hello,
as you may have seen Joel Smith from the Product Security Committee
has recently created a number of tickets in the kubernetes/kubernetes
repository to update SECURITY_CONTACTS files in our staged
repositories. this is due to the PSC delegating the per-repository
security contact to the repository owners.
e.g.
https://github.com/kubernetes/kubernetes/issues/92092
https://github.com/kubernetes/kubernetes/labels/committee%2Fproduct-security
for reference, the SECURITY_CONTACTS idea was announced here:
https://groups.google.com/forum/#!topic/kubernetes-dev/codeiIoQ6QE
instead of including individuals and given this is not part of GitHub
user automation, can we have the SECURITY_CONTACTS files direct users
towards mailing list email addresses where volunteers from SIGs can be
on rotation?
for example:
- SIG Foo can have a "sig-foo-security" mailing list.
- all repositories owned by SIG Foo can have "sig-foo-security"
present in SECURITY_CONTACTS.
- it would be up to the SIG to keep the security mailing list up-to-date.
the current method has a couple of issues:
- can be noisy if regular changes are required.
- a GitHub username *is not* really a security contact unless it
matches the local-part of an email address or a slack nickname (I'm
excluding communication on private GitHub repositories as a scenario).
- suffers from the same problem as OWNERS files; a person steps down
from working on the project and the enumerated contact is no longer
active.
lubomir