Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CONTRIBUTING: Lead off with the security section #57

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 20 additions & 14 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
@@ -1,14 +1,20 @@
# Contribution Guidelines

Development happens on GitHub.
Issues are used for bugs and actionable items and longer discussions can happen on the [mailing list](#mailing-list).
## Security issues

The content of this repository is licensed under the [Apache License, Version 2.0](LICENSE).
If you are reporting a security issue, *do not* create an issue or file a pull request on GitHub.
Instead, disclose the issue responsibly by sending an email to [security@opencontainers.org](mailto:security@opencontainers.org) (which is inhabited only by the maintainers of the various OCI projects).

## Code of Conduct

Participation in the Open Container community is governed by [Open Container Code of Conduct][code-of-conduct].

## Discussion

Development happens on GitHub.
Issues are used for non-security bugs and actionable items; longer discussions can happen on the [mailing list](#mailing-list).
Responsible disclosure for security issues is discussed [above](#security-issues).

## Meetings

The contributors and maintainers of all OCI projects have monthly meetings at 2:00 PM (USA Pacific) on the first Wednesday of every month.
Expand All @@ -20,25 +26,24 @@ Minutes from past meetings are archived [here][minutes].
## Mailing list

You can subscribe and browse the mailing list on [Google Groups][mailing-list].
Responsible disclosure for security issues is discussed [above](#security-issues).
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think you need to repeat this sentence in every section. Just expand the opening line to say "do not create an issue, file a pull request, send a public message on the mailing list or IRC, or discuss it in the monthly meeting".

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think you need to repeat this sentence in every section.

Right, that's:

If we are confident that readers interested in submitting a security issue will not start at a mid-document anchor without reading the beginning of this file, we could drop some or all of these back-refs.

from my initial post. Are you confident that folks with a security issue will notice the opening section of this file, even if they find it via a .../CONTRIBUTING.md#mailing-list link (for example)? You could also make this argument more narrowly, and say something like:

We don't need a back-ref from the mailing list section. Both it and the following IRC section are short, so even a hasty mailing-list-section skimmer is likely to notice the IRC-section back-ref.

But I'm fine droping whichever back-refs folks want me to drop. Do you want me to drop all of them? Or just from a few sections? Or maybe we can get a security ref that sticks to the top of the browser window (something like this if GitHub won't strip that out).

Copy link
Contributor Author

@wking wking Apr 12, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or maybe we can get a security ref that sticks to the top of the browser window (something like this if GitHub won't strip that out).

This is a no-go, because GitHub strips style attributes.


## IRC

OCI discussion happens on #opencontainers on [Freenode][] ([logs][irc-logs]).
Non-security OCI discussion happens on #opencontainers on [Freenode][] ([logs][irc-logs]).
Responsible disclosure for security issues is discussed [above](#security-issues).

## Git

### Security issues

If you are reporting a security issue, do not create an issue or file a pull
request on GitHub. Instead, disclose the issue responsibly by sending an email
to security@opencontainers.org (which is inhabited only by the maintainers of
the various OCI projects).
The content of this repository is licensed under the [Apache License, Version 2.0](LICENSE).

### Pull requests are always welcome

We are always thrilled to receive pull requests, and do our best to
process them as fast as possible. Not sure if that typo is worth a pull
request? Do it! We will appreciate it.
We are always thrilled to receive pull requests for non-security changes, and do our best to process them as fast as possible.
Not sure if that typo is worth a pull request?
Do it!
We will appreciate it.
Responsible disclosure for security issues is discussed [above](#security-issues).

If your pull request is not accepted on the first try, don't be
discouraged! If there's a problem with the implementation, hopefully you
Expand All @@ -51,8 +56,9 @@ incorporating a new feature.
### Conventions

Fork the repo and make changes on your fork in a feature branch.
For larger bugs and enhancements, consider filing a leader issue or mailing-list thread for discussion that is independent of the implementation.
For larger non-security bugs and enhancements, consider filing a leader issue or mailing-list thread for discussion that is independent of the implementation.
Small changes or changes that have been discussed on the [project mailing list](#mailing-list) may be submitted without a leader issue.
Responsible disclosure for security issues is discussed [above](#security-issues).

If the project has a test suite, submit unit tests for your changes. Take a
look at existing tests for inspiration. Run the full test suite on your branch
Expand Down