Mailing list for Security (was: SV: [GENIVI security group] Security group assessment method discussion)

Walt Miner wminer at linuxfoundation.org
Tue Aug 23 15:53:32 EDT 2016


So was a separate mail list set up?

On Tue, Aug 23, 2016 at 2:52 PM, Jeremiah Foster <
jeremiah.foster at pelagicore.com> wrote:

> Hiya Walt,
>
> On Tue, Aug 23, 2016 at 3:49 PM, Walt Miner <wminer at linuxfoundation.org>
> wrote:
>
>> Non-GENIVI members such as myself have access to the GENIVI projects mail
>> list. If you move the discussion elsewhere doesn't that close it off to
>> non-GENIVI members?
>>
>
> We intentionally want non-members to be able to join the discussion. We
> only plan to moderate the list based on a set of published policies --
> we're still working those policies out.
>
> Cheers,
>
> Jeremiah
>
>
>> Walt
>>
>> On Tue, Aug 16, 2016 at 9:57 AM, Stacy Janes <stacy.janes at irdeto.com>
>> wrote:
>>
>>> Sorry, should not have used EG, as yes, it is a team instead of an
>>> Expert group.  I am fine with “team-sec” or “genivi-security” or similar.
>>>
>>>
>>>
>>> Your comment about private vs public lists brings up a question.  The
>>> point of the output of the team will be to document vulnerabilities and
>>> suggested mitigations and/or security requirements in specific projects.
>>> In commercial engagements, this information is obviously highly
>>> confidential for the product owner since they contain information on how to
>>> attack a system.  How public do we want the analysis portion and final
>>> product (security review document) of a particular project to be?
>>>
>>>
>>>
>>> As you say, for responsible disclosure reasons, maybe we conduct review
>>> conversations in a private list and work with the respective EG on the
>>> distribution of the final release to the public list?
>>>
>>>
>>>
>>> Stacy
>>>
>>> 't be able to participate and that might be inconvenient for discussions
>>> with upstream. In such a case I think we ought to avoid the moniker
>>> "eg-sec" simply because it makes the work look like a formal GENIVI EG with
>>> the required OEM, and Tier 1 participation in specific roles and my
>>> understanding is that the Security team is a subset of the SAT, or was in
>>> the past. I think the Security team ought to be arranged a bit differently
>>> to preserve the independent approach that the group can bring to the
>>> domain. Calling it "ivi-security" or "genivi-security" or similar is my
>>> suggestion.
>>>
>>>
>>> Regards,
>>>
>>>
>>>
>>> Jeremiah
>>>
>>
>>
>


-- 
Walt Miner

  <https://twitter.com/VStarWalt>

Engineering Project Manager
The Linux Foundation
mobile: +1.847.502.7087


Visit us at:
automotive.linuxfoundation.org
www.linuxfoundation.org