Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Controls should be less prescriptive and less focused on specifics of Github, etc. #36

Open
JustinCappos opened this issue Oct 23, 2024 · 2 comments
Open

Controls should be less prescriptive and less focused on specifics of Github, etc. #36

JustinCappos opened this issue Oct 23, 2024 · 2 comments

Comments

@JustinCappos
Copy link

My view is the baseline is too focused on assumptions that the projects are using Github, etc. and are less flexible than they could be about other ways to meet the same security properties. This has the potential for us to bake in a lot of things that don't make sense into the future and also be seen as pushing projects to specific vendors.

For example:

OSPS-02 1 Access Control The project's version control system MUST restrict collaborator permissions to the lowest available privileges by default.

Looking at this, I think what is meant is that one must set Github's collaborator permissions in a specific manner for a repo. However, other version control systems may not have this exact way of setting permissions. In gittuf, there isn't a central place to set collaborator permissions, but this is intertwined with functionality that this is found in places like the CODEOWNERS file for Github. I've heard from the group discussions that the intent with this rule isn't to require CODEOWNERS / file access permissions on the repo itself / blocking read access to different repos, or similar functionality, but this isn't clear enough from this statement, since these permissions are all available and could be set this way by default.

A focused question is what are "collaborator permissions" outside of the context of Github? What does this mean for a vanilla git repository?

My suggestion to fix this is to give an example for each control about what you're trying to achieve and to explain the purpose rather than being so prescriptive.
@TheFoxAtWork
Copy link

+1 - the Collaborator definition may be the appropriate place to expand on this.
perhaps:

projects MUST define permissions to the lowest available privileges by default for their version control system

@david-a-wheeler
Copy link
Contributor

+1. I've started trying to help do this, but it will require multiple eyes.

Sometimes it's just terminology, e.g., GitHub says "pull request" while practically everyone else uses the term "merge request" for the same idea. But the bigger problem is when things fundamentally work differently to achieve the same result. I often try to use the Linux kernel as a counter-example; it's very widely used, but it does things differently (due to scale), and considering it can help us focus on the objectives instead of being overly prescriptive.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@david-a-wheeler @JustinCappos @TheFoxAtWork