Start using github security advisories

Mihm, James james.mihm at intel.com
Thu Oct 28 05:29:05 AEDT 2021


Brad or Andrew, can we proceed with the creation of a security repository so that we can run a couple of trials on security issues?

I think it's important that we are able to meet the following criteria using a github repo with restricted access. 

a) individual security issues can be restricted using access control lists without granting global access to all security issues.
b) individual security issues can be linked to private code reviews and discussions without leaking information beyond those with a need to know.

Regards, James.

>-----Original Message-----
>From: openbmc <openbmc-bounces+james.mihm=intel.com at lists.ozlabs.org> On Behalf Of Bruce Mitchell
>Sent: Monday, October 18, 2021 12:06 PM
>To: Brad Bishop <bradleyb at fuzziesquirrel.com>; Andrew Geissler <geissonator at gmail.com>
>Cc: openbmc <openbmc at lists.ozlabs.org>; Joseph Reynolds <jrey at linux.ibm.com>
>Subject: Re: Start using github security advisories
>
>On 10/18/2021 11:49, Brad Bishop wrote:
>> On Thu, Oct 14, 2021 at 02:12:20PM -0500, Andrew Geissler wrote:
>>>> Per today's Security working group meeting, we want to start using
>>>> [GitHub security advisories][].  I think we need someone with admin
>>>> permissions to github.com/openbmc/openbmc to create new advisories.
>>>> Then we'll want a group (team? perhaps security-response-team) with
>>>> the current OpenBMC [security response team][] members.  (I have that
>>>> list.)
>>>
>>> Looks like you’ll need admin authority on openbmc/openbmc in order to
>>> utilize the security advisories feature. I wonder if it’s better to
>>> create an openbmc/security repo and we can give you and the security
>>> team admin of that repo for this work? This would also provide a
>>> potential location to track github issues for the security team.
>>
>> This was my thinking as well Andrew.  I'll create
>> openbmc/security-response if I don't see any complaints in the next
>> little while.
>>
>> -brad
>
>I believe we want to make sure that none of the security advisories
>get sent to Discord; we wouldn't want them accidentally going to
>something like #gh-issues.