openbmc.lists.ozlabs.org archive mirror
 help / color / mirror / Atom feed
From: "Mihm, James" <james.mihm@intel.com>
To: Patrick Williams <patrick@stwcx.xyz>,
	Joseph Reynolds <jrey@linux.ibm.com>
Cc: "openbmc@lists.ozlabs.org" <openbmc@lists.ozlabs.org>,
	Brad Bishop <bradleyb@fuzziesquirrel.com>
Subject: RE: Security Working Group meeting - Wednesday August 4 - results
Date: Fri, 6 Aug 2021 17:10:16 +0000	[thread overview]
Message-ID: <SJ0PR11MB56460EDB38FA5BF593C0686D90F39@SJ0PR11MB5646.namprd11.prod.outlook.com> (raw)
In-Reply-To: <5CC24537-286A-473D-AD11-3986848C2C9B@stwcx.xyz>

[-- Attachment #1: Type: text/plain, Size: 2441 bytes --]

I’ve been pushing for a database of some sort to track the security issues that I’ve submitted so far. My initial impression was that the github security advisories was targeted more for disclosures and not necessarily management. I’ll look into the github security advisories further. What I’m looking for is a tool that will help us track the progress of mitigations or the lack thereof.
I’d also like to track all of the issues from upstream projects that impact openbmc, and a database seems like a good option for that.

Regards, James.

From: openbmc <openbmc-bounces+james.mihm=intel.com@lists.ozlabs.org> On Behalf Of Patrick Williams
Sent: Wednesday, August 4, 2021 4:24 PM
To: Joseph Reynolds <jrey@linux.ibm.com>
Cc: openbmc@lists.ozlabs.org; Brad Bishop <bradleyb@fuzziesquirrel.com>
Subject: Re: Security Working Group meeting - Wednesday August 4 - results

Has this been read through?

https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories


On Aug 4, 2021, at 3:49 PM, Patrick Williams <patrick@stwcx.xyz<mailto:patrick@stwcx.xyz>> wrote:
On Wed, Aug 04, 2021 at 03:39:45PM -0500, Joseph Reynolds wrote:

On 8/4/21 3:09 PM, Patrick Williams wrote:
On Wed, Aug 04, 2021 at 01:47:31PM -0500, Joseph Reynolds wrote:

4 Surya set up a bugzilla within Intel and will administer it.  Demo’d
the database. We briefly examined the database fields and agreed it
looks like a good start.

Once again I'll ask ***WHY***??!?

https://lore.kernel.org/openbmc/YNzsE1ipYQR7yfDq@heinlein/
https://lore.kernel.org/openbmc/YPiK8xqFPJFZDa1+@heinlein/

Can we please create a private Github repository and be done with this topic?

I don't have any insight into how to resolve this question.

From today's meeting: using bugzilla has advantages over github issues:
- lets us define the fields we need: fix commitID, CVSS score, etc.

These are pretty minor when you could just add a comment template with this
information.


- has desirable access controls, specifically acess by the security
respone tram plus we can add access for the problem submitter and the
problem fixer

So does Github.

----

I really don't think that some subset of the community should go off on their
own bug tracking system.  This is a waste of time to maintain and just further
segments this "Security Team" off in their own bubble.

--
Patrick Williams

[-- Attachment #2: Type: text/html, Size: 8954 bytes --]

  reply	other threads:[~2021-08-06 17:12 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-03 22:57 Security Working Group meeting - Wednesday August 4 Joseph Reynolds
2021-08-04  3:04 ` Patrick Williams
2021-08-04  3:22 ` Patrick Williams
2021-08-09 14:09   ` Security Working Group meeting - Wednesday August 4 - ibm-acf repo Joseph Reynolds
2021-08-04  3:28 ` Security Working Group meeting - Wednesday August 4 Patrick Williams
2021-08-04 18:43   ` Security Working Group meeting - Wednesday August 4 - all distro owners please review Joseph Reynolds
2021-08-04 18:47 ` Security Working Group meeting - Wednesday August 4 - results Joseph Reynolds
2021-08-04 20:09   ` Patrick Williams
2021-08-04 20:39     ` Joseph Reynolds
2021-08-04 20:49       ` Patrick Williams
2021-08-04 23:23         ` Patrick Williams
2021-08-06 17:10           ` Mihm, James [this message]
2021-08-04 23:47         ` Andrew Jeffery
2021-08-04 23:57           ` Ed Tanous
2021-08-05 13:55             ` Brad Bishop
2021-08-05 13:43       ` Brad Bishop
2021-08-05 15:54   ` Brad Bishop

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=SJ0PR11MB56460EDB38FA5BF593C0686D90F39@SJ0PR11MB5646.namprd11.prod.outlook.com \
    --to=james.mihm@intel.com \
    --cc=bradleyb@fuzziesquirrel.com \
    --cc=jrey@linux.ibm.com \
    --cc=openbmc@lists.ozlabs.org \
    --cc=patrick@stwcx.xyz \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).