Re: [iot-pmc] How we want to do things in the IoT PMC

Jens

I think it is great that you are writing some of this down.

I also agree on the security issue. I would like to see the PMC request that all IoT projects do the following: 1) ensure the project leader has reviewed the Eclipse Foundation security policy, 2) include on the project page a link to ‘how to report a security vulnerability’ so it is clear how people can report a vulnerability, and 3) as you mentioned, a list of security vulnerabilities that have been fixed.

Does this make sense?

Ian

From: iot-pmc-bounces@xxxxxxxxxxx [mailto:iot-pmc-bounces@xxxxxxxxxxx] On Behalf Of Jens Reimann
Sent: Thursday, March 23, 2017 12:31 PM
To: PMC list for IoT top level project <iot-pmc@xxxxxxxxxxx>
Subject: [iot-pmc] How we want to do things in the IoT PMC

Hi everyone,

There are some things we in the IoT PMC agreed upon in the past, but we never wrote them down. As we have now welcomed Kai (the second) to the PMC, it turns out he has nowhere to look that up. No one else has either.

So I would like to start a discussion about writing things down, probably on a Wiki page, so that people and we ourselves can find that information.

In general the Eclipse Foundation already has a set of rules and policies on how to do things (like the voting). So writing this down again doesn't make any sense to me; if not stated otherwise, we follow these rules!

---

The following is just a braindump and please correct me if I am wrong or suggest any changes, because now would be the right time. If something is unclear, please let me know and I will explain:

* We simply vote for 3rd party works-with/pre-requisite requests

* Transition to GitHub always gets a +1

* We don't put any limitations on dependencies or tools projects use

* The PMC +1 for a release will be concluded by a vote

* For CQs, the person giving the first comment finally closes up with a +1/-1; of course anyone else can comment

* We don't vote on projects we (the PMC) are involved in ourselves

---

I would also like to suggest a new addition for releases:

* Projects should provide a dependency report for every release

When a project wants to do a release, we should require them to provide a dependency report, like [1], scanning for vulnerabilities in dependencies. The report must be published together with the release review, and all known security vulnerabilities in dependencies must be disclosed in the section "Security Issues".

* All fixed security issues must be disclosed in the section "Security Issues" as well

* If there are none the section should contain a sentence like "No security issues are known in required dependencies" and "No security issues had to be fixed".

I do think that security is important, especially for IoT. So we should put a focus on that, showing that Eclipse IoT projects take security seriously. I also think that using tools for scanning dependencies is fine and recommended, but not required. If a project wants to do that manually, that is fine with me as well.

[1] https://www.owasp.org/index.php/OWASP_Dependency_Check

---

Let me know what you think.

Cheers

Jens

--
Jens Reimann
Senior Software Engineer / EMEA ENG Middleware
Werner-von-Siemens-Ring 14
85630 Grasbrunn
Germany
phone: +49 89 2050 71286
_____________________________________________________________________________

Red Hat GmbH, www.de.redhat.com,
Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill