Re: [iot-pmc] How we want to do things in the IoT PMC

Hi Jens,

Many thanks - yes, it looks pretty complete compared to what I remember of past decisions.

A few questions regarding your additional suggestions:

* Projects should provide a dependency report for every release

I still have to try out the OWASP dependency check plugin (on my to-do list for a while)… My assumption is that this might not cover Tycho p2 dependencies though, right?
Doing a report manually is probably almost impossible for bigger projects - so tooling for that will be key. Do you know if there is e.g. anything available for JS?
I therefore don’t know if we can impose the burden of such a mandatory report on every project.

* All fixed security issues must be disclosed in the section "Security Issues" as well

Probably I should be able to answer this myself (after re-reading the security policy) - but I am on a plane right now, so I cannot cheat and look things up ;-):
Do we have a precise definition of what a “security issue” is?
And would you also expect a list of fixed security issues from dependencies (that are fixed for the project, because it moved to a higher version of the dependency)?

Regards,
Kai


On 23 Mar 2017, at 09:31, Jens Reimann <jreimann@xxxxxxxxxx> wrote:

Hi everyone,

There are some things the IoT PMC agreed upon in the past, but we never wrote them down. As we have now welcomed Kai (the second) to the PMC, it turns out he has nowhere to look that up. No one else has either.

So I would like to start a discussion about writing things down, probably on a Wiki page, so that people and we ourselves find that information.

In general the Eclipse Foundation already has a set of rules and policies on how to do things (like the voting). So writing this down again doesn't make any sense to me; if not stated otherwise, we follow these rules!

---

The following is just a braindump and please correct me if I am wrong or suggest any changes, because now would be the right time. If something is unclear, please let me know and I will explain:

* We simply vote for 3rd party works-with/pre-requisite requests
* Transition to GitHub always gets a +1
* We don't put any limitations on dependencies or tools projects use
* The PMC +1 for a release will be concluded by a vote
* For CQs, the person giving the first comment finally closes up with a +1/-1, of course anyone else can comment
* We don't vote on projects we (PMC) are involved in ourselves

---

I would also like to suggest a new addition for releases:

* Projects should provide a dependency report for every release
When a project wants to do a release, we should require them to provide a dependency report, like [1], scanning for vulnerabilities in dependencies. The report must be published together with the release review and all known security vulnerabilities in dependencies must be disclosed in the section "Security Issues".
* All fixed security issues must be disclosed in the section "Security Issues" as well
* If there are none the section should contain a sentence like "No security issues are known in required dependencies" and "No security issues had to be fixed".

I do think that security is important, especially for IoT. So we should put a focus on that, showing that Eclipse IoT projects take security seriously. I also think that using tools for scanning dependencies is fine and recommended. But not required. If a project wants to do that manually, that is fine with me as well.

[1] https://www.owasp.org/index.php/OWASP_Dependency_Check
---

Let me know what you think

Cheers

Jens



--
Jens Reimann
Senior Software Engineer / EMEA ENG Middleware
Werner-von-Siemens-Ring 14
85630 Grasbrunn
Germany
phone: +49 89 2050 71286
_____________________________________________________________________________

Red Hat GmbH, www.de.redhat.com,
Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael O'Neill