Commit Graph

124 Commits

Author SHA1 Message Date
Jeremy Stanley f6feaaeaed Move Reporting and VMT sections to dedicated pages
In order to improve readability and avoid confusion, move the
sections on reporting vulnerabilities and with VMT contact
information to their own respective documents.

Change-Id: I71d18bb60085961504c3090fe9ed3d5f418157b3
2024-02-27 17:17:16 +00:00
Jeremy Stanley 95c17d10f8 Clean up a couple missed "responsibly" mis-uses
As a follow-up to I3301598500ade978093adf4dd138e35816c358b9, fix two
lingering references which were missed in that change.

Change-Id: If4bd7115fb45852e6ffa3b1e939e40cc97703d36
2024-02-27 16:53:51 +00:00
Jeremy Stanley 40d956ac39 2024 refresh of fungi's OpenPGP key expiration
I update the expiration on my key frequently and leave it set to no
more than one year, but as a result I forget to replace static
copies in various places. Do that again now.

Change-Id: Icca79b8cc19586a8969c8646d217590607f81fa9
2024-02-21 13:32:25 +00:00
Jeremy Stanley d77f392f46 Update stable branch terminology for unmaintained
The TC passed a resolution replacing the Extended Maintenance phase
with an Unmaintained phase, and also reworked a fair amount of the
policy and process surrounding it. See
https://governance.openstack.org/tc/resolutions/20230724-unmaintained-branches.html
for details.

Fix our existing references to extended maintenance, and also
correct some broken hyperlinking while we're here.

Change-Id: I555f20339a86cd680ce58c8f69ef8a78bf34e97e
2023-11-16 14:09:22 +00:00
Jeremy Stanley 23e15de721 Reword "responsible" disclosure to "coordinated"
As Solar Designer noted in a recent presentation[*], the term
"responsible disclosure" is unnecessarily judgemental, suggesting
that any other process is irresponsible by comparison. More
accurately describe what we do as "coordinated disclosure" in the
two places where we previously used the less objective wording.

[*] https://www.sstic.org/2023/presentation/ouverture_2023/

Change-Id: I3301598500ade978093adf4dd138e35816c358b9
2023-06-21 14:49:43 +00:00
Jeremy Stanley ee4904680e Stop wrapping paragraphs in RST generator
The paragraph wrapping for description and errata fields destroys
RST formatting embedded in the YAML strings, so just get rid of it
for now.

Change-Id: I7c5cf1ec4b647c4c7254dd222ff3f91838795e3a
2023-05-10 15:45:24 +00:00
Jeremy Stanley 813a3e3a00 Update Jeremy Stanley OpenPGP key expiration
My key is expiring in a couple months, so here's one with a more
recent selfsig into 2024.

Change-Id: I2ecee13918e82db9a671cb628512a8e41f37517b
2023-01-23 18:33:35 +00:00
Gage Hugo 71a93e076b Update VMT member list
I am stepping down from the VMT. This change removes my info
from the published contact list.

Change-Id: I7a41628b66662113576b32726b587aaddd692768
2022-12-02 13:12:08 -06:00
niuke 73b6da398b remove unicode from code
Change-Id: I918fa5e325f9a3c168f2d9783f04f220a35f8d25
2022-07-28 09:57:33 +08:00
Matthew Thode d0ca85cd73 update Matthew Thode's gpg key
updated expiration mainly

Change-Id: Ibd674ab08bb3e9e97ae61f232dc3cd56e563e4ef
Signed-off-by: Matthew Thode <mthode@mthode.org>
2022-06-15 10:09:58 -05:00
Zuul 97b8030786 Merge "Drop references for the old security blog" 2022-06-02 16:09:59 +00:00
Jeremy Stanley f44bb08b1e Drop references for the old security blog
Members of the OSSG maintained an OpenStack Security Blog between
2016 and 2017, but it's been abandoned for nearly 5 years now and
none of the currently involved contributors in the SIG have access
to that site nor available time to contribute new articles. Remove
the reference for now, it can always be added back if the blog is
resurrected or replaced in the future.

Change-Id: I04ba8b7cd734707406e480142a6b01df8900f1e9
2022-06-02 13:15:57 +00:00
Jeremy Stanley 207f292a31 repos-overseen: VMT is happy to assist any project
Make it clear in the overseen repos list preamble that VMT members
attempt to provide guidance on request, even for repositories not
specifically opted into direct oversight.

Change-Id: Id357a1ec8c62a66c97f7d55eecd95325db60a6d1
2022-06-02 13:02:01 +00:00
Jeremy Stanley b4b7f1d326 Refresh self-keysig expiration on my OpenPGP key
I intentionally keep a short expiration on my OpenPGP key, but this
means I need to update public copies of it at least annually.

Change-Id: I33525b04e11aa2b8e748ab576b2a0330d88d23eb
2022-03-15 14:52:40 +00:00
Jeremy Stanley e168a956e8 Drop SKS Keyserver links from main page
The SKS Keyserver network shut down last year, due to a combination
of GDPR compliance challenges and third-party keysig upload attacks.
There's no great external source for displaying key details now, so
just omit the link.

Also restructure how we're linking to the local keys, in order to
simplify management of the document.

Change-Id: I266ccff9ed3183782961102fb7f8675ac518692b
2022-03-15 14:49:20 +00:00
Jeremy Stanley 1aa37b1663 Import VMT oversight information from governance
The OpenStack TC has decided to stop using its "governance tags"
mechanism for recording specific details about project deliverables.
We previously relied on a vulnerability:managed tag to indicate the
deliverables overseen by the VMT, as well as documenting
expectations for the teams responsible for them.

Tags, being deliverable-specific rather than repository-specific,
were never a great fit for us. When bringing this information into
our own documentation, it's now reworked as a list of specific Git
repositories for simplicity and granularity. The expectations have
also been edited and shortened in order to accommodate this change,
but are still effectively the same as they were in governance.

Change-Id: Ie3c0cc38fc071716420c12b3f6de4a320428bd04
2022-02-23 15:31:47 +00:00
Jeremy Stanley 4b7ca58f75 Clarify instructions for posting to linux-distros
I realized the rules for posting to the linux-distros ML include
putting a special string in the subject line and encrypting the
message. Update our instructions to reflect that and link to theirs
while we're at it.

Change-Id: Icfd645748fd3a4db4c9d6c9e832afb3137f1fcff
2021-11-22 21:57:23 +00:00
Jeremy Stanley 2780ff1dcc Clarify our affected versions conventions
The old impact description template was slightly misleading in its
use of <= to clamp upper bounds of affected versions. For many years
we've actually been using a strict < of the next possible SemVer
patchlevel version, so correct the examples and add a brief
paragraph to explain the construction in greater detail.

Change-Id: I44db2454bd1cd8691f445a0dcd403b8fa2681de3
2021-07-12 19:53:31 +00:00
Jeremy Stanley b05ba12445 Correct is_safe_path example in guidelines
A previous rework of the directory traversal mitigation example in
I3f8d3760daceb9e62396ae21b0d915ae07eff303 was not correctly cleaned
up, and left some unintended startswith method invocations behind.
Get rid of those, and also correct a wrong parameter name in the
main function while we're at it, as well as fixing some incorrect
indentation.

Change-Id: Ie5347f3b6cc8e689440db0aaf552d52ad37c231c
Closes-Bug: #1928544
2021-07-02 17:15:41 +00:00
Jeremy Stanley 5820a97832 Get specific about differences between SB and LP
In the instructions on reporting security vulnerabilities, detail
the StoryBoard workflow distinct from Launchpad, since we've had at
least one reported incident of a user thinking that just checking
the security checkbox would also make the story private.

Change-Id: Id8f824ef830bd321f7db4c03389dbebed01b163d
2021-06-15 15:38:50 +00:00
Jeremy Stanley 9dc1f95497 Not all reports relate to incidents
Rename the Incident Report Taxonomy section to Report Taxonomy but
leave a reference label behind so we don't obliterate any of the
many old external links to this document.

While tidying this up, also switch the task status reference to use
an internal anchor rather than an explicit URL anchor link.

Change-Id: I49245922e08d702b7ec1c46403a0db84dbad2882
2021-06-15 15:38:50 +00:00
Jeremy Stanley c47cf1e489 Make VMT contact list more discoverable
Get rid of the outdated section for the long gone Security Project,
and move the VMT contact info from it to near the top of the main
security.o.o page. Also switch references in the process document to
link that list instead of going to the LP group page (which made
obtaining contact information a challenge).

Change-Id: I6aaf4da8bff51bc63706fc20e9f5f68d6e9b0fe4
2021-06-15 15:38:48 +00:00
Gage Hugo d4785ae6fd Remove outdated security tool development section
The security SIG hasn't maintained the two projects listed under
the "Security tool development" section in quite a while. This
change removes the section entirely since the information it
has is no longer relevant to the security SIG.

Change-Id: I49aee997751b2b4f7ca6e879883a85c56087c0a1
2021-03-25 15:44:20 -05:00
Jeremy Stanley 0e4118d19e More accurately match paths in safe path example
As was pointed out in a bug report, the example for safe path
matching should not be comparing substrings, but actual path
components. As OpenStack projects currently no longer support Python
interpreter versions prior to 3.5, we can take advantage of
os.path.commonpath() for confirming this correctly.

Change-Id: I3f8d3760daceb9e62396ae21b0d915ae07eff303
Closes-Bug: #1815422
2021-01-21 16:53:50 +00:00
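The two commits above (0e4118d19e and its follow-up b05ba12445) describe replacing a string-prefix comparison in the guidelines' directory traversal example with os.path.commonpath(). The code below is an added example written for this page, not the text of the security-doc guideline itself: it places the flawed startswith() check beside the component-wise check, and adds a symlink case that the commit messages do not mention. The function names, the /srv/uploads base directory and the sample paths are constructed for illustration.

```python
import os
import tempfile


def is_safe_path_naive(basedir, path):
    """Flawed variant: string-prefix comparison.

    It accepts /srv/uploads2/secret for basedir /srv/uploads, because
    the prefix matches as a string even though /srv/uploads2 is a
    sibling directory rather than a child.
    """
    return os.path.abspath(path).startswith(os.path.abspath(basedir))


def is_safe_path(basedir, path, follow_symlinks=True):
    """Return True only if ``path`` resolves to a location inside ``basedir``.

    Whole path components are compared via os.path.commonpath(), so a
    sibling directory sharing a string prefix is rejected.  With
    follow_symlinks=True both paths are canonicalised with realpath()
    first, so a symlink planted inside basedir that points back out of
    it is rejected as well.
    """
    resolve = os.path.realpath if follow_symlinks else os.path.abspath
    basedir = resolve(basedir)
    matchpath = resolve(path)
    try:
        return os.path.commonpath((basedir, matchpath)) == basedir
    except ValueError:
        # commonpath() raises when the paths share no root (e.g. different
        # drives on Windows); that is certainly not inside basedir.
        return False


def check_lexical_cases(base="/srv/uploads"):
    """Constructed inputs; the paths need not exist, ".." is handled lexically.

    Returns {path: (naive_result, correct_result)}.
    """
    candidates = [
        "/srv/uploads/report.txt",           # plain child
        "/srv/uploads/../uploads/a/b.txt",   # dot-dot that stays inside
        "/srv/uploads/../../etc/passwd",     # classic traversal
        "/srv/uploads2/secret",              # sibling with a shared prefix
        "/srv/uploads",                      # the base directory itself
    ]
    return {p: (is_safe_path_naive(base, p), is_safe_path(base, p))
            for p in candidates}


def check_symlink_escape():
    """Build a temporary tree with a symlink that escapes the base directory.

    Returns (result with follow_symlinks=True, result with follow_symlinks=False)
    for the link path: the former rejects it, the latter accepts it because
    the link itself lives inside basedir.
    """
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "base")
        outside = os.path.join(tmp, "outside")
        os.mkdir(base)
        os.mkdir(outside)
        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("not for download\n")   # constructed sample file
        link = os.path.join(base, "innocent.txt")
        os.symlink(secret, link)             # link inside base -> file outside
        return (is_safe_path(base, link, follow_symlinks=True),
                is_safe_path(base, link, follow_symlinks=False))


if __name__ == "__main__":
    for path, (naive, strict) in check_lexical_cases().items():
        print(f"{path:36} startswith={naive!s:5} commonpath={strict}")
    print("symlink escape (follow, nofollow):", check_symlink_escape())
```

The sibling-directory case is the one the bug report was about: "/srv/uploads2/secret" passes the startswith() test and fails the commonpath() test. The symlink case shows why follow_symlinks defaults to True: a purely lexical check sees "/…/base/innocent.txt" and approves it, while realpath() exposes the target outside the base directory.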
Zuul 8e0d7b054f Merge "Don't break long/hyphenated words in RST creation" 2020-10-14 00:46:40 +00:00
Jeremy Stanley e50bcab88c Don't break long/hyphenated words in RST creation
The textwrap module by default breaks hyphenated words across line
wrapping boundaries, which Sphinx will then reinterpret as
whitespace. Disable this behavior so that hyphenated words will be
moved to the next line rather than broken at their hyphens. Also
disable a related feature which would break lines longer than the
target line length, allowing one-word lines longer than that.

Change-Id: I2ce8dcd4d67b658817857167e218913c75df0bda
2020-10-13 17:54:46 +00:00
Jeremy Stanley ed8c4da7ae Update SKS Keyserver URLs
The HKPS proxy on 443/tcp at sks-keyservers.net hasn't been operable
for many months (consistently returning a 502 Bad Gateway error).
Switch to a direct HKP URL on 11371/tcp at pool.sks-keyservers.net
instead, which returns the same content (unfortunately not over an
encrypted connection). The next best alternatives would be to use a
lookup on keyserver.ubuntu.com which misses a lot of the
cross-signing key info, or keys.openpgp.net which only provides a
link to download key material with no additional information and no
signatures.

Change-Id: I5d99bcb261a77e2d557fa31ca199f2eed09583c3
2020-09-23 16:25:11 +00:00
Jeremy Stanley 45150323ff Don't alter dict keys in OSSA list iteration
Fix a breaking error for docs generation under Python 3.8 by working
from a copy of dict keys when iterating, so that the originals can
be altered within the loop.

Change-Id: I4ce90a163ce143d0b88ec722549750847bf4bf18
2020-08-21 21:24:11 +00:00
Zuul 1c9dc3d832 Merge "Remove Tristan Cacqueray from VMT" 2020-06-16 21:35:53 +00:00
Andreas Jaeger d926c5f13d Switch to newer openstackdocstheme version
Switch to openstackdocstheme 2.2.1 version. Using
this version will allow especially:
* Linking from HTML to PDF document
* Allow parallel building of documents
* Fix some rendering problems

Update Sphinx version as well.

Disable openstackdocs_auto_version to not auto-version the documents.

Disable openstackdocs_auto_name to use 'project' variable as name.

Change pygments_style to 'native' since old theme version always used
'native' and the theme now respects the setting and using 'sphinx' can
lead to some strange rendering.

Remove docs requirements from lower-constraints, they are not needed
during install or test but only for docs building.

openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.

See also
http://lists.openstack.org/pipermail/openstack-discuss/2020-May/014971.html

Remove also now obsolete sections from setup.cfg and cleanup tox.ini.

Change-Id: I861983389f7dc57d229a2c87e28ff3deb91a4a63
2020-06-03 20:50:01 +02:00
Zuul 6d7ff08baf Merge "Remove UUID guessing example from C1 report class" 2020-05-21 15:22:54 +00:00
Jeremy Stanley a232bffaa2 Clarify expiration conditions in embargo template
Make it clear in our embargo header template that having a fix
identified doesn't defer its publication deadline. This wording is
more consistent with the disclaimer in our reporting instructions as
well.

Change-Id: I22479ce657362725ede86d74a93b4239ff8febe4
2020-05-19 18:17:09 +00:00
Tristan Cacqueray 4281fd96d6 Remove Tristan Cacqueray from VMT
I'm stepping down from the VMT.

Change-Id: Ic85e3f184e7806dc33d00b0c2bc60b3443612de1
Signed-off-by: Tristan Cacqueray <tdecacqu@redhat.com>
2020-05-06 19:04:51 +00:00
Jeremy Stanley 8313bac0e2 Remove UUID guessing example from C1 report class
Several recent examples have made it clear that some objects in
various services' APIs are keyed with UUIDs which are not
safeguarded or we otherwise don't position this information as
sensitive in obvious ways. We may still consider some reports a C1
if they genuinely hinge on an attacker guessing or socially
engineering an administrator to divulge an arbitrary type 4 UUID,
but this rule is not as solid an indicator of a C1 report as it was
in 2015 when this example was originally added.

Change-Id: Id9a768d3cb3880c4d8f28a45adc924edb8b5dc4a
2020-04-15 21:31:27 +00:00
Jeremy Stanley 6d4cf398bb Overhaul process for additional SB/LP differences
Update our process to make it more readable, and more directly
actionable for projects which use StoryBoard. Since SB uses fewer
task statuses and calls them by different names (Todo, Progress,
Review, Merged, Invalid), remove some superfluous task status
changes around CVE requests and embargoed disclosure from our
process, and include corresponding task names from SB for those
which remain.

Note the vmt-process.png illustration still needs updating to
reflect the moved (In Progress and Fix Committed) statuses.

Change-Id: Id3710b4c50f1538629b77e3f681ebfd5ea5ff5bf
2020-02-17 20:46:20 +00:00
Jeremy Stanley 92a5157e2d Note the 90-day embargo limit
Now that Ia501817277a3fed215edd78a8035ad07a90810f0 has merged and
adds a 90-day maximum embargo period, update our instructions,
process documentation and templates accordingly. Also fix a few
locations where we failed to mention StoryBoard (now that we have
covered projects making use of it).

Change-Id: I5fd671910a44d03d25034cf1ea31fb34f695747f
2020-02-13 20:12:08 +00:00
Tristan Cacqueray 0eac8eb961 Tighten the sample ossa yaml in vmt-process
This change removes the extra carriage returns as well as
the unused type attribute from the reviews dictionary.

Change-Id: I0928e9c37127299794d36bf21678744800bdeb16
2020-02-13 18:42:25 +00:00
Jeremy Stanley 23af4fc5e8 A fond farewell to Morgan Fainberg
Morgan Fainberg has acknowledged that he no longer has sufficient
opportunity to serve as a vulnerability manager for OpenStack.
Thanks so much, Morgan, for all your assistance over the years.
Hopefully we'll still see you around from time to time!

Change-Id: Ie93e5717981a938c465e42d8c207bd92bbd870c1
2020-01-28 17:31:47 +00:00
Gage Hugo 1286386acc Add $PROJECT: to the email subject in vmt guide
oss-security requires the affected project in the subject line of
disclosures on their mailing list.

This change adds "$PROJECT:" to the email subject template, as this
is required by oss-security and would be useful to the openstack
mailing lists as well.

Change-Id: I3bbd03079b0713d99e112cbc95c481bea49556ba
2019-12-11 11:22:29 -06:00
Jeremy Stanley cb1ae0756e Refresh public OpenPGP key for Jeremy Stanley
I explicitly maintain a <= 1 year expiration on my public OpenPGP
key and bump it periodically. As a result, the convenience export we
publish should also be refreshed with some regularity so that an old
expired version is not served in error. Update my key here with a
more recent export.

Change-Id: I6914dc0799538fe4d8106593f414e5bfbaf65137
2019-11-07 22:49:54 +00:00
Zuul 0afa146865 Merge "Update the Gerrit server name in VMT process" 2019-10-08 18:27:31 +00:00
Jeremy Stanley 3c8b6bf86f Update the Gerrit server name in VMT process
OpenDev's Gerrit server has been moved to review.opendev.org so we
should use the canonical name in our process documentation rather
than the old compatibility redirect (but we can leave it as-is for
already created advisories).

Change-Id: Id7dcc90bf8fb6cbdd6103483befa9840b4754cfb
2019-08-06 19:47:30 +00:00
Zuul 629904582d Merge "Update documentation on finding OSSA rst "source"" 2019-08-06 19:37:07 +00:00
Jeremy Stanley 3b09898b2c Update documentation on finding OSSA rst "source"
With the semi-recent switch in Sphinx themes, there is no longer a
"Show Source" button or link on rendered HTML pages. Instead
document how to alter the URL to find the generated reStructuredText
"source" files.

Change-Id: Iac7072dc2b67327b320ec89158ba5e2c4c22c263
2019-08-06 19:00:37 +00:00
Gage Hugo 2a72e3cc1f Fix docs gate code highlighting warning
This change marks the code highlighting to none for a
couple instances where there is invalid javascript in
a code block.

This fixes the docs gate failure.

Change-Id: Ib74098c971861604c7990b5786fd99dfc15aeadb
2019-04-08 10:29:28 -05:00
Zuul 625eac77ff Merge "Send advisories to openstack-discuss instead" 2019-03-18 16:37:23 +00:00
Nick Tait 1c6a37aeb4 Fix a spelling mistake
Change-Id: I5670f810f86796c6fb2bf9e8e68c5a4ffae6b5fd
Signed-off-by: Nick Tait <ntait@redhat.com>
2019-01-16 14:13:30 -07:00
Jeremy Stanley fdc93bd0a9 Send advisories to openstack-discuss instead
The old openstack@l.o.o general mailing list has been merged into
openstack-discuss, so we should cross-post future advisories there
instead.

Change-Id: I9853fff9c2a1c0c3b910c3481521330f7624a866
2018-12-10 15:04:01 +00:00
Andreas Jaeger 1f144b2f2a Remove anchor
Anchor project has been retired, remove it from the index page.

Change-Id: I14673f0a68ee825b9ab8135c124055477c52bcde
2018-11-05 21:12:26 +01:00
Andreas Jaeger b3b22ebb4e Use python3 for doc building
Update requirements and code for python3, this will not work with
python2 anymore.

Also, update to openstackdocstheme as current OpenStack theme and
configure it.

Some noteworthy changes:
* Remove reload, setting of UTF-8 in vmt.py - this is not needed anymore
  with python3.
* Update requirements of Sphinx to current versions
* The Markup construct does not work with python3 in conf.py, replace
  with simpler string.
* No need to use "pip -U", remove -U option.
* in vmt.py: Strings are unicode in python3, no need to check for it.

Change-Id: I421e3d4a09ff19523b3bd0ca015e31a4bd1e0608
2018-11-05 21:11:58 +01:00