-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Complete Initial Draft of v1 Security Program Standards #211
Comments
I have a rough feeling that most of those guidelines are significantly too strict for all our projects and adopting them will bring them to a halt. Here is a non-exhaustive list:
Note that "default branch must be up to date before merging", 4/6 eyes reviews and dismissing stale reviews will bring any progress on most project to a halt, because essentially it implies have 2 people that spend their days reviewing and landing changes, in order. There are a lot more like this. I don't think these are helpful for us, as they would require extensive rework of GitHub organizations. Note that LFIT proposes to take over "owner" duties in an GH org and move to a ticketing system for any changes in the GH org. I don't see how this is feasible either. Last but not least, I don't think it's fair to ask for volunteer work where they cannot trust their fellow volunteers. We should trust (and empower) people. |
the intro is really well-written. 👏 provided some minor comments/suggestions in the doc. I will take a look at the checklist later. thanks Rudd! |
went through the checklist, lots of great stuff in there |
Second @ctcpip’s comments: great intro. I like how the spreadsheet references documentation on how to implement it. That’s very helpful. I think the recommendations would benefit from some information as to what threats they’re addressing. This might be obvious to you, but it isn’t necessarily obvious to everyone, myself included. People tend to take recommendations to heart more willingly if they understand their intended purposes. Finally, I didn’t dig into the specifics of the requirements yet, but I think @mcollina’s comment here are critical; we can’t add requirements that burden maintainers. |
Thanks folks! I've incorporated a lot of the feedback from @mcollina @ljharb and @ctcpip and will be doing more edits tonight. @tobie I agree. FWIW, the data you're talking about is usually in the references, but buried very, very deep. My current preference is to communicate the 'why' through the lens of the risk it's attempting to control for and potentially even an example of an attack that could have been avoided (this is a lot of data gathering tho and may be better in a v2). My preference is also to do this in the most minimalist way possible for quick comprehension. CNCF's guide has fantastic detail, but even as a security guy I find its length overwhelming and I'd prefer to avoid that visceral reaction here. |
I just realized I put this in the wrong issue (originally posted this in #150). Here are some mockups for how to move the guidelines from gSheets to Github Markdown: Priority Group Index Page Options: https://hackmd.io/@rudd/H14K8eUuR |
Intro and Review of Standards: https://docs.google.com/document/d/1tvJYtptFXqvS4863dhPwoVmFT5Jwr_WZLralrnulCZs/edit
Standards Checklist:
https://docs.google.com/spreadsheets/d/1GwIsAudAn89xv9DAbr1HUaY4KEVBsYfg--_1cW0uIB0/edit#gid=0
The text was updated successfully, but these errors were encountered: