From: krtaylor <kurt.r.taylor@gmail.com>
To: Joseph Reynolds <jrey@linux.ibm.com>, openbmc@lists.ozlabs.org
Subject: Re: Security Working Group Meeting - Wed 14 October - request for security bug tracker
Date: Thu, 15 Oct 2020 10:53:30 -0500	[thread overview]
Message-ID: <5166ecdc-aac6-38a4-9fd2-466132032f0f@gmail.com> (raw)
In-Reply-To: <d29bfcde-bf3f-b739-20b3-c63686f3f746@linux.ibm.com>

On 10/15/20 9:22 AM, Joseph Reynolds wrote:
> On 10/15/20 9:14 AM, Joseph Reynolds wrote:
>> On 10/13/20 2:06 PM, Parth Shukla wrote:
>>>
>>> This is a reminder of the OpenBMC Security Working Group meeting 
>>> scheduled for this Wednesday October 14 at 10:00am PDT.
>>>
>>> We'll discuss the following items on the agenda 
>>> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI/edit>, 
>>> and anything else that comes up:
>>>
> ...snip...
>>
>> Two subtopics were discussed:
>>
>> 2A. We reviewed the security reporting and bug fixing process. 
>> Specifically:
>>
>>  * The OpenBMC security response team:
>> https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md 
>>
>>
>>  * This is what github advocates using:
>>    https://github.com/openbmc/openbmc/security/advisories
>>
>>  * What tools do we use to:
>>
>>     * Identify which open source pkgs are used in an openbmc build,
>>
>>     * Identify security bugs in those packages, and
>>
>>     * Ensure that we pull in fixes or otherwise mitigate the problem.
>>
>>
>> 2B. Given that OpenBMC is a Linux Foundation project, what resources 
>> does the Linux Foundation offer?  Specifically, we want a private 
>> secure bug tracker for the OpenBMC security response team to use.
> 
> Kurt,

Again, PLEASE cc me directly; I don't read every email on the list. It 
was another happy coincidence that I read this and saw my name. :)

> The OpenBMC security response team could benefit from a bug tracker to 
> track security vulnerabilities that were reported to the project and not 
> yet disclosed.  This is to support [1] and would have to be private and 
> secure.
> What is commonly used for this?  Can we do it at the project level? Can 
> LF help?

Just brainstorming here...

What about a github repo like openbmc/security_tracking or similar with 
its own team? We'd have to experiment with that and make sure it was 
private.

Otherwise, we could do something with hosting with the LF (bugzilla 
instance?), but it would surely cost $$$. Another reason for project 
owned, independent assets, but I digress.

Let's see what we can do with the tools we have now (github) especially 
since we may be moving that way anyway.

Kurt Taylor (krtaylor)

> - Joseph
> 
> [1]: 
> https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md 
> 
> 
> 
> ...snip...
>>> Access, agenda and notes are in the wiki:
>>> https://github.com/openbmc/openbmc/wiki/Security-working-group
>>>
>>> Regards,
>>> Parth
>>
> 

