Security Working Group meeting - Wednesday August 4 - results

Mihm, James james.mihm at intel.com
Sat Aug 7 03:10:16 AEST 2021


I’ve been pushing for a database of some sort to track the security issues that I’ve submitted so far. My initial impression was that the github security advisories was targeted more for disclosures and not necessarily management. I’ll look into the github security advisories further. What I’m looking for is a tool that will help us track the progress of mitigations or the lack thereof.
I’d also like to track all of the issues from upstream projects that impact openbmc, and a database seems like a good option for that.

Regards, James.

From: openbmc <openbmc-bounces+james.mihm=intel.com at lists.ozlabs.org> On Behalf Of Patrick Williams
Sent: Wednesday, August 4, 2021 4:24 PM
To: Joseph Reynolds <jrey at linux.ibm.com>
Cc: openbmc at lists.ozlabs.org; Brad Bishop <bradleyb at fuzziesquirrel.com>
Subject: Re: Security Working Group meeting - Wednesday August 4 - results

Has this been read through?

https://docs.github.com/en/code-security/security-advisories/about-github-security-advisories


On Aug 4, 2021, at 3:49 PM, Patrick Williams <patrick at stwcx.xyz> wrote:
On Wed, Aug 04, 2021 at 03:39:45PM -0500, Joseph Reynolds wrote:

On 8/4/21 3:09 PM, Patrick Williams wrote:
On Wed, Aug 04, 2021 at 01:47:31PM -0500, Joseph Reynolds wrote:

4 Surya set up a bugzilla within Intel and will administer it.  Demo’d
the database. We briefly examined the database fields and agreed it
looks like a good start.

Once again I'll ask ***WHY***??!?

https://lore.kernel.org/openbmc/YNzsE1ipYQR7yfDq@heinlein/
https://lore.kernel.org/openbmc/YPiK8xqFPJFZDa1+@heinlein/

Can we please create a private Github repository and be done with this topic?

I don't have any insight into how to resolve this question.

From today's meeting: using bugzilla has advantages over github issues:
- lets us define the fields we need: fix commitID, CVSS score, etc.

These are pretty minor when you could just add a comment template with this
information.


- has desirable access controls, specifically access by the security
response team plus we can add access for the problem submitter and the
problem fixer

So does Github.

----

I really don't think that some subset of the community should go off on their
own bug tracking system.  This is a waste of time to maintain and just further
segments this "Security Team" off in their own bubble.

--
Patrick Williams

