SECURITY.md updates and ownership #8455
Conversation
SECURITY.md
Outdated
| @@ -2,7 +2,7 @@ | |||
|
|
|||
| ## Supported Versions | |||
|
|
|||
| The current `master` and `release-pismo` branches are supported with security updates. | |||
| The current `master` and latest `agoric-upgrade-*` branches are supported with security updates. | |||
There was a problem hiding this comment.
I'm not sure what the correct descriptor should be, should we include latest and pre-release tagged releases in https://github.com/Agoric/agoric-sdk/releases ?
There was a problem hiding this comment.
Branch of that shape is definitely not correct, it should be agoric-upgrade-* tags, but as you mention without restrictions it would include outdated releases that may have known issues. Maybe something like
The current
masterbranch and theagoric-upgrade-*tags corresponding to the latest release and pre-release versions.
PS: We do have release-* branches, but those are mostly to stage the creation of these release tags, and may similarly become outdated like release-pismo now is.
CODEOWNERS
Outdated
| @@ -0,0 +1 @@ | |||
| SECURITY.md @Agoric/sec | |||
There was a problem hiding this comment.
GH seem to be complaining about this
There was a problem hiding this comment.
The permission changes are pending. This group needs write access to repo which will be done before merging.
SECURITY.md
Outdated
| @@ -2,7 +2,7 @@ | |||
|
|
|||
| ## Supported Versions | |||
|
|
|||
| The current `master` and `release-pismo` branches are supported with security updates. | |||
| The current `master` and latest `agoric-upgrade-*` branches are supported with security updates. | |||
There was a problem hiding this comment.
Branch of that shape is definitely not correct, it should be agoric-upgrade-* tags, but as you mention without restrictions it would include outdated releases that may have known issues. Maybe something like
The current
masterbranch and theagoric-upgrade-*tags corresponding to the latest release and pre-release versions.
PS: We do have release-* branches, but those are mostly to stage the creation of these release tags, and may similarly become outdated like release-pismo now is.
raphdev
force-pushed
the
raph/secmd-owners
branch
from
ba45bd1
to
d77f8ca
Compare
CODEOWNERS
Outdated
| @@ -0,0 +1 @@ | |||
| SECURITY.md @Agoric/security | |||
| @@ -2,7 +2,7 @@ | |||
|
|
|||
| ## Supported Versions | |||
|
|
|||
| The current `master` and `release-pismo` branches are supported with security updates. | |||
| The current `master` and only the latest `agoric-upgrade-*` tagged release and pre-release are supported with security updates. | |||
There was a problem hiding this comment.
Note: I don't expect us to ever have a latest pre-release tag that is older (aka ancestor commit) than the latest release tag, so this works, but it initially worried me about opening ourselves to reports on outdated pre-release tags. More precisely, given our release process, the latest pre-release tag should always be the same revision as the latest release tag, or newer when we're about to release an upgrade.
raphdev
force-pushed
the
raph/secmd-owners
branch
from
d77f8ca
to
f712893
Compare
raphdev
added
automerge:rebase
closes: #8171
Description
This PR makes revisions to
SECURITY.mdto reflect currently supported versions.We also add a
CODEOWNERSfile and makeSECURITY.mdowned by the security team (@Agoric/sec). Since the team is ultimately accountable for the expectations set in this doc, we want to make sure modifications are reviewed by security for awareness and input.