Security Team members are listed in the Metal3 user-guide under the
Project Security Policy.

The security team is responsible for responding to all security issues reported
to the Metal3 project. The team can be reached at metal3-security@googlegroups.com.
(Please do not report any security vulnerability to the committee members
directly.) The security team ensures that the issues are mitigated and that
a responsible disclosure process is followed in a reasonable time. The security
team has a designated Security Lead. Currently, Tuomo Tanskanen is acting as
the Metal3 Security Lead. Below are the responsibilities of the Security team.
- Responsibilities:
  - Thoroughly investigate all reports to the Security Team
  - Do not share any vulnerability information with others unless necessary to fix the issue
  - Security Lead notifies the reporter as the security issue moves through the identification and resolution process
  - Uphold the Project Security Policy
- Qualifications:
  - Has a solid grasp of the overall architecture of Metal3, its usage in production environments, and its threat model
  - Has established the trust of Metal3 community members that they will uphold the security posture of Metal3
- Privileges:
  - Access to security reports
  - Membership of the security team mailing list
  - Security Lead has elevated access to the Metal3 GitHub organization through the metal3_security_team GitHub team

The process of becoming a security team member is:
- Nominated by a security team member and by a Metal3 Org Admin
- Shadowing an existing security team member

The CI team works to keep the CI infrastructure up and running. Please contact
the CI team at metal3-ci@googlegroups.com.
- Responsibilities:
  - Keeping CI infrastructure healthy
  - Investigating CI infrastructure problems
  - Providing visibility into CI spend and status
- Qualifications:
  - Must be a Metal3 Org member
  - A basic understanding of how the CI system works
- Privileges:
  - Privileged access rights for configuring CI infrastructure are currently available to a small subset of people. The process for becoming a CI team member is still a work in progress.

The Release team is responsible for releasing minor and patch releases from
different repositories in Metal3. Please contact the Release team at
metal3-release@googlegroups.com.
- Responsibilities:
  - Making sure the repositories are ready to be released
  - Performing minor and patch releases
  - Communicating the releases to the community
- Qualifications:
  - Must be a Metal3 Org member
  - A proper understanding of the release process of different Metal3 repositories
- Privileges:
  - Release team requires elevated access to the Metal3 GitHub organization through the metal3_release_team GitHub team

The process of becoming a release team member is:
- Nominated by a community member and seconded by a Metal3 Org Admin
- Shadowing an existing release team member

Maintainers are very established contributors who are responsible for the entire project. Detailed responsibilities and guidelines for becoming a maintainer are documented here.
- Maintainers with GitHub org admin access are responsible for managing access permissions of different teams. They can also add/remove members in specific teams.
- Maintainers and existing team members can onboard a new team member and brief the member on the team's duties, rules and responsibilities.
- Maintainers can also off-board a team member. When a team member is off-boarded, any related secrets, passwords, keys etc. should also be rotated.
- If a team is completely inactive or deemed unnecessary, maintainers can remove the team based on consensus.