Once again, OpenStack engineers met to design the Mitaka cycle. Here is a summary of the Security Project and relevant release management changes.

What is the OpenStack Security Project?

Security issues, tooling, innovations and education within OpenStack are the responsibility of the Security Project. The Security Project undertakes technical and governance activities for the OpenStack community, aiming to provide guidance, information and code that enhances the OpenStack ecosystem's security.

Bandit and Syntribos

The OSSP (OpenStack Security Project) discussed Bandit and Syntribos developments.

  • Bandit is a static analyser for the Python language whose purpose is to find trivial programming mistakes and to help enforce strong security guidelines.
  • Syntribos is an API testing framework that aims to facilitate fault injection tests through REST interfaces.

While Bandit is currently used as a gate job for Keystone, Syntribos is still being developed and its use cases are still under construction. Overall, the roadmap's goals are to get better reporting from the tools, more OpenStack projects on board and improved stability. Both etherpads used during the design sessions are available here: Bandit worksession and Syntribos worksession
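To make concrete what a "static analyser that finds trivial programming mistakes" does, here is a small added example in the spirit of Bandit. It is illustrative code written for this summary, not Bandit's own source: it walks a Python module's AST and reports two classic mistakes, a string literal assigned to a credential-looking name and a bare eval() call. The sample module, the check identifiers and the name list are constructed for the example.

```python
import ast

# Constructed sample module (not from the page or from Bandit): it contains
# one hardcoded credential and one eval() on caller-supplied input, plus
# two harmless lines that must not be reported.
SAMPLE_SOURCE = '''
import ast
password = "s3cr3t"            # hardcoded credential
timeout = 30                   # plain configuration value, fine
def run(expr):
    return eval(expr)          # executes arbitrary code from its input
def safe(expr):
    return ast.literal_eval(expr)   # only parses literals, fine
'''

# Names that usually hold secrets; a real scanner keeps a longer, configurable list.
CREDENTIAL_NAMES = {"password", "passwd", "pwd", "secret", "token", "api_key"}


class TrivialMistakeChecker(ast.NodeVisitor):
    """Collect findings as (line, check_id, message) tuples while visiting the tree."""

    def __init__(self):
        self.findings = []

    def visit_Assign(self, node):
        # Flag `name = "literal"` when the target name looks like a credential.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id.lower() in CREDENTIAL_NAMES:
                    self.findings.append(
                        (node.lineno, "hardcoded_credential",
                         f"string literal assigned to '{target.id}'"))
        self.generic_visit(node)

    def visit_Call(self, node):
        # Flag a bare eval(...) call; ast.literal_eval is an Attribute node, so it passes.
        if isinstance(node.func, ast.Name) and node.func.id == "eval":
            self.findings.append(
                (node.lineno, "use_of_eval",
                 "eval() runs arbitrary code; use ast.literal_eval for data"))
        self.generic_visit(node)


def scan_source(source, filename="<string>"):
    """Parse `source` and return its findings sorted by line number."""
    tree = ast.parse(source, filename=filename)
    checker = TrivialMistakeChecker()
    checker.visit(tree)
    return sorted(checker.findings)


def format_report(findings, filename="<string>"):
    """Render findings in a one-line-per-issue style similar to linter output."""
    return "\n".join(f"{filename}:{line}: [{check}] {msg}" for line, check, msg in findings)


if __name__ == "__main__":
    results = scan_source(SAMPLE_SOURCE, "sample.py")
    print(format_report(results, "sample.py") or "no issues found")
```

In a gate job the scanner would exit non-zero when any finding is present, which is how a check like this enforces a guideline rather than merely reporting it. Real Bandit covers many more patterns and lets projects tune severity and confidence per check; this example only shows the AST-walking mechanism.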

Governance Tag: vulnerability:managed

The vulnerability management team (VMT) introduced a new tag, vulnerability:managed, to help identify which projects are being supervised by the team. The incubation process for new projects is now described there and we are looking to have a few more projects on board.

In order to help us scale for the big tent, a new downstream stakeholder mailing list will be created to ease the advance notification workflow (pre-OSSAs). This list would also be useful for projects that are not yet supported, to warn stakeholders about upcoming vulnerabilities.

Stable Release

Stable releases such as 2015.1.2 are now gone and will no longer be produced. Instead, projects will now be able to release new versions independently, and security fixes should be tagged and released right after they merge. This is a great improvement for all upstream release users and stable release managers, as the process is now streamlined.

Other improvements to release management are to be expected, such as automation of release notes with reno, a project explorer and a handy page recapping the version numbers of the last release.

Once again, we have made great progress and I'm looking forward to further developments. Thank you all for the great OpenStack Mitaka Design Summit!

Tristan Cacqueray

OpenStack Vulnerability Management Team