From 383b3911b08ba43eab26b1ed1260d30031150929 Mon Sep 17 00:00:00 2001 From: Kevin Wang Date: Thu, 7 Nov 2024 03:24:50 +0800 Subject: [PATCH] address review comments from @angellk Signed-off-by: Kevin Wang --- projects/chubaofs/cubefs-graduation-dd.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/projects/chubaofs/cubefs-graduation-dd.md b/projects/chubaofs/cubefs-graduation-dd.md index 00f00977c..bb26f13e1 100644 --- a/projects/chubaofs/cubefs-graduation-dd.md +++ b/projects/chubaofs/cubefs-graduation-dd.md @@ -37,6 +37,8 @@ The following recommendations were provided to the project that are non-blocking - TOC Reviewer recommends organizing dedicated TSC meeting, in order to keep TSC members engaged. - To enhance community decision-making transparency, the TOC Reviewer recommends the project provide explicit records of voting processes, e.g. manual vote counts or using [gitvote](https://github.com/cncf/gitvote). - TOC Reviewer recommends to add explicit descripion of platforms supported in the [RELEASE.md](https://github.com/cubefs/cubefs/blob/206d5ddadf1f99abde6401b7aa18b57fc46e6bed/RELEASE.md) +- TOC Reviewer recommends to cross reference the [roadmap governance(https://github.com/cubefs/cubefs/blob/206d5ddadf1f99abde6401b7aa18b57fc46e6bed/GOVERNANCE.md#roadmap)] and [change process](https://github.com/cubefs/cubefs/blob/206d5ddadf1f99abde6401b7aa18b57fc46e6bed/GOVERNANCE.md#changes-in-project-roadmap) on the [ROADMAP.md](https://github.com/cubefs/cubefs/blob/206d5ddadf1f99abde6401b7aa18b57fc46e6bed/ROADMAP.md) to make it easier to find for potential contributors. +- TOC Reviewer recommends to update security policy to include an embargo and private disclosure period before doing public disclosure for security vulnerbilities. And tagging a release clearly as "security-fixes-only" will help users to prioritize an upgrade. ### Adoption Evaluation 
@@ -329,7 +331,8 @@ N/A - [x] **Tagging as stable, unstable, and security related releases** CubeFS uses beta to mark their unstable releases. Ref: [RELEASE.md#types-of-releases](https://github.com/cubefs/cubefs/blob/206d5ddadf1f99abde6401b7aa18b57fc46e6bed/RELEASE.md#types-of-releases). - Security release process is documented at: [security-release-process.md](https://github.com/cubefs/cubefs/blob/206d5ddadf1f99abde6401b7aa18b57fc46e6bed/security/security-release-process.md) + + Security release process is documented at: [security-release-process.md](https://github.com/cubefs/cubefs/blob/206d5ddadf1f99abde6401b7aa18b57fc46e6bed/security/security-release-process.md). CubeFS doesn't have explict tagging rule for security releases. Though this is not required, tagging a release with "security-fixes-only" alike markers would be helpful for users to prioritize upgrades. - [x] **Information on branch and tag strategies**
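Review bot: In the first hunk (the `@@ -37,6 +37,8 @@` recommendations list), the roadmap-governance link on the first added line is malformed: the closing `]` sits after the URL instead of before it, so `[roadmap governance(https://.../GOVERNANCE.md#roadmap)]` will not render as a link. Suggest `[roadmap governance](https://github.com/cubefs/cubefs/blob/206d5ddadf1f99abde6401b7aa18b57fc46e6bed/GOVERNANCE.md#roadmap)`. The second added line has a typo, "vulnerbilities" should be "vulnerabilities", and both new bullets read more naturally as "recommends cross-referencing" / "recommends updating" rather than "recommends to cross reference" / "recommends to update"; the unchanged context line above also carries "descripion" for "description", which could be fixed while this section is being touched.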
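Review bot: In the second hunk (the `@@ -329,7 +331,8 @@` security-release item), the added sentence has a typo, "explict" should be "explicit", and "tagging a release with "security-fixes-only" alike markers" is awkward; suggest "tagging a release with a marker such as "security-fixes-only"" so the wording matches the recommendation added to the non-blocking list in the first hunk. The hunk also replaces the original line with an empty `+` line followed by the rewritten paragraph, which introduces a blank line inside the checklist item; confirm that is intended rather than an accidental extra line.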