The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxd/pull/6267
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
From be9ab19f2d3be4c16ffa04de3d1dfeed9f046cc5 Mon Sep 17 00:00:00 2001
From: Stéphane Graber <stgra...@ubuntu.com>
Date: Mon, 30 Sep 2019 22:00:26 -0400
Subject: [PATCH 1/2] doc: Initial Github security policy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 .github/SECURITY.md | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 .github/SECURITY.md

diff --git a/.github/SECURITY.md b/.github/SECURITY.md
new file mode 100644
index 0000000000..3af01da148
--- /dev/null
+++ b/.github/SECURITY.md
@@ -0,0 +1,37 @@ +# Security policy +## Supported versions +LXD has two type of releases: + - Monthly feature releases + - LTS releases + +For feature releases, only the latest one is supported and we usually +won't be doing point releases on those, instead just having our users +wait until the next monthly release. + +For LTS releases, we do periodic bugfix releases which includes an +accumulation of bugfixes from the feature releases, no new features are +included. + +## What qualify as a security issue +We don't consider privileged containers to be root safe, so any exploit +allowing someone to escape them, will not qualify as a security issue. +This doesn't mean that we're not interested in preventing such escapes +but we simply do not consider such containers to be root safe. + +Unprivileged container escapes are certainly something we'd consider a +security issue, especially if somehow facilitated by LXD. + +More details can be found here: https://linuxcontainers.org/lxc/security/ + +## Reporting a vulnerability +The easiest way to report a security issue is to e-mail: secur...@linuxcontainers.org + +This e-mail address will reach the three main maintainers for LXC/LXD/LXCFS: + - Christian Brauner + - Stéphane Graber + - Serge Hallyn + +We will be working with you to determine whether this does qualify as a +security issue, if so in what component and then handle figuring out a +fix, getting a CVE assigned and coordinating the release of the fix to +the various Linux distributions. From 88d74ae3d023384b5f8cd8fcfec32f70b55e56d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgra...@ubuntu.com> Date: Mon, 30 Sep 2019 22:01:47 -0400 Subject: [PATCH 2/2] doc: Initial Github code of conduct MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Stéphane Graber <stgra...@ubuntu.com>
---
 .github/CODE_OF_CONDUCT.md | 65 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 .github/CODE_OF_CONDUCT.md

diff --git a/.github/CODE_OF_CONDUCT.md b/.github/CODE_OF_CONDUCT.md
new file mode 100644
index 0000000000..40f3730531
--- /dev/null
+++ b/.github/CODE_OF_CONDUCT.md
@@ -0,0 +1,65 @@ +# Contributor Covenant Code of Conduct +## Our Pledge +In the interest of fostering an open and welcoming environment, we as +contributors and maintainers pledge to making participation in our project and +our community a harassment-free experience for everyone, regardless of age, body +size, disability, ethnicity, sex characteristics, gender identity and expression, +level of experience, education, socio-economic status, nationality, personal +appearance, race, religion, or sexual identity and orientation. + +## Our Standards +Examples of behavior that contributes to creating a positive environment +include: + +* Using welcoming and inclusive language +* Being respectful of differing viewpoints and experiences +* Gracefully accepting constructive criticism +* Focusing on what is best for the community +* Showing empathy towards other community members + +Examples of unacceptable behavior by participants include: + +* The use of sexualized language or imagery and unwelcome sexual attention or advances +* Trolling, insulting/derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or electronic address, without explicit permission +* Other conduct which could reasonably be considered inappropriate in a professional setting + +## Our Responsibilities +Project maintainers are responsible for clarifying the standards of acceptable +behavior and are expected to take appropriate and fair corrective action in +response to any instances of unacceptable behavior. + +Project maintainers have the right and responsibility to remove, edit, or +reject comments, commits, code, wiki edits, issues, and other contributions +that are not aligned to this Code of Conduct, or to ban temporarily or +permanently any contributor for other behaviors that they deem inappropriate, +threatening, offensive, or harmful. 
+ +## Scope +This Code of Conduct applies both within project spaces and in public spaces +when an individual is representing the project or its community. Examples of +representing a project or community include using an official project e-mail +address, posting via an official social media account, or acting as an appointed +representative at an online or offline event. Representation of a project may be +further defined and clarified by project maintainers. + +## Enforcement +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported by contacting the project team at maintain...@linuxcontainers.org. All +complaints will be reviewed and investigated and will result in a response that +is deemed necessary and appropriate to the circumstances. The project team is +obligated to maintain confidentiality with regard to the reporter of an incident. +Further details of specific enforcement policies may be posted separately. + +Project maintainers who do not follow or enforce the Code of Conduct in good +faith may face temporary or permanent repercussions as determined by other +members of the project's leadership. + +## Attribution +This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, +available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html + +[homepage]: https://www.contributor-covenant.org + +For answers to common questions about this code of conduct, see https://www.contributor-covenant.org/faq
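Review bot: in the SECURITY.md hunk, the "## Supported versions" section describes the two release types but never says which releases are currently supported (which feature release and which LTS series still receive fixes), and that is the first thing a reporter opens this section to check; add a short list or table of the supported branches. The same section says feature-release users "wait until the next monthly release", so it should also state whether a confirmed security issue triggers an out-of-band feature release or only the next scheduled one. In "## Reporting a vulnerability", only a plain e-mail address is given; consider publishing or linking a PGP key so reporters can send exploit details encrypted, and stating an expected acknowledgement time. Wording: "LXD has two type of releases" should read "two types of releases", "## What qualify as a security issue" should read "What qualifies as a security issue", and "periodic bugfix releases which includes an accumulation of bugfixes" should read "which include".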
_______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel