
Re: [technology-pmc] template/example for project security policy

I assume that you're taking a lead from our release review tracking issue for Eclipse RDF4J 3.7 where it's listed as a recommendation.

At present, we haven't established a best practice for this yet. We included it in the template, at least in part, to give committers notice that this is coming. Practices are evolving in this particular area.

I do have an issue open to address this in the handbook. In that issue, I suggest that a SECURITY file contains:
  • A pointer to the Eclipse Foundation Vulnerability Reporting Policy;
  • Description of the mechanism by which vulnerabilities should be reported;
  • Description of how vulnerabilities are tracked by the project team; and
  • By what criteria the project team will decide whether or not a CVE will be requested.
I don't think that it needs to be any more complicated than that.

I'd love your input.

Wayne

On Tue, May 11, 2021 at 1:23 AM Gunnar Wagenknecht <gunnar@xxxxxxxxxxxxxxx> wrote:
Jeen, I believe Wayne is working on something. But I don't know of a template off the top of my head.

-Gunnar

-- 
Gunnar Wagenknecht
gunnar@xxxxxxxxxxxxxxx, http://guw.io/

On May 11, 2021, at 01:43, Jeen Broekstra <jeen@xxxxxxxxxxxx> wrote:

Hi all,

The project handbook has quite a substantial section on how to deal with security issues (https://www.eclipse.org/projects/handbook/#vulnerability), but I am not sure how we should communicate this to our users. 

Github offers the option of formulating a security policy document by adding a markdown document to the repo, I was wondering if anybody had a good example or a template for this.

Jeen  
_______________________________________________
technology-pmc mailing list
technology-pmc@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/technology-pmc



--

Wayne Beaton

Director of Open Source Projects | Eclipse Foundation

