Versions Compared

Old Version 47

changes.mady.by.user David Boswell

Saved on

compared with

New Version 48

changes.mady.by.user David Enyeart

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Provide named security contacts per project (at least two contacts)

  • Define security issue reporting process in SECURITY.md with reference to Hyperledger reporting process

  • Review, respond, and act on reported security vulnerabilities

  • Follow security issue disclosure process - see Disclosure task force

  • Leverage automated scans, tooling depends on language but usually includes some combination of:

    • linters

    • Software Composition Analysis dependency scans, e.g. Dependabot, Govulncheck 

    • Static Application Security Testing (SAST) aka static analysis scans, e.g. CodeQL, Snyk

  • Pin dependencies and keep dependencies up to date,  e.g. using Dependabot, although be wary of auto-upgrades and look for malware.

  • Engage with Hyperledger staff on possibility of security audits for Graduated project major releases, address audit results and socialize

  • Review OpenSSF secure developer guide and OpenSSF overview presentation to TOC (charts, replay)

  • Review and obtain OpenSSF Best Practices Badge - criteria

  • Sign release artifacts (TBD) - see proposed Security Artifact Signing task force

...

  • User guide including Getting Started / Tutorial

  • Project developer guide including coding guidelines, build instructions, test instructions

  • Application developer guide

  • Recommended documentation platform?


Project management

  • Maintain a written project roadmap
  • Create, clarify, and label issues in Github for contributors
  • Review, triage, comment on, and close Github issues


Releases

  • Follow an established Release taxonomy - either SemVer or CalVer

  • Document release strategy, release process, branch strategy (one branch per major.minor release works well so that it can be maintained in isolation with major.minor.patch releases)

  • Document Long-term support (LTS) release strategy - example https://github.com/hyperledger/fabric-rfcs/blob/main/text/0005-lts-release-strategy.md

  • Use Github actions to automate release process, e.g. publish artifacts and release notes upon drafting a GitHub release

  • Release artifacts - attached to GitHub release, docker images in GitHub Packages versus Dockerhub?

...