I've been pushing for a database of some sort to track the security issues that I've submitted so far. My initial impression was that the GitHub security advisories were targeted more for disclosures and not necessarily management. I'll look into the GitHub security advisories further. What I'm looking for is a tool that will help us track the progress of mitigations or the lack thereof. I'd also like to track all of the issues from upstream projects that impact openbmc, and a database seems like a good option for that.

Regards,
James

From: openbmc On Behalf Of Patrick Williams
Sent: Wednesday, August 4, 2021 4:24 PM
To: Joseph Reynolds
Cc: openbmc@lists.ozlabs.org; Brad Bishop
Subject: Re: Security Working Group meeting - Wednesday August 4 - results

Has this been read through?

https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories

> On Aug 4, 2021, at 3:49 PM, Patrick Williams wrote:
>
> On Wed, Aug 04, 2021 at 03:39:45PM -0500, Joseph Reynolds wrote:
>> On 8/4/21 3:09 PM, Patrick Williams wrote:
>>> On Wed, Aug 04, 2021 at 01:47:31PM -0500, Joseph Reynolds wrote:
>>>> 4 Surya set up a bugzilla within Intel and will administer it. Demo'd the database. We briefly examined the database fields and agreed it looks like a good start.
>>>
>>> Once again I'll ask ***WHY***??!?
>>>
>>> https://lore.kernel.org/openbmc/YNzsE1ipYQR7yfDq@heinlein/
>>> https://lore.kernel.org/openbmc/YPiK8xqFPJFZDa1+@heinlein/
>>>
>>> Can we please create a private Github repository and be done with this topic?
>>
>> I don't have any insight into how to resolve this question.
>>
>> From today's meeting: using bugzilla has advantages over github issues:
>> - lets us define the fields we need: fix commitID, CVSS score, etc.
>
> These are pretty minor when you could just add a comment template with this information.
>
>> - has desirable access controls, specifically access by the security response team plus we can add access for the problem submitter and the problem fixer
>
> So does Github.
>
> ----
>
> I really don't think that some subset of the community should go off on their own bug tracking system. This is a waste of time to maintain and just further segments this "Security Team" off in their own bubble.
>
> --
> Patrick Williams