Subject: Re: Security Working Group Meeting - Wed 14 October - request for security bug tracker
To: Joseph Reynolds, openbmc@lists.ozlabs.org
References: <0c8a7bd5-e437-6460-b309-c9146477e120@linux.ibm.com>
From: krtaylor
Message-ID: <5166ecdc-aac6-38a4-9fd2-466132032f0f@gmail.com>
Date: Thu, 15 Oct 2020 10:53:30 -0500

On 10/15/20 9:22 AM, Joseph Reynolds wrote:
> On 10/15/20 9:14 AM, Joseph Reynolds wrote:
>> On 10/13/20 2:06 PM, Parth Shukla wrote:
>>> This is a reminder of the OpenBMC Security Working Group meeting
>>> scheduled for this Wednesday October 14 at 10:00am PDT.
>>>
>>> We'll discuss the following items on the agenda, and anything else
>>> that comes up:
>>>
> ...snip...
>>
>> Two subtopics were discussed:
>>
>> 2A. We reviewed the security reporting and bug fixing process.
>> Specifically:
>>
>>  * The OpenBMC security response team:
>>    https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md
>>
>>  * This is what github advocates using:
>>    https://github.com/openbmc/openbmc/security/advisories
>>
>>  * What tools do we use to:
>>
>>     * Identify which open source pkgs are used in an openbmc build,
>>
>>     * Identify security bugs in those packages, and
>>
>>     * Ensure that we pull in fixes or otherwise mitigate the problem.
>>
>>
>> 2B. Given that OpenBMC is a Linux Foundation project, what resources
>> does the Linux Foundation offer?  Specifically, we want a private
>> secure bug tracker for the OpenBMC security response team to use.
>
> Kurt,

Again, PLEASE cc me directly, I don't read every email on the list. It
was another happy coincidence that I read this and saw my name. :)

> The OpenBMC security response team could benefit from a bug tracker to
> track security vulnerabilities that were reported to the project and not
> yet disclosed.  This is to support [1] and would have to be private and
> secure.
> What is commonly used for this?  Can we do it at the project level? Can
> LF help?

Just brainstorming here... What about a github repo like
openbmc/security_tracking or similar with its own team? We'd have to
experiment with that and make sure it was private.

Otherwise, we could do something with hosting with the LF (bugzilla
instance?), but it would surely cost $$$. Another reason for project
owned, independent assets, but I digress.

Let's see what we can do with the tools we have now (github) especially
since we may be moving that way anyway.

Kurt Taylor (krtaylor)

> - Joseph
>
> [1]:
> https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md
>
>
> ...snip...
>>> Access, agenda and notes are in the wiki:
>>> https://github.com/openbmc/openbmc/wiki/Security-working-group
>>>
>>> Regards,
>>> Parth
>>
>
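The three tooling questions in the quoted agenda item 2A (which open source packages are in a build, which of them carry known security bugs, and whether the fix has actually been pulled in) can be answered mechanically once a build's package manifest and an advisory list are at hand. The script below is an added example for this thread; it is not tooling from the OpenBMC project or from anyone quoted above. It assumes a Yocto-style image manifest with one "package arch version" line per package, and every package version and advisory record in it is constructed, with placeholder identifiers instead of real CVE numbers. Its output is the list of packages that are still below the first fixed version, which is what a response team needs in order to decide what to bump or otherwise mitigate.

```python
"""Cross-check an image package manifest against known-vulnerable package
versions and report which packages still need a fix pulled in.

Added example. The manifest layout ("<package> <arch> <version>" per line,
as Yocto-built images emit) and the advisory record shape are assumptions;
all data below is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample manifest (assumed format: "<package> <arch> <version>").
SAMPLE_MANIFEST = """\
busybox arm1176jzs 1.31.1-r0
dropbear arm1176jzs 2019.78-r0
openssl arm1176jzs 1.1.1g-r0
libpam arm1176jzs 1.3.1-r0
"""


@dataclass(frozen=True)
class Advisory:
    """Constructed advisory record: package, first fixed version, identifier."""
    package: str
    fixed_in: str
    ref: str


# Constructed advisories; the identifiers are placeholders, not real CVEs.
SAMPLE_ADVISORIES = [
    Advisory("busybox", "1.32.0", "ADVISORY-PLACEHOLDER-1"),
    Advisory("dropbear", "2019.78", "ADVISORY-PLACEHOLDER-2"),  # already at fixed version
    Advisory("openssl", "1.1.1k", "ADVISORY-PLACEHOLDER-3"),
]


def parse_manifest(text):
    """Return {package: version} from manifest lines; the -rN package
    revision suffix is dropped because advisories speak in upstream versions."""
    pkgs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than guess
        name, _arch, version = parts
        pkgs[name] = re.sub(r"-r\d+$", "", version)
    return pkgs


def version_key(version):
    """Sort key for versions like 1.31.1, 2019.78 or 1.1.1g: numeric segments
    compare as integers, a trailing letter suffix compares after the number."""
    key = []
    for seg in re.split(r"[.\-]", version):
        m = re.match(r"(\d+)([A-Za-z]*)$", seg)
        if m:
            key.append((int(m.group(1)), m.group(2)))
        else:
            key.append((0, seg))  # non-numeric segment: compare as text
    return tuple(key)


def find_unfixed(manifest_text, advisories):
    """Return sorted (package, installed, fixed_in, ref) tuples for packages
    present in the image whose installed version is below the fixed version."""
    installed = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        ver = installed.get(adv.package)
        if ver is None:
            continue  # package is not in this image, so it is not affected
        if version_key(ver) < version_key(adv.fixed_in):
            findings.append((adv.package, ver, adv.fixed_in, adv.ref))
    return sorted(findings)


if __name__ == "__main__":
    for pkg, have, need, ref in find_unfixed(SAMPLE_MANIFEST, SAMPLE_ADVISORIES):
        print(f"{pkg}: installed {have}, fixed in {need} ({ref})")
```

Packages absent from the manifest are ignored rather than reported, so the output reflects only what the image actually ships; a package already at or above the fixed version (dropbear in the constructed data) is likewise left out.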