[PATCH] D70326: [docs] LLVM Security Group and Process

Renato Golin via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Wed Jun 17 05:21:47 PDT 2020


rengolin added inline comments.


================
Comment at: llvm/docs/Security.rst:25
+
+The initial security group will start small and grow following the process established below. The LLVM Board will pick 10 community members. These members shall represent a wide cross-section of the community, and meet the criteria for inclusion below.
+
----------------
aadg wrote:
> I understand we have to solve a chicken & egg problem here to get the group started; I think we should rather say that a call for applications to the initial security group should be made, and the board will pick 10 candidates amongst the applications. The board cannot possibly know everyone in the community, and to be effective, this group needs volunteers, not people who have been volunteered.
> 
> 10 seems like a big number of people for an initial group --- given the number of people who expressed interest in the forming of this group, so what should we do if there are less than 10 volunteers ?
> 
> The initial task for this group will probably be to finish fleshing out this proposal.
I agree on both points. We shouldn't burden the foundation with it, nor should we restrict the number of members to a fixed size.


================
Comment at: llvm/docs/Security.rst:52
+
+  - If already in the LLVM Security Group, has actively participated in one (if any) security issue in the last year.
+  - If already in the LLVM Security Group, has actively participated in most membership discussions in the last year.
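Review bot: both bullets open with the identical clause "If already in the LLVM Security Group, has actively participated in ... in the last year" and differ only in the object, so the shared condition should be hoisted into a parent bullet ("If already in the LLVM Security Group, has in the last year actively participated in:") with two sub-bullets, "one (if any) security issue" and "most membership discussions". Moving "(if any)" out of the middle of the first sub-bullet, e.g. "at least one security issue, if any were handled", would also make it clear that the qualifier applies to whether issues occurred rather than to the member's participation.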
----------------
Redundant wording. Perhaps sub-bullet points?


================
Comment at: llvm/docs/Security.rst:112
+
+Following the process below, the LLVM Security Group decides on embargo date for public disclosure for each Security issue. An embargo may be lifted before the agreed-upon date if all vendors planning to ship a fix have already done so, and if the reporter does not object.
+
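Review bot: "decides on embargo date" is missing an article ("decides on an embargo date"), and "each Security issue" capitalizes the term where the criteria earlier in this file write "security issue" in lower case; pick one spelling and use it throughout. The second sentence also leaves the reader to infer how the group knows that "all vendors planning to ship a fix have already done so"; a short clause stating that vendors declare their intent to ship when the embargo is set, or a pointer to the section of the process that covers this, would close that gap.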
----------------
What if the group doesn't have a member from an affected vendor? How do we handle external vendor/country embargo?


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D70326/new/

https://reviews.llvm.org/D70326