Some near term goals in my head:
So concretely, what I'd like to do:
(Started from conversation on k-security-discuss.)
/assign
/cc @kubernetes/sig-release-admins @kubernetes/release-engineering @kubernetes/product-security-committee
/area release-eng
/priority important-soon
/kind feature cleanup
/milestone v1.16
(PSC) Grant access for SIG Release Chairs to manage [email protected]
@tpepper and @justaugustus are added as managers of the list, and can add/manager additional members/managers
Rename [email protected] to [email protected]
Given the type of communications sent to the security release team list, I think the list name should reflect its security-sensitive or private nature. (e.g. [email protected], [email protected], etc)
@liggitt @jonpulsifer -- sounds good.
How's:
that seems reasonable
+1, sgtm
+1
Let me know which I can help with.
+1
let me know as well where i can help
@idealhack @cpanato -- Most of this will need to be handled by administrators of the relevant properties (SIG Chairs, PSC, kubernetes.io GSuite Admins), but I'll let you know if there's anything we can delegate! :)
+1, lgtm
@justaugustus what will the [email protected] list be used for? Do you think we should consider using the https://github.com/kubernetes/k8s.io/blob/fc4218bdc7de25fc2fe4b7dca00d61c5bde61366/groups/groups.yaml automation?
@philips i have been thinking the same thing. though currently the automation that drives the groups.yaml has a hard coded prefix k8s-infra- to avoid stomping existing google groups. i have to figure out how to do better ..
@philips -- @jbeda created the group for me earlier. I've closed out the steering issue (https://github.com/kubernetes/steering/issues/115). We'll use [email protected] for general communications for all Release Managers and [email protected] for private comms (PSC + internal comms for Patch Release Team, SIG Chairs, and Build Admins). Both will also be used for permissions to SIG Release projects on GCP.
And yes, I definitely want to use the yaml-based configs eventually, but as @dims mentioned, there is currently a restriction on group naming. I've added an item for it above.
The mailing list changes have been approved in this thread.
I've issued a PR (https://github.com/kubernetes/sig-release/pull/747) to change the references to mailing lists and a lazy consensus period of Wednesday, 8/7 at 6pm ET.
I'll wait until that time passes and all potential members of the private mailing list have agreed to uphold the security embargo before proceeding with any group membership changes/renames/archivals.
Notified k-security-discuss, release-managers, k-release-managers-private, k-sig-release, k-release-team, steering, community of changes and lazy consensus period: https://groups.google.com/d/topic/kubernetes-sig-release/xHrHQcjwWjk/discussion
Lazy consensus for mailing lists changes has been achieved.
@jbeda has granted me owner access to [email protected] and I've changed the list email address to [email protected].
Holds have been released on https://github.com/kubernetes/sig-release/pull/747 and https://github.com/kubernetes/test-infra/pull/13793.
Documentation updates: https://github.com/kubernetes/security/pull/45, https://github.com/kubernetes/sig-release/pull/751
Before granting [email protected] GCP access, I'd like to clean up membership leaving only Release Managers. IIUC, the PSC was only on this list to manage membership, which is no longer required.
Any issues with removing the following people?
Additionally, can we create [email protected], which would contain:
Per @tallclair's suggestion on the thread, this (and unnesting release-managers-private@ from security@) would allow us to minimize traffic to release-managers-private@ to be only release-focused.
Will send to ML as well.
Most of the non-nebulous, cross-group tasks here have been completed, so we're just about ready to close this out.
@kubernetes/product-security-committee -- How do we want to handle coordinating security releases?
Continue as-is, with release-managers-private@ nested within security@.
Allows Patch Release Team advance heads-up on potential CVEs and minimizes list sprawl
Use security-release-team@.
Right now, I'm the only member, but this would be expanded to nest:
release-managers-private@security@Here, Patch Release Team members would have to be explicitly added to the thread to action on coordinating a release.
Let me know what you think.
Ping @kubernetes/release-engineering for any last-minute thoughts...
Looks good to me! 馃憤
@kubernetes/product-security-committee -- How do we want to handle coordinating security releases?
PSC is trending towards option two, so I've opened https://github.com/kubernetes/k8s.io/pull/492 for discussion/review.
Opened https://github.com/kubernetes/sig-release/issues/896 to track documentation updates.
https://github.com/kubernetes/k8s.io/pull/492 has merged and I've confirmed that the security-release-team@ list is now active: https://groups.google.com/a/kubernetes.io/d/topic/security/QzotN1Lq93U/discussion
The remaining tasks on the list have been opened as individual issues:
/close
@justaugustus: Closing this issue.
In response to this:
https://github.com/kubernetes/k8s.io/pull/492 has merged and I've confirmed that the
security-release-team@list is now active: https://groups.google.com/a/kubernetes.io/d/topic/security/QzotN1Lq93U/discussionThe remaining tasks on the list have been opened as individual issues:
- Ensure SIG Release Chairs own all SIG Release assets: https://github.com/kubernetes/sig-release/issues/897
- Audit and prune extraneous user and service accounts from the kubernetes-release-test GCP project: https://github.com/kubernetes/sig-release/issues/898
/close
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Most helpful comment
@liggitt @jonpulsifer -- sounds good.
How's: