Mailing list for Security (was: SV: [GENIVI security group] Security group assessment method discussion)

Walt Miner wminer at linuxfoundation.org
Tue Aug 23 15:49:06 EDT 2016


Non-GENIVI members such as myself have access to the GENIVI projects mail
list. If you move the discussion elsewhere doesn't that close it off to
non-GENIVI members?

Walt

On Tue, Aug 16, 2016 at 9:57 AM, Stacy Janes <stacy.janes at irdeto.com> wrote:

> Sorry, should not have used EG, as yes, it is a team instead of an Expert
> group.  I am fine with “team-sec” or “genivi-security” or similar.
>
> Your comment about private vs public lists brings up a question.  The
> point of the output of the team will be to document vulnerabilities and
> suggested mitigations and/or security requirements in specific projects.
> In commercial engagements, this information is obviously highly
> confidential for the product owner since it contains information on how to
> attack a system.  How public do we want the analysis portion and final
> product (security review document) of a particular project to be?
>
> As you say, for responsible disclosure reasons, maybe we conduct review
> conversations in a private list and work with the respective EG on the
> distribution of the final release to the public list?
>
> Stacy
>
> *From: *Jeremiah Foster <jeremiah.foster at pelagicore.com>
> *Date: *Tuesday, August 16, 2016 at 10:01 AM
> *To: *Stacy Janes <stacy.janes at irdeto.com>
> *Cc: *"Andersson, Gunnar" <gunnar.x.andersson at volvocars.com>, "Feuer,
> Magnus" <mfeuer1 at jaguarlandrover.com>, "anuja at computer.org" <
> anuja at computer.org>, "tal.bendavid at karambasecurity.com" <
> tal.bendavid at karambasecurity.com>, "genivi-projects at lists.genivi.org" <
> genivi-projects at lists.genivi.org>, "peter_yang at trend.com.tw" <
> peter_yang at trend.com.tw>, Yoram Berholtz <yoram at argus-sec.com>, "
> assaf.harel at karambasecurity.com" <assaf.harel at karambasecurity.com>,
> Antonio De Rosa <Antonio.DeRosa at opensynergy.com>, Ulf Wiger <
> uwiger at jaguarlandrover.com>, "genivi-pmo at mail.genivi.org" <
> genivi-pmo at mail.genivi.org>
> *Subject: *Re: Mailing list for Security (was: SV: [GENIVI security
> group] Security group assessment method discussion)
>
>
> On Tue, Aug 16, 2016 at 9:44 AM, Stacy Janes <stacy.janes at irdeto.com>
> wrote:
>
> On the topic of email groups, I agree with Gunnar that “genivi-projects”
> may not be the best choice.  We got there on a suggestion when the majority
> of the team was new to GENIVI and not opinionated on the lists.
>
> GENIVI has a security at mail.genivi.org mailing list, but its description
> just says “security” so that could be anything from security reviews on
> projects to network security.  It’s a private list.  I recommend that we
> create an eg-sec at mail.genivi.org mailing list for our general
> discussions.  Opinions?
>
> What are we talking about when we say "general discussion"? I ask because
> maybe it makes a difference as to whether we have a private mailing list or
> a public moderated list without public archives. The latter is quite useful
> for software development but I can see some occasions where a private
> list might be better. A private list might make it easier for participants
> to share sensitive discussion on vulnerabilities, for example helping to
> effectuate responsible disclosure, at least partially.
>
> I think a public list that is moderated where the archives are only open
> to members is the best approach. I say this because if we go the formal
> Expert Group route and create eg-sec, then non-GENIVI members won't be able
> to participate and that might be inconvenient for discussions with
> upstream. In such a case I think we ought to avoid the moniker "eg-sec"
> simply because it makes the work look like a formal GENIVI EG with the
> required OEM and Tier 1 participation in specific roles, and my
> understanding is that the Security team is a subset of the SAT, or was in
> the past. I think the Security team ought to be arranged a bit differently
> to preserve the independent approach that the group can bring to the
> domain. Calling it "ivi-security" or "genivi-security" or similar is my
> suggestion.
>
>
> Regards,
>
> Jeremiah
>
> Stacy
>
>
> On 2016-08-16, 5:46 AM, "Andersson, Gunnar" <gunnar.x.andersson at volvocars.com> wrote:
>
> >Magnus, and all:
> >
> >Magnus writes:
> >> Can you please extend the invite to Ulf Wiger (uwiger) in my team as
> >> well?
> >
> >Actually, we use mailing lists for this type of thing don't we?  In my
> >humble opinion, rather than asking people to extend an invitation to your
> >guys, you could have just forwarded the email to Ulf and asked _him_ (just
> >using Ulf as an example here) to keep track of the meeting?
> >
> >It's up to Stacy as lead to have an opinion, but I believe that
> >maintaining some manual list of email addresses is time consuming and
> >error-prone.  And it may even have the detrimental effect that some people
> >believe they are not part of some elite group, and therefore are less
> >likely to get involved.  We already have good practices in place in GENIVI
> >- this is not new I think...
> >
> >As you can see, the public genivi-projects mailing list has been chosen
> >here.  If that's our choice, then that's what it is.  But we have many
> >newcomers to this reboot of the Security group, so let's have the
> >discussion: I would suggest to all of you who participate - please
> >consider for yourself; if the large and very general genivi-projects list
> >is not appropriate for you to track, you might want to suggest that we set
> >up a smaller separate list for the security work.
> >
> >None of this is exactly news and I'm surprised we need to discuss it, but
> >just to document what I think is good practice, *if* a dedicated list
> >exists:
> >
> >Send administrative mails like apologies and group politics/process
> >discussions (those that tend to be a disturbance to those who are not
> >interested) on a dedicated list only, and send more general
> >questions/discussions and reporting on group results to both the dedicated
> >(security) and the general (projects) list, to reach a wide audience.
> >
> >What do you think?
> >
> >- Gunnar
> >
> >--
> >Gunnar Andersson
> >Lead Architect, GENIVI Alliance
> >Infotainment, Volvo Car Corporation
> >


-- 
Walt Miner
<https://twitter.com/VStarWalt>
Engineering Project Manager
The Linux Foundation
mobile: +1.847.502.7087

Visit us at:
automotive.linuxfoundation.org
www.linuxfoundation.org