-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add baseline security process #4
Conversation
Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Amazing stuff Steve, thanks very much!
The one comment I have is about scope: since this is supposed to apply globally, I think we should create a github.com/veraison/policies
repo and move this (and similarly scoped) content there. Then have each repo link the relevant bits.
Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
This is ready for review.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks! I left a couple of comments inline.
Signed-off-by: Steve Lasker <stevenlasker@hotmail.com>
Thanks @thomas-fossati, I've updated all the feedback. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🚢 it!
Well... wouldn't it be cooler, if we set ourselves a deadline, before which we must have reacted and such? You know, in support of responsible disclosure; at the same time warning about the consequences of "wild disclosure"? Or is that out-of-scope? |
Also, full disclosure, after at least two 3rd party code review would be a nice-to-have, so others can learn from mistakes made. Not sure, if we can guarantee the resources for that, though. |
In an ideal world, yes. In the real world it's too risky. |
That's a good aspiration. However, as you also noted, we are not in a position to commit anyone outside the 1st party ring. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you Steve! LGTM!
Great Job!
Thanks @yogeshbdeshpandec @thomas-fossati, @henkbirkholz Great to see the finishings come together |
Hmm working on a USA Holiday! Great stuff! |
Adds a baseline security process.
Note: Majority of the content copied from: https://github.com/helm/helm/blob/main/SECURITY.md
There are still a few todos
Signed-off-by: Steve Lasker stevenlasker@hotmail.com