Security Working Group meeting - Wednesday August 4 - results

Andrew Jeffery andrew at aj.id.au
Thu Aug 5 09:47:44 AEST 2021



On Thu, 5 Aug 2021, at 06:19, Patrick Williams wrote:
> On Wed, Aug 04, 2021 at 03:39:45PM -0500, Joseph Reynolds wrote:
> > On 8/4/21 3:09 PM, Patrick Williams wrote:
> > > On Wed, Aug 04, 2021 at 01:47:31PM -0500, Joseph Reynolds wrote:
> > >   
> > >> 4 Surya set up a bugzilla within Intel and will administer it.  Demo’d
> > >> the database. We briefly examined the database fields and agreed it
> > >> looks like a good start.
> > >>
> > > Once again I'll ask ***WHY***??!?
> > >
> > > https://lore.kernel.org/openbmc/YNzsE1ipYQR7yfDq@heinlein/
> > > https://lore.kernel.org/openbmc/YPiK8xqFPJFZDa1+@heinlein/
> > >
> > > Can we please create a private Github repository and be done with this topic?
> > 
> > I don't have any insight into how to resolve this question.
> > 
> > From today's meeting: using bugzilla has advantages over github issues:
> > - lets us define the fields we need: fix commitID, CVSS score, etc.
> 
> These are pretty minor when you could just add a comment template with this
> information.
> 
> > - has desirable access controls, specifically access by the security 
> > response team plus we can add access for the problem submitter and the 
> > problem fixer
> 
> So does Github.
> 
> ----
> 
> I really don't think that some subset of the community should go off on their
> own bug tracking system. 

+1

I'm not aware of any effort to use Github security advisories so far. I 
think we should try that before burdening ourselves and any bug 
reporters with yet more disjoint bits of infrastructure (we already
have the two mailing lists, discord, gerrit, and github).

Andrew
