dell/dkms

Retrospective from the recent XZ vuln

evelikov opened this issue · 1 comment

As many of you have seen in the news, XZ suffered a very serious vulnerability recently. Looking through the various discussions and reflecting, here are some actions I would love to see:

  • encourage cross reviews from everyone - add to CONTRIBUTING
  • maintenance lack of time vs funds - ditto mention in the CONTRIBUTING/README
  • the fix and test must be in same PR - ditto CONTRIBUTING
  • ban direct pushes to master branch in GH settings - document in MAINTAINERS
  • add protected tags (pattern) in GH settings - MAINTAINERS
  • use signed tags for releases - MAINTAINERS
  • require signed commits for maintainers (how to check/enforce?), recommend for others - CONTRIBUTING
  • list current maintainers (in MAINTAINERS) and general response time (CONTRIBUTING)
  • set security policy (use Github?) and add some docs

@scaronni @xuzhen what do you think?

Hi @evelikov I'm fine with all of them. In the meantime I've made you an admin, as my time is really limited:


Feel free! I would suggest protecting the master branch is an easy win. Thanks!