| Re: [iot-pmc] How we want to do things in the IoT PMC |
I have updated the wiki page according to my understanding of latest discussions
with Jens.
Does this look right to you guys? In particular the "Reviewing CQs" section ...
--
Mit freundlichen Grüßen / Best regards
Kai Hudalla
Chief Software Architect
Bosch Software Innovations GmbH
Schöneberger Ufer 89-91
10785 Berlin
GERMANY
www.bosch-si.com
Registered office: Berlin, Register court: Amtsgericht Charlottenburg,
HRB 148411 B;
Executives: Dr.-Ing. Rainer Kallenbach, Michael Hahn
On Tue, 2017-03-28 at 09:20 +0200, Jens Reimann wrote:
> I just did, I hope that explains it.
>
> And thanks for the changes!
>
> On Tue, Mar 28, 2017 at 9:00 AM, Hudalla Kai (INST/ECS4) <kai.hudalla@bosch-si.
> com> wrote:
> > Hi Jens,
> >
> > thanks a lot for setting up the page on the Wiki :-)
> >
> > I have added some questions regarding things I didn't fully understand (yet).
> > Could you take a look?
> >
> > --
> > Mit freundlichen Grüßen / Best regards
> >
> > Kai Hudalla
> > Chief Software Architect
> >
> > Bosch Software Innovations GmbH
> > Schöneberger Ufer 89-91
> > 10785 Berlin
> > GERMANY
> > www.bosch-si.com
> >
> > Registered office: Berlin, Register court: Amtsgericht Charlottenburg,
> > HRB 148411 B;
> > Executives: Dr.-Ing. Rainer Kallenbach, Michael Hahn
> >
> > On Mon, 2017-03-27 at 16:39 +0200, Jens Reimann wrote:
> > > I tried to capture this in a first version -> https://wiki.eclipse.org/IoT/
> > PMC
> > >
> > > Please have a look and check if I was able to bring our conclusion over to
> > the
> > > document. I also added Ian's remarks about security.
> > >
> > > Thanks everyone!
> > >
> > > On Mon, Mar 27, 2017 at 3:56 PM, Jens Reimann <jreimann@xxxxxxxxxx> wrote:
> > > >
> > > > On Mon, Mar 27, 2017 at 5:56 AM, Kai Kreuzer <kai@xxxxxxxxxxx> wrote:
> > > > > Hi Jens,
> > > > >
> > > > > Many thanks - yes, looks pretty complete to what I remember as past
> > > > > decisions.
> > > > >
> > > > > A few questions regarding your additional suggestions:
> > > > >
> > > > > > * Projects should provide a dependency report for every release
> > > > >
> > > > > I still have to try out the OWASP dependency check plugin (on my todo
> > list
> > > > > since a while)… My assumption is that this might not cover Tycho p2
> > > > > depenencies though, right?
> > > > > Doing a report manually is probably almost impossible for bigger
> > projects -
> > > > > so tooling for that will be key. Do you know if there is e.g. anything
> > > > > available for JS?
> > > > > I therefore don’t know if we can impose the burden of such a mandatory
> > > > > report on every project.
> > > > >
> > > > >
> > > >
> > > > So let's keep this unresolved for the moment an continue working on this.
> > I
> > > > agree that JS is a different story and I hadn't thought about it.
> > > > > > * All fixed security issues must be disclosed in the section
> > "Security
> > > > > > Issues" as well
> > > > >
> > > > > Probably I should be able answer this myself (after re-reading the
> > security
> > > > > policy) - but I am in a plane right now, so I cannot cheat and look up
> > > > > things ;-):
> > > > > Do we have a precise definition of what a “security issue” is?
> > > > >
> > > >
> > > > Yes we have, quoting the Eclipse Security page:
> > > >
> > > > ISO 27005 defines vulnerability as: "A weakness of an asset or group
> > of
> > > > assets that can be exploited by one or more threats."
> > > >
> > > > Looking at CVE's definition [1] I would say that we are talking about a
> > > > "vulnerability".
> > > >
> > > > [1] https://cve.mitre.org/about/terminology.html
> > > >
> > > > > And would you also expect a list of fixed security issues from
> > dependencies
> > > > > (that are fixed for the project, because it moved to a higher version
> > of
> > > > > the dependency)?
> > > > >
> > > >
> > > > Which relates to the dependency issue above ;-) In the end, yes. As a
> > first
> > > > step I would say no. Unless there was a specific issue raised against
> > this
> > > > project.
> > > >
> > > > > Regards,
> > > > > Kai
> > > > >
> > > > >
> > > > > > On 23 Mar 2017, at 09:31, Jens Reimann <jreimann@xxxxxxxxxx> wrote:
> > > > > >
> > > > > > Hi everyone,
> > > > > >
> > > > > > There are some things the IoT PMC, we agree upon in the past, but we
> > > > > > never wrote that down. As we now welcomed Kai (the second) to the
> > PMC, it
> > > > > > turns out he has no where to look that up. No one else has either.
> > > > > >
> > > > > > So I would like to start a discussion about writing things down,
> > probably
> > > > > > on a Wiki page, so that people and we ourselves find that
> > information.
> > > > > >
> > > > > > In general the Eclipse Foundation already has a set of rules and
> > policies
> > > > > > on how to do things (like the voting). So writing this down again
> > doesn't
> > > > > > make any sense to me, if not stated otherwise, we follow these rules!
> > > > > >
> > > > > > ---
> > > > > >
> > > > > > The following is just a braindump and please correct me if I am wrong
> > or
> > > > > > suggest any changes, because now would be the right time. If
> > something is
> > > > > > unclear, please let me know and I will explain:
> > > > > >
> > > > > > * We simply vote for 3rd party works-with/pre-requisite requests
> > > > > > * Transition to GitHub always gets at +1
> > > > > > * We don't put any limitations on dependencies or tools project use
> > > > > > * The PMC +1 for a release will be concluded by a vote
> > > > > > * For CQs, the person giving the first comment finally closes up with
> > a
> > > > > > +1/-1, of course anyone else can comment
> > > > > > * We don't vote on projects we (PMC) are involved ourselves
> > > > > >
> > > > > > ---
> > > > > >
> > > > > > I would also like to suggest a new addition for releases:
> > > > > >
> > > > > > * Projects should provide a dependency report for every release
> > > > > > When a projects want to do a release, we should require them to
> > provide a
> > > > > > dependency report, like [1], scanning for vulnerabilities in
> > > > > > dependencies. The report must be published together with the release
> > > > > > review and all known security vulnerabilities in dependencies must be
> > > > > > disclosed in the section "Security Issues".
> > > > > > * All fixed security issues must be disclosed in the section
> > "Security
> > > > > > Issues" as well
> > > > > > * If there are none the section should contain a sentence like "No
> > > > > > security issues are known in required dependencies" and "No security
> > > > > > issues had to be fixed".
> > > > > >
> > > > > > I do think that security is important, especially for IoT. So we
> > should
> > > > > > put a focus on that. Showing that Eclipse IoT project take security
> > > > > > serious. I also think that using tools for scanning dependencies is
> > fine
> > > > > > and recommended. But not required. If a projects wants to do that
> > > > > > manually, that is fine with me as well.
> > > > > >
> > > > > > [1] https://www.owasp.org/index.php/OWASP_Dependency_Check
> > > > > > ---
> > > > > >
> > > > > > Let me know what you think
> > > > > >
> > > > > > Cheers
> > > > > >
> > > > > > Jens
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Jens Reimann
> > > > > > Senior Software Engineer / EMEA ENG Middleware
> > > > > > Werner-von-Siemens-Ring 14
> > > > > > 85630 Grasbrunn
> > > > > > Germany
> > > > > > phone: +49 89 2050 71286
> > > > > >
> > ____________________________________________________________ _____________
> > > > > > ____
> > > > > >
> > > > > > Red Hat GmbH, www.de.redhat.com,
> > > > > > Registered seat: Grasbrunn, Commercial register: Amtsgericht
> > Muenchen,
> > > > > > HRB 153243,
> > > > > > Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham,
> > > > > > Michael O'Neill
> > > > > > _______________________________________________
> > > > > > iot-pmc mailing list
> > > > > > iot-pmc@xxxxxxxxxxx
> > > > > > To change your delivery options, retrieve your password, or
> > unsubscribe
> > > > > > from this list, visit
> > > > > > https://dev.eclipse.org/mailman/listinfo/iot-pmc
> > > > >
> > > > >
> > > > > _______________________________________________
> > > > > iot-pmc mailing list
> > > > > iot-pmc@xxxxxxxxxxx
> > > > > To change your delivery options, retrieve your password, or unsubscribe
> > > > > from this list, visit
> > > > > https://dev.eclipse.org/mailman/listinfo/iot-pmc
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Jens Reimann
> > > > Senior Software Engineer / EMEA ENG Middleware
> > > > Werner-von-Siemens-Ring 14
> > > > 85630 Grasbrunn
> > > > Germany
> > > > phone: +49 89 2050 71286
> > > >
> > ____________________________________________________________ _________________
> > > >
> > > > Red Hat GmbH, www.de.redhat.com,
> > > > Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen,
> > HRB
> > > > 153243,
> > > > Managing Directors: Paul Argiry, Charles Cachera, Michael Cunningham,
> > Michael
> > > > O'Neill
> > > >
> > >
> > >
> > >
> > > _______________________________________________
> > > iot-pmc mailing list
> > > iot-pmc@xxxxxxxxxxx
> > > To change your delivery options, retrieve your password, or unsubscribe
> > from
> > > this list, visit
> > > https://dev.eclipse.org/mailman/listinfo/iot-pmc
> > _______________________________________________
> > iot-pmc mailing list
> > iot-pmc@xxxxxxxxxxx
> > To change your delivery options, retrieve your password, or unsubscribe from
> > this list, visit
> > https://dev.eclipse.org/mailman/listinfo/iot-pmc
> >
>
>
>
> _______________________________________________
> iot-pmc mailing list
> iot-pmc@xxxxxxxxxxx
> To change your delivery options, retrieve your password, or unsubscribe from
> this list, visit
> https://dev.eclipse.org/mailman/listinfo/iot-pmc
_______________________________________________
iot-pmc mailing list
iot-pmc@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/iot-pmc