security reviewers must not have a conflict of interest #156
Comments
At the very least, anyone actively contributing to the opinions published to the TOC should (voluntarily) PR their own attestation. Whether it is vetted or not is secondary... at least we will have something in the commit stream that we can refer back to later if ever needed. Maybe it is as simple as: _I have no known conflicts of interest._
This is a great suggestion -- where would we put this? It might be most convenient in the issue, or perhaps a template for each security assessment...?
This would be a great issue for someone to take on who is interested in getting involved with security assessments (or just willing to help with governance). Next steps would be a specific suggestion of which doc(s) to add this to and how to adjust the process to include this step.
I will take this up. Assigning myself.
Just wrote up cncf/toc#270 to suggest that there be guidelines from the TOC, which we don't have to wait for, but definitely want to reference and contribute to. |
Thanks @ultrasaurus! Sorry, I've been a bit behind on this. I will write this up soon, and will also probably be one of the first to test this out because of the Redhat Keycloak assessment. :)
We are practicing this, but we need some language that describes exactly what we believe represents a conflict of interest.
For starters: