Project roles and responsibilities - NEW - OSPS-DO-16 #119
added suggestion for criteria OSPS-DO-16 which covers project roles & responsibilities Signed-off-by: CRob <[email protected]>
Not 100% convinced this is a "docs", but open to alternate landing suggestions
baseline.yaml
Outdated
Projects need to document the Roles and | ||
Responsibilities of the project to provide for | ||
Seperation of Duties, Dual Control, and other | ||
requirements. |
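Review bot: "Seperation" in the criteria text is misspelled; it should read "Separation of Duties". The capitalised "Roles and Responsibilities", "Seperation of Duties" and "Dual Control" also read as proper nouns; unless they are defined terms in the baseline, lowercase them so the criteria text matches the plain-prose style of the other entries.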
How does this differ from OSPS-DO-11?
The project documentation MUST have a policy that code contributors are reviewed prior to granting escalated permissions to sensitive resources.
do-11 is about access review of those that get the commit-bit; this is broader, "document who can do what" within the project.
It feels like there is probably a "governance" section waiting to happen. I'd nominate OSPS-DO-01, OSPS-DO-02, OSPS-DO-06, OSPS-DO-11 for inclusion, or it could be combined with the LE- line if desired.
Co-authored-by: Evan Anderson <[email protected]> Signed-off-by: CRob <[email protected]>
...yeah, I was thinking that today too. What does the rest of the group think?
I'm in favor of creating a Governance category, as proposed.
A general comment on this PR: there are a lot of capital letters in places I don't expect. Maybe that's something for Eddie to include in the style guide (#112).
Signed-off-by: CRob <[email protected]>
What about one-person projects? It's obviously possible to document roles & responsibilities even in that case, in the hopes that the project will grow, but is that important while there's only one person?
One-person projects are unlikely to care about the baseline anyway. If nothing else, they wouldn't be able to meet the pending OSPS-AC-08 (#123) requirement.
Yeah -- I'm wondering whether we should have a profile for single-person projects that excludes certain types of practices that only make sense for teams (like lowest privileges). At the same time, it seems fair to cap a 1-person project to e.g. maturity level 1, because there's a single point of failure for the whole project if that person has life happen.
Co-authored-by: David A. Wheeler <[email protected]> Signed-off-by: CRob <[email protected]>
I'm +1 on creating a "governance" section. Seems reasonable.
- id: OSPS-DO-16 | ||
maturity_level: 2 | ||
category: Documentation | ||
criteria: | |
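Review bot: `criteria: |` opens a YAML literal block scalar, but no indented body follows it in the visible lines, so the `criteria` key would parse as empty and the entry would be invalid. Either add the criteria text indented under it (the roles-and-responsibilities wording from the earlier revision of this hunk) or drop the `|` if the value is being moved elsewhere; as written, the baseline's YAML validation should reject it once CI re-runs.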
nit: This should be breaking CI, I'm confused why it doesn't 🤔
I don't think the CI has been re-run since that change was made. If it were to run now, the CI check should fail.
The changes in this PR are consolidated in #134