Security Team #39

Open
wants to merge 5 commits into
base: master
from

Conversation

@j01tz
Contributor

j01tz commented Jan 24, 2020

Rendered link to RFC document

This is a proposal to create a security team for Grin.

@lehnberg

Contributor

lehnberg commented Jan 28, 2020

@j01tz it was brought to my attention that as both security team and core team are intermixed in the document, vetoes that the security team members have might mistakenly be read as applying to core team decisions. Perhaps it could be made clearer that the vetoes only apply on security team decisions?

Also following gov meeting just now, would be great if you could drop "sub-team" for just "team" instead in the doc. :)

@lehnberg lehnberg self-assigned this Jan 28, 2020
@j01tz

Contributor Author

j01tz commented Jan 28, 2020

Following your comment, I'm debating language use in veto section

Any member of the security team may veto an impactful security-related decision

or

Any member of the security team may veto an impactful security team decision

The former gives the team the ability to broadly veto any impactful security-related decision (though doesn't guarantee its awareness of these situations). The latter restricts it to "security team decisions" which would be narrowly interpreted as what is specified in the RFC document and what is explicitly delegated by core.

Depending on the approach we could do a better job in the RFC of spelling out what are explicitly security team decisions if we don't want to leave "security-related decisions" up to interpretation.

@lehnberg

Contributor

lehnberg commented Jan 28, 2020

I’d be inclined to go with the latter: security team decision

Practically speaking, the remit of the security team is contained within the security team itself. It cannot get veto powers on matters that are not handled by the team.

@j01tz j01tz changed the title [WIP] Security Subteam [WIP] Security Team Jan 28, 2020
@j01tz

Contributor Author

j01tz commented Jan 28, 2020

Thanks very much for the feedback.

  • Changed the "subteam" language to reflect updates from the meeting
  • Added language to clarify "security team decisions" for vetoes and deadlocks
j01tz added 2 commits Jan 28, 2020
@j01tz j01tz changed the title [WIP] Security Team Security Team Feb 10, 2020
@j01tz j01tz marked this pull request as ready for review Feb 10, 2020
@lehnberg

Contributor

lehnberg commented Feb 10, 2020

Looks good @j01tz, bar any objections from others I'm going to recommend that this RFC moves into Final Comment Period with a disposition to merge tomorrow during the governance meeting. 👍

@lehnberg

Contributor

lehnberg commented Feb 11, 2020

Following discussion in today's Governance meeting, and in line with our governance process, this RFC can be considered being in Final Comment Period from today, with a disposition to merge in two weeks time, on February 25.

Please ensure any comments are made before then!

Contributor

lehnberg left a comment

Took quite a detailed pass @j01tz, let me know what you think 👍

# Drawbacks
[drawbacks]: #drawbacks

* The core team is already busy

@lehnberg

lehnberg Feb 20, 2020

Contributor

How is this a drawback for the formation of a security team?

@j01tz

j01tz Feb 20, 2020

Author Contributor

Clarified here, thanks 👍

* Adds bulk to Grin's governance structure
* The community may trust core more than a team to make critical security decisions

# Rationale and alternatives

@lehnberg

lehnberg Feb 20, 2020

Contributor

Another alternative that could be highlighted is to not have a dedicated team at all and instead just rely on an open community to handle all incidents as they come in. It might be worth writing a couple of lines on why this might be less desirable than a dedicated team.

@j01tz

j01tz Feb 20, 2020

Author Contributor

Took a shot at exploring this alternative, let me know if I'm missing any important pros or cons.

@j01tz

Contributor Author

j01tz commented Feb 20, 2020

Thanks for the feedback @lehnberg. I think I was able to address your comments. I also added a line for clarification in the decision making section.
