From: Patrick Williams
Subject: Re: Security Working Group meeting - Wednesday August 4 - results
Date: Wed, 4 Aug 2021 18:23:35 -0500
Message-Id: <5CC24537-286A-473D-AD11-3986848C2C9B@stwcx.xyz>
To: Joseph Reynolds
Cc: openbmc@lists.ozlabs.org, Brad Bishop
List-Id: Development list for OpenBMC

Has this been read through?
https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories

> On Aug 4, 2021, at 3:49 PM, Patrick Williams wrote:
> 
> On Wed, Aug 04, 2021 at 03:39:45PM -0500, Joseph Reynolds wrote:
>>> On 8/4/21 3:09 PM, Patrick Williams wrote:
>>>> On Wed, Aug 04, 2021 at 01:47:31PM -0500, Joseph Reynolds wrote:
>>> 
>>>> 4 Surya set up a bugzilla within Intel and will administer it.  Demo'd
>>>> the database. We briefly examined the database fields and agreed it
>>>> looks like a good start.
>>>> 
>>> Once again I'll ask ***WHY***??!?
>>> 
>>> https://lore.kernel.org/openbmc/YNzsE1ipYQR7yfDq@heinlein/
>>> https://lore.kernel.org/openbmc/YPiK8xqFPJFZDa1+@heinlein/
>>> 
>>> Can we please create a private Github repository and be done with this topic?
>> 
>> I don't have any insight into how to resolve this question.
>> 
>> From today's meeting: using bugzilla has advantages over github issues:
>> - lets us define the fields we need: fix commitID, CVSS score, etc.
> 
> These are pretty minor when you could just add a comment template with this
> information.
> 
>> - has desirable access controls, specifically access by the security
>> response team plus we can add access for the problem submitter and the
>> problem fixer
> 
> So does Github.
> 
> ----
> 
> I really don't think that some subset of the community should go off on their
> own bug tracking system.  This is a waste of time to maintain and just further
> segments this "Security Team" off in their own bubble.
> 
> -- 
> Patrick Williams