-
Notifications
You must be signed in to change notification settings - Fork 58
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create security_baseline.md #353
Conversation
GitHub version of the security baseline for TAC review. Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
LGTM but I have a couple of nits and a comment/question:
If, as discussed, we create a SIG to work on this, are we expecting them to work on this document in the TAC repo? That doesn't seem really desirable. Maybe they could create a copy of this document to work on in another repo. The instance in the TAC repo would then be refreshed from time to time when the SIG produces a new version that the TAC agrees to adopt. So, the instance in the TAC repo would remain the governing version while another copy exists in some other repo for the SIG to work on. Does that sound like a workable process? Any other idea? |
I agree that we should have something external and only when read do we bring it into the TAC repo. I am making the assumption here that any material change to the baseline would require the TAC to approve. |
Exactly. That's my assumption too. I don't think we want to delegate the responsibility of managing the baseline for the whole organization to the SIG. |
Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
This is to fix the path issue in PR #353. Unfortunately I cannot use the original PR to move the file to the parent folder. Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
Moving the file to process folder Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
Is this baseline only for the OpenSSF, or is the intention for this be a baseline applicable to many foundations? Perhaps at one time this was OpenSSF-only, but I think the longer goal is to create a "security baseline" that's useful for many foundations. It's fine to put in the TAC repo in the short term, but I think in the long term it should NOT be in the TAC repo. It should instead eventually have its own repo or be part of the Best Practices WG repo (the latter would probably be easiest). I think that location will provide a stronger indication that this baseline can be used by other foundations. |
The baseline is for OpenSSF. Can we put it here for now so that we can start updating the life cycle document and get the adoption going? |
@david-a-wheeler, that's what @mlieberman85 and I were talking about. My take is that this is only meant for OpenSSF for now. When a SIG is launched with a goal to create one for the larger community they can create their own. Then, the TAC can decide how/when to revise this one. |
@lehors said:
Oh, I see. This PR is for an OpenSSF-specific baseline, and there will likely be a SIG created that starts with & builds on this material to create something for multiple foundations. Presumably, when that SIG is done, the TAC will decide if this PR's text will be replaced. That makes sense. Thanks so much for the clarification! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for submitting this PR @Danajoyluck ! I've reviewed the first half of the document, and I like the direction this is going. I do have several comments around clarity and specificity that will hopefully help improve this document.
fix a typo Co-authored-by: Marcela Melara <marcela.melara@intel.com> Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
Agree with the recommendation. Co-authored-by: Marcela Melara <marcela.melara@intel.com> Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
agree with the recommendation Co-authored-by: Marcela Melara <marcela.melara@intel.com> Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
Updated the basic operating principles: changed "without imposing new requirements" to "with minimal new requirements" for principle "Minimal, Achievable, and Practical Baseline Requirements" updated "Documented Governance Process" to make the objective more clear Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
Updated two sections of the life cycle: 1. added "Baseline - Once Sandbox" link to "Sandbox" -> "Project Responsibilities" 2. added "Baseline - To Become Incubating" link to "Incubating" -> "Incubation Entry Requirements and Considerations" The links reference to merging security baseline to TAC repo. I will update the links once the baseline merge is complete. #353 Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
added reference for automation and automatibility RE @marcelamelara comment. Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
address comments from @marcelamelara Updated success criteria around adoption, made adoption more specific. Consolidated continuous improvements operating principle into governance process Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
added reference for automation Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
Co-authored-by: Marcela Melara <marcela.melara@intel.com> Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
Co-authored-by: Marcela Melara <marcela.melara@intel.com> Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
@marcelamelara added goals for once sandbox Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
Updated "SHOULD" to "MUST" for Scorecard onboarding for to becoming incubating Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
A few changes: For "Data in transit must be protected by cryptographic means.", added "TAC project lifecycle governance process SHALL be followed if encryption is not achievable" Change "Baseline" to "Security Baseline" for the heading of each level Changed "internet service" to "internet or infrastructure service" to consider RSTUF as an infrastructure service Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I approve
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, there's a few caveats but as mentioned in chat I think we are at the point where we can iterate in the SIG and among the pilot projects like GUAC, OpenVEX, protobom, etc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I look forward to seeing how our pilot projects work through achieving the baseline!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have a bunch of minor, nit-picky feedback. Great job synthesizing this complex topic, and I can't wait to get feedback from projects as we roll this out!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the updates @Danajoyluck ! There are still some edits I'd like to see eventually, but I think this is ready for us and the SIG to begin iterating over.
Co-authored-by: Zach Steindler <steiza@github.com> Signed-off-by: Dana Wang <Danajoyluck@users.noreply.github.com>
Co-authored-by: Zach Steindler <steiza@github.com> Signed-off-by: CRob <69357996+SecurityCRob@users.noreply.github.com>
GitHub version of the security baseline for TAC review.