OpenBMC security workgroup status

OpenBMC security workgroup status

[Joseph Reynolds]

[-- Attachment #1: Type: text/plain, Size: 639 bytes --]

Here is the OpenBMC security work group status.

The OpenBMC security work has been partitioned into four areas: 
hardware, firmware (Linux, phosphor, etc.), OpenBMC development 
activity, and downstream development.  Reviews are out for three areas; 
see https://gerrit.openbmc-project.xyz/#/c/11120/ and 11164.  Work to 
sketch out firmware security topics is beginning.  We are also beginning 
to look at topics such as release planning and how to handle security 
flaws.  For more details, see the group’s agenda and minutes at 
https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI.

- Joseph Reynolds

[-- Attachment #2: Type: text/html, Size: 1444 bytes --]

Re: OpenBMC security workgroup status

[Andrew Jeffery]

On Tue, 10 Jul 2018, at 11:50, Joseph Reynolds wrote:
> Here is the OpenBMC security work group status.
> 
> The OpenBMC security work has been partitioned into four areas: 
> hardware, firmware (Linux, phosphor, etc.), OpenBMC development 
> activity, and downstream development.  Reviews are out for three areas; 
> see https://gerrit.openbmc-project.xyz/#/c/11120/ and 11164.  Work to 
> sketch out firmware security topics is beginning.  We are also beginning 
> to look at topics such as release planning and how to handle security 
> flaws.  For more details, see the group’s agenda and minutes at 
> https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI.

What's the short-term strategy for handling vulnerability reports received in the gap between now and getting some formal process in place?