From 95150991ff6d0f0d461d3a7781d7c04a3337c217 Mon Sep 17 00:00:00 2001 From: Robert Zieba Date: Wed, 5 Feb 2025 17:50:50 -0700 Subject: [PATCH] Update and add missing docs --- CODE_OF_CONDUCT.md | 97 ++++++++++++++++++++++++++++++++++++++++++++++ CONTRIBUTING.md | 31 +++++++++++---- LICENSE | 2 +- SECURITY.md | 50 ++++++++++++++++++++++++ 4 files changed, 172 insertions(+), 8 deletions(-) create mode 100644 CODE_OF_CONDUCT.md create mode 100644 SECURITY.md diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..1fc101b --- /dev/null +++ b/CODE_OF_CONDUCT.md @@ -0,0 +1,97 @@ +# Contributor Covenant Code of Conduct +## Our Pledge +We as members, contributors, and leaders pledge to make participation in our +community a harassment-free experience for everyone, regardless of age, body +size, visible or invisible disability, ethnicity, sex characteristics, gender +identity and expression, level of experience, education, socio-economic status, +nationality, personal appearance, race, caste, color, religion, or sexual +identity and orientation. +We pledge to act and interact in ways that contribute to an open, welcoming, +diverse, inclusive, and healthy community. +## Our Standards +Examples of behavior that contributes to a positive environment for our +community include: +* Demonstrating empathy and kindness toward other people +* Being respectful of differing opinions, viewpoints, and experiences +* Giving and gracefully accepting constructive feedback +* Accepting responsibility and apologizing to those affected by our mistakes, + and learning from the experience +* Focusing on what is best not just for us as individuals, but for the overall + community +Examples of unacceptable behavior include: +* The use of sexualized language or imagery, and sexual attention or advances of + any kind +* Trolling, insulting or derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or email address, + without their explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting +## Enforcement Responsibilities +Community leaders are responsible for clarifying and enforcing our standards of +acceptable behavior and will take appropriate and fair corrective action in +response to any behavior that they deem inappropriate, threatening, offensive, +or harmful. +Community leaders have the right and responsibility to remove, edit, or reject +comments, commits, code, wiki edits, issues, and other contributions that are +not aligned to this Code of Conduct, and will communicate reasons for moderation +decisions when appropriate. +## Scope +This Code of Conduct applies within all community spaces, and also applies when +an individual is officially representing the community in public spaces. +Examples of representing our community include using an official e-mail address, +posting via an official social media account, or acting as an appointed +representative at an online or offline event. +## Enforcement +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported to the community leaders responsible for enforcement at +odpadmin@microsoft.com. +All complaints will be reviewed and investigated promptly and fairly. +All community leaders are obligated to respect the privacy and security of the +reporter of any incident. +## Enforcement Guidelines +Community leaders will follow these Community Impact Guidelines in determining +the consequences for any action they deem in violation of this Code of Conduct: +### 1. Correction +**Community Impact**: Use of inappropriate language or other behavior deemed +unprofessional or unwelcome in the community. +**Consequence**: A private, written warning from community leaders, providing +clarity around the nature of the violation and an explanation of why the +behavior was inappropriate. A public apology may be requested. +### 2. Warning +**Community Impact**: A violation through a single incident or series of +actions. +**Consequence**: A warning with consequences for continued behavior. No +interaction with the people involved, including unsolicited interaction with +those enforcing the Code of Conduct, for a specified period of time. This +includes avoiding interactions in community spaces as well as external channels +like social media. Violating these terms may lead to a temporary or permanent +ban. +### 3. Temporary Ban +**Community Impact**: A serious violation of community standards, including +sustained inappropriate behavior. +**Consequence**: A temporary ban from any sort of interaction or public +communication with the community for a specified period of time. No public or +private interaction with the people involved, including unsolicited interaction +with those enforcing the Code of Conduct, is allowed during this period. +Violating these terms may lead to a permanent ban. +### 4. Permanent Ban +**Community Impact**: Demonstrating a pattern of violation of community +standards, including sustained inappropriate behavior, harassment of an +individual, or aggression toward or disparagement of classes of individuals. +**Consequence**: A permanent ban from any sort of public interaction within the +community. +## Attribution +This Code of Conduct is adapted from the [Contributor Covenant][homepage], +version 2.1, available at +[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1]. +Community Impact Guidelines were inspired by +[Mozilla's code of conduct enforcement ladder][Mozilla CoC]. +For answers to common questions about this code of conduct, see the FAQ at +[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at +[https://www.contributor-covenant.org/translations][translations]. +[homepage]: https://www.contributor-covenant.org +[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html +[Mozilla CoC]: https://github.com/mozilla/diversity +[FAQ]: https://www.contributor-covenant.org/faq +[translations]: https://www.contributor-covenant.org/translations \ No newline at end of file diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index f72cb1e..65b4b13 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,18 +1,35 @@ -# Contribution Guideline +# Contributing to Open Device Partnership + +The Open Device Partnership project welcomes your suggestions and contributions! Before opening your first issue or pull request, please review our +[Code of Conduct](CODE_OF_CONDUCT.md) to understand how our community interacts in an inclusive and respectful manner. + +## Contribution Licensing + +Most of our code is distributed under the terms of the [MIT license](LICENSE), and when you contribute code that you wrote to our repositories, +you agree that you are contributing under those same terms. In addition, by submitting your contributions you are indicating that +you have the right to submit those contributions under those terms. + +## Other Contribution Information + +If you wish to contribute code or documentation authored by others, or using the terms of any other license, please indicate that clearly in your +pull request so that the project team can discuss the situation with you. + +## Commit Message * Use meaningful commit messages. See [this blogpost](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html) -# PR Etiquette +## PR Etiquette * Create a draft PR first * Make sure that your branch has `.github` folder and all the code linting/sanity check workflows are passing in your draft PR before sending it out to code reviewers. -# Clean Commit History +## Clean Commit History We disabled squashing of commit and would like to maintain a clean commit history. So please reorganize your commits with the following items: - * Each commit builds successfully without warning from `rustc` or `clippy` - * Miscellaneous commits to fix typos + formatting are squashed -# Regressions +* Each commit builds successfully without warning +* Miscellaneous commits to fix typos + formatting are squashed + +## Regressions -When reporting a regression, please ensure that you use `git bisect` to find the first offending commit, as that will help us finding the culprit a lot faster. +When reporting a regression, please ensure that you use `git bisect` to find the first offending commit, as that will help us finding the culprit a lot faster. \ No newline at end of file diff --git a/LICENSE b/LICENSE index 1a078b6..609bd42 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2024 pop-project +Copyright (c) 2025 Open Device Partnership Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..215a231 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,50 @@ +# Vulnerability Disclosure and Embargo Policy +The Open Device Partnership project welcomes the responsible disclosure of vulnerabilities. +## Initial Contact +All security bugs in Open Device Partnership should be reported to the security team. +To do so, please reach out in the form of a +[Github Security Advisory](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities). +You will be invited to join this private area to discuss specifics. Doing so +allows us to start with a high level of confidentiality and relax it if the +issue is less critical, moving to work on the fix in the open. +Your initial contact will be acknowledged within 48 hours, and you’ll receive +a more detailed response within 96 hours indicating the next steps in handling +your report. +After the initial reply to your report, the security team will endeavor to +keep you informed of the progress being made towards a fix and full +announcement. As recommended by +[RFPolicy](https://dl.packetstormsecurity.net/papers/general/rfpolicy-2.0.txt), +these updates will be sent at least every five working days. +## Disclosure Policy +The Open Device Partnership project has a 5 step disclosure process. +1. Contact is established, a private channel created, and the security report + is received and is assigned a primary handler. This person will coordinate + the fix and release process. +2. The problem is confirmed and a list of all affected versions is determined. + If an embargo is needed (see below), details of the embargo are decided. +3. Code is audited to find any potential similar problems. +4. Fixes are prepared for all releases which are still under maintenance. In + case of embargo, these fixes are not committed to the public repository but + rather held in a private fork pending the announcement. +5. The changes are pushed to the public repository and new builds are deployed. +This process can take some time, especially when coordination is required +with maintainers of other projects. Every effort will be made to handle the bug +in as timely a manner as possible, however it is important that we follow the +release process above to ensure that the disclosure is handled in a consistent +manner. +## Embargoes +While the Open Device Partnership project aims to follow the highest standards of +transparency and openness, handling some security issues may pose such an +immediate threat to various stakeholders and require coordination between +various actors that it cannot be made immediately public. +In this case, security issues will fall under an embargo. +An embargo can be called for in various cases: +- when disclosing the issue without simultaneously providing a mitigation + would seriously endanger users, +- when producing a fix requires coordinating between multiple actors (such as + upstream or downstream/dependency projects), or simply +- when proper analysis of the issue and its ramifications demands time. +If we determine that an issue you report requires an embargo, we will discuss +this with you and try to find a reasonable expiry date (aka “embargo +completion date”), as well as who should be included in the list of +need-to-know people. \ No newline at end of file