feat: Create sig-security #116
Conversation
Signed-off-by: Dan Garfield <dan@codefresh.io>
todaywasawesome
force-pushed
the
sig-security
branch
from
30d3311
to
381df96
Compare
| ## Security Policy and Reporting Issues | ||
| Argo Project security policy and instructions for reporting issues is availabile [here](https://github.com/argoproj/argoproj/blob/master/SECURITY.md). | ||
|
|
||
| ## Members |
There was a problem hiding this comment.
I recommend keeping the members as the maintainers and also engineers. I haven't seen Sasha once in any Argo meetings. I am hesitant to agree to grant the privileges and membership here.
There was a problem hiding this comment.
To be clear and comprehensive, no membership doesn't prevent interested individuals and parties to participate in the discussion, putting effort, resources. However, I feel only the contributors are more entitled to the membership as it could be translated to make/represent some key decisions for the communities, and those people who are doing the day-to-day coding, should be trusted more in the security context.
There was a problem hiding this comment.
Sasha has joined several of the sig-security meetings and contributed there.
There was a problem hiding this comment.
I tend to agree with the concerns of @wanghong230. However, I also think it's great to have someone with a more external (and specialized) point of view (e.g. to see things that we as maintainers do not see due to "operational blindness" or are just not aware of).
I don't know, but how do we think suggestions from the SIG security will be operationalized? Will they run through maintainer approval (like other important change requests do), or does the SIG have something like an "override" on that? In the former case, I see no problems with having someone "external" on board. In the latter case, how about having something like an "Adivsory council" or "Advisory board" without voting power within the SIG?
|
|
||
| ## Security Policy and Reporting Issues | ||
| Argo Project security policy and instructions for reporting issues is availabile [here](https://github.com/argoproj/argoproj/blob/master/SECURITY.md). | ||
|
|
There was a problem hiding this comment.
| ## Membership Requirements | |
| - Must be an Argo project maintainer from the current list (https://github.com/argoproj/argoproj/blob/master/MAINTAINERS.md). | |
| - Must have shown competency in discovering, solving, and communicating in the project security context. | |
| - Must have shown a proven record of solid coding development. | |
| - Must represent the open-source community’s best interest with a vendor-neutral practice. | |
| - The membership will be revisited every calendar year. |
There was a problem hiding this comment.
The team agrees on the maintainer requirement.
There was a problem hiding this comment.
Line 13/14: replace to "The maintainers to decide the membership." "Define a process for adding/removing."
There was a problem hiding this comment.
Open questions:
- How is membership determined?
- What is the responsibility of the members?
sigs/sig-security/README.md
Outdated
| Argo Sig Security is focused on improving security across the Argo project, promoting best practices, and ensuring a high level of security for end users. | ||
|
|
||
| ## Meetings | ||
| Sig security meetings include public and non-public sections and are held twice monthly. Meetings can be found in the [Argo Project public calendar](https://calendar.google.com/calendar/embed?src=argoproj%40gmail.com&ctz=America%2FDenver). |
There was a problem hiding this comment.
| Sig security meetings include public and non-public sections and are held twice monthly. Meetings can be found in the [Argo Project public calendar](https://calendar.google.com/calendar/embed?src=argoproj%40gmail.com&ctz=America%2FDenver). | |
| SIG security meetings include public and non-public sections and are held twice monthly. Meetings can be found in the [Argo Project public calendar](https://calendar.google.com/calendar/embed?src=argoproj%40gmail.com&ctz=America%2FDenver). |
Signed-off-by: Dan Garfield <dan@codefresh.io> Co-authored-by: jannfis <jann@mistrust.net>
Signed-off-by: Dan Garfield <dan@codefresh.io> Co-authored-by: jannfis <jann@mistrust.net>
Signed-off-by: Dan Garfield <dan@codefresh.io> Co-authored-by: jannfis <jann@mistrust.net>
Signed-off-by: Dan Garfield <dan@codefresh.io> Co-authored-by: jannfis <jann@mistrust.net>
Signed-off-by: Dan Garfield <dan@codefresh.io> Co-authored-by: jannfis <jann@mistrust.net>
|
Can we merge/close this? |
|
Any further comments? |
|
Assuming the meetings are still taking place, I'm going to take this in so that the same is reflected in our community/governance docs. Please feel free to update this doc when needed. |
| ## Members | ||
| | Name | Company | Email | | ||
| |--------|------|------| | ||
| | Alexander Matyushentsev | Intuit | | |
There was a problem hiding this comment.
The org name needs to change here :)
Team, we established sig-security a few months ago, are holding regular meetings, and are taking action. This PR is to begin the process of formalizing sig-security.