From: "Andrew Jeffery"
To: "Joseph Reynolds", openbmc@lists.ozlabs.org
Date: Mon, 17 May 2021 08:45:55 +0930
Subject: Re: Security Working Group - Wednesday May 12 - results

On Sat, 15 May 2021, at 04:32, Joseph Reynolds wrote:
> In general, it is hard to know who to contact.

I think it deserves some effort, no? Talking in abstractions doesn't
help as we're not discussing the abstract but specific patches, some of
which you've left a comment against.

Equivalently, saying "In general, it is hard to build secure systems"
and then not putting in any further effort as a consequence isn't
acceptable - we need to do the work; narrow the statement from the
abstract to the specific and do our best to mitigate risks. That same
strategy of narrowing the abstract to the specific applies here.

Given you've already commented on one of the patches I don't think it's
a big leap to look at who the author is and include them on related
discussions in other mediums.

So anyway, I think this open source process works best if we recognise
that resolving issues requires bringing people together, and not
treating the work as some kind of abstract process. I feel like
broadcasting (1-to-many) the minutes here without including the people
impacted by the discussion creates a separation. Let's put the effort
in to bring the right people into discussions from the outset.

> Note
> that I am following up on this item privately through other channels.

Okay, hopefully I'm included on those discussions too.

> Finally, during the meeting, I encouraged attendees to make comments in
> the relevant gerrit review process.

Great! I hope we can capture the concrete concerns in the patch
comments and work to resolve them.

Andrew