SECURITY_CONTACTS contact information

[tallclair]

SECURITY_CONTACTS files currently use github user names, but github doesn't have private messaging, and users don't always have public email addresses.

We need a better solution, so that the PSC is able to reach out to the security contacts through a private channel. A few ideas include:

1. deprecate SECURITY_CONTACTS, and adopt github's new security advisory functionality
2. maintain a private contact information database for security contacts (bleh)
3. Just require email addresses in addition to github user IDs

/help

[k8s-ci-robot]

@tallclair:
This request has been marked as needing help from a contributor.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

Details

In response to this:

SECURITY_CONTACTS files currently use github user names, but github doesn't have private messaging, and users don't always have public email addresses.

We need a better solution, so that the PSC is able to reach out to the security contacts through a private channel. A few ideas include:

1. deprecate SECURITY_CONTACTS, and adopt github's new security advisory functionality
2. maintain a private contact information database for security contacts (bleh)
3. Just require email addresses in addition to github user IDs

/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[tallclair]

/remove-lifecycle stale

Updated proposal:

1. Migrate SECURITY_CONTACTS to SECURITY.md, with a templated security policy
2. Security policy should include the security contacts, with both github user ID, email ID, and slack ID (email/slack optional, email strongly encouraged)

[fejta-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

[tallclair]

/remove-lifecycle stale

[BenTheElder]

+1 #56 (comment)
What blocks us from moving on this?

[tallclair]

@BenTheElder Nothing (just someone to do the work), except for the concerns raised in the discussion thread about confusing the intent of security contacts.

xref: kubernetes/kubernetes-template-project#35

[BenTheElder]

Thanks! I agree that the current concept is confusing. Will think on the easy access to email issue as well (just caught up on the thread).

…

On Thu, Jul 23, 2020 at 1:54 PM Tim Allclair ***@***.***> wrote: @BenTheElder <https://github.com/BenTheElder> Nothing (just someone to do the work), except for the concerns raised in the discussion thread <https://groups.google.com/d/msg/kubernetes-sig-architecture/0MUJBDGf3jg/wYrr8i1tBQAJ> about confusing the intent of security contacts. xref: kubernetes/kubernetes-template-project#35 <kubernetes/kubernetes-template-project#35> — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#56 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAHADKY5EOU5LVRMSM63PB3R5CPRPANCNFSM4JNSBF4Q> .