From: Brad Bishop <firstname.lastname@example.org>
To: Joseph Reynolds <email@example.com>,
James Mihm <firstname.lastname@example.org>,
"Sekar, Suryakanth" <email@example.com>
Cc: Andrew Jeffery <firstname.lastname@example.org>, Ed Tanous <email@example.com>,
Subject: Re: Security Working Group meeting - Wednesday August 4 - results
Date: Thu, 05 Aug 2021 09:55:43 -0400 [thread overview]
Message-ID: <firstname.lastname@example.org> (raw)
On Wed, 2021-08-04 at 16:57 -0700, Ed Tanous wrote:
> On Wed, Aug 4, 2021 at 4:48 PM Andrew Jeffery <email@example.com> wrote:
> > On Thu, 5 Aug 2021, at 06:19, Patrick Williams wrote:
> > > On Wed, Aug 04, 2021 at 03:39:45PM -0500, Joseph Reynolds wrote:
> > > > On 8/4/21 3:09 PM, Patrick Williams wrote:
> > > > > On Wed, Aug 04, 2021 at 01:47:31PM -0500, Joseph Reynolds
> > > > > wrote:
> > > > >
> > > > > > 4 Surya set up a bugzilla within Intel and will administer
> > > > > > it. Demo’d
> > > > > > the database. We briefly examined the database fields and
> > > > > > agreed it
> > > > > > looks like a good start.
> > > > > >
> > > > > Once again I'll ask ***WHY***??!?
> > > > >
> > > > > https://lore.kernel.org/openbmc/YNzsE1ipYQR7yfDq@heinlein/
> > > > > https://lore.kernel.org/openbmc/YPiK8xqFPJFZDa1+@heinlein/
> > > > >
> > > > > Can we please create a private Github repository and be done
> > > > > with this topic?
> > > >
> > > > I don't have any insight into how to resolve this question.
> > > >
> > > > From today's meeting: using bugzilla has advantages over github
> > > > issues:
> > > > - lets us define the fields we need: fix commitID, CVSS score,
> > > > etc.
> I'm also really not following this as a rationale for starting a
> completely new server. This is easy enough to add on github in the
> bug template.
> > >
> > > These are pretty minor when you could just add a comment template
> > > with this
> > > information.
> > >
> > > > - has desirable access controls, specifically acess by the
> > > > security
> > > > respone tram plus we can add access for the problem submitter
> > > > and the
> > > > problem fixer
> > >
> > > So does Github.
> > >
> > > ----
> > >
> > > I really don't think that some subset of the community should go
> > > off on their
> > > own bug tracking system.
> > +1
> > I'm not aware of any effort to use Github security advisories so
> > far. I
> > think we should try that before burdening ourselves and any bug
> > reporters with yet more disjoint bits of infrastructure (we already
> > have the two mailing lists, discord, gerrit, and github).
> > Andrew
+1 from me as well on all points. We already use GitHub bug templates
and GitHub security controls in this project with great success and the
community is here to support the security working group if you don't
know how to make use of those.
Additional benefits to GitHub that were pointed out to me is that GitHub
checks passwords against leak databases, supports 2FA, can be configured
to require 2FA for those that have access. GitHub is also more likely
to keep their software updated than a privately maintained bugzilla
instance. In 2021 it is just too hard to compete with the scale of
support that services like GitHub provide.
I think my proposal would be that the security working group create a
new GitHub organization here:
The security WG leadership could own the organization and create any
number of groups, acls, repositories (public or private), wikis, etc..
thx - brad
next prev parent reply other threads:[~2021-08-05 13:56 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-03 22:57 Security Working Group meeting - Wednesday August 4 Joseph Reynolds
2021-08-04 3:04 ` Patrick Williams
2021-08-04 3:22 ` Patrick Williams
2021-08-09 14:09 ` Security Working Group meeting - Wednesday August 4 - ibm-acf repo Joseph Reynolds
2021-08-04 3:28 ` Security Working Group meeting - Wednesday August 4 Patrick Williams
2021-08-04 18:43 ` Security Working Group meeting - Wednesday August 4 - all distro owners please review Joseph Reynolds
2021-08-04 18:47 ` Security Working Group meeting - Wednesday August 4 - results Joseph Reynolds
2021-08-04 20:09 ` Patrick Williams
2021-08-04 20:39 ` Joseph Reynolds
2021-08-04 20:49 ` Patrick Williams
2021-08-04 23:23 ` Patrick Williams
2021-08-06 17:10 ` Mihm, James
2021-08-04 23:47 ` Andrew Jeffery
2021-08-04 23:57 ` Ed Tanous
2021-08-05 13:55 ` Brad Bishop [this message]
2021-08-05 13:43 ` Brad Bishop
2021-08-05 15:54 ` Brad Bishop
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).