In order to improve readability and avoid confusion, move the
sections on reporting vulnerabilities and with VMT contact
information to their own respective documents.
Change-Id: I71d18bb60085961504c3090fe9ed3d5f418157b3

As a follow-up to I3301598500ade978093adf4dd138e35816c358b9, fix two
lingering references which were missed in that change.
Change-Id: If4bd7115fb45852e6ffa3b1e939e40cc97703d36

I update the expiration on my key frequently and leave it set to no
more than one year, but as a result I forget to replace static
copies in various places. Do that again now.
Change-Id: Icca79b8cc19586a8969c8646d217590607f81fa9

The TC passed a resolution replacing the Extended Maintenance phase
with an Unmaintained phase, and also reworked a fair amount of the
policy and process surrounding it. See
https://governance.openstack.org/tc/resolutions/20230724-unmaintained-branches.html
for details.
Fix our existing references to extended maintenance, and also
correct some broken hyperlinking while we're here.
Change-Id: I555f20339a86cd680ce58c8f69ef8a78bf34e97e

As Solar Designer noted in a recent presentation[*], the term
"responsible disclosure" is unnecessarily judgemental, suggesting
that any other process is irresponsible by comparison. More
accurately describe what we do as "coordinated disclosure" in the
two places where we previously used the less objective wording.
[*] https://www.sstic.org/2023/presentation/ouverture_2023/
Change-Id: I3301598500ade978093adf4dd138e35816c358b9

Since this only impacts the fix for stable/wallaby which is not
under normal maintenance, we'll dispose with the usual errata
announcements.
Change-Id: Ibd0d1d796012fb5d34d48925ce34f6f1c300b54e
Related-Bug: #2004555

The paragraph wrapping for description and errata fields destroys
RST formatting embedded in the YAML strings, so just get rid of it
for now.
Change-Id: I7c5cf1ec4b647c4c7254dd222ff3f91838795e3a

Drop the skipsdist and usedevelop settings, they're not needed in
this project anyway and have different side effects in newer Tox.
Change-Id: I231815a9bb7ee81ec4e9f011d75a704fa471d6dd

The newer default Python interpreter version on Ubuntu 22.04 LTS
doesn't support older PyYAML's use of stdlib collections. It was
pinned to a specific version when first added in 2014 by
I384971732166fbeb123d572d3ccbcde6bad39dfc with no reason given.
Change-Id: I9c18dbd542615f795f063fb6c665f6b6a475e498

Members of the OSSG maintained an OpenStack Security Blog between
2016 and 2017, but it's been abandoned for nearly 5 years now and
none of the currently involved contributors in the SIG have access
to that site nor available time to contribute new articles. Remove
the reference for now, it can always be added back if the blog is
resurrected or replaced in the future.
Change-Id: I04ba8b7cd734707406e480142a6b01df8900f1e9

Make it clear in the overseen repos list preamble that VMT members
attempt to provide guidance on request, even for repositories not
specifically opted into direct oversight.
Change-Id: Id357a1ec8c62a66c97f7d55eecd95325db60a6d1

I intentionally keep a short expiration on my OpenPGP key, but this
means I need to update public copies of it at least annually.
Change-Id: I33525b04e11aa2b8e748ab576b2a0330d88d23eb

The SKS Keyserver network shut down last year, due to a combination
of GDPR compliance challenges and third-party keysig upload attacks.
There's no great external source for displaying key details now, so
just omit the link.
Also restructure how we're linking to the local keys, in order to
simplify management of the document.
Change-Id: I266ccff9ed3183782961102fb7f8675ac518692b

The OpenStack TC has decided to stop using its "governance tags"
mechanism for recording specific details about project deliverables.
We previously relied on a vulnerability:managed tag to indicate the
deliverables overseen by the VMT, as well as documenting
expectations for the teams responsible for them.
Tags, being deliverable-specific rather than repository-specific,
were never a great fit for us. When bringing this information into
our own documentation, it's now reworked as a list of specific Git
repositories for simplicity and granularity. The expectations have
also been edited and shortened in order to accommodate this change,
but are still effectively the same as they were in governance.
Change-Id: Ie3c0cc38fc071716420c12b3f6de4a320428bd04

I realized the rules for posting to the linux-distros ML include
putting a special string in the subject line and encrypting the
message. Update our instructions to reflect that and link to theirs
while we're at it.
Change-Id: Icfd645748fd3a4db4c9d6c9e832afb3137f1fcff

The old impact description template was slightly misleading in its
use of <= to clamp upper bounds of affected versions. For many years
we've actually been using a strict < of the next possible SemVer
patchlevel version, so correct the examples and add a brief
paragraph to explain the construction in greater detail.
Change-Id: I44db2454bd1cd8691f445a0dcd403b8fa2681de3

Follow-up to correct the date on which OSSA-2021-001 was published
so that we don't lose the existing votes on the original change.
Change-Id: I295a49103c651d4b40a557dda0b2b9ea4b124bfa

A previous rework of the directory traversal mitigation example in
I3f8d3760daceb9e62396ae21b0d915ae07eff303 was not correctly cleaned
up, and left some unintended startswith method invocations behind.
Get rid of those, and also correct a wrong parameter name in the
main function while we're at it, as well as fixing some incorrect
indentation.
Change-Id: Ie5347f3b6cc8e689440db0aaf552d52ad37c231c
Closes-Bug: #1928544

In the instructions on reporting security vulnerabilities, detail
the StoryBoard workflow distinct from Launchpad, since we've had at
least one reported incident of a user thinking that just checking
the security checkbox would also make the story private.
Change-Id: Id8f824ef830bd321f7db4c03389dbebed01b163d

Rename the Incident Report Taxonomy section to Report Taxonomy but
leave a reference label behind so we don't obliterate any of the
many old external links to this document.
While tidying this up, also switch the task status reference to use
an internal anchor rather than an explicit URL anchor link.
Change-Id: I49245922e08d702b7ec1c46403a0db84dbad2882

Get rid of the outdated section for the long gone Security Project,
and move the VMT contact info from it to near the top of the main
security.o.o page. Also switch references in the process document to
link that list instead of going to the LP group page (which made
obtaining contact information a challenge).
Change-Id: I6aaf4da8bff51bc63706fc20e9f5f68d6e9b0fe4

The security SIG hasn't maintained the two projects listed under
the "Security tool development" section in quite a while. This
change removes the section entirely since the information it
has is no longer relevant to the security SIG.
Change-Id: I49aee997751b2b4f7ca6e879883a85c56087c0a1

As was pointed out in a bug report, the example for safe path
matching should not be comparing substrings, but actual path
components. As OpenStack projects currently no longer support Python
interpreter versions prior to 3.5, we can take advantage of
os.path.commonpath() for confirming this correctly.
Change-Id: I3f8d3760daceb9e62396ae21b0d915ae07eff303
Closes-Bug: #1815422

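The distinction this commit message draws, substring comparison versus comparison of actual path components with os.path.commonpath(), as an added Python example. This is not the code from the OpenStack security documentation; the base directory /srv/data, the candidate paths and the temporary symlink tree are constructed for illustration.

```python
import os
import tempfile


def within_base_substring(base, candidate):
    """The flawed check: treat the containing directory as a string prefix.

    '/srv/data' is a prefix of '/srv/data-private/secret', so a sibling
    directory whose name merely starts with the base name is accepted.
    """
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, candidate))
    return target.startswith(base)


def within_base_commonpath(base, candidate):
    """The corrected check: compare whole path components.

    os.path.commonpath returns the longest common component prefix, so
    the result equals base only when target is base itself or lies below
    it. realpath resolves '..' and symlinks first, so the comparison is
    made on where the path actually lands.
    """
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, candidate))
    try:
        return os.path.commonpath([base, target]) == base
    except ValueError:
        # Paths with no common root at all (e.g. different drives on
        # Windows) cannot be inside base.
        return False


# Constructed candidates with the verdict a correct check must give.
CANDIDATES = [
    ("reports/q1.txt", True),           # ordinary file below base
    ("../data-private/secret", False),  # sibling dir sharing a name prefix
    ("../../etc/passwd", False),        # classic traversal
    ("/etc/passwd", False),             # absolute path: os.path.join drops base
]


def compare_checks(base="/srv/data"):
    """Map each candidate to (substring verdict, commonpath verdict)."""
    return {
        c: (within_base_substring(base, c), within_base_commonpath(base, c))
        for c, _expected in CANDIDATES
    }


def symlink_escape():
    """A symlink inside base that points outside; realpath exposes it."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "data")
        outside = os.path.join(root, "outside")
        os.makedirs(base)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(base, "link"))
        return (within_base_substring(base, "link/secret"),
                within_base_commonpath(base, "link/secret"))


if __name__ == "__main__":
    verdicts = compare_checks()
    for c, expected in CANDIDATES:
        sub, common = verdicts[c]
        print(f"{c!r:28} substring={sub!s:5} commonpath={common!s:5} "
              f"expected={expected}")
    print("symlink escape (substring, commonpath):", symlink_escape())
```

The sibling-directory case is the one the bug report is about: the prefix check accepts it and only the component-wise check rejects it. The symlink case shows why both variants call realpath() before comparing; without it a link inside the allowed directory would pass either check while resolving somewhere else.
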
The original advisory omitted URLs for fixes on branches newer than
stable/train, so add those for all other branches where similar
patches merged.
Note the outstanding changes for branches earlier than stable/stein
are proposed but not currently passing CI jobs and have yet to be
reviewed, so they're not included here.
Change-Id: I238e1d91e6a6662d3af3800a114a7b3072660f92

The textwrap module by default breaks hyphenated words across line
wrapping boundaries, which Sphinx will then reinterpret as
whitespace. Disable this behavior so that hyphenated words will be
moved to the next line rather than broken at their hyphens. Also
disable a related feature which would break lines longer than the
target line length, allowing one-word lines longer than that.
Change-Id: I2ce8dcd4d67b658817857167e218913c75df0bda

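The two textwrap options this commit message refers to (break_on_hyphens and break_long_words), shown on constructed input as an added example. The sample string and the deliberately narrow width are illustrative and are not taken from the project's own tooling.

```python
import textwrap

# Constructed sample text; width 10 is narrow enough that the compound
# word "cross-signing" cannot share a line with anything else.
SAMPLE = "cross-signing key"
WIDTH = 10


def wrap_default(text=SAMPLE, width=WIDTH):
    """Stock textwrap: a hyphenated compound may be split right after the
    hyphen, leaving 'cross-' at the end of a line. The commit message
    notes that Sphinx then reinterprets that break as whitespace."""
    return textwrap.wrap(text, width=width)


def wrap_no_hyphen_break(text=SAMPLE, width=WIDTH):
    """break_on_hyphens=False alone is not enough: the compound word is
    now longer than the line, and break_long_words (still True) chops it
    at an arbitrary character instead."""
    return textwrap.wrap(text, width=width, break_on_hyphens=False)


def wrap_rst_safe(text=SAMPLE, width=WIDTH):
    """Both settings off: the compound word moves whole to its own line,
    which is allowed to exceed the target width, as the commit describes."""
    return textwrap.wrap(text, width=width,
                         break_on_hyphens=False, break_long_words=False)


if __name__ == "__main__":
    for fn in (wrap_default, wrap_no_hyphen_break, wrap_rst_safe):
        print(f"{fn.__name__:22} {fn()}")
```
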
The HKPS proxy on 443/tcp at sks-keyservers.net hasn't been operable
for many months (consistently returning a 502 Bad Gateway error).
Switch to a direct HKP URL on 11371/tcp at pool.sks-keyservers.net
instead, which returns the same content (unfortunately not over an
encrypted connection). The next best alternatives would be to use a
lookup on keyserver.ubuntu.com which misses a lot of the
cross-signing key info, or keys.openpgp.net which only provides a
link to download key material with no additional information and no
signatures.
Change-Id: I5d99bcb261a77e2d557fa31ca199f2eed09583c3