Mailing list for Security (was: SV: [GENIVI security group] Security group assessment method discussion)
stacy.janes at irdeto.com
Tue Aug 16 10:57:30 EDT 2016
Sorry, should not have used EG, as yes, it is a team instead of an Expert group. I am fine with “team-sec” or “genivi-security” or similar.
Your comment about private vs public lists brings up a question. The point of the output of the team will be to document vulnerabilities and suggested mitigations and/or security requirements in specific projects. In commercial engagements, this information is obviously highly confidential for the product owner since they contain information on how to attack a system. How public do we want the analysis portion and final product (security review document) of a particular project to be?
As you say, for responsible disclosure reasons, maybe we conduct review conversations in a private list and work with the respective EG on the distribution of the final release to the public list?
From: Jeremiah Foster <jeremiah.foster at pelagicore.com>
Date: Tuesday, August 16, 2016 at 10:01 AM
To: Stacy Janes <stacy.janes at irdeto.com>
Cc: "Andersson, Gunnar" <gunnar.x.andersson at volvocars.com>, "Feuer, Magnus" <mfeuer1 at jaguarlandrover.com>, "anuja at computer.org" <anuja at computer.org>, "tal.bendavid at karambasecurity.com" <tal.bendavid at karambasecurity.com>, "genivi-projects at lists.genivi.org" <genivi-projects at lists.genivi.org>, "peter_yang at trend.com.tw" <peter_yang at trend.com.tw>, Yoram Berholtz <yoram at argus-sec.com>, "assaf.harel at karambasecurity.com" <assaf.harel at karambasecurity.com>, Antonio De Rosa <Antonio.DeRosa at opensynergy.com>, Ulf Wiger <uwiger at jaguarlandrover.com>, "genivi-pmo at mail.genivi.org" <genivi-pmo at mail.genivi.org>
Subject: Re: Mailing list for Security (was: SV: [GENIVI security group] Security group assessment method discussion)
On Tue, Aug 16, 2016 at 9:44 AM, Stacy Janes <stacy.janes at irdeto.com> wrote:
On the topic of email groups, I agree with Gunnar that “genivi-projects” may not be the best choice. We got there on a suggestion when the majority of the team was new to GENIVI and not opinionated on the lists.
GENIVI has a security at mail.genivi.org mailing list, but its description just says “security” so that could be anything from security reviews on projects to network security. It’s a private list. I recommend that we create an eg-sec at mail.genivi.org mailing list for our general discussions. Opinions?
What are we talking about when we say "general discussion"? I ask because maybe it makes a difference as to whether we have a private mailing list or a public moderated list without public archives. The latter is quite useful for software development but I can see some occasions where a private list might be better. A private list might make it easier for participants to share sensitive discussion on vulnerabilities, for example helping to effectuate responsible disclosure, at least partially.
I think a public list that is moderated where the archives are only open to members is the best approach. I say this because if we go the formal Expert Group route and create eg-sec, then non-GENIVI members won't be able to participate and that might be inconvenient for discussions with upstream. In such a case I think we ought to avoid the moniker "eg-sec" simply because it makes the work look like a formal GENIVI EG with the required OEM and Tier 1 participation in specific roles, and my understanding is that the Security team is a subset of the SAT, or was in the past. I think the Security team ought to be arranged a bit differently to preserve the independent approach that the group can bring to the domain. Calling it "ivi-security" or "genivi-security" or similar is my suggestion.
On 2016-08-16, 5:46 AM, "Andersson, Gunnar" <gunnar.x.andersson at volvocars.com> wrote:
>Magnus, and all:
>> Can you please extend the invite to Ulf Wiger (uwiger) in my team as well?
>Actually, we use mailing lists for this type of thing, don't we? In my humble opinion, rather than asking people to extend an invitation to your guys, you could have just forwarded the email to Ulf and asked _him_ (just using Ulf as an example here) to keep track of the meeting?
>It's up to Stacy as lead to have an opinion, but I believe that maintaining some manual list of email addresses is time consuming and error-prone. And it may even have the detrimental effect that some people believe they are not part of some elite group, and therefore are less likely to get involved. We already have good practices in place in GENIVI - this is not new I think...
>As you can see, the public genivi-projects mailing list has been chosen here. If that's our choice, then that's what it is. But we have many newcomers to this reboot of the Security group, so let's have the discussion: I would suggest to all of you who participate - please consider for yourself; if the large and very general genivi-projects list is not appropriate for you to track, you might want to suggest that we set up a smaller separate list for the security work.
>None of this is exactly news and I'm surprised we need to discuss it, but just to document what I think is good practice, *if* a dedicated list exists:
>Send administrative mails like apologies and group politics/process discussions (those that tend to be a disturbance to those who are not interested) on a dedicated list only, and send more general questions/discussions and reporting on group results to both the dedicated (security) and the general (projects) list, to reach a wide audience.
>What do you think?
>Lead Architect, GENIVI Alliance
>Infotainment, Volvo Car Corporation