incubator-cloudstack-dev mailing list archives

From Clement Chen <clement.c...@citrix.com>
Subject RE: Query regarding where to store encryption keys
Date Wed, 20 Jun 2012 20:21:13 GMT
We should set up a dedicated channel for security issues and handle security bugs carefully.

Below are some of the examples:

Apache HTTP Server Project: http://httpd.apache.org/security_report.html
OpenStack: http://openstack.org/projects/openstack-security/
Eucalyptus: http://www.eucalyptus.com/eucalyptus-cloud/security/procedures

-Clement		 

-----Original Message-----
From: David Nalley [mailto:david@gnsa.us] 
Sent: Wednesday, June 20, 2012 12:59 PM
To: cloudstack-dev@incubator.apache.org
Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
Subject: Re: Query regarding where to store encryption keys

On Wed, Jun 20, 2012 at 3:50 PM, Ewan Mellor <Ewan.Mellor@eu.citrix.com> wrote:
>> -----Original Message-----
>> From: David Nalley [mailto:david@gnsa.us]
>> Sent: Wednesday, June 20, 2012 12:32 PM
>> To: cloudstack-dev@incubator.apache.org
>> Cc: Kelven Yang; Sateesh Chodapuneedi; Devdeep Singh
>> Subject: Re: Query regarding where to store encryption keys
>>
>> On Wed, Jun 20, 2012 at 3:15 PM, Vijayendra Bhamidipati 
>> <vijayendra.bhamidipati@citrix.com> wrote:
>> > Hi Team,
>> >
>> > This is with reference to bug CS-15151 (http://bugs.cloudstack.org/browse/CS-15151). I have some questions and it would be great if you could share your knowledge and suggestions.
>> >
>>
>>
>> Why is that bug not publicly visible?
>
> Probably because it's highlighting a potential security hole.  That seems like a reasonable precaution for the reporter to have taken.
>
> Would you like to handle these some other way?
>
> Ewan.
>

That's a perfectly valid reason to keep it private, though now the content of the bug has
been publicly discussed, so one wonders at the continued utility of it being private.

Perhaps it's a good time to segue to discussing how we wish to handle security bugs, and get
that documented.

--David
