Suggested process for kubernetes-distributors list #647

Closed
dankohn opened this issue May 20, 2017 · 5 comments
Labels
committee/security-response Denotes an issue or PR intended to be handled by the product security committee.

Comments

@dankohn
Contributor

dankohn commented May 20, 2017

The security release process says:

The Fix Lead will email the patches to kubernetes-distributors-announce@googlegroups.com so distributors can prepare builds to be available to users on the day of the issue's announcement. Distributors can ask to be added to this list by emailing kubernetes-security@googlegroups.com and it is up to the Product Security Team's discretion to manage the list.
TODO: Figure out process for getting folks onto this list.

The K8s software conformance working group is maintaining a public spreadsheet of all known Kubernetes offerings, which was initially created by @josephjacks.

I propose adding a security contact column to the spreadsheet and soliciting the security contact (or comma separated list of contacts) for each offering. Some comments and open questions:

  • Here are some details on how the Linux kernel distro list is managed: https://lwn.net/Articles/566123/
  • Many folks (including CNCF staff) are monitoring the spreadsheet, and only @josephjacks and I can edit, so we should be able to avoid bad actors adding their email addresses.
  • I presume we should limit security contacts to come from the appropriate domain (e.g., redhat.com for OpenShift).
  • Can we just email new submissions to kubernetes-security@googlegroups.com or is there a better process for administering list membership? We would escalate any questionable entries to the security group.

Cc: @philips @jessfraz @WilliamDenniss @gregkh

@jessfraz
Contributor

I propose adding a security contact column to the spreadsheet and soliciting the security contact (or comma separated list of contacts) for each offering.

The fewer people added, the more likely the embargo will not be leaked, so at most we should say 1 person from each, pending certain circumstances. Security emails can also not be an internal mailing list group but should be required to be an individual, since with groups it would be up to the vendor to maintain who is on them, which is out of our control.

Can we just email new submissions to kubernetes-security@googlegroups.com or is there a better process for administering list membership? We would escalate any questionable entries to the security group.

I do think the request should ultimately be handled by the group, but can be based off the spreadsheet.

@k8s-github-robot k8s-github-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Aug 15, 2017
@k8s-github-robot k8s-github-robot removed the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Aug 16, 2017
@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 10, 2018
@jessfraz
Contributor

This was handled by #1153 so I think it can be closed :)

@cblecker
Member

So it was! Thanks @jessfraz
/close

@justaugustus
Member

/remove-lifecycle stale
/remove-sig pm
/committee product-security

@k8s-ci-robot k8s-ci-robot added committee/security-response Denotes an issue or PR intended to be handled by the product security committee. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. sig/pm labels Jan 21, 2020
danehans pushed a commit to danehans/community that referenced this issue Jul 18, 2023
* Replaced Doug David (IBM) with Srihari Angaluri (IBM).

* Sorted the members table by last name.

* Sorted members table based on last names.

* Moved April's name back up again in the sorting order :)