Comments (17)
@nschonni I agree.
This control is mainly for the comfort of my organization. But I may change it.
http://git.661346.n2.nabble.com/GPG-signing-for-git-commit-td2582986.html#a2583316
That is an interesting read on Linus Torvalds's opinion on signing commits.
I think it would be better if it was changed to signing tags.
So something like:
Signed Tags
Releases should be tagged and signed by a maintainer. This should ensure the source code is not modified after the fact.
from open-source-logiciel-libre.
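The signed-tag practice proposed above, as an added example that is not part of this thread or of the open-source-logiciel-libre project: a small Python checker that parses git tag objects (the text `git cat-file -p <tagname>` prints) and lists release tags that carry no signature block. The `vX.Y.Z` naming convention, the tag names and the sample tag objects are constructed assumptions. It only detects whether a signature is present; checking the signature against the maintainer's key is what `git verify-tag` does.

```python
"""Detect unsigned release tags by parsing git tag objects.

Added example for this thread; not code from the original discussion or
from the open-source-logiciel-libre project. It parses the text that
`git cat-file -p <tagname>` prints for an annotated tag and reports whether
the tag carries the PGP signature block that `git tag -s` appends. It only
checks for the presence of a signature; cryptographic verification against
the maintainer's public key is what `git verify-tag <tagname>` does.
The tag objects below are constructed sample data.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"
# Release tags in this example follow vMAJOR.MINOR.PATCH (an assumption).
RELEASE_TAG = re.compile(r"^v\d+\.\d+\.\d+$")


@dataclass
class TagInfo:
    name: str
    object_id: str   # the commit (or other object) the tag points at
    object_type: str
    tagger: str
    signed: bool


def parse_tag_object(raw: str) -> TagInfo:
    """Parse an annotated tag object: header lines, a blank line, the message,
    and (for signed tags) a trailing PGP signature block."""
    header, _, body = raw.partition("\n\n")
    fields: Dict[str, str] = {}
    for line in header.splitlines():
        key, _, value = line.partition(" ")
        fields[key] = value
    for required in ("object", "type", "tag", "tagger"):
        if required not in fields:
            raise ValueError(f"malformed tag object: missing '{required}' header")
    # A signature block must both open and close; a truncated block does not count.
    signed = SIG_BEGIN in body and body.rstrip().endswith(SIG_END)
    return TagInfo(
        name=fields["tag"],
        object_id=fields["object"],
        object_type=fields["type"],
        tagger=fields["tagger"],
        signed=signed,
    )


def unsigned_release_tags(tags: Dict[str, Optional[str]]) -> List[str]:
    """Given a mapping of tag name -> raw tag object text (None for a
    lightweight tag, which has no tag object and therefore no signature),
    return the release tags that should have been signed but were not."""
    unsigned = []
    for name, raw in tags.items():
        if not RELEASE_TAG.match(name):
            continue  # not a release tag; the signing rule does not apply
        if raw is None or not parse_tag_object(raw).signed:
            unsigned.append(name)
    return sorted(unsigned)


def load_tags_from_repo(repo_dir: str) -> Dict[str, Optional[str]]:
    """Collect tag objects from a real checkout (not used by the sample run)."""
    names = subprocess.check_output(
        ["git", "-C", repo_dir, "for-each-ref", "--format=%(refname:short)", "refs/tags"],
        text=True,
    ).split()
    tags: Dict[str, Optional[str]] = {}
    for name in names:
        # `cat-file -t` prints "tag" for an annotated tag and "commit" for a lightweight one.
        kind = subprocess.check_output(["git", "-C", repo_dir, "cat-file", "-t", name], text=True).strip()
        tags[name] = (
            subprocess.check_output(["git", "-C", repo_dir, "cat-file", "-p", name], text=True)
            if kind == "tag" else None
        )
    return tags


# Constructed sample tag objects (the signature body is a placeholder, not a real signature).
SIGNED_TAG = """object 0123456789abcdef0123456789abcdef01234567
type commit
tag v1.2.0
tagger Jane Maintainer <jane@example.org> 1600000000 -0400

Release 1.2.0
-----BEGIN PGP SIGNATURE-----

iQEzBAABCAAdFiEEplaceholderplaceholderplaceholderplaceholder=
-----END PGP SIGNATURE-----
"""

UNSIGNED_TAG = """object 89abcdef0123456789abcdef0123456789abcdef
type commit
tag v1.1.0
tagger Jane Maintainer <jane@example.org> 1590000000 -0400

Release 1.1.0
"""

SAMPLE_TAGS: Dict[str, Optional[str]] = {
    "v1.2.0": SIGNED_TAG,
    "v1.1.0": UNSIGNED_TAG,
    "v1.0.0": None,           # lightweight tag: cannot carry a signature
    "nightly-2020-09": None,  # not a release tag, ignored by the rule
}

if __name__ == "__main__":
    for name in unsigned_release_tags(SAMPLE_TAGS):
        print(f"release tag {name} is not signed")
```

Run against the constructed sample it reports `v1.0.0` and `v1.1.0`; `load_tags_from_repo` shows how the same check would be fed from a real checkout, after which `git verify-tag` on each remaining tag confirms the signature is from a maintainer's key.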
That sounds like a good practice. Although I usually tell people that tags should be immutable, some people sometimes want to delete or force push them.
Maybe GoC X.0 plan will have the next Entrust replacement work as a Git signing key
Yeah, that's an issue for sure. The reason for signing is that I've had comments from folks in our IT sec teams about the risk of hosting source code on a platform we don't control. There are concerns that a malicious actor could modify our code without our knowledge.
The wording for the peer review seems too harsh. The point of code review is to ensure code quality, not to lay blame for bugs.
In the latest version of the requirements, we're removing the security aspect as there are already existing policy instruments and will try to address/guide through the playbook instead.
Policy instrument (current document) should address the rules whereas the Playbook should provide all the required guidance and clarification for nuances to not create redundancies.
That's the intent so far. Happy to hear suggestions!
@LaurentGoderre good point, the goal isn't to spread blame but to spread responsibility, so if someone is gone and there is a question about some code, the reviewer should be able to answer it.
Yeah, that makes sense.
And we're actually going back with sections on Security as some of them are not necessarily covering specific topics found in the current discussion.
There should also be a formal process to do periodic reviews just to ensure quality of commits, too. SCA is nice, but having external review by a security assessor or someone trained by one is likely a good idea.
There should also be a formal process to do periodic reviews just to ensure quality of commits, too. SCA is nice, but having external review by a security assessor or someone trained by one is likely a good idea.
So the idea would be to review some commits or to review the project itself?
I don't think external reviews are a horrible idea but am curious as to what they would be reviewing for?
Do you have examples of things that they could look for that say an automated process couldn't catch?
@CalvinRodo: Both commits and the overall stance of the project make sense to me. The idea would be to do little bits so the big picture is easier later.
As for external reviews: psychologists talk about what is called "confirmation bias". This is the very human weakness of only seeking evidence in something's favour rather than looking for disconfirming evidence too. The role of a security assessor in any context the way I see it is to help avoid confirmation bias - and that's why they are at arm's length.
As for examples: depends on the tool chain, but detecting vulnerabilities is an undecidable (in the sense of computability theory) process so having lots of different "ways to think about it" helps. Specific examples where the tools tend to do badly are at boundaries between systems or processes, etc., things like weak or broken authentication, possible race conditions, ...
I think periodic audits of code quality by an external party are fine, just as long as we don't make them a mandatory part of a release.
I can't think of a better way to slow down something than to bring in someone with little to no knowledge of the business or the context of the work to review every single line of code or commit.
We've thought a lot more since my earlier remarks and are working internally on a more Agile version of the SA&A process. Note that regardless - the security controls for the project etc. are not really up to the dev teams at all - they can certainly go "above and beyond", but by the letter of the law (so to speak) IT security has to decide what is necessary (based on what business needs are present). We're working on a way to have these needs partially determined up front so they can be added to backlog items immediately.
@keithdouglas security can't block development practices that are universally recognized in the name of security. ITSec should focus on helping dev teams improve security instead of acting as a gatekeeper, especially since security is an ongoing effort, not something that should only happen at checkpoints.
@LaurentGoderre, that's precisely why we want a version of the "business needs for security" to be started as soon as an Idea document or any other little piece of governance for a project is available - thus reducing what is done at checkpoints.
As for "universally recognized", I agree, but provided it is done relative to the security stance of what is being developed. And for that one needs a risk assessment (and a background context) and hence also a security assessor to determine these.