docs: deduplicate security content and align with onboarding guidelines #9
nexus49 wants to merge 2 commits into neonephos:main from
Conversation
Remove security-related content from project-guidelines that is covered by the upcoming NeoNephos Security Guidelines, replacing inline requirements with cross-references. Align priority levels and terminology between project-guidelines and onboarding-guidelines. Signed-off-by: Bastian Echterhölter <bastian.echterhoelter@sap.com> On-behalf-of: @SAP <bastian.echterhoelter@sap.com>
| * **MUST** publish a project charter (canonical + Markdown). | ||
| * **MUST** adopt the Linux Foundation Code of Conduct. | ||
| * **MUST** adopt the [NeoNephos Code of Conduct](https://github.com/neonephos/.github/blob/main/CODE_OF_CONDUCT.md). |
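Review bot: The replacement bullet changes the normative target from the Linux Foundation Code of Conduct to a "NeoNephos Code of Conduct" hosted in neonephos/.github, and the removed `* **MUST** publish a project charter (canonical + Markdown).` bullet has no replacement in this hunk. If the linked CODE_OF_CONDUCT.md is the LF Code of Conduct adopted verbatim, say so in the bullet so projects whose charters already name the LF CoC do not read this as a second, conflicting MUST; and since the charter requirement reappears in the later hunk ("Each project **MUST** make its project charter publicly available"), state in the PR description that it was moved, not dropped.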
This is problematic, as each project has defined in its technical charter to use the LF Europe CoC unless the project has its own pre-approved (see 4c).
ok is it NeoNephos Code of Conduct or LF Europe CoC ?
| | **MUST** | By next minor release | TSC | | ||
| Each project **SHOULD** make its project charter publicly available (website or repository). If converted to Markdown, the Markdown version **MUST** remain synchronized with the canonical source. | ||
| Each project **MUST** make its project charter publicly available (website or repository). If converted to Markdown, the Markdown version **MUST** remain synchronized with the canonical source. |
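Review bot: Raising the charter requirement from SHOULD to MUST is fine, but the second sentence ("If converted to Markdown, the Markdown version **MUST** remain synchronized with the canonical source") still permits a converted copy, and a copy that has to be kept synchronized by hand is one that will drift from the LF-hosted original. Replace that sentence with a requirement to link to the canonical charter at its hosted location, and make the same change in onboarding-guidelines.md, which this wording was taken from.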
Let's never say people can convert or copy the charter - we can provide the link to the source doc hosted by the LF.
we can also change the wording, I took the wording from the onboarding guide here:
https://github.com/neonephos/guidelines-development/blob/main/onboarding/onboarding-guidelines.md?plain=1#L17
I'll adjust to make it a link to the source doc on both documents.
| * Projects **MUST** track third-party licenses. | ||
| * Projects **MAY** generate SBOMs for generated artifacts. | ||
| * For dependency scanning and SBOM requirements, see [NeoNephos Security Guidelines §8 — Supply Chain Security](../security-guidelines/security-guidelines.md#8-supply-chain-security). |
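Review bot: This hunk drops `* Projects **MUST** track third-party licenses.` together with the SBOM bullet, but the replacement only points to "dependency scanning and SBOM requirements" in Security Guidelines §8 (Supply Chain Security). License tracking is a compliance obligation rather than a scanning control, and nothing visible here shows §8 defining it, so a MUST is silently removed; keep the license bullet (or cross-reference wherever license obligations are actually specified). Also, the relative link `../security-guidelines/security-guidelines.md#8-supply-chain-security` only resolves once #7 is merged, so re-check the path and the heading slug against the merged file before this lands.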
We should bring in the LF License Scanning program to help here. I can have that lead come to a TAC meeting to discuss.
Projects must link to their centrally hosted charter rather than publishing or converting copies. Signed-off-by: Bastian Echterhölter <bastian.echterhoelter@sap.com> On-behalf-of: @SAP <bastian.echterhoelter@sap.com>
Summary
This PR removes duplicated security content from the project guidelines and replaces it with cross-references to the NeoNephos Security Guidelines, establishing a single source of truth for security requirements. It also aligns priority levels and terminology between the project guidelines and onboarding guidelines.
Depends on #7 (security guidelines) being merged first — the cross-references target sections introduced by that PR.
Changes and reasoning
Security deduplication (project-guidelines.md)
MAY generate SBOMs bullet with a reference to Security Guidelines §8 (Supply Chain Security), which defines SBOM, dependency scanning, signing, and provenance requirements.
Onboarding alignment (both documents)
MUST designate a Security Officer) that was present in onboarding but missing from project guidelines.
Editorial fixes