incubator-cloudstack-dev mailing list archives

From Joe Brockmeier <...@zonker.net>
Subject Re: [DISCUSS] ACS pre-disclosure security list
Date Fri, 11 Jan 2013 22:40:58 GMT
On Fri, Jan 11, 2013 at 02:20:49PM -0800, John Kinsella wrote:
> Everyone - as we're trying to define the ACS security response plan, we
> started considering the idea of a pre-disclosure mailing list. Membership
> would consist of security teams from organizations that have large
> installations of ACS upon which their business is critical. The idea
> was based on Xen's pre-disclosure list[1]. After we (PPMC) discussed
> and invited thoughts from security@apache.org, it was suggested that
> we get feedback from the general development community. I'll summarize
> the discussion points below, but would love to hear further thoughts or
> comments from everyone.

Thanks for taking the lead on that and starting this discussion.

> * The initial thought was to have the list for distributions that include ACS, but expanded
> to consider organizations with Significant installations.
> * For organizations who have decided to base their business (or a good chunk of it) on
> ACS, advance notice allows them a chance to mitigate security issues which could cause significant
> operational issues before general release to the public.
> * Having a pre-disclosure list, though, means we would need to manage who gets on and
> who doesn't. Membership would have to be limited by either install size, criticality of the
> install base, or some other similar metric. If we don't limit membership, it's the same as
> just doing a public announcement.
> * Some are worried that management of this list could be significant work or cause stress
> in the community.
> * We'd have to keep the pre-disclosure advance notice timeframe fairly small, otherwise
> it'll leak out without responsible control on our behalf.
> * In some cases, individuals have seen vulnerability reports demand that certain organizations
> do not get pre-disclosure. So that's something we might have to deal with.
> * One question is if membership should be limited to organizations who have individuals
> who contribute to the project, or if it should be open to anyone. The concept being "why should
> they get something from us when we get nothing from them?"
> * One suggestion was to use the pre-disclosure list not so much as an advanced-warning
> list, but as a QA list, allowing folks to review the announcement before it is published for
> general consumption.

The intent here is good: We want to help users of CloudStack and ensure
that any security issues are as minimally disruptive as possible.

I wonder about the effect, though. Essentially this would be saying
"some users are more important than others" based on size or some other
criteria.

Now - we've talked about being packaged in Linux distributions recently.
I think we can make a case for a pre-disclosure list of downstream
security teams, if they're packaging + shipping Apache CloudStack. The
number of vendors/projects would be fairly manageable. The other
argument is that we need to give downstreams time to apply patches or
whatever so they can ship them to their users. Note that would also fit
with it being a QA list. If we're serious about being in Linux distros,
we need to think about how we'd work with them on security issues.

But having a list of organizations that use CloudStack, judged by the
"significance" of their installation... I'm not comfortable telling a
user of CloudStack "sorry, you don't merit early notification of
security bugs because your installation isn't big enough."

Best,

jzb
--
Joe Brockmeier
http://dissociatedpress.net/
Twitter: @jzb