*: clarify how security issues are handled #22
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jonboulle
reviewed
Nov 30, 2016
| @@ -1,5 +1,12 @@ | |||
| ## Contribution Guidelines | |||
|
|
|||
| ### Security issues | |||
|
|
|||
| If are reporting a security issue, do not create an issue or file a pull | |||
The security@opencontainers.org mailing list is for *maintainers only*, and is to be used for technical discussion about potential security issues. It is not a place for the TOB to have votes about specification-related business, simply because it is not sane to include people who are not maintainers of projects in critical security discussions of said projects. If in the future we discover that we need to have a place to vote on security issues, the TOB can do that on their own private mailing list. For now, we should focus on making sure that security disclosures on *actual shipping code* is actually done properly. Signed-off-by: Aleksa Sarai <asarai@suse.de>
|
LGTM |
2 similar comments
|
LGTM |
|
LGTM |
|
On Wed, Nov 30, 2016 at 01:26:29AM -0800, Aleksa Sarai wrote:
The ***@***.*** mailing list is for *maintainers only*,
and is to be used for technical discussion about potential security
issues. It is not a place for the TOB to have votes about
specification-related business…
GOVERNANCE.md is about maintainers voting on project direction, not
about the TOB (which is why I pushed back against involving the TOB
here at all [1]). You still need *maintainer* votes about handling
the security issue, because the actions will be things like:
* This is not actually a security issue, it can go in a public
issue/PR.
* This is a security issue, and we're accepting this patch for a new
1.0.1 patch release. We're pushing that release out to trusted
consumers privately and will make the patch and release public once
they've had time to deploy it.
Both of those are important enough decisions that I think the usual
formal governance process applies. You just want the motions and
votes to happen in secret (to be published later).
[1]: opencontainers/tob#15 (comment)
|
|
@wking Read the patch -- you're in violent agreement with the main change (that it's for maintainers not the TOB). I disagree that we need to go through motions and counter-motions to fix a security issue -- that's just adding friction to maintenance of a project which is just insanity and process for process's sake. |
|
On Wed, Nov 30, 2016 at 11:02:51PM -0800, Aleksa Sarai wrote:
… you're in violent agreement with the main change (that it's for
maintainers not the TOB).
Yes. But you cited “not a place for the TOB to have votes” in your
motivation, so I wanted to point out that the old language was not
about the TOB having votes. The TOB was providing a channel for the
maintainers to reach a consensus and helping to notify “affected
parties” (although who that is is still not clear).
I disagree that we need to go through motions and counter-motions to
fix a security issue -- that's just adding friction to maintenance
of a project which is just **insanity** and **process for process's
sake**.
Saying “here's what I think we should do: $MOTION” followed by a
string of LGTMs doesn't seem like overly much process to me. With
active maintainers, that sort of thing should go quickly and smoothly
in most cases. When it doesn't go quickly and smoothly, it will be
because there isn't a landslide consensus yet, and that's exactly the
case where you want a formal procedure for determining a consensus.
One of the hiccups with the current governance approach is that often
several maintainers don't vote at all. I expect they'd be more
attentive to security notices though. And where the security issue
impacts a non-spec repo's release you only need the lesser of three
LGTMs or ⅔ of maintainers [1]. So I really doubt collecting that many
LGTMs for a security release would be a serious hurdle.
[1]: https://github.com/opencontainers/project-template/blob/3eec2a6382c7264073542b4a95024678ee41f0bc/GOVERNANCE.md#quorum
|
wking
reviewed
Dec 1, 2016
| Motions with sensitive security implications MUST be proposed on the security@opencontainers.org mailing list instead of dev@opencontainers.org, but should otherwise follow the standard [proposal](#proposing-a-motion) process. | ||
| The security@opencontainers.org mailing list includes all members of the TOB. | ||
| The TOB will contact the project maintainers and provide a channel for discussing and voting on the motion, but voting will otherwise follow the standard [voting](#voting) and [quorum](#quorum) rules. | ||
| The TOB and project maintainers will work together to notify affected parties before making an adopted motion public. |
There was a problem hiding this comment.
To put something concrete behind my desire to remove the TOB but keep this section, I'd like something like:
Motions with sensitive security implications MUST be proposed on the security@opencontainers.org mailing list instead of dev@opencontainers.org, but should otherwise follow the standard proposal process. The security@opencontainers.org mailing list includes maintainers of all OCI projects. Project maintainers SHOULD notify affected parties before making an adopted motion public.
Although I'd be even happier with {project}+security@ lists (in addition to an all-maintainer security@ for folks who can't figure out which project their bug belongs to?) and clarity around “affected parties”.
|
@caniszczyk please take a look. |
|
LGTM |
|
On Thu, Dec 01, 2016 at 11:56:15AM -0800, Chris Aniszczyk wrote:
Merged #22.
My impression was that GOVERNANCE.md amendments were supposed to
follow the usual voting procedures [1]. Ignoring the mailing list
recommendation (only a SHOULD) [2] and counting @cyphar as a LGTM
(although #18 is still in flight and it doesn't look like he
explicitly LGTMed this PR) this motion is still:
* +4 -0 #18 for the OCI as a whole.
* +3 -0 #6 for runtime-spec.
* +2 -0 #5 for image-spec.
* +3 -0 #8 for runtime-tools.
* +2 -0 #7 for image-tools and runC.
Perhaps we should revise the amendment procedure to reflect our
desired approach? Or is the goal to merge things with a few LGTMs
here and then have more formal acceptance votes on a per-project
basis? If the latter, that seems like it might make consistency
difficult, since there's less incentive for projects to agree on
changes at the OCI level.
[1]: https://github.com/opencontainers/project-template/blob/3eec2a6382c7264073542b4a95024678ee41f0bc/GOVERNANCE.md#amendments
[2]: https://github.com/opencontainers/project-template/blob/3eec2a6382c7264073542b4a95024678ee41f0bc/GOVERNANCE.md#proposing-a-motion
|
wking
added a commit
to wking/oci-project-template
that referenced
this pull request
Jan 11, 2017
Catching up with opencontainers/tob@ce087c84 9Merge pull request opencontainers#22 from opencontainers/digest-proposal, 2017-01-05). I'd still rather drop the parenthetical entirely and link to a place that listed OCI Projects, but we don't have a canonical target for that yet (opencontainers/tob#2) and the current closest instance seems to be the GitHub section in [1] (which doesn't have the "OCI Project" words). [1]: https://www.opencontainers.org/community Signed-off-by: W. Trevor King <wking@tremily.us>
wking
added a commit
to wking/oci-project-template
that referenced
this pull request
Mar 20, 2017
Catch up with f562576 (*: clarify how security issues are handled, 2016-11-30, opencontainers#22). Signed-off-by: W. Trevor King <wking@tremily.us>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is in response to the discussions on the ML about the new
security mailing list and how these documents don't match what
the security@opencontainers.org mailing list should be for.
The security@opencontainers.org mailing list is for maintainers only,
and is to be used for technical discussion about potential security
issues. It is not a place for the TOB to have votes about
specification-related business, simply because it is not sane to include
people who are not maintainers of projects in critical security
discussions of said projects.
If in the future we discover that we need to have a place to vote on
security issues, the TOB can do that on their own private mailing list.
For now, we should focus on making sure that security disclosures on
actual shipping code is actually done properly.
Signed-off-by: Aleksa Sarai asarai@suse.de