From 3c1c062b7c7973a43e33acbe92701fed93e1dd85 Mon Sep 17 00:00:00 2001 From: Stephen Curran Date: Mon, 19 Jun 2023 22:21:43 +0000 Subject: [PATCH 1/2] Updates to the README and other Admin files in the repository Signed-off-by: Stephen Curran --- CODE_OF_CONDUCT.md | 166 +++++++++++++++++++++++++++++++++++++++++++++ MAINTAINERS.md | 129 ++++++++++++++++++++++++----------- README.md | 69 +++++++++++++++++-- SECURITY.md | 19 ++++++ 4 files changed, 337 insertions(+), 46 deletions(-) create mode 100644 CODE_OF_CONDUCT.md create mode 100644 SECURITY.md diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 000000000..82defcd4c --- /dev/null +++ b/CODE_OF_CONDUCT.md 
@@ -0,0 +1,166 @@ +# [Hyperledger Code of Conduct](https://wiki.hyperledger.org/community/hyperledger-project-code-of-conduct) + +Hyperledger is a collaborative project at The Linux Foundation. It is an open-source and open +community project where participants choose to work together, and in that process experience +differences in language, location, nationality, and experience. In such a diverse environment, +misunderstandings and disagreements happen, which in most cases can be resolved informally. In rare +cases, however, behavior can intimidate, harass, or otherwise disrupt one or more people in the +community, which Hyperledger will not tolerate. + +A **Code of Conduct** is useful to define accepted and acceptable behaviors and to promote high +standards of professional practice. It also provides a benchmark for self evaluation and acts as a +vehicle for better identity of the organization. + +This code (**CoC**) applies to any member of the Hyperledger community – developers, participants in +meetings, teleconferences, mailing lists, conferences or functions, etc. Note that this code +complements rather than replaces legal rights and obligations pertaining to any particular +situation. + +## Statement of Intent + +Hyperledger is committed to maintain a **positive** [work environment](#work-environment). This +commitment calls for a workplace where [participants](#participant) at all levels behave according +to the rules of the following code. A foundational concept of this code is that we all share +responsibility for our work environment. + +## Code + +1. Treat each other with [respect](#respect), professionalism, fairness, and sensitivity to our many + differences and strengths, including in situations of high pressure and urgency. + +2. Never [harass](#harassment) or [bully](#workplace-bullying) anyone verbally, physically or + [sexually](#sexual-harassment). + +3. 
Never [discriminate](#discrimination) on the basis of personal characteristics or group + membership. + +4. Communicate constructively and avoid [demeaning](#demeaning-behavior) or + [insulting](#insulting-behavior) behavior or language. + +5. Seek, accept, and offer objective work criticism, and [acknowledge](#acknowledgement) properly + the contributions of others. + +6. Be honest about your own qualifications, and about any circumstances that might lead to conflicts + of interest. + +7. Respect the privacy of others and the confidentiality of data you access. + +8. With respect to cultural differences, be conservative in what you do and liberal in what you + accept from others, but not to the point of accepting disrespectful, unprofessional or unfair or + [unwelcome behavior](#unwelcome-behavior) or [advances](#unwelcome-sexual-advance). + +9. Promote the rules of this Code and take action (especially if you are in a + [leadership position](#leadership-position)) to bring the discussion back to a more civil level + whenever inappropriate behaviors are observed. + +10. Stay on topic: Make sure that you are posting to the correct channel and avoid off-topic + discussions. Remember when you update an issue or respond to an email you are potentially + sending to a large number of people. + +11. Step down considerately: Members of every project come and go, and the Hyperledger is no + different. When you leave or disengage from the project, in whole or in part, we ask that you do + so in a way that minimizes disruption to the project. This means you should tell people you are + leaving and take the proper steps to ensure that others can pick up where you left off. + +## Glossary + +### Demeaning Behavior + +is acting in a way that reduces another person's dignity, sense of self-worth or respect within the +community. 
+ +### Discrimination + +is the prejudicial treatment of an individual based on criteria such as: physical appearance, race, +ethnic origin, genetic differences, national or social origin, name, religion, gender, sexual +orientation, family or health situation, pregnancy, disability, age, education, wealth, domicile, +political view, morals, employment, or union activity. + +### Insulting Behavior + +is treating another person with scorn or disrespect. + +### Acknowledgement + +is a record of the origin(s) and author(s) of a contribution. + +### Harassment + +is any conduct, verbal or physical, that has the intent or effect of interfering with an individual, +or that creates an intimidating, hostile, or offensive environment. + +### Leadership Position + +includes group Chairs, project maintainers, staff members, and Board members. + +### Participant + +includes the following persons: + +- Developers +- Member representatives +- Staff members +- Anyone from the Public partaking in the Hyperledger work environment (e.g. contribute code, + comment on our code or specs, email us, attend our conferences, functions, etc) + +### Respect + +is the genuine consideration you have for someone (if only because of their status as participant in +Hyperledger, like yourself), and that you show by treating them in a polite and kind way. + +### Sexual Harassment + +includes visual displays of degrading sexual images, sexually suggestive conduct, offensive remarks +of a sexual nature, requests for sexual favors, unwelcome physical contact, and sexual assault. + +### Unwelcome Behavior + +Hard to define? Some questions to ask yourself are: + +- how would I feel if I were in the position of the recipient? +- would my spouse, parent, child, sibling or friend like to be treated this way? +- would I like an account of my behavior published in the organization's newsletter? +- could my behavior offend or hurt other members of the work group? 
+- could someone misinterpret my behavior as intentionally harmful or harassing? +- would I treat my boss or a person I admire at work like that ? +- Summary: if you are unsure whether something might be welcome or unwelcome, don't do it. + +### Unwelcome Sexual Advance + +includes requests for sexual favors, and other verbal or physical conduct of a sexual nature, where: + +- submission to such conduct is made either explicitly or implicitly a term or condition of an + individual's employment, +- submission to or rejection of such conduct by an individual is used as a basis for employment + decisions affecting the individual, +- such conduct has the purpose or effect of unreasonably interfering with an individual's work + performance or creating an intimidating hostile or offensive working environment. + +### Workplace Bullying + +is a tendency of individuals or groups to use persistent aggressive or unreasonable behavior (e.g. +verbal or written abuse, offensive conduct or any interference which undermines or impedes work) +against a co-worker or any professional relations. + +### Work Environment + +is the set of all available means of collaboration, including, but not limited to messages to +mailing lists, private correspondence, Web pages, chat channels, phone and video teleconferences, +and any kind of face-to-face meetings or discussions. + +## Incident Procedure + +To report incidents or to appeal reports of incidents, send email to Mike Dolan +(mdolan@linuxfoundation.org) or Angela Brown (angela@linuxfoundation.org). Please include any +available relevant information, including links to any publicly accessible material relating to the +matter. Every effort will be taken to ensure a safe and collegial environment in which to +collaborate on matters relating to the Project. 
In order to protect the community, the Project +reserves the right to take appropriate action, potentially including the removal of an individual +from any and all participation in the project. The Project will work towards an equitable resolution +in the event of a misunderstanding. + +## Credits + +This code is based on the +[W3C’s Code of Ethics and Professional Conduct](https://www.w3.org/Consortium/cepc) with some +additions from the [Cloud Foundry](https://www.cloudfoundry.org/)‘s Code of Conduct. \ No newline at end of file diff --git a/MAINTAINERS.md b/MAINTAINERS.md index e292845fa..91ceeecc9 100644 --- a/MAINTAINERS.md +++ b/MAINTAINERS.md 
@@ -1,55 +1,92 @@ # Maintainers +## Maintainer Scopes, GitHub Roles and GitHub Teams + +Maintainers are assigned the following scopes in this repository: + +| Scope | Definition | GitHub Role | GitHub Team | +| ---------- | ------------------------ | ----------- | ----------------------------------- | +| Admin | | Admin | [aries-admins] | +| Maintainer | The GitHub Maintain role | Maintain | [aries-askar committers] | +| Maintainer | The GitHub Maintain role | Maintain | [aries committers] | +| Read | The GitHub Read role | Read | [Aries Contributors] | +| Read | The GitHub Read role | Read | [TOC] | + +[aries-admins]: https://github.com/orgs/hyperledger/teams/aries-admins +[aries-cloudagent-python committers]: https://github.com/orgs/hyperledger/teams/aries-cloudagent-python-committers +[aries-askar committers]: https://github.com/orgs/hyperledger/teams/aries-askar-committers +[Aries Contributors]: https://github.com/orgs/hyperledger/teams/aries-contributors +[TOC]: https://github.com/orgs/hyperledger/teams/toc + ## Active Maintainers -| Name | Github | LFID | -| ---------------- | ---------------- | ---------------- | -| Andrew Whitehead | andrewwhitehead | | -| Berend Sliedrecht | blu3beri | | -| Ian Costanzo | ianco | | -| Wade Barnes | WadeBarnes | | +| GitHub ID | Name | Scope | LFID | Discord ID | Email | Company Affiliation | +| --------------- | ----------------- | ---------- | ---- | ---------- | ------------------------ | ------------------- | +| andrewwhitehead | Andrew Whitehead | Admin | | | cywolf@gmail.com | BC Gov | +| dbluhm | Daniel Bluhm | Admin | | | daniel@indicio.tech | Indicio PBC | +| blu3beri | Berend Sliedrecht | Maintainer | | | berend@animo.id | Animo Solutions | +| dh1128 | Daniel Hardman | Admin | | | daniel.hardman@gmail.com | Provident | +| ianco | Ian Costanzo | Maintainer | | | iancostanzo@gmail.com | Anon Solutions | +| nage | Nathan George | Maintainer | | | nathang@kiva.org | Kiva | +| swcurran | Stephen Curran | Admin | | | 
swcurran@cloudcompass.ca | BC Gov | +| WadeBarnes | Wade Barnes | Admin | | | wade@neoterictech.ca | BC Gov | ## Emeritus Maintainers -| Name | Github | LFID | -|--------------|---------|---------| -| | | | +| Name | GitHub ID | Scope | LFID | Discord ID | Email | Company Affiliation | +|----- | --------- | ----- | ---- | ---------- | ----- | ------------------- | +| | | | | | | | + +## The Duties of a Maintainer + +Maintainers are expected to perform the following duties for this repository. The duties are listed in more or less priority order: + +- Review, respond, and act on any security vulnerabilities reported against the repository. +- Review, provide feedback on, and merge or reject GitHub Pull Requests from + Contributors. +- Review, triage, comment on, and close GitHub Issues + submitted by Contributors. +- When appropriate, lead/facilitate architectural discussions in the community. +- When appropriate, lead/facilitate the creation of a product roadmap. +- Create, clarify, and label issues to be worked on by Contributors. +- Ensure that there is a well defined (and ideally automated) product test and + release pipeline, including the publication of release artifacts. +- When appropriate, execute the product release process. +- Maintain the repository CONTRIBUTING.md file and getting started documents to + give guidance and encouragement to those wanting to contribute to the product, and those wanting to become maintainers. +- Contribute to the product via GitHub Pull Requests. +- Monitor requests from the Hyperledger Technical Oversight Committee about the +contents and management of Hyperledger repositories, such as branch handling, +required files in repositories and so on. +- Contribute to the Hyperledger Project's Quarterly Report. ## Becoming a Maintainer -The Aries Askar community welcomes contributions. Contributors may progress to become a -maintainer. To become a maintainer the following steps occur, roughly in order. 
- -- 5 significant changes have been authored by the proposed maintainer and - accepted. -- The proposed maintainer has the sponsorship of at least one other maintainer. - - This sponsoring maintainer will create a PR modifying the list of - maintainers. - - The proposed maintainer accepts the nomination and expresses a willingness - to be a long-term (more than 6 month) committer. - - This would be a comment in the above PR. - - This PR will be communicated in all appropriate communication channels. It - should be mentioned in any maintainer/community call. It should also be - posted to the appropriate mailing list or chat channels if they exist. -- Approval by at least 3 current maintainers within two weeks of the proposal or - an absolute majority of current maintainers. - - These votes will be recorded in the PR modifying the list of maintainers. -- No veto by another maintainer within two weeks of proposal are recorded. - - All vetoes must be accompanied by a public explanation as a comment in the - PR for adding this maintainer - - The explanation of the veto must be reasonable. - - A veto can be retracted, in that case the approval/veto timeframe is reset. - - It is bad form to veto, retract, and veto again. -- The proposed maintainer becomes a maintainer - - Either two weeks have passed since the third approval, - - Or an absolute majority of maintainers approve. - - In either case, no maintainer presents a veto. +This community welcomes contributions. Interested contributors are encouraged to +progress to become maintainers. To become a maintainer the following steps +occur, roughly in order. + +- The proposed maintainer establishes their reputation in the community, + including authoring five (5) significant merged pull requests, and expresses + an interest in becoming a maintainer for the repository. +- A PR is created to update this file to add the proposed maintainer to the list of active maintainers. 
+- The PR is authored by an existing maintainer or has a comment on the PR from an existing maintainer supporting the proposal. +- The PR is authored by the proposed maintainer or has a comment on the PR from the proposed maintainer confirming their interest in being a maintainer. + - The PR or comment from the proposed maintainer must include their + willingness to be a long-term (more than 6 month) maintainer. +- Once the PR and necessary comments have been received, an approval timeframe begins. +- The PR **MUST** be communicated on all appropriate communication channels, including relevant community calls, chat channels and mailing lists. Comments of support from the community are welcome. +- The PR is merged and the proposed maintainer becomes a maintainer if either: + - Two weeks have passed since at least three (3) Maintainer PR approvals have been recorded, OR + - An absolute majority of maintainers have approved the PR. +- If the PR does not get the requisite PR approvals, it may be closed. +- Once the add maintainer PR has been merged, any necessary updates to the GitHub Teams are made. ## Removing Maintainers -Being a maintainer is not a status symbol or a title to be maintained +Being a maintainer is not a status symbol or a title to be carried indefinitely. It will occasionally be necessary and appropriate to move a maintainer to emeritus status. This can occur in the following situations: 
@@ -57,14 +94,24 @@ maintainer to emeritus status. This can occur in the following situations: - Violation of the Code of Conduct warranting removal. - Inactivity. - A general measure of inactivity will be no commits or code review comments - for one reporting quarter, although this will not be strictly enforced if + for one reporting quarter. This will not be strictly enforced if the maintainer expresses a reasonable intent to continue contributing. - Reasonable exceptions to inactivity will be granted for known long term leave such as parental leave and medical leave. -- Other unspecified circumstances. +- Other circumstances at the discretion of the other Maintainers. + +The process to move a maintainer from active to emeritus status is comparable to the process for adding a maintainer, outlined above. In the case of voluntary +resignation, the Pull Request can be merged following a maintainer PR approval. If the removal is for any other reason, the following steps **SHOULD** be followed: -Like adding a maintainer the record and governance process for moving a -maintainer to emeritus status is recorded in the github PR making that change. +- A PR is created to update this file to move the maintainer to the list of emeritus maintainers. +- The PR is authored by, or has a comment supporting the proposal from, an existing maintainer or Hyperledger GitHub organization administrator. +- Once the PR and necessary comments have been received, the approval timeframe begins. +- The PR **MAY** be communicated on appropriate communication channels, including relevant community calls, chat channels and mailing lists. +- The PR is merged and the maintainer transitions to maintainer emeritus if: + - The PR is approved by the maintainer to be transitioned, OR + - Two weeks have passed since at least three (3) Maintainer PR approvals have been recorded, OR + - An absolute majority of maintainers have approved the PR. 
+- If the PR does not get the requisite PR approvals, it may be closed. Returning to active status from emeritus status uses the same steps as adding a new maintainer. Note that the emeritus maintainer already has the 5 required diff --git a/README.md b/README.md index 9d3ba2024..de6a19d29 100644 --- a/README.md +++ b/README.md 
@@ -5,15 +5,70 @@ [![Rust Documentation](https://docs.rs/aries-askar/badge.svg)](https://docs.rs/aries-askar) [![Python Package](https://img.shields.io/pypi/v/aries_askar)](https://pypi.org/project/aries-askar/) -Secure storage and cryptographic support designed for Hyperledger Aries agents. +Aries Askar is a secure (encrypted at rest) storage and a key management service +suitable for use with [Hyperledger Aries] agents and possibly other digital +trust agents. Askar is a re-implementation (with lessons learned!) of the +[indy-wallet] part of the [Hyperledger Indy SDK]. Askar has been demonstrated to +be more performant and stable than the Indy SDK when under comparable load. + +Askar has a pluggable storage interface that currently supports in-memory (for +testing only), [SQLite] and [PostgreSQL] databases. For details about the +storage scheme used in Askar, please this [storage] overview in the `docs` +folder. + +Askar is implemented in Rust and this repository contains Askar wrappers for +Askar JavaScript and Python, reflecting the key Aries frameworks that embed +Askar, [Aries Framework JavaScript] and [Aries Cloud Agent Python]. Other +wrappers are welcome, although there is some debate as to whether the wrappers +should be within this repository or in their own repository. + +The name Askar (from the Arabic askar, meaning “guard” or “soldier”) is used +because of the "guard" reference, and because it is an alternate name for the +star [Hamal in the constellation of Aries], the 50th brightest star in our sky. 
+ +[Hyperledger Aries]: https://www.hyperledger.org/projects/aries +[indy-wallet]: https://github.com/hyperledger/indy-sdk/tree/main/libindy/indy-wallet +[Hyperledger Indy SDK]: https://github.com/hyperledger/indy-sdk +[SQLite]: https://www.sqlite.org/index.html +[PostgreSQL]: https://www.postgresql.org/ +[storage]: /docs/storage.md +[Aries Framework JavaScript]: https://github.com/hyperledger/aries-framework-javascript +[Aries Cloud Agent Python]: https://github.com/hyperledger/aries-cloudagent-python +[Hamal in the constellation of Aries]: https://www.star-facts.com/hamal/ + +## Askar Concepts Borrowed from the indy-wallet Implementation + +As noted above, Askar is a re-implementation (with lessons learned!) of the +[indy-wallet] part of the [Hyperledger Indy SDK]. As such, a number of the +concept documents written about [indy-wallet] apply similarly to Askar. These +are linked here: + +* [Encryption and storage passphrases](https://github.com/hyperledger/indy-sdk/blob/main/docs/concepts/default-wallet.md) +* [Object Storage](https://github.com/hyperledger/indy-sdk/blob/main/docs/design/003-wallet-storage/README.md) +* [Storage Import/Export](https://github.com/hyperledger/indy-sdk/blob/main/docs/design/009-wallet-export-import/README.md) + +> **To Do**: These documents should be copied to this repository and updated +> specifically for the Askar implementation. + +## Migrating to Aries Askar + +If you have an implementation of Aries that is currently based on the [Hyperledger Indy SDK], there are migration tools +built into Askar. The use of these tools is demonstrated in the [Aries Cloud Agent Python] migration tool that can be +found in the [aries-acapy-tools] repository. 
+ +[aries-acapy-tools]: https://github.com/hyperledger/aries-acapy-tools ## Credit -The initial implementation of `aries-askar` was developed by the Verifiable Organizations Network (VON) team based at the Province of British Columbia, and inspired by the wallet design within [Hyperledger Indy-SDK](https://github.com/hyperledger/indy-sdk). To learn more about VON and what's happening with decentralized identity in British Columbia, please go to [https://vonx.io](https://vonx.io). +The initial implementation of `aries-askar` was developed by the Digital Trust +team within the Province of British Columbia, and inspired by the wallet design +within [Hyperledger Indy SDK]. To learn +more about BC's Digital Trust Team, and what's happening with decentralized identity in British +Columbia, please go to [Digital Trust website](https://digital.gov.bc.ca/digital-trust/). ## Contributing -Pull requests are welcome! Please read our [contributions guide](https://github.com/hyperledger/aries-askar/blob/master/CONTRIBUTING.md) and submit your PRs. We enforce [developer certificate of origin](https://developercertificate.org/) (DCO) commit signing. See guidance [here](https://github.com/apps/dco). +Pull requests are welcome! Please read our [contributions guide](https://github.com/hyperledger/aries-askar/blob/main/CONTRIBUTING.md) and submit your PRs. We enforce [developer certificate of origin](https://developercertificate.org/) (DCO) commit signing. See guidance [here](https://github.com/apps/dco). We also welcome issues submitted about problems you encounter in using `aries-askar`. 
@@ -21,7 +76,11 @@ We also welcome issues submitted about problems you encounter in using `aries-as Licensed under either of -- Apache License, Version 2.0 ([LICENSE-APACHE](https://github.com/hyperledger/aries-askar/blob/main/LICENSE-APACHE) or http://www.apache.org/licenses/LICENSE-2.0) -- MIT license ([LICENSE-MIT](https://github.com/hyperledger/aries-askar/blob/main/LICENSE-MIT) or http://opensource.org/licenses/MIT) +- Apache License, Version 2.0 + ([LICENSE-APACHE](https://github.com/hyperledger/aries-askar/blob/main/LICENSE-APACHE) + or http://www.apache.org/licenses/LICENSE-2.0) +- MIT license + ([LICENSE-MIT](https://github.com/hyperledger/aries-askar/blob/main/LICENSE-MIT) + or [https://opensource.org/licenses/MIT](https://opensource.org/licenses/MIT)) at your option. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..576db5ab0 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,19 @@ +# Hyperledger Security Policy + +## Reporting a Security Bug + +If you think you have discovered a security issue in any of the Hyperledger projects, we'd love to +hear from you. We will take all security bugs seriously and if confirmed upon investigation we will +patch it within a reasonable amount of time and release a public security bulletin discussing the +impact and credit the discoverer. + +If you have found what you think is a vulnerability in the code in this +repository, please email a description of the flaw and any related information +(e.g. reproduction steps, version) to +[security@hyperledger.org](mailto:security@hyperledger.org). If we agree with +your assessment, we'll open a GitHub security issue in the reposioty, and invite +you to collaborate towards resolving the issue. + +The process by which the Hyperledger Security Team handles security bugs is documented further in +our [Defect Response page](https://wiki.hyperledger.org/display/SEC/Defect+Response) on our +[wiki](https://wiki.hyperledger.org). 
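Review bot: the new CODE_OF_CONDUCT.md ends without a trailing newline (`\ No newline at end of file` after the Credits paragraph); add one so later diffs against the file stay clean. Minor wording in item 11 of the Code: "the Hyperledger is no different" should read "Hyperledger is no different".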
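Review bot: in the Maintainer Scopes table of the first MAINTAINERS.md hunk, the `[aries committers]` cell has no matching link definition; the definition block below defines `[aries-cloudagent-python committers]` instead, so that cell will render as literal bracketed text and the ACA-Py definition is dead. Either change the cell to `[aries-cloudagent-python committers]` (if that team really holds Maintain on this repository) or relabel the definition as `aries committers` with the correct team URL. Smaller points in the same hunk: the Admin row leaves the Definition column empty while every other row fills it; the Emeritus table orders its columns `Name | GitHub ID` while the Active table uses `GitHub ID | Name`, so pick one order; the two continuation lines under the Technical Oversight Committee duty (`+contents and management...`, `+required files...`) are not indented like the other wrapped bullets; and since the Active table now publishes personal e-mail addresses in a public repository, confirm each listed maintainer agreed to that.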
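Review bot: the removal vote in the second MAINTAINERS.md hunk does not say whether the maintainer being moved to emeritus counts toward "at least three (3) Maintainer PR approvals" or toward "an absolute majority of maintainers"; for a Code of Conduct removal that maintainer should be excluded from both the approver pool and the majority denominator, and the text should say so. The normative wording is also uneven between the two processes: adding a maintainer says the PR **MUST** be communicated, removal says it **MAY** be, and the removal steps are introduced with "**SHOULD** be followed", so state which of these are binding.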
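Review bot: "please this [storage] overview" in the storage paragraph of the first README.md hunk is missing its verb; read "please see this [storage] overview". The `[storage]: /docs/storage.md` definition is a root-relative path, which resolves on GitHub but breaks where the README is rendered off-site (the docs.rs and PyPI badges at the top of the file link to such renderings); a relative `docs/storage.md` is safer. "Askar wrappers for Askar JavaScript and Python" repeats "Askar"; "JavaScript and Python wrappers for Askar" reads cleaner. The "Askar Concepts Borrowed" section links Indy SDK documents for encryption and storage passphrases while the intro describes Askar as encrypted at rest, so the in-file "To Do" to copy and update those documents for Askar is worth tracking as an issue so the description of key handling does not drift from the Indy one.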
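Review bot: the license list in the second README.md hunk now links MIT over https but leaves the Apache URL as `http://www.apache.org/licenses/LICENSE-2.0`; use https for both so the two bullets match and neither link is plaintext.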
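Review bot: "reposioty" in the second paragraph of SECURITY.md should be "repository". The policy asks reporters to e-mail security@hyperledger.org with reproduction steps and says a GitHub security issue will be opened afterwards, but it never tells reporters not to file a public GitHub issue for a suspected vulnerability; since the README's Contributing section in this same patch invites "issues submitted about problems you encounter", add an explicit sentence to SECURITY.md (and a pointer to it from the README's Contributing section) so suspected vulnerabilities stay on the private channel until the public bulletin is released.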
From 3aee1e5485551c6733c57ac538e5f843bd51a7a7 Mon Sep 17 00:00:00 2001 From: Stephen Curran Date: Mon, 26 Jun 2023 21:59:48 +0000 Subject: [PATCH 2/2] Update relationship to Indy - replacement not a re-implementation Signed-off-by: Stephen Curran --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index de6a19d29..324dec183 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ Aries Askar is a secure (encrypted at rest) storage and a key management service suitable for use with [Hyperledger Aries] agents and possibly other digital -trust agents. Askar is a re-implementation (with lessons learned!) of the +trust agents. Askar is a replacement implementation (with lessons learned!) of the [indy-wallet] part of the [Hyperledger Indy SDK]. Askar has been demonstrated to be more performant and stable than the Indy SDK when under comparable load.
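Review bot: this one-line change replaces "re-implementation" with "replacement implementation" in the README intro, but the same sentence ("As noted above, Askar is a re-implementation (with lessons learned!) of the [indy-wallet] part of the [Hyperledger Indy SDK]") at the top of the "Askar Concepts Borrowed from the indy-wallet Implementation" section added in PATCH 1/2 is left unchanged, so the README now describes the relationship to Indy two different ways; update that sentence in the same commit. "a replacement implementation (with lessons learned!) of the [indy-wallet] part" also reads awkwardly; "a replacement (with lessons learned!) for the [indy-wallet] part" is smoother.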