Project Name: Cloud Native Buildpacks
Github URL: https://github.com/buildpacks
Website: https://buildpacks.io
Self-assessment: https://docs.google.com/document/d/1jcggI-0uwMsmALiNwUfPDITK4KKbuUHX5SK5ZRp91oE/edit#
Security Provider: no
Hi @sclevine , Thanks for submitting the self-assesment. I don't seem to have permissions to view it.
Apologies @lumjjb, should be fixed now
This issue has been automatically marked as inactive because it has not had recent activity.
Since it was decided for the Parsec assessment to be done at a later time, I'm happy to take the lead on this one.
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - YES
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
Okay, great. We need a lead from their side to step forward.
We will also need other reviewers as well to get this going.
I am the author of the draft document and can serve as project security lead for this assessment.
This issue has been automatically marked as inactive because it has not had recent activity.
@sclevine Apologies for the wait here. From discussing in the SIG meeting today, we are ready to revitalize this thread and move ahead with this assessment.
I'm calling for other volunteers to participate. Currently looking for 2 or more reviewers.
This issue has been automatically marked as inactive because it has not had recent activity.
@anvega as discussed in the SIG meeting, I'm interested in getting involved here and understanding more about how the assessment process works..
I'm interested in getting involved and shadowing / reviewing this project as well.
I'm interested in getting involved as well. It looks like the slack channel was created as #sec-assessment-buildpacks
Great to have you onboard, @mattj-io, @magnologan, @dant24 & @danpopSD!
Can each of you please read through security reviewer guidelines and declare here you've got no conflicts (even if you are only shadowing)?
Thanks!
I have no conflicts
I have no conflicts
On Thu, Dec 3, 2020 at 3:14 AM Matt Jarvis notifications@github.com wrote:
I have no conflicts
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
https://github.com/cncf/sig-security/issues/377#issuecomment-737740101,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AFLK3LGSP2FYVPONOO7W4G3SS5CFXANCNFSM4MEDGARA
.>
Dan "POP" Papandrea
Field CTO
LinkedIn https://www.linkedin.com/in/danpapandrea/|Twitter
https://twitter.com/danpopnyc|Email pop@sysdig.com
sysdig.com http://www.sysdig.com
I have no conflicts
No conflicts
@mattj-io , @dant24 , @danpopSD , @magnologan Super happy you all are volunteering - to ensure everyone has their statements clearly defined please "indicat[e] all hard and soft conflicts they maintain prior starting the security assessment." as described in section 3 of the assessment guide using the below "no conflict formatting":
Hard Conflicts | Y/N
-- | --
Reviewer is a currently a maintainer of the project | Â N
Reviewer is direct report of/to a current maintainer of the project | Â N
Reviewer is paid to work on the project | Â N
Reviewer has significant financial interest directly ties to the success of the project | Â N
Soft Conflicts | Y/N
-- | --
Reviewer belongs to the same company/organization of the project, but does not work on the project | Â N
Reviewer uses the project in his/her work | Â N
Reviewer has contributed to the project | Â N
Reviewer has a personal stake in the project (personal relationships, etc.) | Â N
Hard Conflicts | Y/N
-- | --
Reviewer is a currently a maintainer of the project | N
Reviewer is direct report of/to a current maintainer of the project | N
Reviewer is paid to work on the project | N
Reviewer has significant financial interest directly ties to the success of the project | N
Soft Conflicts | Y/N
-- | --
Reviewer belongs to the same company/organization of the project, but does not work on the project | N
Reviewer uses the project in his/her work | N
Reviewer has contributed to the project | N
Reviewer has a personal stake in the project (personal relationships, etc.) | N
Hard Conflicts | Y/N
-- | --
Reviewer is a currently a maintainer of the project | N
Reviewer is direct report of/to a current maintainer of the project | N
Reviewer is paid to work on the project | N
Reviewer has significant financial interest directly ties to the success of the project | N
Soft Conflicts | Y/N
-- | --
Reviewer belongs to the same company/organization of the project, but does not work on the project | N
Reviewer uses the project in his/her work | N
Reviewer has contributed to the project | N
Reviewer has a personal stake in the project (personal relationships, etc.) | N
Hard Conflicts Y/N
Reviewer is a currently a maintainer of the project N
Reviewer is direct report of/to a current maintainer of the project N
Reviewer is paid to work on the project N
Reviewer has significant financial interest directly ties to the success of the project N
Soft Conflicts Y/N
Reviewer belongs to the same company/organization of the project, but does not work on the project N
Reviewer uses the project in his/her work N
Reviewer has contributed to the project N
Reviewer has a personal stake in the project (personal relationships, etc.) N
Thanks Dan, LGTM
Hard Conflicts Y/N
Reviewer is a currently a maintainer of the project N
Reviewer is direct report of/to a current maintainer of the project N
Reviewer is paid to work on the project N
Reviewer has significant financial interest directly ties to the success of the project N
Soft Conflicts Y/N
Reviewer belongs to the same company/organization of the project, but does not work on the project N
Reviewer uses the project in his/her work N
Reviewer has contributed to the project N
Reviewer has a personal stake in the project (personal relationships, etc.) N
Thanks Daniel, LGTM
Hard Conflicts | Y/N
-- | --
Reviewer is a currently a maintainer of the project | N
Reviewer is direct report of/to a current maintainer of the project | N
Reviewer is paid to work on the project | N
Reviewer has significant financial interest directly ties to the success of the project | N
Soft Conflicts | Y/N
-- | --
Reviewer belongs to the same company/organization of the project, but does not work on the project | N
Reviewer uses the project in his/her work | N
Reviewer has contributed to the project | N
Reviewer has a personal stake in the project (personal relationships, etc.) | N
Hard Conflicts | Y/N
-- | --
Reviewer is a currently a maintainer of the project | N
Reviewer is direct report of/to a current maintainer of the project | N
Reviewer is paid to work on the project | N
Reviewer has significant financial interest directly ties to the success of the project | N
Soft Conflicts | Y/N
-- | --
Reviewer belongs to the same company/organization of the project, but does not work on the project | N
Reviewer uses the project in his/her work | N
Reviewer has contributed to the project | N
Reviewer has a personal stake in the project (personal relationships, etc.) | N
@magnologan @mattj-io looks good.
@anvega I can participate either as a reviewer or as a shadow.
Hard Conflicts | Y/N
-- | --
Reviewer is a currently a maintainer of the project | N
Reviewer is direct report of/to a current maintainer of the project | N
Reviewer is paid to work on the project | N
Reviewer has significant financial interest directly ties to the success of the project | N
Soft Conflicts | Y/N
-- | --
Reviewer belongs to the same company/organization of the project, but does not work on the project | N
Reviewer uses the project in his/her work | N
Reviewer has contributed to the project | N
Reviewer has a personal stake in the project (personal relationships, etc.) | N
I have reviewed all conflict of interest declarations from the volunteered reviewers. There are no hard-conflicts that have been expressed.
The assembled review crew is able to provide a balanced and fair assessment. I believe we are in a good position to come up with a review timeline/schedule and kick the assessment off.
@TheFoxAtWork @pragashj @ultrasaurus
I approve. @pragashj @ultrasaurus
@anvega move this forward. @pragashj provided approval previously and confirmed with me yesterday.
from discussion with the project security lead, we'll reconvene in 2021 with an assessment schedule.
I talked to @anvega offline about this and would like to shadow this security assessment
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
doing a friendly triage ping while going through issues, last mention was to reconvene in 2021.
Wanted to check in on how this is progressing? CC @JustinCappos
We are long overdue here. I'll kick this off Monday by starting the first pass of naive questions myself, and we'll go from there.
@anvega glad to tag-team on this if you want to share a google doc
Same
I've completed the pass of naive questions.
The document is succinct and thorough. The project security lead has done a great job answering and resolving most of my questions.
Reminder for all other reviewers that the google doc for the assessment is linked on the first comment of this issue.
Wanted to check in on this. We have Cloud Custodian in the backlog and it waiting to be moved forward.
@anvega I think I've addressed your feedback in the doc, and we've added CII best practices badges to relevant repos. What are next steps?
Waiting on @lumjjb to give it a once over. I believe he was also going to include @IAXES in the process.
Most helpful comment
We are long overdue here. I'll kick this off Monday by starting the first pass of naive questions myself, and we'll go from there.