* Security Working Group meeting - Wednesday November 10
From: Joseph Reynolds @ 2021-11-10 14:38 UTC (permalink / raw)
To: openbmc
This is a reminder of the OpenBMC Security Working Group meeting
scheduled for this Wednesday November 10 at 10:00am PDT.
We'll discuss the following items on the agenda
<https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
and anything else that comes up:
1.
Access, agenda and notes are in the wiki:
https://github.com/openbmc/openbmc/wiki/Security-working-group
- Joseph
* Re: Security Working Group meeting - Wednesday November 10 - results
From: Joseph Reynolds @ 2021-11-10 20:35 UTC (permalink / raw)
To: openbmc
On 11/10/21 8:38 AM, Joseph Reynolds wrote:
> This is a reminder of the OpenBMC Security Working Group meeting
> scheduled for this Wednesday November 10 at 10:00am PDT.
>
> We'll discuss the following items on the agenda
> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
> and anything else that comes up:
>
Attended: Joseph, Bruce, Vernon, James, Caci, Jiang, Dick, Ratan, Dhananjay
Agenda items discussed:
1 Next meeting Nov 24 “Thanksgiving eve”
Votes: cancel, cancel, cancel. Agreed. Someone else schedule a meeting?
2 Should OpenBMC become a CVE Numbering Authority (CNA).
Ref: https://www.cve.org/ResourcesSupport/AllResources/CNARules
This would better integrate the CVE process with github.
OpenBMC looked into becoming a CNA years ago. See the old review:
https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/15621
Is it worthwhile for openBMC to become a CNA? Yes, we have had multiple
CVEs per year and believe this will continue. We have filled out the
form (at cve.mitre.org) to create CVEs and have become familiar with
writing CVE language.
We agreed to pursue becoming a CNA. No objections. James will follow up.
3 Make progress on these competing reviews:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/48564
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/48633
Ensure we have a CI test for this. TODO: Joseph to contact George on email.
4 The OpenBMC security response team (SRT) is working toward improving
the way it handles private security vulnerabilities before they are
disclosed. (See notes from previous meetings.)
The repo https://github.com/openbmc/openbmc/security-response was created for
this; the idea is to make it private to the SRT members and use
https://github.com/openbmc/openbmc/security-response/issues to identify
issues and track progress.
Open questions: What content should this repo have?
How to add content? Do we need files? Any private content? Web
interfaces vs gerrit vs command line (git submissions?)
The README should have content like:
* the purpose of the repo (to track security vulnerability issues for
the overall openbmc organization before public disclosure).
* the fact that the repo is private and access is controlled by the
github @security-response team.
* Link to
https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team-guidelines.md
* Instructions to use
github.com/openbmc/openbmc/security-response/issues for new issues
Nothing in the README needs to be private. The content which must
remain private is in the issues.
Code reviews for fixes would use their own repo, and perhaps private
gerrit review process, as stated in the
obmc-security-response-team-guidelines.md.
The question for github is: What should a security response team (like
https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md)
use to track private security reports before public disclosure?
The overall structure might be like this:
* github.com/openbmc/openbmc/issues -- currently stores security
advisories: search for “advisory”
* github.com/openbmc/openbmc/security/advisories -- proposed place for
all advisories; this is what github wants us to use.
* github.com/openbmc/openbmc/security-response -- new PRIVATE repo for
the SRT to track new security vulnerabilities toward closure
See
https://docs.github.com/en/organizations/managing-access-to-your-organizations-repositories/repository-roles-for-an-organization
Next steps:
* Add github.com/openbmc/openbmc/security-response README -- see above
for ideas
* Create first low-sev issue in
https://github.com/openbmc/openbmc/security-response/issues and
ensure it is not accidentally disclosed via a Discord bot, an email
bot, or any other way.
>
>
> Access, agenda and notes are in the wiki:
> https://github.com/openbmc/openbmc/wiki/Security-working-group
>
> - Joseph
* Security Working Group - Nov 24 meeting cancelled: reschedule?
From: Joseph Reynolds @ 2021-11-10 20:38 UTC (permalink / raw)
To: openbmc
On 11/10/21 2:35 PM, Joseph Reynolds wrote:
> On 11/10/21 8:38 AM, Joseph Reynolds wrote:
>
> Agenda items discussed:
>
> 1 Next meeting Nov 24 “Thanksgiving eve”
>
> Votes: cancel, cancel, cancel. Agreed. Someone else schedule a meeting?
>
The next regularly scheduled Security Working Group meeting (Nov 24) is
cancelled.
This would be a perfect time for someone, maybe in another time zone
outside the US, to schedule a Security Working Group call.
Any volunteers?
* Security Working Group - OpenBMC working to become a CVE numbering authority (CNA)
From: Joseph Reynolds @ 2021-11-10 20:41 UTC (permalink / raw)
To: openbmc
On 11/10/21 2:35 PM, Joseph Reynolds wrote:
> On 11/10/21 8:38 AM, Joseph Reynolds wrote:
>> This is a reminder of the OpenBMC Security Working Group meeting
>> scheduled for this Wednesday November 10 at 10:00am PDT.
>>
>> We'll discuss the following items on the agenda
>> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
>> and anything else that comes up:
>>
>
> Attended: Joseph, Bruce, Vernon, James, Caci, Jiang, Dick, Ratan,
> Dhananjay
>
>
> Agenda items discussed:
...snip...
> 2 Should OpenBMC become a CVE Numbering Authority (CNA).
>
> Ref: https://www.cve.org/ResourcesSupport/AllResources/CNARules
>
> This would better integrate the CVE process with github.
>
> OpenBMC looked into becoming a CNA years ago. See the old review:
> https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/15621
>
> Is it worthwhile for openBMC to become a CNA? Yes, we have had
> multiple CVEs per year and believe this will continue. We have filled
> out the form (at cve.mitre.org) to create CVEs and have become
> familiar with writing CVE language.
>
> We agreed to pursue becoming a CNA. No objections. James will follow
> up.
The OpenBMC security response team is working to become a CVE Numbering
Authority (CNA).
* Re: Security Working Group - Nov 24 meeting cancelled: reschedule?
From: Joseph Reynolds @ 2021-11-23 15:49 UTC (permalink / raw)
To: openbmc
On 11/10/21 2:38 PM, Joseph Reynolds wrote:
> On 11/10/21 2:35 PM, Joseph Reynolds wrote:
>> On 11/10/21 8:38 AM, Joseph Reynolds wrote:
>>
>> Agenda items discussed:
>>
>> 1 Next meeting Nov 24 “Thanksgiving eve”
>>
>> Votes: cancel, cancel, cancel. Agreed. Someone else schedule a
>> meeting?
>>
>
> The next regularly scheduled Security Working Group meeting (Nov 24)
> is cancelled.
> This would be a perfect time to for someone maybe in another time zone
> outside the US to schedule a Security Working Group call.
> Any volunteers?
>
The regularly scheduled OpenBMC Security Working Group meeting for Nov
24 is cancelled because of the US Thanksgiving holiday.
Joseph