Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

External dependency release maturity #10471

Closed
htuch opened this issue Mar 20, 2020 · 20 comments · Fixed by #14334
Closed

External dependency release maturity #10471

htuch opened this issue Mar 20, 2020 · 20 comments · Fixed by #14334
Labels
area/security design proposal Needs design doc/proposal before implementation no stalebot Disables stalebot from closing an issue

Comments

@htuch
Copy link
Member

htuch commented Mar 20, 2020

I have recently been looking at our external dependencies and noticed that a number of external dependencies, e.g. https://github.com/grpc-ecosystem/grpc-httpjson-transcoding, https://github.com/google/jwt_verify_lib/, https://github.com/circonus-labs/libcircllhist, do not provide versioned releases.

I think this is a concern from a security perspective, since it is challenging to systematically monitor for new releases when security issues creep into our external dependencies. You essentially have to watch every commit. There are other problems, for example being unclear when it's safe to take a master snapshot and call it stable.

I would like to propose that we revise our security policy to disallow any new external repositories that might impact the data plane unless they show some release discipline. Basically, they should have some history of cutting releases and providing release notes. We should also downgrade the security posture of extensions relying on external repositories directly that do not have release discipline.

@envoyproxy/security-team

@htuch htuch added area/security design proposal Needs design doc/proposal before implementation labels Mar 20, 2020
@htuch
Copy link
Member Author

htuch commented Mar 20, 2020

@htuch
Copy link
Member Author

htuch commented Mar 20, 2020

Also CC @qiwzhang @kyessenov, do you folks know if you could add versioned releases and release notes to the repositories you own and pin Envoy to them? Thanks.

@kyessenov
Copy link
Contributor

google/cel-cpp#51

@moderation
Copy link
Contributor

moderation commented Mar 20, 2020

My highly manual and not scalable solution is to track all dependencies in RSS. I usually run latest commit versions of all dependencies without releases. I'll occasionally include the updates in the regular dependency update PRs I make but there has been push back in the past on updating the non-release deps.

Full list of deps that don't have releases:

So the issue is quite large.

In addition to bazel/repository_locations.bzl there are the following in api/bazel/repository_locations.bzl. OpenCensus and PGV do have releases but they are not kept current.

* Either has releases we don't use or releases not updated to required commit

@antoniovicente
Copy link
Contributor

How do we reconcile support for older Envoy releases with the need to pick up security fixes for base dependencies? We can't count on base libraries releasing fixes on a particular schedule. I think we wanted to avoid frequent updates to older releases.

Also, what can we do about existing dependencies that don't have regular releases?

@mattklein123
Copy link
Member

FYI I'm going to raise this issue with CNCF SIG-security as dependency tracking is an issue that has come up multiple times for many projects.

Also, what can we do about existing dependencies that don't have regular releases?

We probably need to start by enumerating all of our dependencies as we have started to do above, trying to get rid of as many dependencies as possible that we don't actually need, and then looking at the remainder on a case by case basis. The obvious issues here is that just because a dependency has released doesn't actually mean anything security wise so per @htuch we probably need to get some idea of what we want to see from dependencies in addition to arbitrarily snapped releases.

@htuch
Copy link
Member Author

htuch commented Mar 23, 2020

The obvious issues here is that just because a dependency has released doesn't actually mean anything security wise so per @htuch we probably need to get some idea of what we want to see from dependencies in addition to arbitrarily snapped releases.

Yep. I think snapped releases is a necessary, not sufficient condition, and a smell if missing. A more complete list of criteria for what constitutes a dependency we're willing to take would make sense.

Other things I'd like to see:

  • A security release policy (ideally in GH tab).
  • A security bug report contact address or bug system.
  • A history of having issued specific security releases.

Some of this might be hard to apply to smaller dependencies, but it's a sign of project maturity for the larger ones.

@twghu
Copy link
Contributor

twghu commented Mar 25, 2020

Wondering what is the vetting process for new dependencies.

Is there a gating procedure (apart from code reviews) that is currently in play?

  • cpe assignment
  • cna (CVE Numbering Authority, who can assign CVEs for specific dependencies)
  • transitive dependencies
  • recommendation of potential duplicity. (a new X lib provides functionality already provided by a current dependency Y)
  • security status (aka has security analysis been performed on said dependencies.

@htuch
Copy link
Member Author

htuch commented Mar 25, 2020

@twghu I think these are all good points, I will put together a strawman policy document taking this and other points above into consideration.

@moderation
Copy link
Contributor

@keith
Copy link
Member

keith commented Apr 6, 2020

Note that bazel has some upcoming license aggregation features that might help normalize some of this bazelbuild/bazel#10687

htuch added a commit to htuch/envoy that referenced this issue Aug 13, 2020
This patch introduces a set of automatically generated tables (based on repository_locations.bzl)
that enumerate the external dependencies that feature on Envoy's data/control planes, test, build, etc.

Version and CPE information is currently included. In the future, we will also have last updated,
distinguish core vs. extensions and populate with external dependency process maturity information.

Part of envoyproxy#10471

Signed-off-by: Harvey Tuch <htuch@google.com>
@htuch
Copy link
Member Author

htuch commented Aug 16, 2020

Fun fact, we now have over 60 dependencies total and over 30 on the data plane (if you include Thrift/Kafka/Wasm/LuaJIT etc.). We (Google) will be doing some work in the next few months in this area and want to help drive the policy forward. The first step is to understand what we have today, which is what #12639 is aimed at.

htuch added a commit that referenced this issue Aug 18, 2020
This patch introduces a set of automatically generated tables (based on repository_locations.bzl)
that enumerate the external dependencies that feature on Envoy's data/control planes, test, build, etc.

Version and CPE information is currently included. In the future, we will also have last updated,
distinguish core vs. extensions and populate with external dependency process maturity information.

Part of #10471. This is essentially providing a programmatic variant of #10471 (comment). Future enhancements are
tracked at #12673.

Signed-off-by: Harvey Tuch <htuch@google.com>
@htuch
Copy link
Member Author

htuch commented Aug 21, 2020

While reading https://www.linuxfoundation.org/wp-content/uploads/2020/02/oss_supply_chain_security.pdf, one thing came up that should feed into our maturity definition. While Envoy repository requires GitHub 2FA/MFA for all developers, it's unclear if this also applies to our dependencies. It seems reasonable to ask for this basic security practice in repositories we rely on given the history of developer account compromises discussed in the paper. I don't know if GH provides a mechanism to determine this programatically.

stedsome pushed a commit to stedsome/envoy that referenced this issue Aug 22, 2020
Signed-off-by: Yifan Yang <needyyang@google.com>

the introduction of post processing script

Signed-off-by: Yifan Yang <needyyang@google.com>

add the macos dependency installation

Signed-off-by: Yifan Yang <needyyang@google.com>

install macos dependency

Signed-off-by: Yifan Yang <needyyang@google.com>

comment out the slack functionality

Signed-off-by: Yifan Yang <needyyang@google.com>

introduce flaky tests

Signed-off-by: Yifan Yang <needyyang@google.com>

formatting the flaky tests

Signed-off-by: Yifan Yang <needyyang@google.com>

commentout the format checks for debugging

Signed-off-by: Yifan Yang <needyyang@google.com>

configuration

Signed-off-by: Yifan Yang <needyyang@google.com>

configuration

Signed-off-by: Yifan Yang <needyyang@google.com>

configuration

Signed-off-by: Yifan Yang <needyyang@google.com>

configuration

Signed-off-by: Yifan Yang <needyyang@google.com>

more configuration

Signed-off-by: Yifan Yang <needyyang@google.com>

debugging

Signed-off-by: Yifan Yang <needyyang@google.com>

install slack package for real

Signed-off-by: Yifan Yang <needyyang@google.com>

add_condition

Signed-off-by: Yifan Yang <needyyang@google.com>

try to install slack

Signed-off-by: Yifan Yang <needyyang@google.com>

changed find path

Signed-off-by: Yifan Yang <needyyang@google.com>

trying to locate the test result folders

Signed-off-by: Yifan Yang <needyyang@google.com>

trying to find the test folders

Signed-off-by: Yifan Yang <needyyang@google.com>

trying to find the test folders

Signed-off-by: Yifan Yang <needyyang@google.com>

trying to find the test folders

Signed-off-by: Yifan Yang <needyyang@google.com>

trying to find the test folders

Signed-off-by: Yifan Yang <needyyang@google.com>

trying to find the test folders

Signed-off-by: Yifan Yang <needyyang@google.com>

finding test files

Signed-off-by: Yifan Yang <needyyang@google.com>

finding test files

Signed-off-by: Yifan Yang <needyyang@google.com>

finding test files

Signed-off-by: Yifan Yang <needyyang@google.com>

finding test files

Signed-off-by: Yifan Yang <needyyang@google.com>

finding test files

Signed-off-by: Yifan Yang <needyyang@google.com>

finding test files

Signed-off-by: Yifan Yang <needyyang@google.com>

find the test files

Signed-off-by: Yifan Yang <needyyang@google.com>

find the test files

Signed-off-by: Yifan Yang <needyyang@google.com>

find the test files

Signed-off-by: Yifan Yang <needyyang@google.com>

find the test files

Signed-off-by: Yifan Yang <needyyang@google.com>

find the test files

Signed-off-by: Yifan Yang <needyyang@google.com>

find the test files

Signed-off-by: Yifan Yang <needyyang@google.com>

find the test files

Signed-off-by: Yifan Yang <needyyang@google.com>

find the test files

Signed-off-by: Yifan Yang <needyyang@google.com>

find the test files

Signed-off-by: Yifan Yang <needyyang@google.com>

find the test files

Signed-off-by: Yifan Yang <needyyang@google.com>

find the test files

Signed-off-by: Yifan Yang <needyyang@google.com>

python dependencies

Signed-off-by: Yifan Yang <needyyang@google.com>

python dependencies

Signed-off-by: Yifan Yang <needyyang@google.com>

python dependencies

Signed-off-by: Yifan Yang <needyyang@google.com>

python dependencies

Signed-off-by: Yifan Yang <needyyang@google.com>

python dependencies

Signed-off-by: Yifan Yang <needyyang@google.com>

python dependencies

Signed-off-by: Yifan Yang <needyyang@google.com>

python dependencies

Signed-off-by: Yifan Yang <needyyang@google.com>

testing coverage builds

Signed-off-by: Yifan Yang <needyyang@google.com>

testing coverage builds

Signed-off-by: Yifan Yang <needyyang@google.com>

try to figure out coverage builds

Signed-off-by: Yifan Yang <needyyang@google.com>

comment out slack

Signed-off-by: Yifan Yang <needyyang@google.com>

testing coverage build

Signed-off-by: Yifan Yang <needyyang@google.com>

testing coverage build

Signed-off-by: Yifan Yang <needyyang@google.com>

trying slack features

Signed-off-by: Yifan Yang <needyyang@google.com>

more formatting

Signed-off-by: Yifan Yang <needyyang@google.com>

slack

Signed-off-by: Yifan Yang <needyyang@google.com>

adding CI_Target to output msg

Signed-off-by: Yifan Yang <needyyang@google.com>

force a run

Signed-off-by: Yifan Yang <needyyang@google.com>

fuzz: added fuzz test for listener filter tls_inspector (envoyproxy#12617)

Created tls_inspector_corpus and populated with testcases (valid and invalid client hellos)

Risk Level: Low
Testing: increased function coverage of tls_inspector.cc to 100.0% and line coverage to 87.3% after running fuzzer (covers all parse states except errors related to socket read failure).
Docs Changes: N/A
Release Notes: N/A

Signed-off-by: Arthur Yan <arthuryan@google.com>

scoped_rds_integration_test migrate from api v2 to api v3. (envoyproxy#12633)

Migrate the integration test of scoped rds from api v2 to api v3. Fix a bug in scoped_rds.cc: ScopedRdsConfigSubscription should use the resource version of srds, not the resource version of rds.

Risk Level: Low

Signed-off-by: chaoqinli <chaoqinli@google.com>

add 'explicit' restriction. (envoyproxy#12643)

Commit Message: The intent, when providing Stats::Utility::counterFromElements, is that dynamic segments should be easy to construct, but still searchable. We should be trying to avoid dynamic segments whenever possible, so having them implicitly created from string data is not idea.
Additional Description:
Risk Level: none for the repo, but possibly will require trivial edits outside the repo
Testing: //test/...
Docs Changes: n/a
Release Notes: n/a

Signed-off-by: Joshua Marantz <jmarantz@google.com>

[fuzz]added an input check in writefilter fuzzer and added test cases (envoyproxy#12628)

Added a handle for nullptr in HeaderPercentageProvider::percentage to avoid crash in mongo_proxy.
Added many unit test cases into corpus so that the coverage can be improved. All those filters' coverage was increased by 20%-40%.
Signed-off-by: jianwen <jianwendong@google.com>

test: fix http_timeout_integration_test flake (envoyproxy#12654)

Fixes envoyproxy#12653

Signed-off-by: Matt Klein <mklein@lyft.com>

logger: support log control in admin interface and command line option for Fancy Logger (envoyproxy#12369)

Add log control (list and modify log level) in admin interface for Fancy Logger, a new fine-grained logger for Envoy, and provide command line option --enable-fine-grain-logging for developers.

Additional Description: A doc of overview is provided here: source/docs/fancy_logger.md.
Risk Level: Medium
Testing: Unit tests.
Docs Changes: Added a new option --enable-fine-grain-logging and doc it.
Release Notes: Added to current.rst.

Signed-off-by: Jinhui Song <jinhuisong@google.com>

Decreased the flakiness of Watchdog tests running real time system. (envoyproxy#12659)

Signed-off-by: Kevin Baichoo <kbaichoo@google.com>

test: fix ext auth flake (envoyproxy#12660)

Fixes envoyproxy#12657

Signed-off-by: Matt Klein <mklein@lyft.com>

test: deflake timer test, not completely (envoyproxy#12642)

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

test: fix ProtocolIntegrationTest.LargeRequestMethod flake (envoyproxy#12661)

Fixes envoyproxy#12484

Signed-off-by: Matt Klein <mklein@lyft.com>

Fix proto_sync.py (envoyproxy#12434)

Fix path in proto_sync.py generated comments and regenerate.

Signed-off-by: wzshiming <wzshiming@foxmail.com>

udp: Add some log when session is deleted (envoyproxy#12669)

It is very helpful for debugging.

Signed-off-by: DongRyeol Cha <dr83.cha@samsung.com>

DNS filter: set default resolver timeout (envoyproxy#12293)

Fix an ASAN failure in certain env.

Risk Level: low
Testing: n/a
Docs Changes: n/a
Release Notes: n/a
Signed-off-by: Yuchen Dai <silentdai@gmail.com>

http: remove deprecated envoy.reloadable_features.connection_header_sanitization runtime guard (envoyproxy#12500)

http: Remove deprecated envoy.reloadable_features.connection_header_sanitization runtime guard

Signed-off-by: Alvin Baptiste alvinsb@gmail.com

Commit Message: http: remove deprecated runtime guard for connection header sanitization
Risk Level: Low
Testing: bazel test //test/...
Release Notes: Added
Fixes envoyproxy#11933
Removed: envoy.reloadable_features.connection_header_sanitization

Signed-off-by: Alvin Baptiste <alvinsb@gmail.com>

Fix broken codeb lock style (envoyproxy#12667)

Fix broken code block style in docs
Signed-off-by: Takao Shibata <chise.alter.pasta@gmail.com>

lua: Manage imported public keys in stream handle (envoyproxy#12664)

This patch manages the imported public keys in the stream-handle object instead of "exposing" it as pointer through lua_pushlightuserdata while preserving the current Lua APIs.

Signed-off-by: Dhi Aurrahman <dio@tetrate.io>

lua API: add base64Escape function to stream handle (envoyproxy#12552)

This makes it easy for Lua filters to base64 escape strings without
needing to provide their own base64 helper.

Signed-off-by: Michael Puncel <mpuncel@squareup.com>

[Windows] Fixes Udp listener tests (envoyproxy#12635)

Fixes UDP listener tests on Windows by modernizing iovecToWSABUF and msghdrToWSAMSG from pointer arithmetic to c++ and makes message.msg_controllen the proper length.

Signed-off-by: Sotiris Nanopoulos <sonanopo@microsoft.com>

api: deprecate the node.listening_addresses field (envoyproxy#12691)

This was added for gRPC server support, but we've decided to use resource names instead to explicitly request the listeners we want by name. This is more in-line with the new naming scheme described in the "xDS Transport Next Steps" design.

Signed-off-by: Mark D. Roth <roth@google.com>

Fix broken reST style (envoyproxy#12668)

Signed-off-by: Takao Shibata <chise.alter.pasta@gmail.com>

Windows: Fix filesystem subscription impl tests (envoyproxy#12597)

Windows: Fix filesystem subscription impl tests

Replace dispatcher and watcher with mocks and orchestrate the test
harness to capture filesystem subscription impl file event callback and
invoke it directly. Test no longer relies on watching real filesystem
events and avoids timing discrepancies causing flakiness.

Additional Description: N/A
Risk Level: Low
Testing: Modifies unit tests, tested locally on Windows
Docs Changes: N/A
Release Notes: N/A

Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>
Co-authored-by: William A Rowe Jr <wrowe@vmware.com>

Fixes stack overflow in http inspector test (envoyproxy#12577)

Fixes stack overflow exception in HttpInspectorTest.Http1WithLargeRequestLine and makes the test faster.

Additional Description:
While I was working on level vs edge based events I observed that the test is causing a stack overflow on Windows/MSVC.

The testlist http_inspector_test now passes on Windows but it should not because it relies on Event::FileTriggerType::Edge which are not supported. This is why I did not enable it for the CI.

Risk Level: N/A
Testing: N/A
Docs Changes: N/A
Release Notes: N/A

Signed-off-by: Sotiris Nanopoulos <sonanopo@microsoft.com>

docs: external dependency dashboard. (envoyproxy#12639)

This patch introduces a set of automatically generated tables (based on repository_locations.bzl)
that enumerate the external dependencies that feature on Envoy's data/control planes, test, build, etc.

Version and CPE information is currently included. In the future, we will also have last updated,
distinguish core vs. extensions and populate with external dependency process maturity information.

Part of envoyproxy#10471. This is essentially providing a programmatic variant of envoyproxy#10471 (comment). Future enhancements are
tracked at envoyproxy#12673.

Signed-off-by: Harvey Tuch <htuch@google.com>

[fuzz]expand readfilter_fuzzer to cover mongo_proxy and mysql_proxy (envoyproxy#12612)

Added coverage for mongo_proxy and mysql_proxy
Added test cases(corpus) for them.
Signed-off-by: jianwen <jianwendong@google.com>

xds: allow updating listener back to original state (envoyproxy#12645)

since addOrUpdateListenerInternal returns early in the case of a duplicate active/warming listener being added, it means you cannot update a listener back to its original state after updating it to a warming state

consider the following sequence of actions:
* add listener_0 referencing route_config_0, make it active
* update listener_0 referencing route_config_1, keep it warming (Envoy keeps the original listener_0 active until the new warms)
* update listener_0 back to route_config_0, which should remove the warming listener and return Envoy to its initial state, so that a future addition of route_config_1 won't cause the listener to change to that state, but right now it doesn't make a small change in listener_manager_impl.cc to allow this to happen

update xds_verifier.cc and add a unit test for this case

Risk Level: Medium
Testing: Passes existing fuzz corpora and a few minutes on libfuzzer, passes ads_integration_test and lds_api_test
Docs Changes: N/A
Release Notes: N/A
Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=24888

Signed-off-by: Sam Flattery <samflattery@google.com>

ci: refactor docker ci script and enable docker job in presubmit (envoyproxy#12662)

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

[test] using reserve and commit in watermark_buffer overflow high value test (envoyproxy#12494)

Improving the test by avoiding actual copying of bytes, but just reserving and committing slices.

Signed-off-by: Adi Suissa-Peleg <adip@google.com>

Greenlight and reclassify //test/... with the current progress for Windows (envoyproxy#12695)

Co-authored-by: William A Rowe Jr <wrowe@vmware.com>
Co-authored-by: Sunjay Bhatia <sunjayb@vmware.com>
Signed-off-by: William A Rowe Jr <wrowe@vmware.com>
Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>

hds: group endpoint health response by cluster and locality (envoyproxy#12452)

Currently, the health discovery service takes a specifier with information about which endpoints to perform health checks on, which already supports information about cluster structure and locality information. However, when when forming a response holding endpoint health information, all notion of cluster or locality is dropped and endpoint information is stored in a flat list. This is problematic when there are several endpoints with the same address or port but with a different locality, cluster, or path.

This PR uses the previous proto change in Issue envoyproxy#12153 which added support for grouping endpoint health information by their respective cluster and locality.

Risk Level: Low
Testing: Added a unit test in test/common/upstream/hds_test, which sends a specifier to HdsDelegate with several clusters, localties, and endpoints. It then verifies that the response holds the same structure. Existing integration tests were also changed to check for the new proto structure, specifically ones that already group several endpoints by differing clusters or localities.

Signed-off-by: Drew S. Ortega <drewortega@google.com>

network: socket and address build cleanup (envoyproxy#12710)

- split socket interface from socket
- add default socket interface library
- move io handle to default socket interface library from address

Signed-off-by: Florin Coras <fcoras@cisco.com>

thrift: envoy_cc_test -> envoy_extension_cc_test (envoyproxy#12697)

Signed-off-by: Roelof DuToit <roelof.dutoit@broadcom.com>

test: Add test socket interface that allows overriding IoHandle behavior (envoyproxy#12528)

Add test socket interface that allows overriding IoHandle behavior of accepted sockets.
Change flood tests to use exact frame counts needed for flooding.
Fix DATA frame flood test.

Signed-off-by: Yan Avlasov <yavlasov@google.com>

fix main branch merge issue (envoyproxy#12722)

Signed-off-by: Florin Coras <fcoras@cisco.com>

ci: fix VRP image push (envoyproxy#12715)

Signed-off-by: Lizan Zhou <lizan@tetrate.io>

cosmetic changes

Signed-off-by: Yifan Yang <needyyang@google.com>

add a flaky test in macOS build

Signed-off-by: Yifan Yang <needyyang@google.com>

add a flaky test in macOS build

Signed-off-by: Yifan Yang <needyyang@google.com>

changed the flaky test

Signed-off-by: Yifan Yang <needyyang@google.com>

changed the flaky test

Signed-off-by: Yifan Yang <needyyang@google.com>

have a wrapper script

Signed-off-by: Yifan Yang <needyyang@google.com>

trying necessary dependencies

Signed-off-by: Yifan Yang <needyyang@google.com>

trying necessary dependencies

Signed-off-by: Yifan Yang <needyyang@google.com>

testing python dependencies

Signed-off-by: Yifan Yang <needyyang@google.com>

add a shell script wrapper and use python_venv

Signed-off-by: Yifan Yang <needyyang@google.com>

moved functionality into do_ci.sh and added the hyperlink

Signed-off-by: Yifan Yang <needyyang@google.com>

moved functionality into do_ci.sh and added the hyperlink

Signed-off-by: Yifan Yang <needyyang@google.com>

put it out of ci_do.sh

Signed-off-by: Yifan Yang <needyyang@google.com>

put it out of ci_do.sh

Signed-off-by: Yifan Yang <needyyang@google.com>

put it out of ci_do.sh

Signed-off-by: Yifan Yang <needyyang@google.com>

ci_do.sh

Signed-off-by: Yifan Yang <needyyang@google.com>

ci_do.sh

Signed-off-by: Yifan Yang <needyyang@google.com>

ci_do.sh

Signed-off-by: Yifan Yang <needyyang@google.com>

more setup

Signed-off-by: Yifan Yang <needyyang@google.com>

more setup

Signed-off-by: Yifan Yang <needyyang@google.com>

more setup

Signed-off-by: Yifan Yang <needyyang@google.com>

more setup

Signed-off-by: Yifan Yang <needyyang@google.com>

more setup

Signed-off-by: Yifan Yang <needyyang@google.com>

more setup

Signed-off-by: Yifan Yang <needyyang@google.com>

more setup

Signed-off-by: Yifan Yang <needyyang@google.com>

test hyperlink

Signed-off-by: Yifan Yang <needyyang@google.com>

installing with py3

Signed-off-by: Yifan Yang <needyyang@google.com>

making it work

Signed-off-by: Yifan Yang <needyyang@google.com>

pass the CI-target in

Signed-off-by: Yifan Yang <needyyang@google.com>

changing the search path

Signed-off-by: Yifan Yang <needyyang@google.com>

changing the search path

Signed-off-by: Yifan Yang <needyyang@google.com>

add a set to keep track of seen problem

Signed-off-by: Yifan Yang <needyyang@google.com>

fix of something stupid

Signed-off-by: Yifan Yang <needyyang@google.com>

add some comments and retry arm64

Signed-off-by: Yifan Yang <needyyang@google.com>

getting it ready for shipping

Signed-off-by: Yifan Yang <needyyang@google.com>

format

Signed-off-by: Yifan Yang <needyyang@google.com>

more format

Signed-off-by: Yifan Yang <needyyang@google.com>

format

Signed-off-by: Yifan Yang <needyyang@google.com>

try again with arm64

Signed-off-by: Yifan Yang <needyyang@google.com>

testing arm build

Signed-off-by: Yifan Yang <needyyang@google.com>

update requirement for arm

Signed-off-by: Yifan Yang <needyyang@google.com>

trying out arm dependencies

Signed-off-by: Yifan Yang <needyyang@google.com>

debugging

Signed-off-by: Yifan Yang <needyyang@google.com>

opting out of arm arch for now

Signed-off-by: Yifan Yang <needyyang@google.com>

cleanup

Signed-off-by: Yifan Yang <needyyang@google.com>

commentout formatting for faster builds

Signed-off-by: Yifan Yang <needyyang@google.com>

upgrading setuptools

Signed-off-by: Yifan Yang <needyyang@google.com>

dependency

Signed-off-by: Yifan Yang <needyyang@google.com>

dependency

Signed-off-by: Yifan Yang <needyyang@google.com>

dependency

Signed-off-by: Yifan Yang <needyyang@google.com>

dependency

Signed-off-by: Yifan Yang <needyyang@google.com>

dependency

Signed-off-by: Yifan Yang <needyyang@google.com>

dependency

Signed-off-by: Yifan Yang <needyyang@google.com>

dependency

Signed-off-by: Yifan Yang <needyyang@google.com>

dependency

Signed-off-by: Yifan Yang <needyyang@google.com>

sanity check

Signed-off-by: Yifan Yang <needyyang@google.com>
htuch added a commit that referenced this issue Sep 9, 2020
This will apply to all changes to external dependencies in future PRs.

Part of #10471

Signed-off-by: Harvey Tuch <htuch@google.com>
@htuch
Copy link
Member Author

htuch commented Oct 5, 2020

https://bestpractices.coreinfrastructure.org/en/criteria/0 is a pretty decent list of best practices we could build on.

@htuch
Copy link
Member Author

htuch commented Oct 8, 2020

@htuch
Copy link
Member Author

htuch commented Nov 10, 2020

The OSSF Scorecards project just released some automatable checks, see https://github.com/ossf/scorecard#checks. This seems like a good baseline to adopt.

@htuch
Copy link
Member Author

htuch commented Nov 19, 2020

I've put together a proposal for discussion at https://docs.google.com/document/d/1HbREo7pv7rgeIIjQn6mNpySzQE5rx2Yv9dXm5NqR2N8/edit#, feedback and further input welcome.

@htuch
Copy link
Member Author

htuch commented Nov 23, 2020

@envoyproxy/dependency-shepherds have reviewed #10471 (comment), it might be also a good idea to get feedback from @envoyproxy/maintainers on this proposal as it has implications for future dependencies as well as existing ones.

@htuch
Copy link
Member Author

htuch commented Nov 25, 2020

I've run OSSF Scorecard criteria that we might adopt against all of the eligible deps, results at https://docs.google.com/spreadsheets/d/1caO4qMmG8o5i2nGoEof1qMpD5_WicfiC5WcxA_5isTY/edit#gid=0.

htuch added a commit that referenced this issue Nov 26, 2020
This script runs https://github.com/ossf/scorecard against the runtime Envoy deps. The criteria for
use_category and scorecard selection are described at
https://docs.google.com/document/d/1HbREo7pv7rgeIIjQn6mNpySzQE5rx2Yv9dXm5NqR2N8/edit#heading=h.xnpvc6pk0h0v.

Example output is at
https://docs.google.com/spreadsheets/d/1caO4qMmG8o5i2nGoEof1qMpD5_WicfiC5WcxA_5isTY/edit#gid=0.

The goal will be to evolve this script to help generate and validate metadata describing dependency
conformance.

Part of #10471.

Signed-off-by: Harvey Tuch <htuch@google.com>
@htuch
Copy link
Member Author

htuch commented Dec 3, 2020

Feedback has been incorporated in https://docs.google.com/document/d/1HbREo7pv7rgeIIjQn6mNpySzQE5rx2Yv9dXm5NqR2N8/edit#. I'm wondering if there is anything else left before we can turn this into plan-of-record and start building out metadata/tooling for enforcement?

htuch added a commit to htuch/envoy that referenced this issue Dec 8, 2020
This patch converts
https://docs.google.com/document/d/1HbREo7pv7rgeIIjQn6mNpySzQE5rx2Yv9dXm5NqR2N8/edit#
to Markdown and provides a PR-based review of the policy, following
discussion in the doc and various offline threads.

Fixes envoyproxy#10471

Signed-off-by: Harvey Tuch <htuch@google.com>
htuch added a commit that referenced this issue Dec 11, 2020
This patch converts
https://docs.google.com/document/d/1HbREo7pv7rgeIIjQn6mNpySzQE5rx2Yv9dXm5NqR2N8/edit#
to Markdown and provides a PR-based review of the policy, following
discussion in the doc and various offline threads.

Fixes #10471

Signed-off-by: Harvey Tuch <htuch@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/security design proposal Needs design doc/proposal before implementation no stalebot Disables stalebot from closing an issue
Projects
None yet
Development

Successfully merging a pull request may close this issue.

7 participants