Open smoya opened 3 years ago
This is just to raise awareness of some of the security issues.
After looking more into the security requirements they have, it is gonna be seriously hard to pull off. I used these guidelines to suggest the process here: https://github.com/asyncapi/community/issues/32#issuecomment-871500759
Just for the Passing level, we need to fulfill the following:
There MUST be no unpatched vulnerabilities of medium or higher severity that have been publicly known for more than 60 days. [vulnerabilities_fixed_60_days] Projects SHOULD fix all critical vulnerabilities rapidly after they are reported. [vulnerabilities_critical_fixed]
As it varies a lot how active maintainers are, this will be almost impossible. For the other two levels, there are also points that are gonna be difficult to pull off, as we can't 100% control the process.
I think I am gonna try to take a swing at this issue, if it is decided we want to invest time in this.
@derberg how do I propose this for TSC?
I believe it must be done the same way as with code coverage. First, do it for one repo and check out how it went, what was missing, etc. Then we introduce it to the TSC so all codeowners follow it in their repos, voting style.
Started going through it for Modelina, to achieve Passing level - https://bestpractices.coreinfrastructure.org/en/projects/5279
The following steps are still missing:
Reason/Context
All projects from the AsyncAPI Initiative are licensed as Open Source Software; in particular, the Apache 2.0 license is used by default for new projects.
In an effort to offer high-quality software, not just in terms of code but also in terms of security, transparency, and accessibility, and in alignment with our vision "The AsyncAPI community grows 400%" stated here, we (may) want to adopt the Linux Foundation Core Infrastructure Initiative Best Practices. It also sounds ideal after our announcement made here about AsyncAPI joining a foundation.
Some context:
There are different badges for the different criteria levels a project can achieve. Ordered from the most permissive to the most restrictive:
Description
Even though we may want to achieve the Gold level, the Passing and Silver criteria levels should be achieved first. That's perfect for splitting this task into smaller actionables so we can adopt each level iteratively.
At least one GH issue should be created per level so we can properly track progress in isolation. We can list them right here: