feat: Create sig-security #116
Conversation
Signed-off-by: Dan Garfield <dan@codefresh.io>
## Security Policy and Reporting Issues | ||
Argo Project security policy and instructions for reporting issues is availabile [here](https://github.com/argoproj/argoproj/blob/master/SECURITY.md). | ||
|
||
## Members |
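Review bot: "availabile" in the Security Policy paragraph is a typo, and the compound subject "policy and instructions" takes "are", so the line should read "Argo Project security policy and instructions for reporting issues are available [here](https://github.com/argoproj/argoproj/blob/master/SECURITY.md)."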
I recommend keeping the members as the maintainers and also engineers. I haven't seen Sasha once in any Argo meetings. I am hesitant to agree to grant the privileges and membership here.
To be clear and comprehensive, not having membership doesn't prevent interested individuals and parties from participating in the discussion or putting in effort and resources. However, I feel only the contributors are more entitled to the membership, as it could be translated into making/representing some key decisions for the communities, and those people who are doing the day-to-day coding should be trusted more in the security context.
Sasha has joined several of the sig-security meetings and contributed there.
I tend to agree with the concerns of @wanghong230. However, I also think it's great to have someone with a more external (and specialized) point of view (e.g. to see things that we as maintainers do not see due to "operational blindness" or are just not aware of).
I don't know, but how do we think suggestions from the SIG security will be operationalized? Will they run through maintainer approval (like other important change requests do), or does the SIG have something like an "override" on that? In the former case, I see no problems with having someone "external" on board. In the latter case, how about having something like an "Advisory council" or "Advisory board" without voting power within the SIG?
|
||
## Security Policy and Reporting Issues | ||
Argo Project security policy and instructions for reporting issues is availabile [here](https://github.com/argoproj/argoproj/blob/master/SECURITY.md). | ||
|
## Membership Requirements | |
- Must be an Argo project maintainer from the current list (https://github.com/argoproj/argoproj/blob/master/MAINTAINERS.md). | |
- Must have shown competency in discovering, solving, and communicating in the project security context. | |
- Must have shown a proven record of solid coding development. | |
- Must represent the open-source community’s best interest with a vendor-neutral practice. | |
- The membership will be revisited every calendar year. |
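Review bot: the Membership Requirements list states who is eligible but not how membership is granted or revoked; consider adding a bullet that names who approves additions and removals (for example the maintainers) and who carries out the yearly revisit mentioned in the last bullet.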
The team agrees on the maintainer requirement.
Line 13/14: replace with "The maintainers to decide the membership." "Define a process for adding/removing."
Open questions:
- How is membership determined?
- What is the responsibility of the members?
Few nits on formatting :)
sigs/sig-security/README.md
Outdated
Argo Sig Security is focused on improving security across the Argo project, promoting best practices, and ensuring a high level of security for end users. | ||
|
||
## Meetings | ||
Sig security meetings include public and non-public sections and are held twice monthly. Meetings can be found in the [Argo Project public calendar](https://calendar.google.com/calendar/embed?src=argoproj%40gmail.com&ctz=America%2FDenver). |
Sig security meetings include public and non-public sections and are held twice monthly. Meetings can be found in the [Argo Project public calendar](https://calendar.google.com/calendar/embed?src=argoproj%40gmail.com&ctz=America%2FDenver). | |
SIG security meetings include public and non-public sections and are held twice monthly. Meetings can be found in the [Argo Project public calendar](https://calendar.google.com/calendar/embed?src=argoproj%40gmail.com&ctz=America%2FDenver). |
Signed-off-by: Dan Garfield <dan@codefresh.io> Co-authored-by: jannfis <jann@mistrust.net>
Can we merge/close this?
Should be good to be taken in?
Any further comments?
Assuming the meetings are still taking place, I'm going to take this in so that the same is reflected in our community/governance docs. Please feel free to update this doc when needed.
## Members | ||
| Name | Company | Email | | ||
|--------|------|------| | ||
| Alexander Matyushentsev | Intuit | | |
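Review bot: the Email column of the Members table is empty for its only row; either populate it or drop the column so the table does not advertise a contact channel that is not actually provided.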
The org name needs to change here :)
Outtuit, Inkuity
Team, we established sig-security a few months ago, are holding regular meetings, and are taking action. This PR is to begin the process of formalizing sig-security.