
Commit d0cf428

Merge pull request #158 from JameelHao/main
Add SECURITY.md and CONTRIBUTING.md
2 parents 49a1949 + 959d291 commit d0cf428

2 files changed

+81
-0
lines changed

CONTRIBUTING.md

Lines changed: 51 additions & 0 deletions
@@ -0,0 +1,51 @@
1+
# Contributing to Orion Proxy
2+
3+
Before contributing, please consider the terms of the license (Apache License 2.0). We chose this license for two reasons:
4+
5+
- To be more compatible with the general Rust ecosystem
6+
- So that this software can be liberally used with few restrictions
7+
8+
After ensuring the license options are compatible with the aims of the contribution, then please submit your PR for review and we will review as soon as possible. My only ask is that you do not do this for free, unless it's something that is a passion or learning project for you. Please, find a way to be paid for your work. You are worth it.
9+
10+
## Understanding the design
11+
12+
Please familiarize yourself with the overall architecture and design of Orion Proxy by reviewing the codebase and examples. Orion is designed as a high-performance L7 proxy compatible with Envoy's xDS configuration format while providing superior performance through Rust's memory safety guarantees.
13+
14+
## Submitting PRs
15+
16+
Before submitting a PR it would be good to discuss the change in an issue so as to avoid wasted work, also feel free to reach out via GitHub Discussions. Please, consider keep PRs focused on one issue at a time. While issues are not required for a PR to be accepted they are encouraged, especially for anything that would change behavior, change an API, or be a medium to large change.
17+
18+
When submitting PRs please keep refactoring commits separate from functional change commits. Breaking up the PR into multiple commits such that a reviewer can follow the change improves the review experience. This is not necessary, but can make it easier for a reviewer to follow the changes and will result in PRs getting merged more quickly.
19+
20+
### Test policy
21+
22+
All PRs *must* be passing all tests. Ideally any PR submitted should have more than 85% code coverage, but this is not mandated.
23+
24+
## Performing a Release, for Maintainers
25+
26+
Releases are somewhat automated. The github action, `publish`, watches for any tags on the project. It then attempts to perform a release of all the libraries, this does not always work, for various reasons.
27+
28+
1. Create a new branch like `git checkout -b prepare-0.1.6`
29+
1. Update all Cargo.toml files to the new version, `version = 0.1.6`
30+
1. Update dependencies, `cargo update`
31+
1. Update all inter-dependent crates, i.e. orion-core to use the new versions
32+
1. Push to Github, create a PR and merge in `main` or the target release branch.
33+
1. Go to [Releases](https://github.com/kmesh-net/orion/releases) and `Draft a new release`
34+
1. Give it a `Tag Version` of `vX.x.x`, e.g. `v0.1.6`, *make sure this is tagging the correct branch, e.g. `main` or `release/0.1`*
35+
1. Give it a `Release Title` of something key to the release
36+
1. Generate release notes
37+
1. `Publish Release`, this will kick off the publish workflow
38+
39+
## FAQ
40+
41+
- Why are there so few maintainers?
42+
43+
There have not been that many people familiar with proxy internals, networking, security, and Rust that the list of maintainers has been relatively small.
44+
45+
- Will new maintainers be considered?
46+
47+
Yes! There is no formal process, and generally it's a goal to open up to anyone who's been committing regularly to the project. We'd ask that you are committed to the goals of an open high-performance proxy implementation that anyone can freely use as they see fit. Please reach out via GitHub Discussions if you'd like to become a maintainer and discuss with us.
48+
49+
## Thank you!
50+
51+
Seriously, thank you for contributing to this project. Orion Proxy would not be where it is today without the support of contributors like you.
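Review bot: In the release procedure, step 2 gives `version = 0.1.6` as the Cargo.toml change, which is not valid TOML; the value must be a quoted string, `version = "0.1.6"`, matching the tag example `v0.1.6` in step 7. The sentence "this does not always work, for various reasons" leaves a maintainer with nothing to act on when the `publish` workflow fails; list the known failure cases (for example, a crate failing to publish because the new version of a crate it depends on is not yet on crates.io, which step 4 hints at) and how to recover, or link the workflow file. Because any pushed tag triggers a crates.io publish, it is also worth stating here that release tags are created only by maintainers through the Releases UI and that the tag pattern is protected in the repository settings. Minor wording: "consider keep PRs focused" should be "consider keeping PRs focused", "Github" should be "GitHub", and the first FAQ answer is missing its "so" ("There have been so few people ... that the list of maintainers ...").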

SECURITY.md

Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
# Security Policy
2+
3+
## Supported Versions
4+
5+
The Orion Proxy team fully supports the most recent minor release train and will consider patches to
6+
prior versions depending on prevalence of the affected version(s) and severity of the reported
7+
issue. For example, if the most recent release is 0.1.5, we would provide a fix in a 0.1.x
8+
release, but we might not backport the fix to earlier major versions.
9+
10+
Orion Proxy is a high-performance L7 proxy implemented in Rust, designed to support Envoy-compatible
11+
configurations as well as Cloud and AI native networking scenarios.
12+
13+
## Reporting a Vulnerability
14+
15+
Please do not report vulnerabilities via public issue reports or pull requests. Instead, report
16+
vulnerabilities via GitHub's private [report a vulnerability](https://github.com/kmesh-net/orion/security/advisories/new)
17+
link. The Orion Proxy team will make every effort to respond to vulnerability disclosures within 5
18+
working days. After initial triage, we will work with the reporting researcher on a disclosure
19+
time-frame and mutually agreeable embargo date, taking into account the work needed to:
20+
21+
* Identify affected versions
22+
* Prepare a fix and regression test
23+
* Coordinate response with downstream projects in the Kmesh ecosystem
24+
25+
After testing a fix and upon the end of the embargo date we will:
26+
27+
* Submit an advisory to [rustsec/advisory-db](https://github.com/RustSec/advisory-db)
28+
* Publish fixed releases on crates.io and deprecate prior releases as appropriate
29+
* Publish release notes and security advisories on the [GitHub Releases](https://github.com/kmesh-net/orion/releases) page
30+
* Notify the Kmesh community via official communication channels
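Review bot: The supported-versions example is internally inconsistent: with 0.1.5 as the latest release, a fix in a 0.1.x release skips earlier minor trains (0.0.x), not "earlier major versions", so the last sentence of that paragraph should read "earlier release trains" to match the opening sentence about the most recent minor release train. The reporting section offers only the GitHub private advisory link; add a fallback (a security mailing address or a PGP key) for reporters who cannot use a GitHub account, and state what is in scope (for example, the published orion crates and their Envoy-compatible configuration handling) versus out of scope. Under the post-embargo steps, consider also requesting a CVE identifier through the GitHub advisory, since downstream Kmesh projects and the RustSec entry will want a stable identifier to cite.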
