From f56257649d3598377cf18758ad555a633e9d2877 Mon Sep 17 00:00:00 2001 From: Aleksa Sarai Date: Wed, 30 Nov 2016 20:23:08 +1100 Subject: [PATCH] *: clarify how security issues are handled The security@opencontainers.org mailing list is for *maintainers only*, and is to be used for technical discussion about potential security issues. It is not a place for the TOB to have votes about specification-related business, simply because it is not sane to include people who are not maintainers of projects in critical security discussions of said projects. If in the future we discover that we need to have a place to vote on security issues, the TOB can do that on their own private mailing list. For now, we should focus on making sure that security disclosures on *actual shipping code* is actually done properly. Signed-off-by: Aleksa Sarai --- CONTRIBUTING.md | 7 +++++++ GOVERNANCE.md | 7 ------- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 6b77b26..0b17319 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,5 +1,12 @@ ## Contribution Guidelines +### Security issues + +If you are reporting a security issue, do not create an issue or file a pull +request on GitHub. Instead, disclose the issue responsibly by sending an email +to security@opencontainers.org (which is inhabited only by the maintainers of +the various OCI projects). + ### Pull requests are always welcome We are always thrilled to receive pull requests, and do our best to diff --git a/GOVERNANCE.md b/GOVERNANCE.md index e5224fb..357c1ee 100644 --- a/GOVERNANCE.md +++ b/GOVERNANCE.md @@ -31,13 +31,6 @@ A quorum is established when at least two-thirds of maintainers have voted. For projects that are not specifications, a [motion to release](#release-approval) MAY be adopted if the tally is at least three LGTMs and no REJECTs, even if three votes does not meet the usual two-thirds quorum. -## Security issues - -Motions with sensitive security implications MUST be proposed on the security@opencontainers.org mailing list instead of dev@opencontainers.org, but should otherwise follow the standard [proposal](#proposing-a-motion) process. -The security@opencontainers.org mailing list includes all members of the TOB. -The TOB will contact the project maintainers and provide a channel for discussing and voting on the motion, but voting will otherwise follow the standard [voting](#voting) and [quorum](#quorum) rules. -The TOB and project maintainers will work together to notify affected parties before making an adopted motion public. - ## Amendments The [project governance](#project-governance) rules and procedures MAY be amended or replaced using the procedures themselves.