This repository has been archived by the owner on May 9, 2024. It is now read-only.
forked from artefactual-sdps/enduro
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add contributing and security markdown files (artefactual-sdps#788)
* Add contributing and security markdown files
- Loading branch information
Showing
2 changed files
with
140 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| # Contributing | ||
|
|
||
| This repository is the place to file Enduro bug reports as well as make | ||
| suggestions for new or enhanced features. Anyone with a GitHub account can add | ||
| an issue, comment on someone else's issue, or make a pull request. | ||
|
|
||
| ## Security | ||
|
|
||
| If you have a security concern about Enduro or any of its companion | ||
| repositories, please do not file it here. See the [security policy](SECURITY.md) | ||
| in this repository for directions on how to report security issues. | ||
|
|
||
| ## Filing an issue | ||
|
|
||
| All changes to Enduro should start with an issue, including bug fixes, new | ||
| features, and enhancements to existing features. | ||
|
|
||
| To file an issue, go to [the Issues | ||
| tab](https://github.com/artefactual-sdps/enduro/issues) and click the green | ||
| **New issue** button in the top right-hand corner. You can select the | ||
| appropriate template from the list. Fill out the template with as much | ||
| information as you can. | ||
|
|
||
| An issue should describe a behaviour without implying a solution. The pull | ||
| request that may follow, if changes to the codebase are necessary, fixes the | ||
| problem. Framing your issue as a problem statement helps everyone understand why | ||
| the issue is important - it describes how Enduro is not performing as it | ||
| should (bug) or as it could (enhancement). Please title your issue as a problem | ||
| statement, starting with "Problem:". You can check [existing | ||
| issues](https://github.com/archivematica/Issues/issues) for examples. | ||
|
|
||
| ### Reporting a bug | ||
|
|
||
| To report a bug, select **Bug report** from the issue templates and fill out the | ||
| fields with as much information as possible. | ||
|
|
||
| Useful information to provide includes: | ||
|
|
||
| * What version of Enduro are you using? | ||
| * Was Enduro installed with a3m or Archivematica? | ||
| * How was it installed? | ||
| * Was this a fresh install or an upgrade? | ||
| * What did you do to cause this bug to happen? | ||
| * What did you expect to happen? | ||
| * What did you see instead? | ||
| * Can you reproduce this reliably? | ||
|
|
||
| ### Submitting an enhancement idea | ||
|
|
||
| To suggest a new feature or an enhancement to an existing feature, select | ||
| **Feature request** from the issue templates and fill out the fields with as | ||
| much information as possible. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,88 @@ | ||
| # Security Policy | ||
|
|
||
| This document outlines security procedures and general policies for the Enduro | ||
| project. | ||
|
|
||
| **Contents** | ||
|
|
||
| - [Security Policy](#security-policy) | ||
| - [Reporting a security vulnerability](#reporting-a-security-vulnerability) | ||
| - [Disclosure policy](#disclosure-policy) | ||
| - [Supported versions](#supported-versions) | ||
| - [Reporting general bugs](#reporting-general-bugs) | ||
|
|
||
| ## Reporting a security vulnerability | ||
|
|
||
| The Enduro development team takes security seriously and will investigate all | ||
| reported vulnerabilities. | ||
|
|
||
| If you would like to report a vulnerability or have a security concern regarding | ||
| Enduro, **please do not file a public issue in our GitHub repository.** It is | ||
| critical to the safety of other users that security issues are reported in a | ||
| secure manner. Instead, please email a report to: | ||
|
|
||
| * [security@artefactual.com](mailto:security@artefactual.com) | ||
|
|
||
| We will be better able to evaluate and respond to your report if it includes | ||
| all the details needed for us to reproduce the issue locally. Please include | ||
| the following information in your email: | ||
|
|
||
| * The version of Enduro you are using. | ||
| * Basic information about your installation environment, including operating | ||
| system and dependency versions. | ||
| * Steps to reproduce the issue. | ||
| * The resulting error or vulnerability. | ||
| * If there are any error logs related to the issue, please include the | ||
| relevant parts as well. | ||
|
|
||
| Your report will be acknowledged within 2 business days, and we’ll follow up | ||
| with a more detailed response indicating the next steps we intend to take | ||
| within 1 week. | ||
|
|
||
| If you haven’t received a reply to your submission after 5 business days of | ||
| the original report, please email Artefactual's info address: | ||
| [info@artefactual.com](info@artefactual.com) | ||
|
|
||
| Any information you share with the Enduro development team as a part of this | ||
| process will be kept confidential within the team. If we determine that the | ||
| vulnerability is located upstream in one of the libraries or dependencies that | ||
| Enduro uses, we may need to share some information about the report with the | ||
| dependency’s core team - in this case, we will notify you before proceeding. | ||
|
|
||
| If the vulnerability is first reported by you, we will credit you with the | ||
| discovery in the public disclosure, unless you tell us you would prefer to | ||
| remain anonymous. | ||
|
|
||
| ## Disclosure policy | ||
|
|
||
| When the Enduro development team receives a security bug report, we will assign | ||
| it to a primary handler. This person will coordinate the fix and release | ||
| process, involving the following steps: | ||
|
|
||
| * Confirm the problem and determine the affected versions. | ||
| * Audit code to find any similar potential problems. | ||
| * Prepare fixes for all releases still under maintenance. These fixes will be | ||
| released as fast as possible. | ||
|
|
||
| Once new releases and/or security patches have been prepared, tested, and made | ||
| publicly available, we will publicize the fix and encourage users to upgrade (or | ||
| apply the supplied patch) as soon as possible. Any internal tickets created in | ||
| our issue tracker related to the issue will be made public after disclosure, and | ||
| referenced in the release notes for the new version(s). | ||
|
|
||
| ## Supported versions | ||
|
|
||
| In the case of a confirmed security issue, we will add the fix to the most | ||
| recent stable branch and the current development branch. If the severity of the | ||
| issue is high, we may in some cases also backport the fix to the previous stable | ||
| branch as well (e.g. `stable/1.11.x`) so that users running a legacy version | ||
| have the option of adding the fix as a patch to their local installations. We | ||
| will attempt to ensure that fixes, and/or a confirmed workaround that resolves | ||
| the security issue, are available prior to disclosing any security issues | ||
| publicly. | ||
|
|
||
| ## Reporting general bugs | ||
|
|
||
| If you have discovered an issue in Archivematica that is **not related to a | ||
| security vulnerability**, we welcome you to file an issue in the | ||
| [Enduro repository](https://github.com/artefactual-sdps/enduro). |