Signed-off-by: Christian Mesh <christianmesh1@gmail.com>
Co-authored-by: Arel Rabinowitz <arel.rabinowitz@env0.com>
Co-authored-by: Igor Savchenko <igor@scalr.com>
Co-authored-by: James Humphries <jamesh@spacelift.io>
Co-authored-by: Roger Simms <roger.simms@harness.io>
Co-authored-by: Zach Goldberg <zach@gruntwork.io>
Co-authored-by: Scott Nicholas <snicholas@linuxfoundation.org>
Co-authored-by: James Humphries <James@james-humphries.co.uk>
2024-01-22 (async)
Attendees
- n/a; we discussed directly in Notion.
Agenda
- How many historic releases we support
- Context: HashiCorp’s approach is to ship patches for the most recent major release (in their terminology, a change to X or Y in X.Y.Z counts as a major release), as well as for up to two prior ones. This means there are three supported releases at any given point in time.
- Discussion
We discussed 3 options:
- One release. Only do patches for the most recent major release. So we are only supporting one release at any given point in time.
- Two releases. Only do patches for the most recent major release and the one before it. So we are only supporting two releases at any given point in time.
- Three releases. Stick with HashiCorp’s approach: patches for the most recent major release, as well as up to two prior ones. So we support up to three releases at any given point in time.
- Vote: unanimous for option 3.
- Certifications
- Context: A prominent community member asked us to provide some sort of certification they can use to prove that we take security seriously.
- Discussion
We discussed the following non-exclusive options:
- SOC 2 / ISO 27001. Try to achieve these official certifications. It is not clear how to do this for an open source organization, though.
- Code audit. Perform an external code / security audit on the codebase.
- Security scanning tools. Install a variety of security scanning tools on the codebase, e.g., Snyk, Dependabot, Go Report Card, etc.
- Security disclosure process. Ensure we have a clear, well-defined, written process for (a) community members to disclose vulnerabilities to us, (b) us to escalate those and resolve them quickly, and (c) us to notify the rest of the community and roll out the patches.
- Vote: unanimous for security scanning tools and the security disclosure process. One vote (Yevgeniy Brikman) for the code audit.
- Follow-up: Spacelift's Head of Security investigated certification and code audit; we will have him present his findings to the TSC at one of the following meetings.