Retrospective from the recent XZ vuln
evelikov opened this issue · 1 comment
evelikov commented
As many of you have seen in the news, XZ suffered a very serious vulnerability recently. Looking through the various discussions and reflecting, here are some actions I would love to see:
- encourage cross reviews from everyone - add to CONTRIBUTING
- maintenance: lack of time vs. funds - ditto, mention in the CONTRIBUTING/README
- the fix and test must be in the same PR - ditto CONTRIBUTING
- ban direct pushes to the master branch in GH settings - document in MAINTAINERS
- add protected tags (pattern) in GH settings - MAINTAINERS
- use signed tags for releases - MAINTAINERS
- require signed commits for maintainers (how to check/enforce?), recommend for others - CONTRIBUTING
- list current maintainers (in MAINTAINERS) and general response time (CONTRIBUTING)
- set a security policy (use GitHub?) and add some docs
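One way to answer the "how to check/enforce?" question for signed maintainer commits and signed release tags, as an added example that is not part of the issue or of this project's code: it feeds `git log` signature status (`%G?`) and signing-key fingerprint (`%GF`) through a maintainer roster and reports violations. The roster, the email addresses, the fingerprints and the log lines below are constructed for illustration.

```python
import subprocess
from collections import namedtuple
# git's %G? signature status codes (git-log(1)): G good, U good but untrusted key,
# X/Y good but expired signature/key, R good but revoked key, B bad,
# E cannot check (e.g. public key missing), N no signature.
# severity: "error" = maintainer policy violated, "warning" = recommendation unmet.
Finding = namedtuple("Finding", "commit email status severity reason")

def audit(log_lines, maintainers):
    """Maintainer commits need a good (G) signature from a registered key; others only warn."""
    findings = []
    for line in log_lines:
        if not line.strip():
            continue
        commit, email, status, fpr = (line.rstrip("\n").split("\t") + [""] * 4)[:4]
        if email in maintainers:
            if status == "G" and fpr in maintainers[email]:
                continue
            if status == "G":
                reason = f"good signature, but key {fpr} is not registered for {email}"
            else:
                reason = f"maintainer commit is not verifiably signed (status {status})"
            findings.append(Finding(commit, email, status, "error", reason))
        elif status != "G":
            findings.append(Finding(commit, email, status, "warning",
                                    f"contributor commit not verifiably signed (status {status})"))
    return findings

def git_log_lines(rev_range, repo="."):
    """Produce audit() input: one tab-separated line per commit in rev_range."""
    fmt = "--format=%H%x09%ae%x09%G?%x09%GF"
    out = subprocess.run(["git", "-C", repo, "log", fmt, rev_range],
                         check=True, capture_output=True, text=True)
    return out.stdout.splitlines()

def release_tag_is_signed(tag, repo="."):
    """True if `git verify-tag` accepts the tag's signature (release tag check)."""
    return subprocess.run(["git", "-C", repo, "verify-tag", tag],
                          capture_output=True).returncode == 0

# Constructed sample data (hypothetical roster and fake git log output, with
# shortened fingerprints); not taken from any real repository.
MAINTAINERS = {"alice@example.org": {"1111AAAA2222BBBB"},
               "bob@example.org": {"6666FFFF77770000"}}
SAMPLE_LOG = [
    "a1b2c3d4e5f60718\talice@example.org\tG\t1111AAAA2222BBBB",  # compliant
    "d4e5f6a7b8c90123\tbob@example.org\tN\t",                    # unsigned maintainer commit
    "0a1b2c3d4e5f6071\tbob@example.org\tG\tDEADBEEFDEADBEEF",    # signed with unregistered key
    "3c4d5e6f70819203\tcarol@example.net\tN\t",                  # unsigned contributor commit
    "9f8e7d6c5b4a3928\tcarol@example.net\tU\tCAFE0000CAFE0000",  # valid but untrusted key
]
```

Run it against a real branch with `audit(git_log_lines("origin/master..HEAD"), MAINTAINERS)` in CI; a non-empty list of "error" findings is the enforcement signal, while the GitHub-side "require signed commits" branch setting only checks that a signature exists, not whose key made it.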