Security Working Group meeting - Wednesday August 4 - results

Thu Aug 5 09:57:52 AEST 2021

On Wed, Aug 4, 2021 at 4:48 PM Andrew Jeffery <andrew at aj.id.au> wrote:
>
>
>
> On Thu, 5 Aug 2021, at 06:19, Patrick Williams wrote:
> > On Wed, Aug 04, 2021 at 03:39:45PM -0500, Joseph Reynolds wrote:
> > > On 8/4/21 3:09 PM, Patrick Williams wrote:
> > > > On Wed, Aug 04, 2021 at 01:47:31PM -0500, Joseph Reynolds wrote:
> > > >
> > > >> 4 Surya set up a bugzilla within Intel and will administer it.  Demo’d
> > > >> the database. We briefly examined the database fields and agreed it
> > > >> looks like a good start.
> > > >>
> > > > Once again I'll ask ***WHY***??!?
> > > >
> > > > https://lore.kernel.org/openbmc/YNzsE1ipYQR7yfDq@heinlein/
> > > > https://lore.kernel.org/openbmc/YPiK8xqFPJFZDa1+@heinlein/
> > > >
> > > > Can we please create a private Github repository and be done with this topic?
> > >
> > > I don't have any insight into how to resolve this question.
> > >
> > >  From today's meeting: using bugzilla has advantages over github issues:
> > > - lets us define the fields we need: fix commitID, CVSS score, etc.

I'm also really not following this as a rationale for starting a
completely new server.  This is easy enough to add on github in the
bug template.

> >
> > These are pretty minor when you could just add a comment template with this
> > information.
> >
> > > - has desirable access controls, specifically acess by the security
> > > respone tram plus we can add access for the problem submitter and the
> > > problem fixer
> >
> > So does Github.

+1

> >
> > ----
> >
> > I really don't think that some subset of the community should go off on their
> > own bug tracking system.
>
> +1
>
> I'm not aware of any effort to use Github security advisories so far. I
> think we should try that before burdening ourselves and any bug
> reporters with yet more disjoint bits of infrastructure (we already
> have the two mailing lists, discord, gerrit, and github).

+1

>
> Andrew