opentf/TSC/2024-10-01_NOTES.md
Christian Mesh 59d24390b7 OpenTofu Charter and Governance (#2830)
Signed-off-by: Christian Mesh <christianmesh1@gmail.com>
Co-authored-by: Arel Rabinowitz <arel.rabinowitz@env0.com>
Co-authored-by: Igor Savchenko <igor@scalr.com>
Co-authored-by: James Humphries <jamesh@spacelift.io>
Co-authored-by: Roger Simms <roger.simms@harness.io>
Co-authored-by: Zach Goldberg <zach@gruntwork.io>
Co-authored-by: Scott Nicholas <snicholas@linuxfoundation.org>
Co-authored-by: James Humphries <James@james-humphries.co.uk>
2025-05-23 08:18:56 -04:00

2024-10-01

Attendees

Agenda

Static Evaluation Sensitivity Bug

  • Christian: I'm working on a draft to report a security issue with static evaluation of variables.
    • It can lead to variables marked sensitive being exposed, due to the fact that static evaluation of sensitive variables in module sources, versions, etc. might result in sensitive values being written to disk.
    • What is the best way to tackle breaking this behavior? Should it be removed in a patch release?
  • Igor: This is an issue, but breaking behavior in a patch release is not ideal.
    • It might be best to fix it in a minor release.
    • There's risk that some users consider a breaking change like this really surprising.
  • Yousif: I agree with Igor. The behavior should be addressed in a minor release.
    • In the interim, would it be possible to emit a warning when users are using sensitive variables in contexts that might expose them?
    • Users could then be made aware of the issue and take steps to mitigate it before the fix is released.
    • We could also consider adding a flag to opt-in to allowing sensitive variables in these contexts.
  • Christian: I'll look into adding a warning, but I'm not sure there's a sensible reason to use sensitive variables in these contexts.
  • Igor: Many community members asked for this functionality to be able to include tokens for fetching private modules.
    • They'll rely on the ability to use sensitive variables in contexts where they might be exposed in .terraform.lock.hcl files.
  • Christian: That's a good point. Users might need a mechanism to opt-in to existing behavior.
    • I'll report this issue, then communicate the plan to address it with a warning in a patch, and fix it in a minor release.
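An added check, not code from the OpenTofu project, for the exposure Christian describes: it reads which variables are declared `sensitive = true`, takes their values from a tfvars file, and reports any on-disk artifact that contains one of them. The sample files are constructed, and the module manifest path `.terraform/modules/modules.json` is an assumption about where a module source string ends up after init.

```python
import json
import re

# Constructed sample inputs: a variables.tf with one sensitive variable, a
# tfvars file supplying values, and the artifacts a working directory might
# hold after init (manifest path and contents are assumptions for the example).
VARIABLES_TF = '''
variable "git_token" {
  type      = string
  sensitive = true
}
variable "region" {
  type = string
}
'''
TFVARS = '''
git_token = "ghp_constructedExampleToken123"
region    = "eu-west-1"
'''
ARTIFACTS = {
    ".terraform/modules/modules.json": json.dumps({"Modules": [{
        "Key": "vpc", "Dir": ".terraform/modules/vpc",
        "Source": "git::https://oauth2:ghp_constructedExampleToken123@example.com/org/vpc.git",
    }]}),
    ".terraform.lock.hcl": 'provider "registry.opentofu.org/hashicorp/aws" {\n  version = "5.0.0"\n}\n',
}

VAR_BLOCK = re.compile(r'variable\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
TFVAR_LINE = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*=\s*"([^"]*)"', re.M)

def sensitive_variables(variables_tf):
    """Names of variables whose block sets sensitive = true."""
    return {name for name, body in VAR_BLOCK.findall(variables_tf)
            if re.search(r'sensitive\s*=\s*true', body)}

def variable_values(tfvars):
    """Quoted string assignments from a tfvars file (scalars only)."""
    return dict(TFVAR_LINE.findall(tfvars))

def find_leaks(variables_tf, tfvars, artifacts):
    """Return (artifact path, variable name) for each sensitive value found on disk."""
    values = variable_values(tfvars)
    leaks = []
    for name in sorted(sensitive_variables(variables_tf)):
        secret = values.get(name)
        if secret:
            leaks.extend((path, name) for path, content in artifacts.items() if secret in content)
    return leaks
```

Run it against a real working directory by reading the artifact files into the dict; the region value is not flagged because it is not declared sensitive.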

OpenTofu Registry Policy

This topic is complex, and the committee is working to finalize a policy that will be acceptable to all parties.

To avoid harassment of any committee members, the comments made by individual members will not be attributed to them in the minutes.

It was discussed that the policy should be clear on what the OpenTofu Steering Committee must do by law, and how much flexibility the committee has in making decisions.

The committee agreed to revisit the topic in the following meeting.