41,"context_line":"  must update the `VMT liaisons`_ list and ensure it remains current"},{"line_number":42,"context_line":"  through each release cycle."},{"line_number":43,"context_line":"- define what deliverables are vulnerability managed by editing `projects"},{"line_number":44,"context_line":"  .yaml` in the openstack/governance repository."},{"line_number":45,"context_line":"- ensure that project bug trackers follow the VMT guidelines including"},{"line_number":46,"context_line":"  defining a ``\u003cproject\u003e-coresec`` team and granting access to the"},{"line_number":47,"context_line":"  `VMT Launchpad team`_ to view private security bugs in the project."}],"source_content_type":"text/x-rst","patch_set":3,"id":"0da9ac71_906179e0","line":44,"range":{"start_line":43,"start_character":2,"end_line":44,"end_character":48},"in_reply_to":"84b90764_44528c54","updated":"2025-04-22 17:02:33.000000000","message":"Done","commit_id":"ace630c1eb24b58bc5ad3dd53b6dd113b6b49cb9"},{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"e4f457315ab83f4b0790eef585e0609f20fae9af","unresolved":false,"context_lines":[{"line_number":40,"context_line":"  :doc:`/reference/distributed-project-leadership`. 
Project team leaders"},{"line_number":41,"context_line":"  must update the `VMT liaisons`_ list and ensure it remains current"},{"line_number":42,"context_line":"  through each release cycle."},{"line_number":43,"context_line":"- define what deliverables are vulnerability managed by editing `projects"},{"line_number":44,"context_line":"  .yaml` in the openstack/governance repository."},{"line_number":45,"context_line":"- ensure that project bug trackers follow the VMT guidelines including"},{"line_number":46,"context_line":"  defining a ``\u003cproject\u003e-coresec`` team and granting access to the"},{"line_number":47,"context_line":"  `VMT Launchpad team`_ to view private security bugs in the project."}],"source_content_type":"text/x-rst","patch_set":3,"id":"370dd177_bbc1c0b6","line":44,"range":{"start_line":43,"start_character":2,"end_line":44,"end_character":48},"in_reply_to":"84b90764_44528c54","updated":"2025-04-22 17:01:50.000000000","message":"Done","commit_id":"ace630c1eb24b58bc5ad3dd53b6dd113b6b49cb9"},{"author":{"_account_id":10342,"name":"Jay Faulkner","display_name":"JayF","email":"jay@jvf.cc","username":"JayF","status":"youtube.com/@oss-gr / podcast.gr-oss.io"},"change_message_id":"7e2068e45efb5dd82a19daa01097adf2f6ccf121","unresolved":true,"context_lines":[{"line_number":40,"context_line":"  :doc:`/reference/distributed-project-leadership`. 
Project team leaders"},{"line_number":41,"context_line":"  must update the `VMT liaisons`_ list and ensure it remains current"},{"line_number":42,"context_line":"  through each release cycle."},{"line_number":43,"context_line":"- define what deliverables are vulnerability managed by editing `projects"},{"line_number":44,"context_line":"  .yaml` in the openstack/governance repository."},{"line_number":45,"context_line":"- ensure that project bug trackers follow the VMT guidelines including"},{"line_number":46,"context_line":"  defining a ``\u003cproject\u003e-coresec`` team and granting access to the"},{"line_number":47,"context_line":"  `VMT Launchpad team`_ to view private security bugs in the project."}],"source_content_type":"text/x-rst","patch_set":3,"id":"4e293f78_46a89532","line":44,"range":{"start_line":43,"start_character":2,"end_line":44,"end_character":48},"in_reply_to":"d5a78d97_e750cf77","updated":"2025-04-16 21:13:37.000000000","message":"Is this opt-out being actively asked for by anyone? It seems like unneeded complexity both technically and mentally.","commit_id":"ace630c1eb24b58bc5ad3dd53b6dd113b6b49cb9"},{"author":{"_account_id":16643,"name":"Goutham Pacha Ravi","email":"gouthampravi@gmail.com","username":"gouthamr"},"change_message_id":"20b45039dcc766fe940745172b43d171272e6f97","unresolved":true,"context_lines":[{"line_number":40,"context_line":"  :doc:`/reference/distributed-project-leadership`. 
Project team leaders"},{"line_number":41,"context_line":"  must update the `VMT liaisons`_ list and ensure it remains current"},{"line_number":42,"context_line":"  through each release cycle."},{"line_number":43,"context_line":"- define what deliverables are vulnerability managed by editing `projects"},{"line_number":44,"context_line":"  .yaml` in the openstack/governance repository."},{"line_number":45,"context_line":"- ensure that project bug trackers follow the VMT guidelines including"},{"line_number":46,"context_line":"  defining a ``\u003cproject\u003e-coresec`` team and granting access to the"},{"line_number":47,"context_line":"  `VMT Launchpad team`_ to view private security bugs in the project."}],"source_content_type":"text/x-rst","patch_set":3,"id":"23c919db_95ebaf22","line":44,"range":{"start_line":43,"start_character":2,"end_line":44,"end_character":48},"in_reply_to":"dbdbfda2_e160adf0","updated":"2025-04-16 20:57:06.000000000","message":"Interesting thought.. @fungi@yuggoth.org said it\u0027s occurred very few times that a vulnerability was reported to software not supported by the VMT. So, an opt-out model that you suggest makes sense. In the project schema, we can have a \"default\" value for \"vulnerability_managed\" be True; and we explicitly set only the ones we don\u0027t manage as \"vulnerability_managed: false\". The schema update doesn\u0027t really help right now, but, I am assuming we\u0027ll auto-generate https://security.openstack.org/repos-overseen.html#repositories-overseen based on the schema after this","commit_id":"ace630c1eb24b58bc5ad3dd53b6dd113b6b49cb9"}]}
