Re: [Ksummit-discuss] [CORE TOPIC] dev/maintainer workflow security

[Jason Cooper <jason@lakedaemon.net>]

On Fri, Jul 10, 2015 at 10:34:16PM +0200, Olof Johansson wrote:
> On Fri, Jul 10, 2015 at 9:45 PM, Steven Rostedt <rostedt@goodmis.org> wrote:
> > On Fri, 10 Jul 2015 12:23:28 -0400
> > Theodore Ts'o <tytso@mit.edu> wrote:
> >
> >> I wonder if this might be better done as a panel session during the
> >> wider technical session day?
> >
> > Or both. Have this brought up as a panel session as well as a topic for
> > the core day. The panel session (which would come first), could be
> > about what types of attacks there could be, and concerns that people
> > have, and other general ideas about the topic.
> >
> > The core day can be about what to do with all the info we got from the
> > panel session.
> 
> Agreed. I suspect nobody will have anything else than stringent best
> practices advice to give in an open forum, while hopefully in a closed
> one we might learn a bit about what convenience-vs-security trade-offs
> people have done in reality, if any.

This is what I was driving at.  Thanks for the clarification.  I was
hoping the idea of Chatham House Rule would encourage the desired
honesty.  Basically, everyone agrees not to tie anything said in the
closed session to the person/org that said it.  Other than that,
everything is publishable, etc.

> Ideal outcome to me from a closed session would be learning how to get
> more convenience without sacrificing security, which can probably be
> presented widely (open session and/or LWN article, etc). To get there
> we might need to hear a bit about what level of convenience people
> want.

I think it makes more sense to have the larger, open session after the
closed session.  We can first collect and distill the honest trade-offs
from the closed session.  Then boil it down into into a set of
recommendations or a report.  This would help keep the open session on a
more formal, presentation-style track.

thx,

Jason.