[Assessment] Argo
Project Name: Argo
Github URL: https://github.com/argoproj
https://github.com/cncf/toc/pull/299 (Incubation)
https://github.com/cncf/toc/pull/604 (Graduation - in process)
Self Assessments: Argo CD, Argo Rollouts, Argo Workflows, Argo Events
Security Provider: No
- [x] Identify team
- [x] Project security lead - @jannfis
- [x] Project assessment facilitator - @IAXES
- [x] Lead security reviewer @jlk @IAXES
- [x] 1 or more additional reviewer(s) @apmarshall @moswil @hyakuhei @nadgowdas @ashutosh-narkar
- [x] Every reviewer has read security reviewer guidelines and stated declaration of conflict
- [x] Sign off by 2 chairs on reviewer conflicts - @lumjjb no need for 2 chairs since no reviewer conflicts
- [x] Create Slack channel (#sec-assessment-argo)
Argo CD
- [x] "Naive question phase" Lead Security Reviewer asks clarifying questions
- [x] Assign issue to security reviewers
- [x] Initial review
Argo Workflows
- [x] "Naive question phase" Lead Security Reviewer asks clarifying questions
- [x] Assign issue to security reviewers
- [x] Initial review
Argo Rollouts
- [x] "Naive question phase" Lead Security Reviewer asks clarifying questions
- [x] Assign issue to security reviewers
- [x] Initial review
Argo Events
- [x] "Naive question phase" Lead Security Reviewer asks clarifying questions
- [x] Assign issue to security reviewers
- [x] Initial review
Joint Review
- [ ] Project lead provides draft document - see outline
- [ ] Share draft findings with project
- [ ] Presentation & discussion
- [ ] Assessment summary and doc checked into /assessments/projects/project-name (require at least 1 co-chair approval)
- [ ] CNCF TOC presentation (if requested by TOC)
👍 from Red Hat.
Thanks for opening this issue up! We will process this when we have our intake prioritization review, which should be soon. But it looks likely to be scheduled after the Cloud Custodian review, which will be about the Sep/Oct timeframe!
@ashutosh-narkar @IAXES
Good day @hblixt, @sbose78;
If we have any questions with respect to the self-assessment (and associated documentation), should I reach out to both of you (i.e. via the CNCF Slack instance or this ticket), or are there additional team members we should include?
I've gone ahead and created a dedicated channel, sec-assessment-argo, although it won't be actively used until the assessment commences in the timeframe @lumjjb noted above.
Good to meet you!
I'd be open to leading this one.
Interested in helping on this.
Interested in helping on this.
Thanks for your interest in being part of the review team. It would be great if y'all and any other folks interested in being part of the review team state their conflict of interest. Thanks!
Here's me:
Conflict of interest statement template:
| Hard Conflicts | Y/N |
|---|---|
| Reviewer is currently a maintainer of the project | N |
| Reviewer is direct report of/to a current maintainer of the project | N |
| Reviewer is paid to work on the project | N |
| Reviewer has significant financial interest directly tied to the success of the project | N |

| Soft Conflicts | Y/N |
|---|---|
| Reviewer belongs to the same company/organization of the project, but does not work on the project | (Does CNCF count?) |
| Reviewer uses the project in their work | N |
| Reviewer has contributed to the project | N |
| Reviewer has a personal stake in the project (personal relationships, etc.) | N |
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
- Matthew
@IAXES Greetings!
Could you please include @jannfis (Jann Fischer, Red Hat) in your list of primary folks to reach out to.
Hey, happy to support this from the Argo CD side :+1:
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO - but my previous employer did an integration w/ Argo. I was not involved.
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
Good day,
Just a heads-up to the Argo team and their reps: I'm aiming to start assembling reviewers mid-September. I expect it to be a busy time with Kubecon approaching in October.
In case anyone hasn't already joined: I'll be using the Slack channel as the primary means of communication (https://cloud-native.slack.com/archives/C029KLSQBD2). I have also put together a private Google group (i.e. mailing list) as a fallback means of communication (typically everything is done through Slack, but if we need to schedule a meeting on short notice through a tool like Doodle, for example, I'll make a point of mentioning it both via Slack and the mailing list). The mailing list will be posted in the Slack channel and anyone that wants to join just needs to ping me via Slack.
Have a great week!
Interested to help.
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO - but my previous employer did an integration w/ Argo. I was not involved.
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
I'm super happy to help with the review.
+CC: @ashutosh-narkar @lumjjb @rficcaglia
Good day everyone,
Hope KubeCon went well for everyone! Calling out for security reviewers and security review leads for the Argo assessment. I'll also forward this to Brandon and Ash to relay during our Wednesday meeting (I'm unfortunately unable to attend said meetings at the moment due to a recurring scheduling conflict).
Good day,
Here's the dedicated Slack channel for the assessment: #sec-assessment-argo (https://cloud-native.slack.com/archives/C029KLSQBD2). Could everyone that plans to take part in the assessment (i.e. security assessors, security assessment lead, etc.) please register with Slack (if not already registered) and join this channel?
- Have conflict of interest disclosure and added to Slack channel:
  - @jlk @apmarshall
- Have conflict of interest disclosure; still needs to join Slack channel:
  - @moswil
- Added to Slack channel; still needs to submit conflict of interest disclosure in this GitHub issue:
  - @nadgowdas
- Need the conflict of interest disclosure and to join the Slack channel:
  - @hyakuhei
Once we've wrapped up the COI disclosures and have everyone added to the Slack channel, we can set up some last-minute details (i.e. any additional contact details needed, how meetings will be scheduled, etc.), and we can get this underway.
Thank you to our security assessors and leads!
Edit: reviewers also need to go over this document prior to concluding the COI signoff/disclosure: https://github.com/cncf/tag-security/blob/main/assessments/guide/security-reviewer.md
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO - but my previous employer did an integration w/ Argo. I was not involved.
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO - but my previous employer did an integration w/ Argo. I was not involved.
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
Thanks everyone! Updating the list:
- Have conflict of interest disclosure and added to Slack channel:
  - @jlk @apmarshall @nadgowdas
- Have conflict of interest disclosure; still needs to join Slack channel:
  - @moswil
- Need the conflict of interest disclosure and to join the Slack channel:
  - @hyakuhei
@moswil When time permits, could you please join the #sec-assessment-argo channel in Slack? We'll use it for a lot of correspondence going forward.
Now to get things in motion: @jlk @apmarshall @nadgowdas @moswil Is there any preference for a live meeting (i.e. I throw together a Doodle invite to see if I can find a good meeting time to set up the team structure, depending on everyone's time zones and schedules), or shall we just proceed asynchronously via Slack? Once that's in place, the security lead plus security reviewers can take over from there. :)
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO - I'm sure someone somewhere in Amazon might use it, but I have no knowledge of such use and am not influenced by it.
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
Chair approval for @jlk to co-lead with @IAXES :+1:
Chair sign-off for conflict of interest.
For those not watching Slack - we're doing the first call for the group this Thursday at 7AM Pacific Time.
Setting up a sync-up meeting for 07:00 - 08:00 PST, Thursday Jan. 13th. We can wrap up the naive question ("NQ") phase rapidly (i.e. if there's anything not already covered in the GitHub comments on the review), and then slice up the 4x sub-reviews and get those done.
Good day,
Pinging to confirm who will still be able to join in the review (i.e. in case Slack notification emails end up being spam-filtered).
Cheers.
I'd like to help as a shadow reviewer.
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO
Hey team,
Unfortunately I'm not going to be able to contribute to this effort.
-Rob
No worries, @hyakuhei. Next time!
I have never reviewed before, but I wanted to sign up to be a shadow reviewer.
Hard conflicts:
Reviewer is a maintainer of the project - NO
Reviewer is a direct report of/to a maintainer of the project - NO
Reviewer is paid to work on the project - NO
Reviewer has significant financial interest directly tied to success of the project - NO
Soft conflicts:
Reviewer belongs to the same company/organization of the project, but does not work on the project - NO
Reviewer uses the project in his/her work - NO
Reviewer has contributed to the project. - NO
Reviewer has a personal stake in the project (personal relationships, etc.) - NO