pypi / warehouse

The Python Package Index
https://pypi.org
Apache License 2.0

Questions for use with SDL #16276

Closed artiomn closed 1 week ago

artiomn commented 1 month ago

We follow a formal process (Secure Development Lifecycle) and some questions (mostly formal) need to be answered to satisfy the requirements.

Could you please clarify the following points:

woodruffw commented 1 month ago

Hi @artiomn, did you check https://policies.python.org/ before opening this? That should answer the majority of your questions.

The rest should be answered by https://packaging.python.org/en/latest/ and https://docs.pypi.org/, as well as by logging into PyPI and navigating through your account's features.

artiomn commented 1 month ago

Thank you for the answers.

Probably, when the questions were written, this was checked.

I looked at these documents and the longest one is the "Acceptable Use Policy". Most of the document is about sexual harassment, bullying, "wrong thoughts" and other things, mostly useless and not acceptable for SDL and security.

Other documents in the policies section don't contain information to ask questions.

The rest should be answered by https://packaging.python.org/en/latest/ and https://docs.pypi.org/, as well as by logging into PyPI and navigating through your account's features.

Ok, probably this is helpful: https://pypi.org/help/ . And some answers can be obtained from this. But some are not. Of course it can be investigated from the source code. But the next question will be: "Are the decisions permanent or will they be changed in the next version?"

In addition, the security department has a better understanding of direct answers to questions.

Given that their questions are formal and I'm not the only one who might ask them, could you please answer these 5 questions if it doesn't take much of your time?

miketheman commented 1 week ago

But the next question will be: "Are the decisions permanent or will they be changed in the next version?"

Hard to predict the future. If I could I'd be able to answer that, but I can't so I won't 😉

As to the other questions, I think @woodruffw pointed you in the right direction to self-serve - we do not have formal responses to formal questions right now.

I understand this might not be satisfying, but please feel free to explore the codebase and documentation; you'll likely find the majority of your answers since it's all open source. There may be other repos in the pypi GitHub organization that contain other parts of interest.