Date: Sat, 11 Jul 2015 01:19:08 +0000
From: Jason Cooper
To: Olof Johansson
Cc: Josh Boyer, "ksummit-discuss@lists.linuxfoundation.org"
Subject: Re: [Ksummit-discuss] [CORE TOPIC] dev/maintainer workflow security
Message-ID: <20150711011908.GZ23515@io.lakedaemon.net>
References: <20150710143832.GU23515@io.lakedaemon.net> <20150710162328.GB12009@thunk.org> <20150710154536.6cf0b510@gandalf.local.home>
In-Reply-To:

On Fri, Jul 10, 2015 at 10:34:16PM +0200, Olof Johansson wrote:
> On Fri, Jul 10, 2015 at 9:45 PM, Steven Rostedt wrote:
> > On Fri, 10 Jul 2015 12:23:28 -0400
> > Theodore Ts'o wrote:
> >
> >> I wonder if this might be better done as a panel session during the
> >> wider technical session day?
> >
> > Or both. Have this brought up as a panel session as well as a topic for
> > the core day. The panel session (which would come first), could be
> > about what types of attacks there could be, and concerns that people
> > have, and other general ideas about the topic.
> >
> > The core day can be about what to do with all the info we got from the
> > panel session.
>
> Agreed. I suspect nobody will have anything else than stringent best
> practices advice to give in an open forum, while hopefully in a closed
> one we might learn a bit about what convenience-vs-security trade-offs
> people have done in reality, if any. This is what I was driving at.
Thanks for the clarification. I was hoping the idea of Chatham House Rule would encourage the desired honesty. Basically, everyone agrees not to tie anything said in the closed session to the person/org that said it. Other than that, everything is publishable, etc.

> Ideal outcome to me from a closed session would be learning how to get
> more convenience without sacrificing security, which can probably be
> presented widely (open session and/or LWN article, etc). To get there
> we might need to hear a bit about what level of convenience people
> want.

I think it makes more sense to have the larger, open session after the closed session. We can first collect and distill the honest trade-offs from the closed session. Then boil it down into a set of recommendations or a report. This would help keep the open session on a more formal, presentation-style track.

thx,

Jason.