steveloughran commented on PR #16538: URL: https://github.com/apache/iceberg/pull/16538#issuecomment-4579026589
This is good; I do think the ASF needs some templates here for the security models (file formats, servers/services, databases, cluster workload engines). This is a good example of one. I'm working on one elsewhere where I've added developers and CI into the model, as supply chain attacks are things we want audits to pick up, and as instructions to agents. Again, something we really need some ASF-wide templates to get started with. There is a security-discuss list for these topics, though it's pretty quiet right now.

---

### Development Environment Threat Model

The project is built on developer systems, and in CI systems. The threat model includes the risk of subverted GitHub Actions and build tooling.

* git checksum references MUST be made to GitHub actions, rather than tags; include the version as a comment so Dependabot will track and maintain them.
* [Zizmor](https://zizmor.sh/) SHALL be used to audit GHAs.
* GHA triggers on PRs MUST NOT be triggers which provide unrestricted GitHub tokens to the actions. For example, there MUST NOT be `pull_request_target`, `workflow_run`, or `issue_comment` triggers.
* GitHub Actions SHALL follow GitHub's [secure use](https://docs.github.com/en/actions/reference/security/secure-use) guidelines, and in particular use [Intermediate Environment Variables](https://docs.github.com/en/actions/reference/security/secure-use#use-an-intermediate-environment-variable) to safely process untrusted inputs.
* All inputs from pull requests, including titles, comments, authors and code SHALL be considered untrusted.

The CI build output will be publicly visible, so the threat model includes:

- unobfuscated logging of any cloud credentials provided by CI runs.
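The three workflow rules in the comment above (SHA-pinned actions with a version comment, no `pull_request_target` / `workflow_run` / `issue_comment` triggers on PR workflows, and event data passed through an intermediate environment variable rather than interpolated into `run:`) can be checked mechanically. The script below is an added example, not part of the comment or of the Iceberg project: it embeds a constructed weak workflow beside a hardened rewrite of it and audits both with a small line-based scan, so it needs no YAML library. The 40-zero commit SHA in the hardened sample is a placeholder, not a real `actions/checkout` commit.

```python
import re

# Constructed sample: a PR workflow showing all three problems the comment calls out.
WEAK_WORKFLOW = """\
name: pr-check
on:
  pull_request_target:
    types: [opened, synchronize]
  issue_comment:
    types: [created]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Echo title
        run: echo "PR title: ${{ github.event.pull_request.title }}"
"""

# Constructed sample: the same job hardened. The SHA is a placeholder, not a real commit.
HARDENED_WORKFLOW = """\
name: pr-check
on:
  pull_request:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.2.2 (placeholder SHA)
      - name: Echo title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $PR_TITLE"
"""

# Triggers named in the comment: they run with a write-capable token on PR-controlled input.
PRIVILEGED_TRIGGERS = {"pull_request_target", "workflow_run", "issue_comment"}

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)@(\S+)(?:\s*#\s*(\S.*))?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Expressions whose value is attacker-controlled when the event comes from a PR.
EVENT_EXPR_RE = re.compile(r"\$\{\{\s*github\.(?:event\.|head_ref)")


def unpinned_actions(workflow):
    """Return (line, action, reason) for `uses:` refs that are not a full SHA plus version comment."""
    findings = []
    for lineno, line in enumerate(workflow.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.groups()
        if action.startswith("./") or action.startswith("docker://"):
            continue  # local or container actions are not tag-resolvable references
        if not SHA_RE.match(ref):
            findings.append((lineno, action, f"ref {ref!r} is not a full commit SHA"))
        elif not comment:
            findings.append((lineno, action, "pinned SHA lacks a version comment for Dependabot"))
    return findings


def declared_triggers(workflow):
    """Collect the event names under the top-level `on:` key (mapping, list or inline form)."""
    lines = workflow.splitlines()
    triggers = []
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline:  # on: push   or   on: [push, pull_request]
            triggers.extend(t.strip() for t in inline.strip("[]").split(",") if t.strip())
            break
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            indent = len(nxt) - len(nxt.lstrip(" "))
            if indent == 0:
                break  # next top-level key ends the `on:` block
            if indent == 2 and nxt.rstrip().endswith(":"):
                triggers.append(nxt.strip().rstrip(":"))
            elif indent == 2 and nxt.strip().startswith("- "):
                triggers.append(nxt.strip()[2:].strip())
        break
    return triggers


def privileged_triggers(workflow):
    return [t for t in declared_triggers(workflow) if t in PRIVILEGED_TRIGGERS]


def inline_event_expressions(workflow):
    """Line numbers of `run:` scripts that expand github.event.* / github.head_ref directly."""
    findings = []
    run_indent = None  # indent of the `run: |` key while inside its block scalar
    for lineno, line in enumerate(workflow.splitlines(), 1):
        stripped = line.lstrip(" ")
        indent = len(line) - len(stripped)
        if run_indent is not None and stripped and indent <= run_indent:
            run_indent = None  # dedent ends the block scalar
        if run_indent is not None:
            if EVENT_EXPR_RE.search(line):
                findings.append(lineno)
            continue
        m = re.match(r"^(?:-\s+)?run:\s*(.*)$", stripped)
        if not m:
            continue
        body = m.group(1)
        if body in ("|", ">", "|-", ">-"):
            run_indent = indent
        elif EVENT_EXPR_RE.search(body):
            findings.append(lineno)
    return findings


def audit(workflow):
    """Human-readable findings for one workflow file; empty list means all three rules hold."""
    findings = [f"trigger {t!r} runs PR-controlled code with a write-capable token"
                for t in privileged_triggers(workflow)]
    findings += [f"line {n}: {a}: {why}" for n, a, why in unpinned_actions(workflow)]
    findings += [f"line {n}: run step interpolates event data directly; pass it via env"
                 for n in inline_event_expressions(workflow)]
    return findings


if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {name}: {len(audit(wf))} finding(s)")
        for f in audit(wf):
            print("  -", f)
```

The scan is deliberately narrow: it treats only the three rules from the comment and knows nothing about reusable workflows or `workflow_call` inputs, which is why the comment recommends Zizmor for a real audit. The hardened sample also adds a read-only `permissions:` block, which is a common companion to dropping the privileged triggers but is not one of the comment's stated rules.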
