Security Working Group meeting - Wednesday August 4 - results

Patrick Williams patrick at stwcx.xyz
Thu Aug 5 09:23:35 AEST 2021


Has this been read through?

https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories

> On Aug 4, 2021, at 3:49 PM, Patrick Williams <patrick at stwcx.xyz> wrote:
> 
> On Wed, Aug 04, 2021 at 03:39:45PM -0500, Joseph Reynolds wrote:
>>> On 8/4/21 3:09 PM, Patrick Williams wrote:
>>>> On Wed, Aug 04, 2021 at 01:47:31PM -0500, Joseph Reynolds wrote:
>>> 
>>>> 4 Surya set up a bugzilla within Intel and will administer it.  Demo’d
>>>> the database. We briefly examined the database fields and agreed it
>>>> looks like a good start.
>>>> 
>>> Once again I'll ask ***WHY***??!?
>>> 
>>> https://lore.kernel.org/openbmc/YNzsE1ipYQR7yfDq@heinlein/
>>> https://lore.kernel.org/openbmc/YPiK8xqFPJFZDa1+@heinlein/
>>> 
>>> Can we please create a private Github repository and be done with this topic?
>> 
>> I don't have any insight into how to resolve this question.
>> 
>> From today's meeting: using bugzilla has advantages over github issues:
>> - lets us define the fields we need: fix commitID, CVSS score, etc.
> 
> These are pretty minor when you could just add a comment template with this
> information.
> 
>> - has desirable access controls, specifically access by the security 
>> response team plus we can add access for the problem submitter and the 
>> problem fixer
> 
> So does Github.
> 
> ----
> 
> I really don't think that some subset of the community should go off on their
> own bug tracking system.  This is a waste of time to maintain and just further
> segments this "Security Team" off in their own bubble.
> 
> -- 
> Patrick Williams