[Assessment] SPIFFE/SPIRE #308
Comments
I am willing to volunteer to be a security reviewer for this assessment, and am able to lead.

Context: I did the "assessment" before for the project before there was a SIG-Security process. I'm happy to participate in this one as well and would be happy for Brandon to lead. :)

On Thu, Dec 12, 2019 at 4:01 PM Brandon Lum wrote:
> I am willing to volunteer to be a security reviewer for this assessment, and am able to lead.

Link issue for previous assessment by @JustinCappos #97

Here is the project's self assessment: https://docs.google.com/document/d/1PCTrSSpM62S8WLLocb7_UU4XtoHLROp-Q92ZpfLBgeA/edit

Conflict declaration: No conflicts with this project.

No conflict from my side either. I like the folks there a lot, but it won't impact my objectivity in a security assessment. :)

Happy to help. No experience as lead assessor, but will help any way I can:

@TheFoxAtWork volunteered as well!

👋 hi everyone! Sorry I'm late to the party :) I made some minor updates to the self assessment today, but nothing major - I think @anvega did a pretty thorough job (thanks Andres!!). We have removed the One thing that probably needs some attention is that the previous assessment (the results of which are in the self assessment) did not account for the "Evil Server / Victim Server" attack vector. There may also be a modifier there of "Same Trust Domain" and "Different Trust Domain". I'm not sure if the old assessment methodology applies to the new process.

We're doing a lighter process here (no collusion matrices for most projects). I think we might have still taken a few steps down this path here because the setup and trust relationships are fairly complex.

Here is the proposed schedule. How does this look for all?

Jan 6-10: "Dumb questions phase"
Jan 13-22: Security review phase: security reviewers add comments on the doc, and conversation around edits to the doc continues
Jan 22: Presentation to SIG-Security meeting (MOVED to Feb 5)
By Jan 24: Address all remaining comments and finalize TOC summary (1 slide) (MOVED to Feb 7)
(To be scheduled): 1-slide sharing to the TOC

I've read the reviewer guidelines.

@evan2645 Does this timeline work for you?

I've read the reviewer guidelines.

@ultrasaurus @dshaw @pragashj require 2 co-chairs on reviewer conflicts

Note, as per discussion on Slack, the initial "Dumb Question Phase" is not a full-time commitment but more of an asynchronous process. I've allocated a bit of a buffer due to the 18-hour timezone difference between myself and Evan, and my travel from SIN->SFO on 9-10 Jan.

@lumjjb it looks like there are no reviewer conflicts, so we don't need chair review -- or did I miss something?

@ultrasaurus Wording may need to be revised. We interpreted the checkbox item as 2 SIG-chairs asserting that there are no reviewer conflicts and not a signoff where a conflict exists.

@JustinCappos Sure, I think that will work OK. I'm not traveling over the holiday season so am free to start whenever, but of course I understand that I'm probably the outlier :-D One thing I will note is that I will probably be unavailable from Jan ~8-19th. I have spoken to @azdagron about this though, and he is willing to cover and help answer any questions in my absence as I'm not sure what my internet access will look like during that time. @azdagron is a SPIRE maintainer.

@evan2645 yep that is fine. @TheFoxAtWork how does the schedule look for you?

yep yep works for me @lumjjb

@ultrasaurus @dshaw @pragashj Can we get the chair signoff so we can move this to completed? I think this means that @TheFoxAtWork, @lumjjb and I need to submit our conflict forms as well...

Hard conflicts: Reviewer is a maintainer of the project - NO
Soft conflicts: Reviewer belongs to the same company/organization as the project, but does not work on the project - NO

@JustinCappos It's been some time since the assessment was merged. I heard mention of this during today's SIG-Security call. Is there anything needed to close this issue and mark it done?

I think we're just waiting on the administrative items below from the SIG-Security side. Let's give people a day or two, but it should be closed this week.

Okay, given the chairs are preoccupied, I'm signing off on the COI.

The self-assessment doc here isn't accessible anymore

The assessment doc is now part of the repo as an

Project Name: SPIFFE/SPIRE
Github URL: https://github.com/spiffe/spire
Security Provider: yes