Re: [iot-pmc] How we want to do things in the IoT PMC

Hi Jens,

thanks a lot for setting up the page on the Wiki :-)

I have added some questions regarding things I didn't fully understand (yet).
Could you take a look?

-- 
With kind regards / Best regards

Kai Hudalla
Chief Software Architect

Bosch Software Innovations GmbH
Schöneberger Ufer 89-91
10785 Berlin
GERMANY
www.bosch-si.com

Registered office: Berlin, Register court: Amtsgericht Charlottenburg,
HRB 148411 B;
Executives: Dr.-Ing. Rainer Kallenbach, Michael Hahn

On Mon, 2017-03-27 at 16:39 +0200, Jens Reimann wrote:
> I tried to capture this in a first version -> https://wiki.eclipse.org/IoT/PMC
> 
> Please have a look and check if I was able to bring our conclusion over to the
> document. I also added Ian's remarks about security.
> 
> Thanks everyone!
> 
> On Mon, Mar 27, 2017 at 3:56 PM, Jens Reimann <jreimann@xxxxxxxxxx> wrote:
> > 
> > On Mon, Mar 27, 2017 at 5:56 AM, Kai Kreuzer <kai@xxxxxxxxxxx> wrote:
> > > Hi Jens,
> > > 
> > > Many thanks - yes, looks pretty complete to what I remember as past
> > > decisions.
> > > 
> > > A few questions regarding your additional suggestions:
> > > 
> > > > * Projects should provide a dependency report for every release
> > > 
> > > I still have to try out the OWASP dependency check plugin (on my todo list
> > > for a while)… My assumption is that this might not cover Tycho p2
> > > dependencies though, right?
> > > Doing a report manually is probably almost impossible for bigger projects -
> > > so tooling for that will be key. Do you know if there is e.g. anything
> > > available for JS?
> > > I therefore don’t know if we can impose the burden of such a mandatory
> > > report on every project.
> > > 
> > > 
> > 
> > So let's keep this unresolved for the moment and continue working on this. I
> > agree that JS is a different story and I hadn't thought about it.
> > > > * All fixed security issues must be disclosed in the section "Security
> > > > Issues" as well
> > > 
> > > Probably I should be able to answer this myself (after re-reading the security
> > > policy) - but I am on a plane right now, so I cannot cheat and look up
> > > things ;-):
> > > Do we have a precise definition of what a “security issue” is?
> > > 
> > 
> > Yes we have, quoting the Eclipse Security page:
> > 
> >     ISO 27005 defines vulnerability as: "A weakness of an asset or group of
> > assets that can be exploited by one or more threats."
> > 
> > Looking at CVE's definition [1] I would say that we are talking about a
> > "vulnerability".
> > 
> > [1] https://cve.mitre.org/about/terminology.html
> >  
> > > And would you also expect a list of fixed security issues from dependencies
> > > (that are fixed for the project, because it moved to a higher version of
> > > the dependency)?
> > > 
> > 
> > Which relates to the dependency issue above ;-) In the end, yes. As a first
> > step I would say no. Unless there was a specific issue raised against this
> > project.
> >  
> > > Regards,
> > > Kai
> > > 
> > > 
> > > > On 23 Mar 2017, at 09:31, Jens Reimann <jreimann@xxxxxxxxxx> wrote:
> > > > 
> > > > Hi everyone,
> > > > 
> > > > There are some things the IoT PMC agreed upon in the past, but we
> > > > never wrote them down. As we have now welcomed Kai (the second) to the PMC, it
> > > > turns out he has nowhere to look that up. No one else has either.
> > > > 
> > > > So I would like to start a discussion about writing things down, probably
> > > > on a Wiki page, so that people and we ourselves find that information.
> > > > 
> > > > In general the Eclipse Foundation already has a set of rules and policies
> > > > on how to do things (like the voting). So writing this down again doesn't
> > > > make any sense to me: if not stated otherwise, we follow these rules!
> > > > 
> > > > ---
> > > > 
> > > > The following is just a braindump and please correct me if I am wrong or
> > > > suggest any changes, because now would be the right time. If something is
> > > > unclear, please let me know and I will explain:
> > > > 
> > > > * We simply vote for 3rd party works-with/pre-requisite requests
> > > > * Transition to GitHub always gets a +1
> > > > * We don't put any limitations on dependencies or tools projects use
> > > > * The PMC +1 for a release will be concluded by a vote
> > > > * For CQs, the person giving the first comment finally closes up with a
> > > > +1/-1, of course anyone else can comment
> > > > * We don't vote on projects we (PMC) are involved ourselves
> > > > 
> > > > ---
> > > > 
> > > > I would also like to suggest a new addition for releases:
> > > > 
> > > > * Projects should provide a dependency report for every release
> > > > When a project wants to do a release, we should require them to provide a
> > > > dependency report, like [1], scanning for vulnerabilities in
> > > > dependencies. The report must be published together with the release
> > > > review and all known security vulnerabilities in dependencies must be
> > > > disclosed in the section "Security Issues".
> > > > * All fixed security issues must be disclosed in the section "Security
> > > > Issues" as well
> > > > * If there are none the section should contain a sentence like "No
> > > > security issues are known in required dependencies" and "No security
> > > > issues had to be fixed".
> > > > 
> > > > I do think that security is important, especially for IoT. So we should
> > > > put a focus on that, showing that Eclipse IoT projects take security
> > > > seriously. I also think that using tools for scanning dependencies is fine
> > > > and recommended. But not required. If a project wants to do that
> > > > manually, that is fine with me as well.
> > > > 
> > > > [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
> > > > ---
> > > > 
> > > > Let me know what you think
> > > > 
> > > > Cheers
> > > > 
> > > > Jens
> > > > 
> > > > 
> > > > 
> > > > -- 
> > > > Jens Reimann
> > > > Senior Software Engineer / EMEA ENG Middleware
> > > > Werner-von-Siemens-Ring 14
> > > > 85630 Grasbrunn
> > > > Germany
> > > > phone: +49 89 2050 71286
> > > > _____________________________________________________________________________
> > > > 
> > > > Red Hat GmbH, www.de.redhat.com,
> > > > Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen,
> > > > HRB 153243,
> > > > Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham,
> > > > Michael O'Neill
> > > > _______________________________________________
> > > > iot-pmc mailing list
> > > > iot-pmc@xxxxxxxxxxx
> > > > To change your delivery options, retrieve your password, or unsubscribe
> > > > from this list, visit
> > > > https://dev.eclipse.org/mailman/listinfo/iot-pmc
> > > 
> > > 
> > 
> > 
> > 
> > -- 
> > Jens Reimann
> > Senior Software Engineer / EMEA ENG Middleware
> > Werner-von-Siemens-Ring 14
> > 85630 Grasbrunn
> > Germany
> > phone: +49 89 2050 71286
> > _____________________________________________________________________________
> > 
> > Red Hat GmbH, www.de.redhat.com,
> > Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB
> > 153243,
> > Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham, Michael
> > O'Neill
> > 
> 
> 
> 