
Create SECURITY.md #48

Closed
wants to merge 1 commit into from

Conversation

johndoe1a

No description provided.

@johndoe1a johndoe1a closed this Jun 15, 2023
@johndoe1a johndoe1a deleted the patch-1 branch June 15, 2023 13:22
@johndoe1a johndoe1a restored the patch-1 branch June 15, 2023 13:25
@johndoe1a johndoe1a reopened this Jun 15, 2023
@patillacode
Collaborator

Is this some "good practice"?

@patillacode
Collaborator

I did a bit of reading; it looks like SECURITY.md files are a thing I was not aware of, so thanks for raising this, @johndoe1a.

Having said that, this PR doesn't actually help since the contents of the file are just boilerplate.

I reckon no one except maybe @AntonOsika could actually know what to write in there, especially since the repo is very young and not many people know the code inside out to know the pain points when it comes to security.

Also, since we are using the OpenAI API, that is where the vast majority of security issues would be; I am sure they are taking better care of that than any one of us would.

Closing in favour of keeping things clean.

@jebarpg
Contributor

jebarpg commented Jun 15, 2023

Here is a list of common markdown files you see in well maintained repos:

README.md
CHANGELOG.md
SUPPORT.md
LICENSE.md
AUTHORS.md
ACKNOWLEDGMENTS.md
FAQ.md
NOTICE.md
ROADMAP.md
TODO.md
DIRECTORY_LIST.md
.github\CODE_OF_CONDUCT.md
.github\CONTRIBUTING.md
.github\FUNDING.yml
.github\SECURITY.md
.github\PULL_REQUEST_TEMPLATE\PULL_REQUEST_TEMPLATE.md
.github\ISSUE_TEMPLATE\ISSUE_TEMPLATE.md
.github\CODEOWNERS.md

I actually have a script which will automatically generate all of these with template/boilerplate text for each of them. Let me know if any of these make sense to add.

@patillacode
Collaborator

patillacode commented Jun 15, 2023

As I see it now, most of these would be "nice to have" but not critical.

Nonetheless, if you feel comfortable creating any of them and filling them properly, please create a PR with it!

@patillacode
Collaborator

@jebarpg FYI I am adding the CONTRIBUTING.md file on #61

The most pressing file at the moment would be CODE_OF_CONDUCT.md if you are interested!

@patillacode patillacode mentioned this pull request Jun 16, 2023
@jebarpg
Contributor

jebarpg commented Jun 16, 2023

@patillacode sure, here you go. We need to add a contact method where I stubbed out '[INSERT CONTACT METHOD]', so feel free to add the appropriate person, email, Twitter, Reddit, etc. for a point of contact.

# Contributor Covenant Code of Conduct

## Our Pledge

We as members, contributors, and leaders pledge to make participation in our
community a harassment-free experience for everyone, regardless of age, body
size, visible or invisible disability, ethnicity, sex characteristics, gender
identity and expression, level of experience, education, socio-economic status,
nationality, personal appearance, race, caste, color, religion, or sexual
identity and orientation.

We pledge to act and interact in ways that contribute to an open, welcoming,
diverse, inclusive, and healthy community.

## Our Standards

Examples of behavior that contributes to a positive environment for our
community include:

* Demonstrating empathy and kindness toward other people
* Being respectful of differing opinions, viewpoints, and experiences
* Giving and gracefully accepting constructive feedback
* Accepting responsibility and apologizing to those affected by our mistakes,
  and learning from the experience
* Focusing on what is best not just for us as individuals, but for the overall
  community

Examples of unacceptable behavior include:

* The use of sexualized language or imagery, and sexual attention or advances of
  any kind
* Trolling, insulting or derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or email address,
  without their explicit permission
* Other conduct which could reasonably be considered inappropriate in a
  professional setting

## Enforcement Responsibilities

Community leaders are responsible for clarifying and enforcing our standards of
acceptable behavior and will take appropriate and fair corrective action in
response to any behavior that they deem inappropriate, threatening, offensive,
or harmful.

Community leaders have the right and responsibility to remove, edit, or reject
comments, commits, code, wiki edits, issues, and other contributions that are
not aligned to this Code of Conduct, and will communicate reasons for moderation
decisions when appropriate.

## Scope

This Code of Conduct applies within all community spaces, and also applies when
an individual is officially representing the community in public spaces.
Examples of representing our community include using an official e-mail address,
posting via an official social media account, or acting as an appointed
representative at an online or offline event.

## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported to the community leaders responsible for enforcement at
[INSERT CONTACT METHOD].
All complaints will be reviewed and investigated promptly and fairly.

All community leaders are obligated to respect the privacy and security of the
reporter of any incident.

## Enforcement Guidelines

Community leaders will follow these Community Impact Guidelines in determining
the consequences for any action they deem in violation of this Code of Conduct:

### 1. Correction

**Community Impact**: Use of inappropriate language or other behavior deemed
unprofessional or unwelcome in the community.

**Consequence**: A private, written warning from community leaders, providing
clarity around the nature of the violation and an explanation of why the
behavior was inappropriate. A public apology may be requested.

### 2. Warning

**Community Impact**: A violation through a single incident or series of
actions.

**Consequence**: A warning with consequences for continued behavior. No
interaction with the people involved, including unsolicited interaction with
those enforcing the Code of Conduct, for a specified period of time. This
includes avoiding interactions in community spaces as well as external channels
like social media. Violating these terms may lead to a temporary or permanent
ban.

### 3. Temporary Ban

**Community Impact**: A serious violation of community standards, including
sustained inappropriate behavior.

**Consequence**: A temporary ban from any sort of interaction or public
communication with the community for a specified period of time. No public or
private interaction with the people involved, including unsolicited interaction
with those enforcing the Code of Conduct, is allowed during this period.
Violating these terms may lead to a permanent ban.

### 4. Permanent Ban

**Community Impact**: Demonstrating a pattern of violation of community
standards, including sustained inappropriate behavior, harassment of an
individual, or aggression toward or disparagement of classes of individuals.

**Consequence**: A permanent ban from any sort of public interaction within the
community.

## Attribution

This Code of Conduct is adapted from the [Contributor Covenant][homepage],
version 2.1, available at
[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].

Community Impact Guidelines were inspired by
[Mozilla's code of conduct enforcement ladder][Mozilla CoC].

For answers to common questions about this code of conduct, see the FAQ at
[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
[https://www.contributor-covenant.org/translations][translations].

[homepage]: https://www.contributor-covenant.org
[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
[Mozilla CoC]: https://github.com/mozilla/diversity
[FAQ]: https://www.contributor-covenant.org/faq
[translations]: https://www.contributor-covenant.org/translations

@jebarpg
Contributor

jebarpg commented Jun 16, 2023

@patillacode let me know when we need other ones. I think PR templates might start becoming necessary really quick... and Issue templates as well.

@jebarpg
Contributor

jebarpg commented Jun 16, 2023

Also, a changelog file will be useful for new merges and releases.

Here is a template using the 'Keep a Changelog' standards (purely an example template not adapted for this project):

# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## Cheat sheet

    ### Added       - for new features.
    ### Changed     - for changes in existing functionality.
    ### Deprecated  - for soon-to-be removed features.
    ### Removed     - for now removed features.
    ### Fixed       - for any bug fixes.
    ### Security    - in case of vulnerabilities.

## [Unreleased] - 2023-03-05

## [0.0.1] - 2023-03-01

### Added

- .gitignore
- .gitattributes
- .gitmodules
- .mailmap
- README.md
- CHANGELOG.md
- SUPPORT.md
- LICENSE.md
- CONTRIBUTORS.md
- AUTHORS.md
- ACKNOWLEDGMENTS.md
- FREQUENTLY_ASKED_QUESTIONS.md
- NOTICE.md
- ROADMAP.md
- TODO.md
- DIRECTORY_LIST.md
- .github\CODE_OF_CONDUCT.md
- .github\CONTRIBUTING.md
- .github\FUNDING.yml
- .github\SECURITY.md
- .github\PULL_REQUEST_TEMPLATE.md
- .github\ISSUE_TEMPLATE.md
- .github\CODEOWNERS

@jebarpg
Contributor

jebarpg commented Jun 16, 2023

@patillacode like I said, I actually have a script that goes through and generates the full list of files shown in the previous post, so it takes seconds to generate. It took a few weeks of research to compile all the templates and standards for the files and such.

@patillacode
Collaborator

Hi @jebarpg,

I appreciate your help; would you please create a PR for this?
Let me know if you need help to do that.

It is the way to go, good practice, plus I don't want to copy/paste it in an unrelated PR.

@jebarpg
Contributor

jebarpg commented Jun 16, 2023

Do we have a point of contact to add to the document? Before I make a PR I think it's important to provide it. I don't want to be presumptuous by using anton.osika's email.

@jebarpg
Contributor

jebarpg commented Jun 16, 2023

@patillacode btw, what are your thoughts about code being posted in issues? I personally find it helpful for review's sake initially, but I can understand that another workflow through PRs is more proper, since the point of a repo is version control (keeping track of changes).

@patillacode
Collaborator

patillacode commented Jun 16, 2023

> Do we have a point of contact to add to the document?

Not an official one; for now please put the owner's email, public in his profile: anton.osika at gmail dot com

> what are your thoughts about code being posted in issues

As long as it helps I am ok with it; sometimes it can make threads a bit more difficult to read, longer, etc., but overall, to show some specifics, it helps a lot.
Just pasting "whole files" is usually not as helpful though.

Anyway, in this specific case it needs to go through a PR.

@jebarpg
Contributor

jebarpg commented Jun 16, 2023

@patillacode for sure, will do.

@aroramrinaal

> @patillacode let me know when we need other ones. I think PR templates might start becoming necessary really quick... and Issue templates as well.

@jebarpg, can I work on the Issue and PR templates?

@jebarpg
Contributor

jebarpg commented Jun 17, 2023

@aroramrinaal sure, feel free to edit these and fill them out with what makes sense for this repo. Here is what I have to start with:

# Issue Template

## Prerequisites

Please answer the following questions for yourself before submitting an issue. **YOU MAY DELETE THE PREREQUISITES SECTION.**

- [ ] I am running the latest version
- [ ] I checked the documentation and found no answer
- [ ] I checked to make sure that this issue has not already been filed
- [ ] I'm reporting the issue to the correct repository (for multi-repository projects)

## Context

Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions.

* Firmware Version:
* Operating System:
* SDK version:
* Toolchain version:

## Expected Behavior

Please describe the behavior you are expecting

## Current Behavior

What is the current behavior?

## Failure Information (for bugs)

Please help provide information about the failure if this is a bug. If it is not a bug, please remove the rest of this template.

### Steps to Reproduce

Please provide detailed steps for reproducing the issue.

1. step 1
2. step 2
3. you get it...

### Failure Logs

Please include any relevant log snippets or files here.

# Pull Request Template

## Description

Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.

Fixes # (issue)

## Type of change

Please delete options that are not relevant.

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] This change requires a documentation update

## How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

- [ ] Test A
- [ ] Test B

**Test Configuration**:
* Firmware version:
* Hardware:
* Toolchain:
* SDK:

## Checklist:

- [ ] My code follows the style guidelines of this project
- [ ] I have performed a self-review of my own code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] My changes generate no new warnings
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published in downstream modules
- [ ] I have checked my code and corrected any misspellings

Author

@johndoe1a johndoe1a left a comment


@johndoe1a johndoe1a deleted the patch-1 branch October 24, 2023 02:46
4 participants