veilid/doc/rfc/cicd.future.md
2022-09-02 13:53:43 -06:00

---
title: CI/CD Future Planning
keywords:
  - dependencies
  - cicd
  - security
status: PROPOSAL
---

# CI/CD Future Planning

## Rationale for this document

In the coming year, it is the goal of this project to make a public announcement of Veilid. When that occurs, not only will Veilid become available to users and developers globally, it is also likely to become a high-value target for nefarious actors. This means that, as a team, we must be concerned not only with the functionality of the code, but with the integrity of the code base and of any deployed assets that originate from the core Veilid project.

In this document I would like to propose some guidelines and processes that can help to minimize the impact of malicious actors upon the core Veilid code base, whether through direct commits to it or through its dependencies.

## Signing

### Commits

### Packages

### PKI

Some of this work will be toil, but most ought to be automated.
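One piece of the commit-signing work that can be automated is a CI gate that refuses a merge when any commit in the range under review is unsigned, carries a bad signature, or was signed by a key outside an allowlist. The following is an added example and not part of the Veilid project; the key ids, commit hashes and allowlist are constructed, and in CI the input would come from `git log --format='%H %G? %GK' origin/main..HEAD` rather than the embedded sample.

```python
"""CI gate for a commit-signing policy (added example, not Veilid code).

Each input line is "<hash> <%G? status> <%GK key id>", the output of
    git log --format='%H %G? %GK' <base>..HEAD
%G? is git's one-letter signature verdict; %GK is empty for unsigned commits.
"""
import subprocess

# Meaning of git's %G? status letters.
STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, key not trusted by gpg",
    "X": "good signature, signature expired",
    "Y": "good signature, key expired",
    "R": "good signature, key revoked",
    "E": "signature cannot be checked (key unavailable)",
    "N": "no signature",
}

# Constructed sample: what the git log command might print on a branch.
SAMPLE_LOG = [
    "a1b2c3d4 G ABCDEF0123456789",  # good, key allowlisted
    "b2c3d4e5 U ABCDEF0123456789",  # good, gpg has no trust path, but allowlisted
    "c3d4e5f6 N",                   # unsigned
    "d4e5f6a7 G 0000000000000000",  # good signature, key not in allowlist
    "e5f6a7b8 B ABCDEF0123456789",  # bad signature
]
TRUSTED_KEYS = {"ABCDEF0123456789"}  # constructed allowlist of maintainer key ids


def check_commits(log_lines, trusted_keys):
    """Return (commit, reason) for every commit violating the policy.

    Policy: a commit passes only with a verified signature ('G', or 'U' since
    CI runners usually lack a gpg trust db) from a key in trusted_keys.
    """
    violations = []
    for line in log_lines:
        parts = line.split(None, 2)
        if not parts:
            continue
        commit, status = parts[0], parts[1]
        key = parts[2] if len(parts) > 2 else ""
        if status not in ("G", "U"):
            violations.append((commit, STATUS.get(status, "unknown status " + status)))
        elif key not in trusted_keys:
            violations.append((commit, "key not in allowlist: " + (key or "<none>")))
    return violations


def check_range(rev_range, trusted_keys):
    """Run the real git command for a revision range and apply the policy."""
    out = subprocess.run(["git", "log", "--format=%H %G? %GK", rev_range],
                         check=True, capture_output=True, text=True).stdout
    return check_commits(out.splitlines(), trusted_keys)
```

Exit the CI job with a non-zero status whenever `check_range` returns a non-empty list.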

## Forked Dependencies

There are a number of dependencies that have been forked to allow us to expand on their capabilities. Some of these forks are hard forks: projects that have diverged enough that the Veilid team will need to continue to maintain them. There are other projects where Veilid's changes have been minimal, and where we will want to share our changes upstream.

There may be a very small number of cases where we will have to maintain patched versions of active projects.

For the duration of the project, it will be important that we understand which dependencies fall into which categories.

### Soft forks

TODO: Note which submodules are soft forks whose changes can be contributed upstream.

### Hard forks

TODO: Note which submodules are hard forks that will be maintained by us.