ROS 2 Security Working Group January Meeting

Well, I must say I’m very unhappy with the management of the security working group so far. I will share my two cents on a few things that must be improved:

  • Scheduling of meetings following requests: This is not the first time we have asked for meetings at friendlier times. Today’s one is at 7:30 PM CET. There was some “planning” reaction reflected at GitHub - ros-security/community, but still no action that I’ve felt.
  • Mechanisms to manage the group seem inactive: Following the governance PR of the WG, I filed a ticket for more direct participation, yet this hasn’t been reviewed so far. This is surprising to me given “how fast” things seemed to be changing in the management of this group. Sometimes even without joint consensus!
  • Unilateral decisions, without consensus: Since Canonical took over the coordination of this group I’ve seen several decisions that were understood as work of the WG but didn’t receive consensus, AFAIK. One recent one is this commit, which unilaterally sets up vetoes for Canonical themselves.

I must say I’m personally a bit concerned about other matters, such as the definition of a Vulnerability Disclosure Policy being discussed here. In my opinion this is being approached unilaterally and purely from a vendor’s perspective (note that it is security researchers who do the reporting!), and it is likely leaving aside the most important aspect: reassuring the community that ROS cares about security and is responsibly taking actions in this direction (adopting deadlines, facilitating safe disclosure paths for researchers, etc.).