Project Name: Harbor
Github URL: https://github.com/goharbor
Website: https://goharbor.io
Security Provider: yes
Document for the CNCF SIG-Security review is located at https://docs.google.com/document/d/1OiBGl2D2kBUjLEippHUPgpZgSDTFIeCwpA6RxzQJpoc/edit?usp=sharing
I'm happy to participate as a reviewer. I've read the guideline and have no conflict.
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
Happy to be an assessment reviewer :+1:
I cannot seem to edit the top line item. But if someone can add me as an additional reviewer that would be swell.
Happy to be added as an security review observer
I'd like to participate in the security review for Harbor.
Like participate in the security review for Harbor. Thanks
For Harbor, there is a combined document created by SIG-Runtime to gather reviews and concerns from all the different SIGs: http://bit.ly/harbor-graduation-dd. Can you please update the doc once you have completed the review? Thanks!
Here is my conflict statement:
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO (except to Notary via TUF)
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
Here is my conflict statement:
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
Here is my conflict statement:
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
@cseader @anvega @pchychi-blox Would you please add your conflict statements?
I'd like to propose the following schedule:
March 30 - April 3 - Dumb questions phase (Only project team and lead security reviewer involved)
April 6 - 10 : Security review phase - Security reviewers add comments on the doc and conversation around edits to the doc continues
April 15 - Present assessment to SIG-Security (At least 1 representative from project team and security reviewers)
By April 17: Address all remaining comments, and finalize assessment summary
How does this work for everyone else?
@JustinCappos I edited my prior comment to include conflict statements.
Here is my conflict statement:
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
Reviewer has contributed to the project. - NO (except to Notary via TUF)
I didn't know you are a TUF contributor. Was this a typo?
@anvega Since we haven't heard from @cseader , should we move on without them? I can remove them from the list.
@JustinCappos I pinged @cseader to see if he can respond today, while I get going on the dumb questions phase. If we don't hear back from him by tomorrow we can remove him from the list.
Here is my conflict statement:
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
@ultrasaurus @pragashj @dshaw Ready for sign-off from chairs about conflicts...
I'm signing off on the conflict statements.
Co-chair sign-off confirming conflict statement reviews for @anvega @justincappos @cseader @chasemp @vinayvenkat @pchychi-blox. Thank you all.
Hopefully it isn't too late to join as an observer in this assessment.
Here is my conflict statement:
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - YES
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
I wrote that I have a soft conflict with Reviewer belongs to the same company/organization of the project, but does not work on the project because Harbor was initially created at VMware and I work there although Harbor was donated to CNCF for year and a half already.
@JustinCappos @dshaw am I accepted as an observer in this assessment?
@JustinCappos @dshaw am I accepted as an observer in this assessment?
yes, done!
@anvega is the process that sig-security performs a TOC presentation for a security assessment? the other SIGs that did an assessment for Harbor's graduation bid just wrote their assessment in a doc and shared the findings. i am asking since we need to reserve the TOC slot in advance.
@caniszczyk for your thoughts as well.
@michmike The assessment summary once committed and merged will be used as a reference. Looking back no presentations have been made to share the summary from SIG-Security to TOC.
got it. thanks @anvega
PR for the self-assessment is at https://github.com/cncf/sig-security/pull/378
Security Assessment complete. We are now finalizing due diligence documentation.
Due diligence and SIG-Security's recommendation that Harbor graduate has been submitted to the TOC. https://github.com/cncf/toc/pull/311
I'm going to leave this open for SIG-Security Assessment feedback and commendation with the Tech Leads in two weeks. All expected actions from the Harbor team are complete.
I'm going to leave this open for SIG-Security Assessment feedback and commendation with the Tech Leads in two weeks. All expected actions from the Harbor team are complete.
Looks like that time has passed! I'll close this issue and mark this as done.