Re: [eclipse.org-architecture-council] Update the EDP to include a Project Security Team

On 30 May 2024 at 23:39:03, Jesse McConnell via eclipse.org-architecture-council <eclipse.org-architecture-council@xxxxxxxxxxx> wrote:

What is the intention to allow non-committer members as members of the Project Security Team ?


This would include any of the Eclipse Security team, wouldn't it? Or are they a part of this by being at Eclipse regardless, and these non-committer members would be part of a company-sponsored project by having their security team be on this new team as well?

The Eclipse Foundation Security Team is part of this, as specified by the current policy Eclipse Security Policy https://www.eclipse.org/security/policy/.

The intention is to allow projects to officially involve security experts to assist with vulnerability reports without granting them full committer rights, e.g., write permissions on the code repositories. This has been a recurring request from large, mature projects where the security response team can be quite separate from the development team. It also alleviates the burden of demonstrating previous contributions to the project to onboard security experts.

However, this is the exception rather than the default, where all committers are part of the security team. Any deviation from this norm (where the security team should only be a subset of the committers or include non-committers) is subject to a vote by the project committers and the PMC.


This seems to contradict the default where membership in the Project Security Team is automatically revoked when Committer status is revoked.


This is a good point. I wonder if the policy should include a yearly re-vote for non-committer members to reassure committers that they are still actively engaged. This is unlikely to ever be a factor in our project, but based on other experience, I could see it being an issue.

Indeed, good point. When the project security team is distinct from the project committers, its members can be retired by the Project Leads (PL) just as they can do for committers. What about adding a paragraph similar to the one for committers:

There are times when the Project Security Team may become inactive for various reasons. The security of the project relies on active members who respond to vulnerability reports in a timely manner. The Project Leads are responsible for ensuring the smooth operation of the project. A Project Security Team member who is disruptive, does not participate actively, or has been inactive for an extended period may have their commit status revoked by the unanimous consent of the Project Leads. Unless otherwise specified, "an extended period" is defined as "no activity for more than six months".

Would something like that help?

You can review the background and previous discussions that led to this request to update the EDP on the following help desk ticket: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/1709 

Cheers,


Mikaël Barbero 
Head of Security | Eclipse Foundation
Eclipse Foundation: The Community for Open Innovation and Collaboration
