
proposal: triage alerts at severity "high"

Open lucasgonze opened this issue 1 year ago • 4 comments

Update

After the August 12 TSC discussion, I am rewriting the proposal as follows. Note that performing this rewrite clears the votes on the earlier proposal, so that votes prior to Aug 19 2024 are cleared.

Problem

There are too many Dependabot alerts with high severity. We have to find the resources to get them under control.

Solution

To get started on this problem I will work through the alerts for necessary security patches:

  1. Merge any pull requests that don't break the build or any test
  2. Identify and dismiss false positives
  3. Implement upstream patches when feasible
  4. Analyze dependency paths to CVEs and manually update packages as necessary

I will work on this for four calendar weeks.

Non-goals

This work is time-boxed. I am not promising to cover every alert.

This work excludes patching Magma source code. In places where an upgrade requires changes to, for example, React code, that is out of scope.

Bid

I am asking for $5,000 to complete this work.

This deliverable is time-boxed. It is one month best-effort labor. I assume an extra month for billing work. The acceptance criterion is believing that I did a credible job within the time limit.

As many alerts as possible will be triaged. I will either merge a PR, create a PR, write a well-researched ticket and help engineering get underway, or dismiss the item as a false positive.

Note that I am submitting this bid as the first party, under my own name, and not via OSPOCO.

lucasgonze avatar Aug 02 '24 15:08 lucasgonze
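The four triage steps in the proposal (merge passing Dependabot PRs, dismiss false positives, fall back to upstream patches, and otherwise trace the dependency path to the vulnerable package and bump it by hand) can be scripted as a first pass. The following is an added example, not code from the proposal or from the Magma project. It assumes alert records shaped like the GitHub REST API's Dependabot alerts response (`number`, `security_advisory`, `security_vulnerability.first_patched_version`, `dependency.package.name`), a dependency graph as an adjacency map you would derive from the repository lockfile, and a map of open Dependabot PRs with their check status; all package names, CVE ids and PR numbers below are constructed placeholders.

```python
"""First-pass Dependabot triage (added example, not Magma's tooling).

Assumed input shapes (constructed for this example):
  alert  -> subset of GitHub's GET /repos/{owner}/{repo}/dependabot/alerts JSON
  graph  -> {package: [direct dependencies]} derived from a lockfile
  prs    -> {alert number: {"number": pr number, "checks_pass": bool}}
"""

# Constructed sample alerts; CVE ids and package names are placeholders.
SAMPLE_ALERTS = [
    {"number": 101, "security_advisory": {"cve_id": "CVE-0000-0001", "severity": "high"},
     "security_vulnerability": {"first_patched_version": {"identifier": "3.0.3"}},
     "dependency": {"package": {"name": "glob-matcher"}}},
    {"number": 102, "security_advisory": {"cve_id": "CVE-0000-0002", "severity": "high"},
     "security_vulnerability": {"first_patched_version": {"identifier": "2.1.0"}},
     "dependency": {"package": {"name": "legacy-test-tool"}}},
    {"number": 103, "security_advisory": {"cve_id": "CVE-0000-0003", "severity": "high"},
     "security_vulnerability": {"first_patched_version": None},
     "dependency": {"package": {"name": "querystring-lib"}}},
    {"number": 104, "security_advisory": {"cve_id": "CVE-0000-0004", "severity": "high"},
     "security_vulnerability": {"first_patched_version": {"identifier": "4.17.21"}},
     "dependency": {"package": {"name": "utils-lib"}}},
    {"number": 105, "security_advisory": {"cve_id": "CVE-0000-0005", "severity": "medium"},
     "security_vulnerability": {"first_patched_version": {"identifier": "1.2.0"}},
     "dependency": {"package": {"name": "utils-lib"}}},
]

# Constructed production dependency graph rooted at "webapp".
# "legacy-test-tool" is deliberately unreachable (e.g. a stale dev-only entry).
SAMPLE_GRAPH = {
    "webapp": ["ui-toolkit", "http-server", "utils-lib"],
    "ui-toolkit": ["bundler"],
    "bundler": ["glob-matcher"],
    "glob-matcher": [],
    "http-server": ["body-parser-lib", "querystring-lib"],
    "body-parser-lib": ["querystring-lib"],
    "querystring-lib": [],
    "utils-lib": [],
}

# Constructed map of open Dependabot PRs keyed by alert number.
SAMPLE_PRS = {
    101: {"number": 501, "checks_pass": True},
    104: {"number": 502, "checks_pass": False},
}


def dependency_paths(graph, root, target):
    """Return every simple path root -> ... -> target (depth-first, cycle-safe)."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(path)
            return
        for child in graph.get(node, []):
            if child not in path:  # skip cycles
                walk(child, path + [child])

    walk(root, [root])
    return paths


def triage(alert, graph, root, prs):
    """Map one alert to the proposal's four actions, cheapest first."""
    pkg = alert["dependency"]["package"]["name"]
    patched = alert["security_vulnerability"]["first_patched_version"]
    paths = dependency_paths(graph, root, pkg)
    result = {"number": alert["number"], "package": pkg, "paths": paths}
    pr = prs.get(alert["number"])
    if pr and pr["checks_pass"]:
        # Step 1: a Dependabot PR exists and the build/tests are green.
        return {**result, "action": "merge-pr", "pr": pr["number"]}
    if not paths:
        # Step 2: the package is not in the production tree; candidate for
        # dismissal as a false positive (GitHub reason "not_used"). Confirm by hand.
        return {**result, "action": "dismiss-candidate", "reason": "not_used"}
    if patched is None:
        # Step 3: no fixed release; an upstream or vendored patch is the only route.
        return {**result, "action": "upstream-patch"}
    # Step 4: bump the direct dependency at the head of each path to the fixed version.
    return {**result, "action": "manual-update",
            "bump": sorted({p[1] for p in paths}), "target_version": patched["identifier"]}


def triage_all(alerts, graph, root, prs, severity="high"):
    """Triage every alert at the given severity; returns {alert number: result}."""
    return {a["number"]: triage(a, graph, root, prs)
            for a in alerts if a["security_advisory"]["severity"] == severity}


if __name__ == "__main__":
    for number, r in sorted(triage_all(SAMPLE_ALERTS, SAMPLE_GRAPH, "webapp", SAMPLE_PRS).items()):
        print(number, r["package"], r["action"], [" > ".join(p) for p in r["paths"]])
```

The order of checks matters: a green Dependabot PR is always the cheapest outcome, an unreachable package is only a dismissal candidate until someone confirms the lockfile and the graph agree, and the "manual-update" result lists the direct dependency to bump rather than the transitive one, which is what a hand-written update actually changes.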

Motion: @lucasgonze Seconded: @jordanvrtanoski +1: TBD

More details are requested.

@jim and Som raise a flag on both the gross amount and the budget - would the money be better spent elsewhere.

lucasgonze avatar Aug 12 '24 15:08 lucasgonze

The proposal has been rewritten. The following is the original proposal.

ORIGINAL BID

Problem

Dependabot severe alerts are up to 78. We have to get them under control.

Solution

To get started on this problem I will work through the alerts for necessary security patches:

  1. Merge any pull requests that don't break the build or any test
  2. Identify and dismiss false positives
  3. Implement upstream patches when feasible
  4. Analyze dependency paths to CVEs and manually update packages as necessary

Non-goals

This work excludes patching Magma source code. In places where an upgrade requires changes to, for example, React code, that is out of scope.

Bid

I am asking for $10,000 to complete this work, using the completed proposal for severity "critical" alerts as a yardstick.

Note that I am submitting this bid as the first party, under my own name, and not via OSPOCO.

Acceptance:

  • No upgrades at severity Severe will be untriaged. I will either merge a PR, create a PR, write a well-researched ticket and help engineering get underway, or dismiss the item as a false positive.

lucasgonze avatar Aug 13 '24 14:08 lucasgonze

Motion: @Som-BARNS Second: @lucasgonze

lucasgonze avatar Aug 19 '24 15:08 lucasgonze

+1

jordanvrtanoski avatar Aug 22 '24 18:08 jordanvrtanoski

I started working on this and did a fair amount of work, but did it in the master branch, which is no longer viable. I think this is probably stale until we get master and 1.9 merged and master to a functional state. Blocked on https://github.com/magma/magma/issues/15573

lucasgonze avatar Nov 27 '24 21:11 lucasgonze

https://github.com/magma/magma/issues/15589 is the fix

lucasgonze avatar Dec 16 '24 16:12 lucasgonze