Mailing list for Security (was: SV: [GENIVI security group] Security group assessment method discussion)

Jeremiah Foster jeremiah.foster at pelagicore.com
Tue Aug 23 15:58:40 EDT 2016


Hi,

Not yet. We want to make sure we have consensus (which I think we have in
the security team) and then alignment with GENIVI IPR policy. I believe the
intention is to announce the mailing list set up on the genivi-projects
list, with the associated policies once its ready.

Walt, would you be able to share responsible disclosure policies for
vulnerabilities found from AGL? That might be useful input to the team.

Cheers,

Jeremiah

On Tue, Aug 23, 2016 at 3:53 PM, Walt Miner <wminer at linuxfoundation.org>
wrote:

> So was a separate mail list set up?
>
> On Tue, Aug 23, 2016 at 2:52 PM, Jeremiah Foster <
> jeremiah.foster at pelagicore.com> wrote:
>
>> Hiya Walt,
>>
>> On Tue, Aug 23, 2016 at 3:49 PM, Walt Miner <wminer at linuxfoundation.org>
>> wrote:
>>
>>> Non-GENIVI members such as myself have access to the GENIVI projects
>>> mail list. If you move the discussion elsewhere, doesn't that close it
>>> off to non-GENIVI members?
>>>
>>
>> We intentionally want non-members to be able to join the discussion. We
>> only plan to moderate the list based on a set of published policies --
>> we're still working those policies out.
>>
>> Cheers,
>>
>> Jeremiah
>>
>>
>>> Walt
>>>
>>> On Tue, Aug 16, 2016 at 9:57 AM, Stacy Janes <stacy.janes at irdeto.com>
>>> wrote:
>>>
>>>> Sorry, should not have used EG, as yes, it is a team instead of an
>>>> Expert group.  I am fine with “team-sec” or “genivi-security” or similar.
>>>>
>>>> Your comment about private vs public lists brings up a question.  The
>>>> point of the output of the team will be to document vulnerabilities and
>>>> suggested mitigations and/or security requirements in specific projects.
>>>> In commercial engagements, this information is obviously highly
>>>> confidential for the product owner since they contain information on how to
>>>> attack a system.  How public do we want the analysis portion and final
>>>> product (security review document) of a particular project to be?
>>>>
>>>> As you say, for responsible disclosure reasons, maybe we conduct review
>>>> conversations in a private list and work with the respective EG on the
>>>> distribution of the final release to the public list?
>>>>
>>>> Stacy
>>>>
>>>> 't be able to participate and that might be inconvenient for
>>>> discussions with upstream. In such a case I think we ought to avoid the
>>>> moniker "eg-sec" simply because it makes the work look like a formal GENIVI
>>>> EG with the required OEM and Tier 1 participation in specific roles, and my
>>>> understanding is that the Security team is a subset of the SAT, or was in
>>>> the past. I think the Security team ought to be arranged a bit differently
>>>> to preserve the independent approach that the group can bring to the
>>>> domain. Calling it "ivi-security" or "genivi-security" or similar is my
>>>> suggestion.
>>>>
>>>> Regards,
>>>>
>>>> Jeremiah
>>>>
>>>
>>>
>>
>
>
> --
> Walt Miner
>
>   <https://twitter.com/VStarWalt>
>
> Engineering Project Manager
> The Linux Foundation
> mobile: +1.847.502.7087
>
>
> Visit us at:
> automotive.linuxfoundation.org
> www.linuxfoundation.org
>
>
>


-- 
Jeremiah C. Foster
GENIVI COMMUNITY MANAGER

Pelagicore AB
Ekelundsgatan 4, 6tr, SE-411 18
Gothenburg, Sweden
M: +1.860.772.9242
jeremiah.foster at pelagicore.com