Revisit response timelines about committee-security-response HOT 15 CLOSED

I think we should take a user-centric approach to this, where everyone on distributors-announce are our users. I'd like to put together a questionnaire to collect feedback from distributors on how they use the embargo announcements, with details like what the ideal embargo length would be, and what their severity threshholds are for handling vulnerabilities. My hope was that the security process working group could own this.

from committee-security-response.

+1 I think our timelines are too aggressive as well.

Context: When the document was originally written we were hoping to have tighter control over the release process; but in practice trying to have that level of control leads to an extremely high amount of effort and eventual burn out. So, we should document the reality.

from committee-security-response.

/cc @destijl

from committee-security-response.

I'd be happy to help out on getting the questionnaire out and working on this

from committee-security-response.

from committee-security-response.

@micahhausler If you want to take a stab at putting together a questionnaire, that would be great. Here are some questions we might want to ask:

• How satisfied are you with the way in which Kubernetes vulnerabilities have been handled?
• Do create custom k8s releases for embargoed vulnerabilities before the official release is cut? If so, how long does it typically take?
• Do you release custom patched k8s releases for embargoed vulnerabilities?
• How long does it typically take you to release a patch, from initial notification?
• What would your ideal embargo timeline be?
• Do you have a severity threshold for handling embargoed patches? What is the maximum severity you would tolerate for handling without embargo?
• Any other feedback for the PSC?

Edit - also:

• Which distributor are you responding for?
  (in case it isn't obvious from the email address)

from committee-security-response.

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

from committee-security-response.

/remove-lifecycle stale

from committee-security-response.

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

from committee-security-response.

/remove-lifecycle stale

I think this is covered for medium/lows by @cji's policy update, but we should still revise the timelines for high/critical issues

from committee-security-response.

/assign @immutableT

from committee-security-response.

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

from committee-security-response.

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

from committee-security-response.

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

from committee-security-response.

@fejta-bot: Closing this issue.

from committee-security-response.