Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Complete Initial Draft of v1 Security Program Standards #211

Open
Tracked by #150
ruddermann opened this issue Jun 3, 2024 · 6 comments
Open
Tracked by #150

Complete Initial Draft of v1 Security Program Standards #211

ruddermann opened this issue Jun 3, 2024 · 6 comments
Assignees

Comments

@ruddermann
Copy link
Collaborator

ruddermann commented Jun 3, 2024

Intro and Review of Standards: https://docs.google.com/document/d/1tvJYtptFXqvS4863dhPwoVmFT5Jwr_WZLralrnulCZs/edit

Standards Checklist:
https://docs.google.com/spreadsheets/d/1GwIsAudAn89xv9DAbr1HUaY4KEVBsYfg--_1cW0uIB0/edit#gid=0

@mcollina
Copy link
Member

mcollina commented Jun 4, 2024

I have a rough feeling that most of those guidelines are significantly too strict for all our projects and adopting them will bring them to a halt.

Here is a non-exhaustive list:

  1. limiting github ownership is problematic. It creates additional work for a few individuals that are usually best used elsewhere.
  2. 4 eyes reviews is untenable in most cases. Even Node.js has a rule that drops it after a week, because certain areas of the project have only two active maintainers.
  3. Dismissing stale reviews when commits are pushed is problematic and will add a lot of friction.

Note that "default branch must be up to date before merging", 4/6 eyes reviews and dismissing stale reviews will bring any progress on most project to a halt, because essentially it implies have 2 people that spend their days reviewing and landing changes, in order.

There are a lot more like this. I don't think these are helpful for us, as they would require extensive rework of GitHub organizations. Note that LFIT proposes to take over "owner" duties in an GH org and move to a ticketing system for any changes in the GH org. I don't see how this is feasible either.

Last but not least, I don't think it's fair to ask for volunteer work where they cannot trust their fellow volunteers. We should trust (and empower) people.

@ctcpip
Copy link
Member

ctcpip commented Jun 4, 2024

the intro is really well-written. 👏 provided some minor comments/suggestions in the doc. I will take a look at the checklist later. thanks Rudd!

@ctcpip
Copy link
Member

ctcpip commented Jun 5, 2024

went through the checklist, lots of great stuff in there

@tobie
Copy link

tobie commented Jun 5, 2024

Second @ctcpip’s comments: great intro. I like how the spreadsheet references documentation on how to implement it. That’s very helpful.

I think the recommendations would benefit from some information as to what threats they’re addressing. This might be obvious to you, but it isn’t necessarily obvious to everyone, myself included. People tend to take recommendations to heart more willingly if they understand their intended purposes.

Finally, I didn’t dig into the specifics of the requirements yet, but I think @mcollina’s comment here are critical; we can’t add requirements that burden maintainers.

@ruddermann
Copy link
Collaborator Author

Thanks folks! I've incorporated a lot of the feedback from @mcollina @ljharb and @ctcpip and will be doing more edits tonight.

@tobie I agree. FWIW, the data you're talking about is usually in the references, but buried very, very deep.

My current preference is to communicate the 'why' through the lens of the risk it's attempting to control for and potentially even an example of an attack that could have been avoided (this is a lot of data gathering tho and may be better in a v2). My preference is also to do this in the most minimalist way possible for quick comprehension. CNCF's guide has fantastic detail, but even as a security guy I find its length overwhelming and I'd prefer to avoid that visceral reaction here.

@ruddermann
Copy link
Collaborator Author

I just realized I put this in the wrong issue (originally posted this in #150). Here are some mockups for how to move the guidelines from gSheets to Github Markdown:

Priority Group Index Page Options: https://hackmd.io/@rudd/H14K8eUuR
Categories Index Options: https://hackmd.io/@rudd/BkUM3WU_R
Priority Group Details Page Options: https://hackmd.io/@rudd/SyBtnZL_C

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: In Progress
Development

No branches or pull requests

4 participants