open-quantum-safe / oqs-provider

OpenSSL 3 provider containing post-quantum algorithms
https://openquantumsafe.org
MIT License

Do project self-assessment #451

Open baentsch opened 1 month ago

baentsch commented 1 month ago

As per CNCF

baentsch commented 1 month ago

First cut below. It would be great if you could take a look and maybe provide actionable feedback @anvega . Most things are pretty obvious, but I'm feeling an ethical obligation to first witness more committed contributors before implementing/declaring as "good" the things this self-assessment suggests. Otherwise, I'd be afraid this would create a false sense of reliability for users ("badges", "alliance endorsement", etc. marketing fluff) -- all the while the code is maintained thanklessly by the proverbial random guy in Nebraska (err, Switzerland :).

oqsprovider-self-assessment-20240726.md

baentsch commented 1 month ago

@anvega Thanks for taking up this initial self-assessment. @dstebila by now corrected my incomplete understanding and reference as to the responsibilities of the LF triage team and I'll need to update that section once I better understand how it's been set up by LF.

@ryjones : Can you shed some light on this? Who gets notified if someone "privately" reports a vulnerability via GH? Is this going to the maintainers? Is (handling that) part of the undocumented responsibilities of LF maintainers? Who else gets these notifications? You as LF admin?

ryjones commented 1 month ago

@baentsch:

Organization administrators, repository administrators, and teams with the security manager role

These teams are security managers:

baentsch commented 1 month ago

Thanks for the explanation, @ryjones . This seems a bit broad and completely contradicts the public documentation, which indicates a "responsibly small" set (only admins) that gets to see this.

Created https://github.com/open-quantum-safe/tsc/issues/60 to track/improve. Tagging @dstebila @hartm as meeting follow-up.

@anvega : Updated oqsprovider-self-assessment-20240731.md to properly document this.

ryjones commented 1 month ago

The project can make that list as large or small as they like. If you want to create a specific team for security, you can do that, and I'll replace the current list with that one.

anvega commented 1 month ago

Thanks @baentsch and @ryjones.

I've converted the markdown to Google Docs for easier commenting. I've also completed my first pass with some initial naive questions. As a recommendation through the assessment, I suggest rephrasing the text where questions might arise, to preemptively address them rather than discussing them in the comments. This approach ensures that when we convert back to markdown, the content is there.

A few more people have shown interest in participating in the review. I'm waiting for formal approval from @JustinCappos to initiate the joint assessment process. Once approved, I'd like to give the reviewers a chance to ask their initial questions before we convene for a group discussion with you, the project team, and the other reviewers.

baentsch commented 1 month ago

I've also completed my first pass with some initial naive questions.

How/where do I see those questions? How could I comment on them? I see the Google doc, but can't seem to change "Mode" or "Comments".

baentsch commented 1 month ago

Oh, and the underlying document is the wrong (old) version. Please use the new version labelled 20240731 attached above, @anvega .

baentsch commented 1 month ago

Now I understood that you used my personal email address for this (getting edit access). Please don't do that for such "public documents": I don't want to receive spam in there. In the order of preference, please use my github ID, my public github email address (57787676+baentsch@...) or the private one I created only for GH interactions (info@....). I guess when that's changed I'll also get to see questions and can respond.

baentsch commented 1 month ago

Thanks, @anvega -- problem's resolved.

anvega commented 1 month ago

Apologies for the mix up with the document versions. I've now updated the Security Issue Resolution section to reflect the changes in the latest version.

I've also removed your personal email address and used the info@... address for Google access since the GH one wasn't accepted by Google.

Regarding your inability to see the comments, you should be able to view them even with just viewing access. Try clicking on View > Comments > Expand all comments. If this doesn't work, I can relay the questions to you via another method, such as a markdown file.

dehatideep commented 3 weeks ago

@baentsch I have added my Qs in the same doc, please see and clarify. Thank you.

baentsch commented 3 weeks ago

@dehatideep Thanks for your questions. Please check whether my answers in the doc are clear enough or whether I need to provide more background.