[Security Review] Dragonfly

[gaius-qi]

Project Name: Dragonfly

Github URL: https://github.com/dragonflyoss/Dragonfly2

Project Security Lead: Wenbo Qi(Gaius)

CNCF project stage and issue (NA if not applicable): Incubation, applying for graduation.

Security Provider: no

• Identify team
  • Project security lead @gaius-qi
  • Lead security reviewer: @mnm678
  • 1 or more additional reviewer(s) @JustinCappos @nyrahul @mrcdb @hubbertsmith
  • Every reviewer has read security reviewer guidelines and stated declaration of conflict
  • Sign off by facilitator on reviewer conflicts
• Create slack channel (#sec-assessment-dragonfly)
• Project lead provides draft document
• "Naive question phase" Lead Security Reviewer asks clarifying questions
• Assign issue to security reviewers
• Initial review
• Presentation & discussion
• Share draft findings with project
• Assessment summary and doc checked into /assessments/projects/project-name (require at least 1 co-chair approval)
• CNCF TOC presentation (if requested by TOC)

[JustinCappos]

@gaius-qi Okay, can you edit the info above to mention who from the dragonfly side will be the "Project Security Lead"? Please also link to the self assessment as the "Project lead provides draft document"?

[JustinCappos]

I am willing to be a security reviewer for this project.

I have read the security reviewer guidelines (in the past, before their link was broken... 😦 ), and have no conflicts.

[nyrahul]

Hey @JustinCappos, I would like to volunteer with the security review (depending on eligibility).

@gaius-qi, The "security reviewer guidelines" link and the "outline" links are not working in your initial comment. I would love to go through those.

Disclosure: I have not done a CNCF project security review before. However, I am working in the security domain and have done threat modeling, security review of other projects outside of CNCF.

[JustinCappos]

Hey @JustinCappos, I would like to volunteer with the security review (depending on eligibility).

@gaius-qi, The "security reviewer guidelines" link and the "outline" links are not working in your initial comment. I would love to go through those.

Disclosure: I have not done a CNCF project security review before. However, I am working in the security domain and have done threat modeling, security review of other projects outside of CNCF.

Super, adding you. Would you kindly read this document and comment if you have any conflicts of interest? https://github.com/cncf/tag-security/blob/main/community/assessments/guide/security-reviewer.md (I'll try to get the link fixed.)

[nyrahul]

I have read the security reviewer guidelines, and have no conflicts.

[krishnakv]

Happy to volunteer. Have read the Security Reviewer Guidelines and have no conflicts.

[gaius-qi]

@gaius-qi Okay, can you edit the info above to mention who from the dragonfly side will be the "Project Security Lead"? Please also link to the self assessment as the "Project lead provides draft document"?

@JustinCappos Hey! I have edited the issue to add the "Project Security Lead". Is this PR a "Project lead provides draft document"? Do you need me to provide other content? 😊

Thanks @nyrahul @krishnakv

[JustinCappos]

@gaius-qi Are you also going to be the Dragonfly POC throughout the joint review?

[mrcdb]

I'd be happy to be a security reviewer for this project. I have read the security reviewer guidelines and don't have any hard or soft conflicts.

[gaius-qi]

@gaius-qi Are you also going to be the Dragonfly POC throughout the joint review?

Sure

[hubbertsmith]

I am willing to be a reviewer
I have read the guidlines
I have no conflicts of interest, neither hard nor soft
[email protected]

[mnm678]

I'm willing to be the lead reviewer on this. I have no hard or soft conflicts.

[JustinCappos]

Okay, great! And away we go!

@mnm678 you're all set to kick this off with the naive questions phase...

[mnm678]

@gaius-qi Could you create a draft joint assessment for us to iterate on? Most of the content will be similar to the self assessment that you linked. Maybe in Google docs or similar format for now to allow for comments and discussion.

[nyrahul]

@gaius-qi Could you create a draft joint assessment for us to iterate on? Most of the content will be similar to the self assessment that you linked. Maybe in Google docs or similar format for now to allow for comments and discussion.

@gaius-qi , Gentle reminder.

[JustinCappos]

pinging again on this... Just want to make sure we're no dropping this issue...

[gaius-qi]

@gaius-qi Could you create a draft joint assessment for us to iterate on? Most of the content will be similar to the self assessment that you linked. Maybe in Google docs or similar format for now to allow for comments and discussion.

@gaius-qi , Gentle reminder.

@nyrahul @JustinCappos I'm sorry sir, I'm very busy with work recently. I will provide a draft joint assessment before September 28th. 🙏🙏🙏

[gaius-qi]

@mnm678 @nyrahul @JustinCappos Hey, I have finished a draft jonit assessment.