[ 
https://issues.apache.org/jira/browse/LOG4J2-3260?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Volkan Yazici closed LOG4J2-3260.
---------------------------------
    Resolution: Won't Fix

The PMC couldn't reach a consensus on enabling branch protection settings.

> Missing branch protection settings on log4j2 repo
> -------------------------------------------------
>
>                 Key: LOG4J2-3260
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3260
>             Project: Log4j 2
>          Issue Type: Improvement
>            Reporter: Abhishek Arya
>            Assignee: Volkan Yazici
>            Priority: Trivial
>         Attachments: 20211224-scorecard-report.txt
>
>
> The branch protection setting is missing on 
> [https://github.com/apache/logging-log4j2] repo. Please check 
> [https://github.com/ossf/scorecard/blob/090ae4f0bbc3b6956971bec83530c86696e1e75d/docs/checks.md#branch-protection]
>  for reason why this setting is important. This setting is easy to enable and 
> needs to be done for main and all release branches using 
> [https://github.com/apache/logging-log4j2/settings/branches].
> You can run OpenSSF Scorecard to see the failures:
> ./scorecard --repo [https://github.com/apache/logging-log4j2] --show-details
> You will see some failures, but this branch protection check failure is the 
> most important failure out of them.
> Different types of branch protection protect against different risks:
>  * Require code review: requires at least one reviewer, which greatly reduces 
> the risk that a compromised contributor can inject malicious code. Review 
> also increases the likelihood that an unintentional vulnerability in a 
> contribution will be detected and fixed before the change is accepted.
>  * Prevent force push: prevents use of the {{--force}} command on public 
> branches, which overwrites code irrevocably. This protection prevents the 
> rewriting of public history without external notice.
>  * Require [status 
> checks|https://docs.github.com/en/github/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/about-status-checks]:
>  ensures that all required CI tests are met before a change is accepted.
> Next good one to have is to enable CodeQL CI/CD check. Also, in the near 
> future, please consider installing the OpenSSF AllStar app 
> (https://github.com/ossf/allstar) on your github organization. It will help 
> with continuous enforcement of various security policies (including branch 
> protection).
> -Abhishek Arya, Principal Engineer and Manager, Google Open Source Security 
> Team
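
The quoted issue lists three branch protection controls (required review, no force pushes, required status checks). The checker below is an added example, not code from the Jira issue, from OpenSSF Scorecard or from the Log4j project: it evaluates a GitHub branch-protection payload against those three controls, and additionally reports whether the rule is enforced for administrators, which Scorecard's branch-protection check also looks at. The input shape follows GitHub's REST endpoint `GET /repos/{owner}/{repo}/branches/{branch}/protection`; a 404 "Branch not protected" response is represented as `None`. All payloads in the block are constructed for illustration and were not fetched from apache/logging-log4j2.

```python
"""Evaluate a GitHub branch-protection rule for the controls named in LOG4J2-3260.

Added example; not code from the Jira issue, Scorecard or Log4j. Payloads follow
GET /repos/{owner}/{repo}/branches/{branch}/protection; None stands for the 404
"Branch not protected" answer. All sample payloads are constructed.
"""

CONTROLS = (
    "require_code_review",
    "prevent_force_push",
    "require_status_checks",
    "enforce_for_admins",  # beyond the issue's three; Scorecard checks this too
)


def evaluate_protection(protection):
    """Map each control to (passed, detail) for one branch's protection rule."""
    if protection is None:
        return {c: (False, "branch has no protection rule at all") for c in CONTROLS}

    reviews = protection.get("required_pull_request_reviews") or {}
    approvals = reviews.get("required_approving_review_count", 0)

    # Assumption: a protected branch blocks force pushes unless the rule
    # explicitly enables them, so a missing key counts as "disabled".
    force_push = (protection.get("allow_force_pushes") or {}).get("enabled", False)

    checks = protection.get("required_status_checks") or {}
    # Older payloads name checks under "contexts", newer ones under "checks".
    contexts = checks.get("contexts") or [
        c.get("context") for c in checks.get("checks") or []
    ]

    admins = (protection.get("enforce_admins") or {}).get("enabled", False)

    return {
        "require_code_review": (
            approvals >= 1, f"{approvals} approving review(s) required"),
        "prevent_force_push": (
            not force_push,
            "force pushes allowed" if force_push else "force pushes blocked"),
        "require_status_checks": (
            bool(contexts),
            f"required checks: {contexts}" if contexts else "no required status checks"),
        "enforce_for_admins": (
            bool(admins),
            "rule applies to administrators" if admins else "administrators may bypass the rule"),
    }


def failing_controls(protection):
    """Names of the controls that fail, in CONTROLS order."""
    results = evaluate_protection(protection)
    return [c for c in CONTROLS if not results[c][0]]


def report(repo, branch, protection):
    """Human-readable summary, one line per control."""
    lines = [f"{repo}@{branch}"]
    for control, (passed, detail) in evaluate_protection(protection).items():
        lines.append(f"  [{'PASS' if passed else 'FAIL'}] {control}: {detail}")
    return "\n".join(lines)


# Constructed sample: no rule at all (what a 404 from the API means).
UNPROTECTED = None

# Constructed sample: a branch configured the way the issue asks.
PROTECTED = {
    "required_status_checks": {"strict": True, "contexts": ["build", "codeql"]},
    "enforce_admins": {"enabled": True},
    "required_pull_request_reviews": {"dismiss_stale_reviews": True,
                                      "required_approving_review_count": 1},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}

# Constructed sample: a rule exists, but review is optional, force pushes are
# allowed and administrators are exempt; only status checks are required.
WEAK = {
    "required_status_checks": {"strict": False, "contexts": ["build"]},
    "enforce_admins": {"enabled": False},
    "required_pull_request_reviews": None,
    "allow_force_pushes": {"enabled": True},
}

if __name__ == "__main__":
    for branch, rule in (("main", UNPROTECTED), ("release-2.x", PROTECTED), ("2.x", WEAK)):
        print(report("example-org/example-repo", branch, rule))
```

To run it against a real branch, fetch the payload with `gh api repos/OWNER/REPO/branches/BRANCH/protection` (an authenticated user with admin access is needed) and pass the parsed JSON to `report`; a 404 means the branch is unprotected, which is the `None` case above.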



--
This message was sent by Atlassian Jira
(v8.20.10#820010)