[lxc-devel] [lxd/master] Add security policy and code of conduct

stgraber on Github lxc-bot at linuxcontainers.org
Tue Oct 1 02:02:49 UTC 2019


From be9ab19f2d3be4c16ffa04de3d1dfeed9f046cc5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Mon, 30 Sep 2019 22:00:26 -0400
Subject: [PATCH 1/2] doc: Initial Github security policy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 .github/SECURITY.md | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 .github/SECURITY.md

diff --git a/.github/SECURITY.md b/.github/SECURITY.md
new file mode 100644
index 0000000000..3af01da148
--- /dev/null
+++ b/.github/SECURITY.md
@@ -0,0 +1,37 @@
+# Security policy
+## Supported versions
+LXD has two type of releases:
+ - Monthly feature releases
+ - LTS releases
+
+For feature releases, only the latest one is supported and we usually
+won't be doing point releases on those, instead just having our users
+wait until the next monthly release.
+
+For LTS releases, we do periodic bugfix releases which includes an
+accumulation of bugfixes from the feature releases, no new features are
+included.
+
+## What qualify as a security issue
+We don't consider privileged containers to be root safe, so any exploit
+allowing someone to escape them, will not qualify as a security issue.
+This doesn't mean that we're not interested in preventing such escapes
+but we simply do not consider such containers to be root safe.
+
+Unprivileged container escapes are certainly something we'd consider a
+security issue, especially if somehow facilitated by LXD.
+
+More details can be found here: https://linuxcontainers.org/lxc/security/
+
+## Reporting a vulnerability
+The easiest way to report a security issue is to e-mail: security at linuxcontainers.org
+
+This e-mail address will reach the three main maintainers for LXC/LXD/LXCFS:
+ - Christian Brauner
+ - Stéphane Graber
+ - Serge Hallyn
+
+We will be working with you to determine whether this does qualify as a
+security issue, if so in what component and then handle figuring out a
+fix, getting a CVE assigned and coordinating the release of the fix to
+the various Linux distributions.
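Review bot: the "Supported versions" section never says which LTS series are supported or for how long, so a reporter cannot tell whether a bug in an older LTS is in scope; consider adding a line such as "Security fixes are applied to the current LTS release(s) and the latest feature release" with the concrete LTS branches named. The same section has a few grammar slips that are worth fixing before this goes on the Github security tab: "two type of releases" should be "two types of releases", "bugfix releases which includes" should be "which include", and the heading "What qualify as a security issue" should read "What qualifies as a security issue"; the comma in "escape them, will not qualify" also splits subject from verb. Under "Reporting a vulnerability", the policy lists only a plain e-mail address; since reports will contain exploit details, consider also publishing a PGP key (or a link to one) for that address and stating an expected acknowledgement time so reporters know when to follow up.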

From 88d74ae3d023384b5f8cd8fcfec32f70b55e56d9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Mon, 30 Sep 2019 22:01:47 -0400
Subject: [PATCH 2/2] doc: Initial Github code of conduct
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 .github/CODE_OF_CONDUCT.md | 65 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 .github/CODE_OF_CONDUCT.md

diff --git a/.github/CODE_OF_CONDUCT.md b/.github/CODE_OF_CONDUCT.md
new file mode 100644
index 0000000000..40f3730531
--- /dev/null
+++ b/.github/CODE_OF_CONDUCT.md
@@ -0,0 +1,65 @@
+# Contributor Covenant Code of Conduct
+## Our Pledge
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, sex characteristics, gender identity and expression,
+level of experience, education, socio-economic status, nationality, personal
+appearance, race, religion, or sexual identity and orientation.
+
+## Our Standards
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a  professional setting
+
+## Our Responsibilities
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at maintainers at linuxcontainers.org. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see https://www.contributor-covenant.org/faq
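Review bot: the two list items "Publishing others' private information, such as a physical or electronic  address" and "Other conduct which could reasonably be considered inappropriate in a  professional setting" each contain a doubled space where the upstream text's line wrap was joined; collapse them to a single space. The enforcement contact is given as "maintainers at linuxcontainers.org" while the security policy in the first patch uses "security at linuxcontainers.org"; that split is sensible, but a one-line cross-reference here ("for security vulnerabilities see SECURITY.md") would stop conduct reports and vulnerability reports from landing in the wrong inbox.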

