Product endorsement in Passwords in Security Guide

Bug #1543249 reported by Rodney Beede
Affects: openstack-manuals | Status: Expired | Importance: Low | Assigned to: Unassigned | Milestone: none

Bug Description

The current wording: "Password management applications such as KeePassX and Password Safe can be useful as most support..."

The links to third party products could be construed as an endorsement. No recommendation on specific products should be made but instead the wording changed to something like:

Password management vault technologies are available by third parties (not endorsed by OpenStack) which can be useful as most support the generation of strong passwords and periodic reminders to generate new passwords.

-----------------------------------
Release: 0.0.1 on 2016-02-05 04:39
SHA: f9d3622921bc0f87ee5f71e9ea0fa7940d980fe1
Source: http://git.openstack.org/cgit/openstack/security-doc/tree/security-guide/source/dashboard/passwords.rst
URL: http://docs.openstack.org/security-guide/dashboard/passwords.html

Tags: sec-guide
Revision history for this message
Joseph Robinson (joseph-r-email) wrote :

Patches to the architecture design guide last year also removed third party references. There should be a recommendation in the docs contributor guide about not adding third party references.

Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → Low
Chason Chan (chen-xing)
Changed in openstack-manuals:
assignee: nobody → Xing Chen (chen-xing)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to security-doc (master)

Fix proposed to branch: master
Review: https://review.openstack.org/281117

N Dillon (sicarie) wrote :

Is this a confirmed approach by the Docs team?

The original security guide was written to suggest sensible security controls where there exists a gap in OpenStack Tooling. Additionally, this is not the only place 3rd party products are referenced within this guide (dm-verity, logstash, and more to name a few), and in regards to security I believe it is in the best interests of the readers to introduce specific controls as not all are created equal (such as a lack of security around Mozilla's password vault without a master password set).

Changed in openstack-manuals:
status: In Progress → Incomplete
Ning Sun (ning-sun) wrote :

As we already found this could be construed as an endorsement, suggest removing it from the Security guide immediately to avoid further burden...

N Dillon (sicarie) wrote :

So the 'we' in this case was not done in the security project - this is the first I had heard of this. I'd be interested in the policy of the documentation team here as the recommendations in the guide are supposed to be F/OSS products that address an existing gap in OpenStack tooling. I'd be much more willing to change the language to explicitly state no endorsement is made than remove the recommendations entirely (again, as not all products are as secure as others).

Andreas Jaeger (jaegerandi) wrote :

Let's discuss on the docs mailing list, please.

Robert Clark (robert-clark) wrote :

I'm not on the docs mailing list so I'll make a comment here. A secure OpenStack deployment cannot be achieved without the correct configuration of undercloud services. The security guide has to mention individual software projects (MySQL, KVM, Xen etc.) and it would be farcical to remove them.

While the general principle of no endorsements makes sense in a more general setting, there is no way we can write this guidance and not mention how to secure specific technologies. Where possible we've chosen 2-3 of the most suitable for OpenStack.

As ND mentions above, not all products in a certain class are created equal. There are, for example, security considerations to be made between KVM and Xen; or, to address this bug specifically, ND gives a great example of why "use a password vault" is bad advice on its own. There are bad choices out there, and this guide exists explicitly to stop people making those bad choices.

Rodney Beede (business2008+launchpad) wrote :

So perhaps a general disclaimer at the beginning of the book/documentation that states whether OpenStack endorses or does not endorse specific products in the documentation?

Or perhaps a paragraph in the beginning that states only open source products are referenced in OpenStack documentation.

Would a general disclaimer that no warranty or promise is made by OpenStack that the products (even if open source) have been fully reviewed by OpenStack to not have security bugs?

Probably falls into the OpenStack legal area.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on security-doc (master)

Change abandoned by chen.xing (<email address hidden>) on branch: master
Review: https://review.openstack.org/281117

Chason Chan (chen-xing)
Changed in openstack-manuals:
assignee: Chason (chen-xing) → nobody
Launchpad Janitor (janitor) wrote :

[Expired for openstack-manuals because there has been no activity for 60 days.]

Changed in openstack-manuals:
status: Incomplete → Expired