CONTRIBUTING: Lead off with the security section #57
Open
wking wants to merge 1 commit into opencontainers:main from wking:security-first
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,14 +1,20 @@ | ||
| # Contribution Guidelines | ||
|
|
||
| Development happens on GitHub. | ||
| Issues are used for bugs and actionable items and longer discussions can happen on the [mailing list](#mailing-list). | ||
| ## Security issues | ||
|
|
||
| The content of this repository is licensed under the [Apache License, Version 2.0](LICENSE). | ||
| If you are reporting a security issue, *do not* create an issue or file a pull request on GitHub. | ||
| Instead, disclose the issue responsibly by sending an email to [[email protected]](mailto:[email protected]) (which is inhabited only by the maintainers of the various OCI projects). | ||
|
|
||
| ## Code of Conduct | ||
|
|
||
| Participation in the Open Container community is governed by [Open Container Code of Conduct][code-of-conduct]. | ||
|
|
||
| ## Discussion | ||
|
|
||
| Development happens on GitHub. | ||
| Issues are used for non-security bugs and actionable items; longer discussions can happen on the [mailing list](#mailing-list). | ||
| Responsible disclosure for security issues is discussed [above](#security-issues). | ||
|
|
||
| ## Meetings | ||
|
|
||
| The contributors and maintainers of all OCI projects have monthly meetings at 2:00 PM (USA Pacific) on the first Wednesday of every month. | ||
|
|
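Review bot: The new `## Security issues` section only tells reporters not to "create an issue or file a pull request on GitHub", yet the rest of this diff compensates by appending `Responsible disclosure for security issues is discussed [above](#security-issues).` to the Discussion section here and to several later sections. Naming the other public channels in the opening sentence itself (the mailing list, IRC, and the monthly meeting, all of which this file describes) would let the section stand on its own and make those repeated back-references optional. While touching this section, consider also stating what a reporter can expect after emailing the security list (for example, an acknowledgement), since that is the one piece of guidance a person with a finding in hand usually looks for.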
@@ -20,25 +26,24 @@ Minutes from past meetings are archived [here][minutes]. | |
| ## Mailing list | ||
|
|
||
| You can subscribe and browse the mailing list on [Google Groups][mailing-list]. | ||
| Responsible disclosure for security issues is discussed [above](#security-issues). | ||
|
|
||
| ## IRC | ||
|
|
||
| OCI discussion happens on #opencontainers on [Freenode][] ([logs][irc-logs]). | ||
| Non-security OCI discussion happens on #opencontainers on [Freenode][] ([logs][irc-logs]). | ||
| Responsible disclosure for security issues is discussed [above](#security-issues). | ||
|
|
||
| ## Git | ||
|
|
||
| ### Security issues | ||
|
|
||
| If you are reporting a security issue, do not create an issue or file a pull | ||
| request on GitHub. Instead, disclose the issue responsibly by sending an email | ||
| to [email protected] (which is inhabited only by the maintainers of | ||
| the various OCI projects). | ||
| The content of this repository is licensed under the [Apache License, Version 2.0](LICENSE). | ||
|
|
||
| ### Pull requests are always welcome | ||
|
|
||
| We are always thrilled to receive pull requests, and do our best to | ||
| process them as fast as possible. Not sure if that typo is worth a pull | ||
| request? Do it! We will appreciate it. | ||
| We are always thrilled to receive pull requests for non-security changes, and do our best to process them as fast as possible. | ||
| Not sure if that typo is worth a pull request? | ||
| Do it! | ||
| We will appreciate it. | ||
| Responsible disclosure for security issues is discussed [above](#security-issues). | ||
|
|
||
| If your pull request is not accepted on the first try, don't be | ||
| discouraged! If there's a problem with the implementation, hopefully you | ||
|
|
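Review bot: The license sentence `The content of this repository is licensed under the [Apache License, Version 2.0](LICENSE).` is moved from the top of the file into the `## Git` section, where it now sits directly under the `## Git` heading and ahead of `### Pull requests are always welcome`; licensing is not a Git-workflow topic, so it would be more discoverable under its own heading or restored near the top. Separately, removing the old `### Security issues` subsection under Git is fine for the anchors, since the new top-level `## Security issues` heading yields the same `#security-issues` fragment that every `[above](#security-issues)` link in this diff targets, but it is worth confirming nothing outside this file links to the subsection's old position.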
@@ -51,8 +56,9 @@ incorporating a new feature. | |
| ### Conventions | ||
|
|
||
| Fork the repo and make changes on your fork in a feature branch. | ||
| For larger bugs and enhancements, consider filing a leader issue or mailing-list thread for discussion that is independent of the implementation. | ||
| For larger non-security bugs and enhancements, consider filing a leader issue or mailing-list thread for discussion that is independent of the implementation. | ||
| Small changes or changes that have been discussed on the [project mailing list](#mailing-list) may be submitted without a leader issue. | ||
| Responsible disclosure for security issues is discussed [above](#security-issues). | ||
|
|
||
| If the project has a test suite, submit unit tests for your changes. Take a | ||
| look at existing tests for inspiration. Run the full test suite on your branch | ||
|
|
||
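Review bot: The `Responsible disclosure for security issues is discussed [above](#security-issues).` line appended to the Conventions paragraph is redundant with the qualifier added one line earlier (`For larger non-security bugs and enhancements, ...`), which already signals that security reports follow a different path; keeping only the qualifier (or only the back-reference) would avoid interrupting the fork-and-branch instructions with a cross-reference.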
I don't think you need to repeat this sentence in every section. Just expand the opening line to say "do not create an issue, file a pull request, send a public message on the mailing list or IRC, or discuss it in the monthly meeting".
Right, that's:

from my initial post. Are you confident that folks with a security issue will notice the opening section of this file, even if they find it via a .../CONTRIBUTING.md#mailing-list link (for example)? You could also make this argument more narrowly, and say something like:

But I'm fine dropping whichever back-refs folks want me to drop. Do you want me to drop all of them? Or just from a few sections? Or maybe we can get a security ref that sticks to the top of the browser window (something like this if GitHub won't strip that out).
This is a no-go, because GitHub strips `style` attributes.