incubator-cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Kinsella <...@stratosec.co>
Subject Re: Query regarding where to store encryption keys
Date Fri, 22 Jun 2012 02:25:56 GMT
OK - draft up at http://wiki.cloudstack.org/display/COMM/Draft%3A+Security+response+procedure

I think out of the 3 below, I like the OS and Eucalyptus pages the most, as the stress that
security is important and will contact will be responded to quickly.

Give feedback on the draft above - then let's talk next steps…I'd say we need a security
list, a php key behind it, a security notification page somewhere on the CS site, and I wouldn't'
mind seeing a twitter feed specifically for security announcements, as well...

John

On Jun 20, 2012, at 1:21 PM, Clement Chen wrote:

> We should set up a dedicated channel for security issues and handle security bugs carefully.
> 
> Below are some of the examples:
> 
> Apache HTTP Server Project: http://httpd.apache.org/security_report.html
> OpenStack: http://openstack.org/projects/openstack-security/
> Eucalyptus: http://www.eucalyptus.com/eucalyptus-cloud/security/procedures
> 
> -Clement		 
> 
> -----Original Message-----
> From: David Nalley [mailto:david@gnsa.us] 
> Sent: Wednesday, June 20, 2012 12:59 PM
> To: cloudstack-dev@incubator.apache.org
> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
> Subject: Re: Query regarding where to store encryption keys
> 
> On Wed, Jun 20, 2012 at 3:50 PM, Ewan Mellor <Ewan.Mellor@eu.citrix.com> wrote:
>>> -----Original Message-----
>>> From: David Nalley [mailto:david@gnsa.us]
>>> Sent: Wednesday, June 20, 2012 12:32 PM
>>> To: cloudstack-dev@incubator.apache.org
>>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>>> Subject: Re: Query regarding where to store encryption keys
>>> 
>>> On Wed, Jun 20, 2012 at 3:15 PM, Vijayendra Bhamidipati 
>>> <vijayendra.bhamidipati@citrix.com> wrote:
>>>> Hi Team,
>>>> 
>>>> This is with reference to bug CS-15151
>>> (http://bugs.cloudstack.org/browse/CS-15151). I have some questions 
>>> and it would be great if you could share your knowledge and suggestions.
>>>> 
>>> 
>>> 
>>> Why is that bug not publicly visible?
>> 
>> Probably because it's highlighting a potential security hole.  That seems like a
reasonable precaution for the reporter to have taken.
>> 
>> Would you like to handle these some other way?
>> 
>> Ewan.
>> 
> 
> That's a perfectly valid reason to keep it private, - though now the content of the bug
has been publicly discussed, so one wonders at the continued utility of it being private.
> 
> Perhaps it's a good time to segue to discussing how we wish to handle security bugs,
and get that documented.
> 
> --David



Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message