
docs: add a basic security policy #1266

Merged (29 commits, Jun 26, 2024)

Conversation

tonyandrewmeyer
Contributor

Adds a simple security policy, so that users can easily find out how to privately report security issues.

The policy states that 2.x will get security updates, which seems reasonable to me, but we could make that more recent versions if that was better.

The policy offers reporting via GitHub (which would need to be turned on) and to the security@ubuntu.com address - I think it's important to still offer an email (particularly encrypted email) mechanism, not just the GitHub one.

This is based on the LXD policy, and the work to develop a Canonical security policy template (internal link only, sorry).

See also this Mattermost discussion (also internal only, sorry).

@tonyandrewmeyer
Contributor Author

@lucistanescu and @setharnold would you mind having a look over this?

@setharnold

I like it, it could certainly work as-is.

It might be worth trying to say what inputs are completely trusted or which inputs are untrusted, to try to scale expectations of how it could and should be used, but this is already a good start.

Thanks

Collaborator

@benhoyt benhoyt left a comment


I don't really know what we're aiming for here (security team's input should help there), but this looks like a good start to me. One micro-nit comment.

Co-authored-by: Ben Hoyt <benhoyt@gmail.com>
@tonyandrewmeyer
Contributor Author

I don't really know what we're aiming for here

Personally, just to have an easy way for people to figure out how to report security issues, without having to go through the "this is from Canonical, I should look for a Canonical system" thought path.

@benhoyt are you ok with saying that 2.x is supported for security fixes? It's < 2 years ago, so my thinking was that if there was something that needed to be addressed it would likely not be too difficult to port it back there, and then do 13+ point releases (and yank the bad releases). A non-trivial amount of work, but not huge, and given the likelihood it seemed ok to me. If you'd rather be more aggressive, maybe we could make it one year, or something like that? The downside of that approach is needing to update the file each month if we're going to explicitly list versions.

@benhoyt
Collaborator

benhoyt commented Jun 23, 2024

are you ok with saying that 2.x is supported for security fixes?

My first thought was that that's fine and seems quite reasonable to me. However, then I realized that this would mean doing actual patch releases for all the minor releases we've done, which is non-ideal. Then again, also pretty unlikely, as we push people to use the latest Ops.

I'm okay with it, but I do like putting a time-cap on it. To avoid constantly updating the text, we could just say "2.x versions in the last 12 months" or something.

Contributor

@dimaqq dimaqq left a comment


Sorry I forgot to click Submit earlier...

tonyandrewmeyer and others added 13 commits June 25, 2024 18:51
We will switch to using pinned versions of the charm (latest `main`) for
our charm tests in the GitHub Actions. This PR adds a release step to
update the pinned versions, and what to do if they fail.

---------

Co-authored-by: Tony Meyer <tony.meyer@canonical.com>
Co-authored-by: Dima Tisnek <dima.tisnek@canonical.com>
This is an automated PR to update pins of the external repositories that
the operator framework is tested against

Co-authored-by: github-actions <github-actions@github.com>
This is an automated PR to update pins of the external repositories that
the operator framework is tested against

Co-authored-by: github-actions <github-actions@github.com>
Fix the links to [version.py](ops/version.py) so that they render
correctly.
…044c6a2f0870ad to e815787b53c690d006e582ef03e43f08d56d64ba (canonical#1244)

Bumps [canonical/setup-lxd](https://github.com/canonical/setup-lxd) from
7be523c4c2724a31218a627809044c6a2f0870ad to
e815787b53c690d006e582ef03e43f08d56d64ba.
Without this fix, running this raises the following:

```
TypeError: catching classes that do not inherit from BaseException is not allowed
```

Not sure how to silence pyright without the type: ignores.

I guess we haven't used this script in a while. :-)
I've noticed that when a new commit is pushed to a PR, the same tests
are run twice: once triggered by `on: push` and another by `on:
pull_request: synchronize`

---

Note that the two runs are not exactly same, if the target (main) branch
has received updates in the meantime, because:

### on: push Trigger:

This workflow runs the tests on the new commit in the feature branch as
it stands alone.
It doesn't consider any changes that might have been merged into the
main branch since the feature branch was last updated.

### on: pull_request: synchronize Trigger:

This workflow runs the tests on the combined state of the feature branch
and the main branch.
It effectively simulates a merge between the feature branch and the main
branch to see if the combined state would pass the tests.

---

to do

- [x] agree on approach
- [x] apply to other workflows
* No intro text as found on the GitHub page and various announcements.
* No attribution.
* No links to issues.
* Remove conventional commit type in favour of headings.
…,secret-rotate (canonical#1233)

Extends the test for not being able to `defer()` an action event to also
cover the other events where this is the case. This was missed in canonical#1122.
…cal#1247)

This is the fix for the issue described at
canonical#1246. Essentially, if the
Pebble timeout has already elapsed, Pebble will happily wait
indefinitely for the connect to go through, and the Python side will
hang. Add a timeout during the connect phase to cut this short.

Fixes canonical#1246.

---------

Co-authored-by: Tony Meyer <tony.meyer@gmail.com>
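The hang described in the commit above comes from turning an already-spent timeout into an unbounded blocking connect. The following is an added example, not the ops/pebble code itself: a deadline-aware connect over a Unix socket (Pebble is reached over a Unix socket) that checks the remaining budget before the blocking call and keeps the socket bounded afterwards. `DeadlineExceeded`, `remaining`, `connect_unix` and the temporary listening socket in `demo` are all illustrative names and a constructed scenario, not real Pebble.

```python
# Added example, not ops' own code: a deadline-aware Unix-socket connect so a
# client whose overall timeout has already elapsed fails fast instead of
# blocking forever in connect(). Names are illustrative.
import os
import socket
import tempfile
import time


class DeadlineExceeded(TimeoutError):
    """Raised when the caller's overall timeout has already elapsed."""


def remaining(deadline: float) -> float:
    """Seconds left until `deadline` (a time.monotonic() value); raise if none.

    A zero or negative budget must never be passed on as settimeout(None),
    which would mean "block forever".
    """
    left = deadline - time.monotonic()
    if left <= 0:
        raise DeadlineExceeded(f"deadline passed {-left:.3f}s ago")
    return left


def connect_unix(path: str, deadline: float) -> socket.socket:
    """Connect to the Unix socket at `path`, bounded by the caller's deadline."""
    left = remaining(deadline)  # check *before* any blocking call
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(left)
    try:
        sock.connect(path)
        # Keep send/recv bounded by whatever budget is left after connecting.
        sock.settimeout(remaining(deadline))
    except Exception:
        sock.close()
        raise
    return sock


def demo() -> dict:
    """Constructed scenario (not a real Pebble socket): a listener in a temp
    dir, then a connect with time to spare, one with an expired deadline, and
    one to a path that does not exist."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "pebble.socket")
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(path)
    server.listen(1)
    results = {}
    try:
        conn = connect_unix(path, time.monotonic() + 5.0)
        results["fresh"] = "connected"
        conn.close()

        started = time.monotonic()
        try:
            connect_unix(path, started - 1.0)  # deadline already in the past
        except DeadlineExceeded:
            results["expired"] = "failed fast"
        results["expired_elapsed"] = time.monotonic() - started

        try:
            connect_unix(os.path.join(tmp, "missing.socket"), time.monotonic() + 5.0)
        except FileNotFoundError as exc:
            results["missing"] = type(exc).__name__
    finally:
        server.close()
        os.unlink(path)
        os.rmdir(tmp)
    return results


if __name__ == "__main__":
    print(demo())
```

The important line is the first one in `connect_unix`: the remaining-time check raises before a socket is even created, so an exhausted budget surfaces as an error to the caller rather than as a connect that never returns.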
Bumps [tornado](https://github.com/tornadoweb/tornado) from 6.4 to
6.4.1.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/tornadoweb/tornado/blob/master/docs/releases.rst">tornado's
changelog</a>.</em></p>
<blockquote>
<h1>Release notes</h1>
<p>.. toctree::
:maxdepth: 2</p>
<p>releases/v6.4.1
releases/v6.4.0
releases/v6.3.3
releases/v6.3.2
releases/v6.3.1
releases/v6.3.0
releases/v6.2.0
releases/v6.1.0
releases/v6.0.4
releases/v6.0.3
releases/v6.0.2
releases/v6.0.1
releases/v6.0.0
releases/v5.1.1
releases/v5.1.0
releases/v5.0.2
releases/v5.0.1
releases/v5.0.0
releases/v4.5.3
releases/v4.5.2
releases/v4.5.1
releases/v4.5.0
releases/v4.4.3
releases/v4.4.2
releases/v4.4.1
releases/v4.4.0
releases/v4.3.0
releases/v4.2.1
releases/v4.2.0
releases/v4.1.0
releases/v4.0.2
releases/v4.0.1
releases/v4.0.0
releases/v3.2.2
releases/v3.2.1
releases/v3.2.0
releases/v3.1.1
releases/v3.1.0
releases/v3.0.2
releases/v3.0.1
releases/v3.0.0
releases/v2.4.1
releases/v2.4.0
releases/v2.3.0</p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/tornadoweb/tornado/commit/2a0e1d13b5222dca4388c0ec8a4bb74ea6fa4af2"><code>2a0e1d1</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3388">#3388</a>
from bdarnell/release-641</li>
<li><a
href="https://github.com/tornadoweb/tornado/commit/b7af4e8f5ee578b78e1be5ade43fdb1103659a0e"><code>b7af4e8</code></a>
Release notes and version bump for version 6.4.1</li>
<li><a
href="https://github.com/tornadoweb/tornado/commit/d65f6e71a77f53a1ff0a0dc55704be13f04eb572"><code>d65f6e7</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3387">#3387</a>
from bdarnell/chunked-parsing</li>
<li><a
href="https://github.com/tornadoweb/tornado/commit/8d721a877dd5c2bc0693d9c4d3954eb11fbd404b"><code>8d721a8</code></a>
httputil: Only strip tabs and spaces from header values</li>
<li><a
href="https://github.com/tornadoweb/tornado/commit/7786f09f84c9f3f2012c4cf3878417cb9f053669"><code>7786f09</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3386">#3386</a>
from bdarnell/curl-crlf</li>
<li><a
href="https://github.com/tornadoweb/tornado/commit/fb119c767e9c43e71ea823311b0d53f566d86b73"><code>fb119c7</code></a>
http1connection: Stricter handling of transfer-encoding</li>
<li><a
href="https://github.com/tornadoweb/tornado/commit/b0ffc58e02f33f6aa480f008b74495601d988ce1"><code>b0ffc58</code></a>
curl_httpclient,http1connection: Prohibit CR and LF in headers</li>
<li><a
href="https://github.com/tornadoweb/tornado/commit/0efa9a42b4c94ee98549d86992c68227f83efd4e"><code>0efa9a4</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3385">#3385</a>
from bdarnell/update-black</li>
<li><a
href="https://github.com/tornadoweb/tornado/commit/2757c6e4874968dd2f74a4d08b450da795de5b6c"><code>2757c6e</code></a>
Merge pull request <a
href="https://redirect.github.com/tornadoweb/tornado/issues/3384">#3384</a>
from tornadoweb/dependabot/pip/requests-2.32.2</li>
<li><a
href="https://github.com/tornadoweb/tornado/commit/291d1b661be273b86792e965ac65f9bced8d4ebe"><code>291d1b6</code></a>
*: Update black</li>
<li>Additional commits viewable in <a
href="https://github.com/tornadoweb/tornado/compare/v6.4.0...v6.4.1">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=tornado&package-manager=pip&previous-version=6.4&new-version=6.4.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.


---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/canonical/operator/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
benhoyt and others added 12 commits June 27, 2024 09:20
This is an automated PR to update pins of the external repositories that
the operator framework is tested against

Co-authored-by: github-actions <github-actions@github.com>
…e43f08d56d64ba to 87f9a0dbf8855632e12fad0a45795338e4e97d12 (canonical#1256)

Bumps [canonical/setup-lxd](https://github.com/canonical/setup-lxd) from
e815787b53c690d006e582ef03e43f08d56d64ba to
87f9a0dbf8855632e12fad0a45795338e4e97d12.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/canonical/setup-lxd/commit/87f9a0dbf8855632e12fad0a45795338e4e97d12"><code>87f9a0d</code></a>
Merge pull request <a
href="https://redirect.github.com/canonical/setup-lxd/issues/17">#17</a>
from simondeziel/ci-24.04</li>
<li><a
href="https://github.com/canonical/setup-lxd/commit/92842e8464bd29a2935302cd9a87137a874bb22c"><code>92842e8</code></a>
github: extend integration tests to cover 24.04</li>
<li>See full diff in <a
href="https://github.com/canonical/setup-lxd/compare/e815787b53c690d006e582ef03e43f08d56d64ba...87f9a0dbf8855632e12fad0a45795338e4e97d12">compare
view</a></li>
</ul>
</details>
<br />



Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
We had originally included the wrong email address (.com instead of
.net). This fixes that. All the thousands of fan mails that have been
inevitably sent to us have been lost forever. ;-)
…anonical#1259)

Calling `setup_root_logging` changes `sys.excepthook`. The tests should
undo this in the same way that they clear out the logging handlers that
`setup_root_logging` adds.
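The test hygiene the commit above asks for, as an added example rather than the project's own test code: a context manager that snapshots the root logger's handlers and level together with `sys.excepthook`, and restores all of them on exit. `fake_setup_root_logging` is a stand-in that only mimics the two side effects the commit mentions (adding a handler and replacing the excepthook); it is not `ops.log.setup_root_logging`.

```python
# Added example, not ops' own test code: restore root-logger handlers, level
# and sys.excepthook after code under test has replaced them.
import contextlib
import logging
import sys


@contextlib.contextmanager
def isolated_root_logging():
    """Undo any handler, level or sys.excepthook changes made inside the block."""
    root = logging.getLogger()
    saved_handlers = list(root.handlers)
    saved_level = root.level
    saved_hook = sys.excepthook
    try:
        yield root
    finally:
        for handler in list(root.handlers):
            if handler not in saved_handlers:
                root.removeHandler(handler)
                handler.close()
        for handler in saved_handlers:
            if handler not in root.handlers:
                root.addHandler(handler)
        root.setLevel(saved_level)
        sys.excepthook = saved_hook


def fake_setup_root_logging(level: int = logging.DEBUG) -> None:
    """Stand-in (assumption, not ops.log.setup_root_logging): adds a handler to
    the root logger and swaps sys.excepthook, the two effects tests must undo."""
    root = logging.getLogger()
    root.setLevel(level)
    root.addHandler(logging.StreamHandler(sys.stderr))

    def hook(etype, value, tb):
        root.error("Uncaught exception", exc_info=(etype, value, tb))

    sys.excepthook = hook


def demo() -> dict:
    """Record root-logger state before, inside and after the isolated block."""
    def snapshot():
        root = logging.getLogger()
        return (len(root.handlers), root.level, sys.excepthook)

    before = snapshot()
    with isolated_root_logging():
        fake_setup_root_logging()
        inside = snapshot()
    after = snapshot()
    return {"before": before, "inside": inside, "after": after}


if __name__ == "__main__":
    print(demo())
```

Restoring by identity (which handler objects were present) rather than by count means a test that removes a pre-existing handler is also repaired, and the original excepthook is reinstated even if the code under test raised.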
The link to `HACKING.md` needs to be a fully-qualified link so that it
shows up correctly on PyPI
…in) (canonical#1252)

Explain that we use conventional commits, and list the types and scopes
that we're starting with.
…nonical#1260)

Unfortunately dependabot.yaml doesn't support saying "25th of each
month", just "monthly" which is hard-coded to the 1st. But that's
probably okay for that one.
Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.2.1 to 2.2.2.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/urllib3/urllib3/releases">urllib3's
releases</a>.</em></p>
<blockquote>
<h2>2.2.2</h2>
<h2>🚀 urllib3 is fundraising for HTTP/2 support</h2>
<p><a
href="https://sethmlarson.dev/urllib3-is-fundraising-for-http2-support">urllib3
is raising ~$40,000 USD</a> to release HTTP/2 support and ensure
long-term sustainable maintenance of the project after a sharp decline
in financial support for 2023. If your company or organization uses
Python and would benefit from HTTP/2 support in Requests, pip, cloud
SDKs, and thousands of other projects <a
href="https://opencollective.com/urllib3">please consider contributing
financially</a> to ensure HTTP/2 support is developed sustainably and
maintained for the long-haul.</p>
<p>Thank you for your support.</p>
<h2>Changes</h2>
<ul>
<li>Added the <code>Proxy-Authorization</code> header to the list of
headers to strip from requests when redirecting to a different host. As
before, different headers can be set via
<code>Retry.remove_headers_on_redirect</code>.</li>
<li>Allowed passing negative integers as <code>amt</code> to read
methods of <code>http.client.HTTPResponse</code> as an alternative to
<code>None</code>. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3122">#3122</a>)</li>
<li>Fixed return types representing copying actions to use
<code>typing.Self</code>. (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3363">#3363</a>)</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/urllib3/urllib3/compare/2.2.1...2.2.2">https://github.com/urllib3/urllib3/compare/2.2.1...2.2.2</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/urllib3/urllib3/blob/main/CHANGES.rst">urllib3's
changelog</a>.</em></p>
<blockquote>
<h1>2.2.2 (2024-06-17)</h1>
<ul>
<li>Added the <code>Proxy-Authorization</code> header to the list of
headers to strip from requests when redirecting to a different host. As
before, different headers can be set via
<code>Retry.remove_headers_on_redirect</code>.</li>
<li>Allowed passing negative integers as <code>amt</code> to read
methods of <code>http.client.HTTPResponse</code> as an alternative to
<code>None</code>. (<a
href="https://github.com/urllib3/urllib3/issues/3122">#3122</a>)</li>
<li>Fixed return types representing copying actions to use
<code>typing.Self</code>. (<a
href="https://github.com/urllib3/urllib3/issues/3363">#3363</a>)</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/urllib3/urllib3/commit/27e2a5c5a7ab6a517252cc8dcef3ffa6ffb8f61a"><code>27e2a5c</code></a>
Release 2.2.2 (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3406">#3406</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/accff72ecc2f6cf5a76d9570198a93ac7c90270e"><code>accff72</code></a>
Merge pull request from GHSA-34jh-p97f-mpxf</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/34be4a57e59eb7365bcc37d52e9f8271b5b8d0d3"><code>34be4a5</code></a>
Pin CFFI to a new release candidate instead of a Git commit (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3398">#3398</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/da410581b6b3df73da976b5ce5eb20a4bd030437"><code>da41058</code></a>
Bump browser-actions/setup-chrome from 1.6.0 to 1.7.1 (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3399">#3399</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/b07a669bd970d69847801148286b726f0570b625"><code>b07a669</code></a>
Bump github/codeql-action from 2.13.4 to 3.25.6 (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3396">#3396</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/b8589ec9f8c4da91511e601b632ac06af7e7c10e"><code>b8589ec</code></a>
Measure coverage with v4 of artifact actions (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3394">#3394</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/f3bdc5585111429e22c81b5fb26c3ec164d98b81"><code>f3bdc55</code></a>
Allow triggering CI manually (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3391">#3391</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/52392654b30183129cf3ec06010306f517d9c146"><code>5239265</code></a>
Fix HTTP version in debug log (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3316">#3316</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/b34619f94ece0c40e691a5aaf1304953d88089de"><code>b34619f</code></a>
Bump actions/checkout to 4.1.4 (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3387">#3387</a>)</li>
<li><a
href="https://github.com/urllib3/urllib3/commit/9961d14de7c920091d42d42ed76d5d479b80064d"><code>9961d14</code></a>
Bump browser-actions/setup-chrome from 1.5.0 to 1.6.0 (<a
href="https://redirect.github.com/urllib3/urllib3/issues/3386">#3386</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/urllib3/urllib3/compare/2.2.1...2.2.2">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=urllib3&package-manager=pip&previous-version=2.2.1&new-version=2.2.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)


Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
As documented in canonical#1252

- types taken from the doc PR
- scopes were scraped from project PR history
Adjust Harness so that the errors match what Juju does in practice (I
tested each case - the results are in a table in a comment in canonical#1229).
* When Juju responds with a message including "not found", we raise
`SecretNotFoundError`
* When Juju responds with any other message (such as "permission
denied"), we raise `ModelError`
* When Juju succeeds and only fails at the completion of the hook, we
raise `RuntimeError` - in production, the charm cannot catch this, but
we do want to surface this error, so `RuntimeError` seems most
appropriate

In addition:
* Update the documentation to clarify when secret content is cached
(this was a request from the discussion with the data platform team in
Madrid)
* Correct the documentation regarding when `ModelError` and when
`SecretNotFoundError` will be raised with the secret methods
* Don't clear the `Secret` object local cache of the secret content on
`set_contents`. The contents won't change until `refresh` is used, so
there's no point forcing the next call to get the content from Juju.

Juju may change the responses so that there is increased consistency
(probably via [this bug](https://bugs.launchpad.net/juju/+bug/2067336))
but it seems best if we fix the behaviour to match now, and then if Juju
changes in the future, we can update ops then (also deciding at that
time how to handle the issue that different Juju versions will have
different behaviour).

Fixes canonical#1229.
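The error mapping the commit above describes (a "not found" response becomes `SecretNotFoundError`, any other refusal becomes `ModelError`), as an added example that is not the ops Harness or `ops.model` implementation. The hook-tool invocation is injectable so the demo runs offline; the `_FAKE_RESPONSES` messages are constructed and only assumed to resemble Juju's wording.

```python
# Added example, not the ops Harness or ops.model code: map a Juju hook-tool
# failure to an exception class by inspecting its stderr. The runner is
# injectable so the demo can use constructed responses offline.
import subprocess
from typing import Callable, Sequence


class ModelError(Exception):
    """Juju refused the operation (for example "permission denied")."""


class SecretNotFoundError(ModelError):
    """Juju reported that the secret does not exist ("not found" in the message)."""


Runner = Callable[[Sequence[str]], "subprocess.CompletedProcess[str]"]


def real_runner(argv: Sequence[str]) -> "subprocess.CompletedProcess[str]":
    """Run a hook tool for real; only meaningful inside a Juju hook context."""
    return subprocess.run(list(argv), capture_output=True, text=True, check=False)


def run_hook_tool(argv: Sequence[str], runner: Runner = real_runner) -> str:
    """Return stdout on success; otherwise raise SecretNotFoundError or ModelError.

    "not found" is tested first so callers get the narrower class for a missing
    secret, while a plain `except ModelError` still catches both cases.
    """
    proc = runner(argv)
    if proc.returncode == 0:
        return proc.stdout
    message = proc.stderr.strip() or f"{argv[0]} failed with exit status {proc.returncode}"
    if "not found" in message:
        raise SecretNotFoundError(message)
    raise ModelError(message)


# Constructed responses (assumed wording, not verbatim Juju output).
_FAKE_RESPONSES = {
    "secret:ok": (0, '{"password": "hunter2"}', ""),
    "secret:gone": (1, "", 'ERROR secret "secret:gone" not found'),
    "secret:private": (1, "", "ERROR permission denied"),
}


def fake_runner(argv: Sequence[str]) -> "subprocess.CompletedProcess[str]":
    """Offline stand-in for the hook tool, keyed on the secret id argument."""
    rc, out, err = _FAKE_RESPONSES.get(argv[-1], (1, "", "ERROR unexpected failure"))
    return subprocess.CompletedProcess(list(argv), rc, stdout=out, stderr=err)


def classify(secret_id: str, runner: Runner = fake_runner) -> str:
    """Outcome of `secret-get <id>`: 'ok' or the name of the exception raised."""
    try:
        run_hook_tool(["secret-get", secret_id], runner)
        return "ok"
    except SecretNotFoundError:
        return "SecretNotFoundError"
    except ModelError:
        return "ModelError"


if __name__ == "__main__":
    for sid in ("secret:ok", "secret:gone", "secret:private", "secret:unknown"):
        print(sid, classify(sid))
```

Because `SecretNotFoundError` subclasses `ModelError`, charm code that only cares about "the operation failed" can catch the base class, while code that wants to create a secret on first use can catch the subclass specifically.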
When running `poetry lock` in the CI workloads, only update the ops
dependency, not all dependencies. We want to know whether the proposed
changes to ops would break the charm's tests, not whether updating all
dependencies, including the proposed ops changes, would do so.

This is one of the suggestions in canonical#1272. Using `poetry add --lock` seems
slightly cleaner than the `sed` system we currently use, but I wasn't
able to easily figure out how to do that with a `ops = { path =
"ci/path/for/ops/branch" }` type specifier. It seems like this approach
is at least an improvement on the existing one, even if not perfect. (It
also will unblock other PRs, given that the tests fail because we're
re-locking in entirety).

Fixes canonical#1272.
This PR adds [artefact
attestation](https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/)
to the ops builds. Essentially: users are able to verify that the wheel
and source dist tarball produced by the build script were actually
generated by the workflow in this repo (and not, for example, uploaded
by someone else that got access to the PyPI account).

The `test-publish` workflow is also updated to use the `build` backend,
which was missed when the main script was migrated. Annoyingly, [we are
still waiting for access to the operator package on
test.pypi.org](pypi/support#3349).
@tonyandrewmeyer tonyandrewmeyer merged commit ed90f3e into canonical:main Jun 26, 2024
27 checks passed
@tonyandrewmeyer tonyandrewmeyer deleted the add-security-md branch June 26, 2024 21:23
4 participants