Date: Wed, 24 May 2023 16:48:23 +0000
From: Jeremy Stanley <fungi@...goth.org>
To: oss-security@...ts.openwall.com
Subject: Re: Clarification on embargoed testing in a partner cloud

On 2023-05-24 07:26:42 -0700 (-0700), Anthony Liguori wrote:
[...]
> For list members that have questions about AWS, I'm happy to
> answer, in gory details. I know other large cloud providers have
> folks on the list that would likely offer the same (or at least
> direct to the appropriate people). I can also help make
> connections to most of the large cloud providers if folks don't
> have contacts.

I'm similarly happy to connect interested parties to contacts at the
hundreds of public cloud service providers who run OpenStack, if there
are questions along those lines.

> That said, I don't think this is the most important part of the
> discussion...
[...]

Agreed. With my upstream developer and vulnerability coordinator hat
on, I don't mind if downstream stakeholders who are given advance
notice of our upcoming advisories test the included patches on
resources in "public clouds" (whatever that term really means), as
long as they're reasonably confident in the contractual relationships
they have with those providers to operate ethically and above board.
But also, we intentionally don't open up our embargoed discussions to
downstream distributors until fairly close to the planned publication
date, in order to limit the blast radius from accidental leaks.

Perhaps unsurprisingly, the OpenStack community does perform basically
all of its testing and vulnerability management tasks on donated
resources within OpenStack-based cloud providers, so it would be
somewhat hypocritical of us to tell our users they shouldn't. I get
the impression an increasing number of open source projects do the
same today.
--
Jeremy Stanley