From 643192430f22bac9fe2e67eee043d90aa72e4ae4 Mon Sep 17 00:00:00 2001 From: Adam Shamblin Date: Fri, 2 Sep 2022 09:14:51 -0600 Subject: [PATCH 1/3] begin cicd rfc --- doc/rfc/cicd.future.md | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 doc/rfc/cicd.future.md diff --git a/doc/rfc/cicd.future.md b/doc/rfc/cicd.future.md new file mode 100644 index 00000000..49a64c93 --- /dev/null +++ b/doc/rfc/cicd.future.md 
@@ -0,0 +1,40 @@ +--- +title: CI/CD Future Planning +status: PROPOSAL +--- + + +# CI/CD Future Planning + +## Rationale for this document + +In the coming year, it is the goal of this project to make a public announcment +of Veilid. When that occurs, not only will Veilid become available to users and +developers globally, it is also likely to become a high-value target for +nefarious actors. This means that, as a team, we must be concerned not only with +the functionality of the code, but the integrity of the code base and any +deployed assets that originate from the core Veilid project. + +In this document I would like to propose some guidelines and processes that can +help to minimize the impact of malicious actors upon the core Veilid code base +by way of direct commits and/or to its dependencies. + +Some of this work will be toil, but most ought to be automated. + +## Forked Dependencies + +There are a number of dependencies that have been forked to allow us to expand +on their capabilities. Some of these forks are hard forks, projects that have +diverged enough that the Veilid team will need to continue to maintain them. +There are other projects where Veilid changes have been minimal, and where we +will want to share our changes upstream. + +There may be a very small number of cases where we will have to maintain patched +versions of active projects. + +For the duration of the project, it will be important that we understand which +dependencies fall into which categories. + +### Soft forks + +### Hard forks From 4f26c094c333f0ca80c037330c1cfb4eb6e90724 Mon Sep 17 00:00:00 2001 From: Adam Shamblin Date: Fri, 2 Sep 2022 13:52:47 -0600 Subject: [PATCH 2/3] WIP, add docs folder, begin ci/cd discussion --- doc/rfc/cicd.future.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/doc/rfc/cicd.future.md b/doc/rfc/cicd.future.md index 49a64c93..066bff12 100644 --- a/doc/rfc/cicd.future.md +++ b/doc/rfc/cicd.future.md 
@@ -1,9 +1,12 @@ --- title: CI/CD Future Planning +keywords: +- dependencies +- cicd +- security status: PROPOSAL --- - # CI/CD Future Planning ## Rationale for this document @@ -37,4 +40,9 @@ dependencies fall into which categories. ### Soft forks +**TODO** _Note which submodules are soft forks and changes can be contributed +upstream_ + ### Hard forks + +**TODO** _Note which submodules are hard forks and will be maintained by us._ From dfe12ce1b01adcd3ce4494e2a5ff6ab80becfff6 Mon Sep 17 00:00:00 2001 From: Adam Shamblin Date: Fri, 2 Sep 2022 13:53:43 -0600 Subject: [PATCH 3/3] WIP, add signing section --- doc/rfc/cicd.future.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/rfc/cicd.future.md b/doc/rfc/cicd.future.md index 066bff12..1b573153 100644 --- a/doc/rfc/cicd.future.md +++ b/doc/rfc/cicd.future.md @@ -22,6 +22,14 @@ In this document I would like to propose some guidelines and processes that can help to minimize the impact of malicious actors upon the core Veilid code base by way of direct commits and/or to its dependencies. +## Signing + +### Commits + +### Packages + +### PKI + Some of this work will be toil, but most ought to be automated. ## Forked Dependencies
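Review bot: In [PATCH 1/3], the "Forked Dependencies" section describes three situations (hard forks the team keeps maintaining, minimally changed projects whose changes go upstream, and "patched versions of active projects"), but the hunk only adds two subsections, "### Soft forks" and "### Hard forks". Since the text says "it will be important that we understand which dependencies fall into which categories", either add a third subsection for the patched-but-active case or state which of the two headings it belongs under. Separately, the rationale names two paths, "direct commits and/or to its dependencies", and nothing in this hunk covers direct commits yet. "announcment" in the first rationale paragraph should be "announcement".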
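Review bot: In [PATCH 2/3], second hunk (@@ -37,4 +40,9 @@), the two TODO notes ask only for a list of submodule names, which will not be enough to audit the forks later. Consider having each entry also record the upstream repository and the point the fork diverged from, so "soft" versus "hard" can be checked rather than asserted. The first TODO also reads awkwardly: "are soft forks and changes can be contributed upstream" would be clearer as "are soft forks whose changes can be contributed upstream". The subject line says "add docs folder", but the diffstat shows only doc/rfc/cicd.future.md changing; the subject should match what the commit contains.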
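Review bot: In [PATCH 3/3], the new "## Signing" block is inserted between the rationale paragraph ending "by way of direct commits and/or to its dependencies." and the sentence "Some of this work will be toil, but most ought to be automated.", so that closing sentence of the rationale now renders as the body of "### PKI". Move the insertion down one paragraph so the block sits after that sentence and before "## Forked Dependencies". The three new subsections ("### Commits", "### Packages", "### PKI") are also empty with no placeholder; the previous patch marked unfinished sections with a **TODO** note, and doing the same here would make clear what each is meant to cover (for example, whether "Commits" means signed commits are required on merge, and what "PKI" is the trust root for).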