Project Tracker Management

OpenStack projects use Launchpad or StoryBoard to track bugs and blueprints. Both use UbuntuOne SSO, the same login mechanism used for Gerrit, keeping account overhead low for users and operators. While unofficial alternatives exist (Taiga, Trello, etc.), official trackers are strongly preferred because they don’t require contributors to create additional accounts.

Most projects use Launchpad. StoryBoard is a lighter-weight alternative; see the StoryBoard documentation if your team prefers it.

The rest of this guide focuses on Launchpad.

Setting Up a Tracker

When creating a new repository, every user-facing or operator-facing repo in your project should have a bug tracker. A project team can have any number of repos, each with its own tracker.

  1. Check for name collisions on https://launchpad.net before registering. The Launchpad project name should match your repository name. If the name is already taken, teams have used the prefix openstack- (e.g., openstack-helm).

  2. Register the project on Launchpad. Set the bug supervisor to your drivers team, not to an individual.

  3. Create a drivers team called ~<TEAM>-drivers (e.g., ~oslo-drivers, ~manila-drivers). This team manages bug triage and blueprint approvals.

  4. Transfer ownership of the drivers team to ~openstack-admins. This is required. You create the team, then hand over ownership. ~openstack-admins does not need to be a member of the team, only the owner.

  5. Configure sharing settings. By default, Launchpad may grant your bug supervisor (the drivers team) access to private bug reports. Go to your project’s sharing settings page (https://launchpad.net/<PROJECT>/+sharing) and remove the drivers team’s access to the Private Security information type. Then grant Private Security access to the OpenStack Vulnerability Management team so that only the VMT (and the reporter) can see security bugs when they are filed.

Note

Multiple repos can share the same drivers team. For example, if your project is Nova, the trackers for nova, python-novaclient, placement, and os-traits can all be managed by ~nova-drivers.

Setting Up a Coresec Team

Alongside the drivers team, you must create a ~<TEAM>-coresec team. The Vulnerability Management Team (VMT) uses this team to coordinate embargoed bugs under the responsible vulnerability disclosure process.

  1. Create ~<TEAM>-coresec on Launchpad with a small, curated set of trusted core contributors.

  2. Transfer ownership to ~openstack-admins (same as drivers).

  3. Keep this team active and up-to-date at all times. The coresec team is critical to security response. If it goes stale, embargoed vulnerability coordination breaks down.

See Vulnerability Management for the full VMT process.

Ongoing Maintenance

  • Review drivers and coresec membership each release cycle. Remove inactive members promptly.

  • Ensure each team has more than one administrator so you don’t create a single point of failure for tracker management.

  • Verify that sharing and privacy settings remain correctly configured after any team changes.