Project Name: Cloud Custodian
Github URL: https://github.com/cloud-custodian/cloud-custodian
Security Provider: yes, although its often used independently from security concerns, for many users its part of their security tooling.
will raise hand to be a reviewer but due to time constraints cannot be lead on this one, sorry!
edit: no conflicts AFAIK
thanks - where else can/should we enlist reviewers?
I'll volunteer to review too.
@ashutosh-narkar , would you be able to participate as a reviewer? I think your perspective would be very helpful.
We can find someone else to lead.
Sure @JustinCappos, I would be happy to be a reviewer.
EDIT: markdown strikethrough not cooperating...
Falco seems to be ready to go so I'll have to revert to reviewer instead of the lead. sorry!
On Sat, Dec 14, 2019 at 2:28 PM Ashutosh Narkar notifications@github.com
wrote:
Sure @JustinCappos https://github.com/JustinCappos, I would be happy to
be a reviewer.—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/cncf/sig-security/issues/307?email_source=notifications&email_token=AAGENIWBAFDHJKPAGPQ6OHTQYVMXZA5CNFSM4JZT4WL2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEG4MVNQ#issuecomment-565758646,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAGENIQXJ2SF67Q4VMI4AP3QYVMXZANCNFSM4JZT4WLQ
.
Okay, I'll let @ultrasaurus weigh in on priorities, likely after getting TOC guidance.
thank you - wait, isn't Falco already a sandbox project? In which case, haven't they already gone through some assessment?
Just curious - what is the bar to becoming a sandbox project? - @ultrasaurus
Falco did a code audit via the TOC before this SIG had established any
assessment process. The idea though is that the SIG assessment would be
complimentary to, and not a substitute for, a code audit (or operational
pen test, or in situ vulnerability assessment, etc).
As Sarah and others have articulated elsewhere, the scope of the SIG
assessment is more around threat model, default secure configuration
options, and project team capabilities and values to maintain secure design
and implementation practices over time....rather than a snapshot
point-in-time audit. Or at least that’s how I see it.
Falco still has yet to complete the SIG assessment. OPA was already sandbox
when they underwent this SIG assessment process. You can discuss with them
the perceived or actual benefits of the process, and overall feedback. I
presume they would also have some suggestions on how to efficiently
complete the process, too.
The sig assessment is not current a requirement for any CNCF milestone.
That is under discussion with the TOC as I understand. Some of us (at
least one of us ;) think it should be, or at the very least accelerate
acceptance or focus resources on those who do voluntarily complete it,
especially security-oriented projects.
On Sun, Dec 15, 2019 at 7:22 AM John Mark notifications@github.com wrote:
thank you - wait, isn't Falco already a sandbox project? In which case,
haven't they already gone through some assessment?Just curious - what is the bar to becoming a sandbox project? -
@ultrasaurus https://github.com/ultrasaurus—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/cncf/sig-security/issues/307?email_source=notifications&email_token=AAGENIUDYTENZKWXCAUCAY3QYZDT3A5CNFSM4JZT4WL2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEG43M4Q#issuecomment-565818994,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAGENIRIGHXTUF4U4EYMT2LQYZDT3ANCNFSM4JZT4WLQ
.
Thank you for the context - that is helpful.
as reviewer here is my conflict declaration:
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project -NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
I'm open to be a reviewer as well, although I would not be able to be lead due to a soft conflict.
Hard conflicts:
Reviewer is a maintainer of the project - No
Reviewer is a direct report of/to a maintainer of the project - No
Reviewer is paid to work on the project - No
Reviewer has significant financial interest directly tied to success of the project - No
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - No
Reviewer uses the project in his/her work - Yes
Reviewer has contributed to the project. - Pending
Reviewer has a personal stake in the project (personal relationships, etc.) - No
@ericavonb I think was maybe willing/able to volunteer as lead, and I said I'd help her through the process...that was discussed pre-holidays on the last Policy WG call, so not sure if she has had time to reconsider and run away (Monty Python skit comes to mind ;) )
I'm open to be a reviewer. Here is my conflict declaration:
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project -NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project -NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
We need a lead reviewer. @ericavonb Would you be willing to take on this role?
@JustinCappos we discussed at the last sig-security meeting that it would be best if someone who was on a previous security review could take the lead. Wdyt?
cc @rficcaglia @ultrasaurus
That only really leaves @ashutosh-narkar, I think. Ash, are you willing to do this?
Hello @JustinCappos, I would like to get some experience in the reviewer role before leading a review. I would more comfortable leading the next one. Hope that's fine.
Okay. @ericavonb , I'd be happy to have you lead this. I understand the concern about not having done this, but you can rely on @rficcaglia, @ultrasaurus, and me to help out if you have questions / problems. Are you comfortable taking the lead role with us supporting?
Yes I’m definitely happy to help!
On Fri, Jan 17, 2020 at 8:59 AM Justin Cappos notifications@github.com
wrote:
Okay. @ericavonb https://github.com/ericavonb , I'd be happy to have
you lead this. I understand the concern about not having done this, but you
can rely on @rficcaglia https://github.com/rficcaglia, @ultrasaurus
https://github.com/ultrasaurus, and me to help out if you have
questions / problems. Are you comfortable taking the lead role with us
supporting?—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/cncf/sig-security/issues/307?email_source=notifications&email_token=AAGENIRZTDD55OQJ2SF7ZJ3Q6HBWBA5CNFSM4JZT4WL2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEJH6BRQ#issuecomment-575660230,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAGENIUYLJ6VOGDT23ESPCDQ6HBWBANCNFSM4JZT4WLQ
.
I think it is important to have someone in the lead role who run the process before -- from a SIG-Security perspective, we're not just working on this assessment. We're also testing the process. (This will be # 5 of our FIRST FIVE https://github.com/cncf/sig-security/issues/167).
Of our experienced reviewers, @rficcaglia is leading Falco, @lumjjb is leading SPIFFE/SPIRE. looping in @justincormack to see if he might be open to leading this one.
_Hard conflicts:_
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
_Soft conflicts:_
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
I could lead this, and mentor @ericavonb if that works better.
I could lead this, and mentor @ericavonb if that works better.
Great! @justincormack Would you kindly post your conflict statement?
Hard conflicts:
Reviewer is a maintainer of the project - No
Reviewer is a direct report of/to a maintainer of the project - No
Reviewer is paid to work on the project - No
Reviewer has significant financial interest directly tied to success of the project - No
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - No
Reviewer uses the project in his/her work - Not at present, it is something we are considering
Reviewer has contributed to the project. - No
Reviewer has a personal stake in the project (personal relationships, etc.) - No
Okay, it looks like the next step is that the chairs need to review the conflicts. @ultrasaurus @dshaw @pragashj
âś… Co-chair sign-off on reviewer conflicts
sorry to be a blocker here -- we talked about not needing chair review for this level of little-to-no-conflict, and I've just written an issue as a placeholder: https://github.com/cncf/sig-security/issues/341
and just in case anyone is concerned, here's my...
âś… Co-chair sign-off on reviewer conflicts
Apologies, I am not going to be able to lead this.
Apologies, I am not going to be able to lead this.
That's unfortunate, but understandable given your new role on the TOC. I understand you'd like to potentially sponsor the project and feel that it's a little too much reliance on your perspective....
We do need someone to step up and lead here though now...
Can we put this on tomorrow's meeting for discussion?
Let's see if we can get this moving asynchronously... Cloud Custodian folks have been waiting a while! While we get organized and find a new leader, it would be great if someone could volunteer to give the self-assessment a careful read, primarily:
Any takers from the review team?
@amye the current agenda for tmr's meeting is for SPIFFE/SPIRE assessment presentation. i can make an announcement tmr on this to get volunteers for lead.
It looks like Sarah's on it, an announcement is just fine.
On Tue, Feb 18, 2020 at 2:36 PM Brandon Lum notifications@github.com
wrote:
@amye https://github.com/amye the current agenda for tmr's meeting is
for SPIFFE/SPIRE assessment presentation. i can make an announcement tmr on
this to get volunteers for lead.—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/cncf/sig-security/issues/307?email_source=notifications&email_token=AAA2FGI3XHO2VMRDCNMRCDLRDRPHHA5CNFSM4JZT4WL2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEMFTZ6Y#issuecomment-587939067,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAA2FGJ7IXZZK5VUTM7VDXDRDRPHHANCNFSM4JZT4WLQ
.
--
Amye Scavarda Perrin | Program Manager | [email protected]
@rficcaglia has volunteered to take a first look at the self-assessment
updated lead reviewer, though I'm not available until next week so really appreciate @rficcaglia volunteering to take a first look at self-assessment and give feedback. I'll sync up with @cseader and will circle back by early next week on target kick-off date.
Greetings y'all - we appreciate everyone's time on this. We wanted to propose that we move forward with a scaled-down or limited scope review commensurate with a sandbox project.
We feel that the effort we've put forth thus far meets the minimum requirement for a sandbox project. Please advise as to next steps.
Thanks!
// @ultrasaurus @rficcaglia @cseader @kapilt
// @tmbjmu
Greetings y'all - we appreciate everyone's time on this. We wanted to propose that we move forward with a scaled-down or limited scope review commensurate with a sandbox project.
We feel that the effort we've put forth thus far meets the minimum requirement for a sandbox project.
Is this in response to the clarifying issues raised by @rficcaglia ? Can you provide more context?
Right now we have a process that all projects follow. I can discuss with the chairs, but I am strongly opposed to customizing the process for different projects based upon how much work they want to put in. in-toto (a sandbox project) went through a more rigorous process than this also, as have other projects. It's fine if as a project you now decide you don't want to participate, but I'm sure we all have the same goal of having CNCF projects have a reasonable level of security and can represent that clearly to the community...
Hi @JustinCappos thanks for your response and further context. I'm trying to understand what, exactly, is the criteria for sandbox approval and what is MVP, not creating a customized process. We're responding to the comments on the draft doc and hope to pull something together ASAP. Thanks!
@johnmark to answer your question about the sandbox process, take a look at https://github.com/cncf/toc/blob/master/process/sandbox.md -- recent clarification of sandbox requirements
@cseader and I will review the self-assessment by early next week and can provide some quick feedback about how much effort will be involved in going thru the assessment process -- our hypothesis is that for SIG-Security, the self-assessment should cover everything we need to report back to the TOC, so I'll also validate that part of the process too :)
thanks @ultrasaurus !
Checking in on this, thanks!
@JustinCappos: Can you elaborate on the Blocked?
My understanding is that we're waiting on the project and that given everything else happening, we do not expect them to be ready to resume soon. @ultrasaurus please chime in if I'm off base.
This issue has been automatically marked as inactive because it has not had recent activity.
@kapilt I think you were going to refresh things soon?
@rficcaglia we're currently working on some issues with our azure serverless policies, violating the cis benchmark for azure. I'm planning on getting back to the assessment after that.
This should be closed as Cloud Custodian is included in Sandbox out of the 6/23 TOC meeting.
This should be closed as Cloud Custodian is included in Sandbox out of the 6/23 TOC meeting.
Are we indicating then that we're not doing assessments for sandbox projects (not necessarily as a prerequisite, but afterwards)?
These are no longer required for entry into the sandbox, but incubation reviews are still on deck. I am suggesting to close this to focus on the incubation reviews.
okay, I think this makes sense regardless. It has been long enough that we would need to reconstitute the team. I, for one, had forgotten I had even volunteered.
I presume the time to create the incubation assessment/review is when the
GHI for incubation is created, yes?
On Fri, Jun 26, 2020 at 3:10 PM Amye Scavarda Perrin <
[email protected]> wrote:
These are no longer required for entry into the sandbox, but incubation
reviews are still on deck. I am suggesting to close this to focus on the
incubation reviews.—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/cncf/sig-security/issues/307#issuecomment-650425683,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAGENITQJLLNVBSVDMZWAMLRYUMFHANCNFSM4JZT4WLQ
.
We should have this done well ahead of their incubation assessment. We may need to shift our review team, but I think we can do this to cover this project.
I'd encourage @kapilt and others to let us know as soon as they are ready to work on this. Right now, we have capacity to get this moving forward.
They're in sandbox, not incubating.
we've got capacity/bandwidth to drive to finish on this. we'd like to aim for moving to incubating post sandbox as its more reflective of the project's usage and maturity. can this issue be re-opened @JustinCappos ?
We will need to get participants set up again. I'm going to remove everyone from the list, but I do hope that many of: @rficcaglia , @JustinCappos , @ashutosh-narkar , @steven-hadfield , @ericavonb, @ultrasaurus, @cseader can participate again.
Please weigh in here if you can work on this assessment.
I would be happy to participate as an additional reviewer.
My conflict statement (no conflicts) is the same as above.
yes - still able to participate as reviewer (or lead if desired) - no
change to the conflict statement (still no conflicts as above)
On Wed, Jul 1, 2020 at 10:32 AM Justin Cappos notifications@github.com
wrote:
We will need to get participants set up again. I'm going to remove
everyone from the list, but I do hope that many of: @rficcaglia
https://github.com/rficcaglia , @JustinCappos
https://github.com/JustinCappos , @ashutosh-narkar
https://github.com/ashutosh-narkar , @steven-hadfield
https://github.com/steven-hadfield , @ericavonb
https://github.com/ericavonb, @ultrasaurus
https://github.com/ultrasaurus, @cseader https://github.com/cseader
can participate again.Please weigh in here if you can work on this assessment.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/cncf/sig-security/issues/307#issuecomment-652553007,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAGENIVR43XRKUIMXKMQM73RZNXJ7ANCNFSM4JZT4WLQ
.
yes - still able to participate as reviewer (or lead if desired) - no change to the conflict statement (still no conflicts as above)
…
Okay, I'll list you as lead above (for at least the time being). I think you'd do well in the role.
@kapilt can we pick a (re)kick-off date as a forcing function, maybe 7/22 or 7/29?
update: completed (re)kick-off call.
topics covered:
action items:
Hi all, In the previous sig-security meeting I volunteered to review. I understand I need to post my COI statement here:
Hard conflicts:
Reviewer is a maintainer of the project - No
Reviewer is a direct report of/to a maintainer of the project - No
Reviewer is paid to work on the project - No
Reviewer has significant financial interest directly tied to success of the project - No
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - No
Reviewer uses the project in his/her work - No
Reviewer has contributed to the project. - No
Reviewer has a personal stake in the project (personal relationships, etc.) - No
This issue has been automatically marked as inactive because it has not had recent activity.
Hello! I am Liz! I have taken over this much belabored, long-awaited, breathlessly anticipated project!
I have addressed the comments in the assessment first draft in Google Docs and have a final draft ready to go.
Will look into what the rest of the process is -- just wanted to revive this issue for now!
SIG and Project participants to this Security Review. Please comment if you are still available to conduct this review by 28 MAR 2021.
Hi Liz! Great to hear!
I will connect with Brandon and Ash on next steps. Since we started this a
long time ago, the assessment process has been revised.
Also we had assembled a team of volunteers back then but since things went
quiet we will need to engage the group anew and see if anyone is available.
Luckily I have been here since the beginning I can certainly “page in” some
historical context and actually use custodian quite frequently so still
very familiar with it. (More so since I am working on a PR for Policy
Result CRD support.)
Onwards and upwards!
On Fri, Mar 19, 2021 at 1:46 PM Liz Acosta @.*> wrote:
Hello! I am Liz! I have taken over this much belabored, long-awaited,
breathlessly anticipated project!I have addressed the comments in the assessment first draft in Google Docs
https://docs.google.com/document/d/12Ym5CHhgViRK8mLBcpZ3TH9BTPbcBKj9kOFVn-orreM/edit?usp=sharing
and have a final draft ready to go.Will look into what the rest of the process is -- just wanted to revive
this issue for now!—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/cncf/sig-security/issues/307#issuecomment-803115789,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAGENISUZXYLFVNEX6JCTMTTEOZZHANCNFSM4JZT4WLQ
.
Emily, our comments crossed in the ether...l have reviewed the c7n google
doc many times before, but I’m not sure how many additional reviewers we
can get by 3/28. Just out of curiosity what is driving that particular date?
On Fri, Mar 19, 2021 at 3:10 PM Emily Fox @.*> wrote:
SIG and Project participants to this Security Review. Please comment if
you are still available to conduct this review by 28 MAR 2021.—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/cncf/sig-security/issues/307#issuecomment-803162910,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAGENISRWWTHABVCAX27ZT3TEPDUFANCNFSM4JZT4WLQ
.
Just wanting to confirm if folx are still available that previously volunteered with a deadline so we can move this forward, if we don't have enough, we can likely source more after said date once others have confirmed. :smile:
Hello hello!
Thank y'all for your swift response! 3/28 due date does seem a little tight!
Just wanna confirm: First step is to submit the self-assessment and next step is a presentation?
What do I need to do right away?
Again -- thank you for your assistance and patience! This is all brand new territory for me and I am so excited to learn all the things!
@liz-acosta fwiw, this was presented to sig security pre-covid in 2019, not sure if we need to do that again. i'll defer to sig folks, afaik the whole TOC presentation thing is part of a different process then whats current.
AFAIK there is no connection between the SIG review (assessment is no
longer the correct term) and the TOC processes. The new review process
readme notes that the TOC may request a review, but I don’t see anywhere
that a review is required for any step in the CNCF project phases. (Emily
or Brandon may have more recent info, though.)
There is however - and was always part of the v1 assessment process - a
presentation from the reviewer and project to the SIG first, and then if
desired ( it is is presumed it will be) to the TOC. Again this is not a
required input to the TOC processes, this is merely the SIG and the project
asking the TOC if they are interested in reviewing the SIG findings.
I would characterize this as an opportunity for a project to be seen as
security forward by the TOC and SIG and investing in educating the
community vs a check the box exercise.
On Mon, Mar 22, 2021 at 7:23 AM Kapil Thangavelu @.*>
wrote:
@liz-acosta https://github.com/liz-acosta fwiw, this was presented to
sig security pre-covid in 2019, not sure if we need to do that again. i'll
defer to sig folks, afaik the whole TOC presentation thing is part of a
different process then whats current.—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/cncf/sig-security/issues/307#issuecomment-804102823,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAGENIQTDPWRPC3CAUSF3XDTE5HHRANCNFSM4JZT4WLQ
.
@kapilt Probably best to update the SIG on what's changed, and where your roadmap is heading!
@rficcaglia: The SIG Review is a requirement for incubation and graduation, see https://github.com/cncf/toc/tree/main/process -- https://github.com/cncf/toc/tree/main/process#project-graduation-process-sandbox-to-incubating shows where this exists in the process. SIG Review comes in with a recommendation to the TOC before due diligence.
Thanks Amye! Is that the box in the image “SIG Presentation”?
Also in the detailed TOC guide I see only:
“Have achieved and maintained a Core Infrastructure Initiative Best
Practices Badge.”
Which, in my experience, covers most if not all of the security topics I
like to review with projects, but I don’t see an explicit reference to SIG
Security or a link to the new review (or older assessment) process as a
requirement for any stage. But maybe these eyes are just missing it.
Maybe I should raise a PR to the TOC repo to clarify?
On Mon, Mar 22, 2021 at 8:10 AM Amye Scavarda Perrin <
@.*> wrote:
@kapilt https://github.com/kapilt Probably best to update the SIG on
what's changed, and where your roadmap is heading!
@rficcaglia https://github.com/rficcaglia: The SIG Review is a
requirement for incubation and graduation, see
https://github.com/cncf/toc/tree/main/process --
https://github.com/cncf/toc/tree/main/process#project-graduation-process-sandbox-to-incubating
shows where this exists in the process. SIG Review comes in with a
recommendation to the TOC before due diligence.—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/cncf/sig-security/issues/307#issuecomment-804138465,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAGENITCFMV3FEICYAT3XADTE5MXBANCNFSM4JZT4WLQ
.
Thanks Amye! Is that the box in the image “SIG Presentation”? Also in the detailed TOC guide I see only: “Have achieved and maintained a Core Infrastructure Initiative Best Practices Badge.” Which, in my experience, covers most if not all of the security topics I like to review with projects, but I don’t see an explicit reference to SIG Security or a link to the new review (or older assessment) process as a requirement for any stage. But maybe these eyes are just missing it. Maybe I should raise a PR to the TOC repo to clarify?
…
On Mon, Mar 22, 2021 at 8:10 AM Amye Scavarda Perrin < @.*> wrote: @kapilt https://github.com/kapilt Probably best to update the SIG on what's changed, and where your roadmap is heading! @rficcaglia https://github.com/rficcaglia: The SIG Review is a requirement for incubation and graduation, see https://github.com/cncf/toc/tree/main/process -- https://github.com/cncf/toc/tree/main/process#project-graduation-process-sandbox-to-incubating shows where this exists in the process. SIG Review comes in with a recommendation to the TOC before due diligence. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#307 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAGENITCFMV3FEICYAT3XADTE5MXBANCNFSM4JZT4WLQ .
The flowchart referenced in the doc is the process. SIG Presentation also means a recommendation from the SIG about what things the TOC should know about the project.
The CII requirement is set by the TOC.
Hi everyone!
Thank you for all this clarification!
Just wanted to acknowledge that I've seen your comments and will probably have some followup Qs. Stay tuned!
on the agenda for today's sig-security call.
Hey @liz-acosta: I don't have a PR in with the TOC for moving to Incubation: https://github.com/cncf/toc/pulls
This is a requirement to get a TOC sponsor, and we've had trouble in the past with SIG Reviews that weren't tied to the incubating process -- if that's the goal here.
Hello!
@amye -- Yes! That is the goal! I can go ahead and create that PR.
@sunstonesecure-robert -- Does someone from Cloud Custodian need to be at today's meeting? I don't think I'll be able to attend.
Thank you all for your assistance and patience!
@rficcaglia saw the shout out for non-lead reviewers :) I'm interested and able. Let me know how you want to coordinate. Cheers :)
Hard conflicts:
Reviewer is a maintainer of the project - No
Reviewer is a direct report of/to a maintainer of the project - No
Reviewer is paid to work on the project - No
Reviewer has significant financial interest directly tied to success of the project - No
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - No
Reviewer uses the project in his/her work - No
Reviewer has contributed to the project. - No
Reviewer has a personal stake in the project (personal relationships, etc.) - No
Hello wonderful helpful humans!
Finally got a chance to review the TOC process documentation and I have some clarifying questions!
Thank you once again!!! (And sorry if these are redundant questions answered somewhere in documentation or should be directed elsewhere 🙏🏼 )
Hi @liz-acosta https://github.com/liz-acosta, yes I think the Crossplane
PR looks like a good example. Once you have created a new incubation PR for
custodian, link it here and I'm happy to review it.
c7n mave have most of the criteria covered but I'm not certain on:
The "process change" I think is not related to the TOC process. There are 2
processes:
1) TOC sandbox -> incubation readiness (not sure if this has changed
recently - I think not)
2) sig-security review (changed recently from "assessment" to "review")
@amye is suggesting that #2 highly benefits from completing #1 first
hope that helps!
On Thu, Mar 25, 2021 at 2:03 PM Liz Acosta @.*> wrote:
Hello wonderful helpful humans!
Finally got a chance to review the TOC process documentation
https://github.com/cncf/toc/tree/main/process and I have some
clarifying questions!
- This is the document
https://github.com/cncf/toc/blob/51c35359e7c8f76ea11c9c5211e8ef110b24f0c1/reviews/incubation-crossplane.md
I "inherited" that, as I understand, needed to be submitted for review.- However, the process has changed, and therefore we need to submit a
PR with updated documentation of the points outlined in the TOC process doc
-- yes? (e.g., this PR for review
https://github.com/cncf/toc/blob/51c35359e7c8f76ea11c9c5211e8ef110b24f0c1/reviews/incubation-crossplane.md
)Thank you once again!!! (And sorry if these are redundant questions
answered somewhere in documentation or should be directed elsewhere 🙏🏼 )—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/cncf/sig-security/issues/307#issuecomment-807483299,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAGENITWXJLYVJ7NCRKWIATTFOQLXANCNFSM4JZT4WLQ
.
FYI -- moved this to backlog in the project board (https://github.com/cncf/sig-security/projects/2) until a team is assembled
@liz-acosta please take a look at docs here: https://github.com/cncf/sig-security/tree/master/assessments -- this is separate from TOC process (though often used as reference in that process)
removed question label, since it looks like the questions were answered :)
@ultrasaurus I have put this on the agenda for Wed call to reassemble the team. They completed the TOC PR as requested, so I think we're ready to roll.
@kapilt, @rficcaglia this is probably the next security assessment in the queue, what is the outlook like on this for availability for assessment as well as the current status of incubation recommendations?
CC: @IAXES @ashutosh-narkar
@lumjjb we had 2 sets of volunteers ready to go for the 2 prior attempts but most of these have dispersed.
Back in May on the TAG call the consensus was to hold based on incubation status and @TheFoxAtWork requested @kapilt to give a second presentation to the TAG.
@chasemp might still be available?
Personally I can be available second week of July to pick up again if we do get the go.
If Chase is still available, too, I think we need at least 1 more volunteer to go forward.
@lumjjb @sunstonesecure-robert I will be glad to help.
I haven't done a tag-security review yet, but would love to help out. In a previous life I did this professionally...
@lumjjb we've got two folks on the project side to help out @castrojo @liz-acosta re assessment needs .. i'm happy to do a TAG presentation again.
@yannizhang2019 @jlk thanks for volunteering :+1:
I would like to be involved as a shadow reviewer as I have not been a part of any earlier assessments... I would to get involved and learn more about assessment processes.
Most helpful comment
This should be closed as Cloud Custodian is included in Sandbox out of the 6/23 TOC meeting.