Re: Security Working Group meeting - Wednesday August 4 - results

From: Brad Bishop <bradleyb@fuzziesquirrel.com>
To: Joseph Reynolds <jrey@linux.ibm.com>,
	James Mihm <james.mihm@intel.com>,
	"Sekar, Suryakanth" <suryakanth.sekar@linux.intel.com>
Cc: Andrew Jeffery <andrew@aj.id.au>, Ed Tanous <edtanous@google.com>,
	openbmc@lists.ozlabs.org
Subject: Re: Security Working Group meeting - Wednesday August 4 - results
Date: Thu, 05 Aug 2021 09:55:43 -0400	[thread overview]
Message-ID: <169a8f7b4c746995a1cd1e8781b4f427b61d4c83.camel@fuzziesquirrel.com> (raw)
In-Reply-To: <CAH2-KxBqzCr--LN93P=OsmorDPkbgzDxyxpSGckzFX7MAv96eA@mail.gmail.com>

On Wed, 2021-08-04 at 16:57 -0700, Ed Tanous wrote:
> On Wed, Aug 4, 2021 at 4:48 PM Andrew Jeffery <andrew@aj.id.au> wrote:
> > 
> > 
> > 
> > On Thu, 5 Aug 2021, at 06:19, Patrick Williams wrote:
> > > On Wed, Aug 04, 2021 at 03:39:45PM -0500, Joseph Reynolds wrote:
> > > > On 8/4/21 3:09 PM, Patrick Williams wrote:
> > > > > On Wed, Aug 04, 2021 at 01:47:31PM -0500, Joseph Reynolds
> > > > > wrote:
> > > > > 
> > > > > > 4 Surya set up a bugzilla within Intel and will administer
> > > > > > it.  Demo’d
> > > > > > the database. We briefly examined the database fields and
> > > > > > agreed it
> > > > > > looks like a good start.
> > > > > > 
> > > > > Once again I'll ask ***WHY***??!?
> > > > > 
> > > > > https://lore.kernel.org/openbmc/YNzsE1ipYQR7yfDq@heinlein/
> > > > > https://lore.kernel.org/openbmc/YPiK8xqFPJFZDa1+@heinlein/
> > > > > 
> > > > > Can we please create a private Github repository and be done
> > > > > with this topic?
> > > > 
> > > > I don't have any insight into how to resolve this question.
> > > > 
> > > >  From today's meeting: using bugzilla has advantages over github
> > > > issues:
> > > > - lets us define the fields we need: fix commitID, CVSS score,
> > > > etc.
> 
> I'm also really not following this as a rationale for starting a
> completely new server.  This is easy enough to add on github in the
> bug template.
> 
> > > 
> > > These are pretty minor when you could just add a comment template
> > > with this
> > > information.
> > > 
> > > > - has desirable access controls, specifically acess by the
> > > > security
> > > > respone tram plus we can add access for the problem submitter
> > > > and the
> > > > problem fixer
> > > 
> > > So does Github.
> 
> +1
> 
> > > 
> > > ----
> > > 
> > > I really don't think that some subset of the community should go
> > > off on their
> > > own bug tracking system.
> > 
> > +1
> > 
> > I'm not aware of any effort to use Github security advisories so
> > far. I
> > think we should try that before burdening ourselves and any bug
> > reporters with yet more disjoint bits of infrastructure (we already
> > have the two mailing lists, discord, gerrit, and github).
> 
> +1
> 
> > 
> > Andrew

+1 from me as well on all points.  We already use GitHub bug templates
and GitHub security controls in this project with great success and the
community is here to support the security working group if you don't
know how to make use of those.

Additional benefits to GitHub that were pointed out to me is that GitHub
checks passwords against leak databases, supports 2FA, can be configured
to require 2FA for those that have access.  GitHub is also more likely
to keep their software updated than a privately maintained bugzilla
instance.  In 2021 it is just too hard to compete with the scale of
support that services like GitHub provide.

I think my proposal would be that the security working group create a
new GitHub organization here:

https://github.com/openbmc-security

The security WG leadership could own the organization and create any
number of groups, acls, repositories (public or private), wikis, etc..

thx - brad