Update Code of Conduct and Security Policy (#23811)

Updates the readme, code of conduct and security policy per OSPO request.
This commit is contained in:
Andy Jordan 2024-06-14 16:44:39 -07:00 committed by GitHub
parent bd8b0bd421
commit 7ec8e4ed8f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 83 additions and 36 deletions

View File

@ -73,13 +73,13 @@ made.
In most cases, it means "one clause/idea per line". In most cases, it means "one clause/idea per line".
* Otherwise, these issues should be treated like any other issue in this repository. * Otherwise, these issues should be treated like any other issue in this repository.
#### Spellchecking documentation #### Spell checking documentation
Documentation is spellchecked. We use the Documentation is spellchecked. We use the
[textlint](https://github.com/textlint/textlint/wiki/Collection-of-textlint-rule) command-line tool, [textlint](https://github.com/textlint/textlint/wiki/Collection-of-textlint-rule) command-line tool,
which can be run in interactive mode to correct typos. which can be run in interactive mode to correct typos.
To run the spellchecker, follow these steps: To run the spell checker, follow these steps:
* install [Node.js](https://nodejs.org/en/) (v10 or up) * install [Node.js](https://nodejs.org/en/) (v10 or up)
* install [textlint](https://github.com/textlint/textlint/wiki/Collection-of-textlint-rule) by * install [textlint](https://github.com/textlint/textlint/wiki/Collection-of-textlint-rule) by
@ -169,7 +169,7 @@ Additional references:
A better example is: "Add Ensure parameter to New-Item cmdlet", with "Fix #5" in the PR's body. A better example is: "Add Ensure parameter to New-Item cmdlet", with "Fix #5" in the PR's body.
* When you create a pull request, * When you create a pull request,
include a summary about your changes in the PR description. include a summary about your changes in the PR description.
The description is used to create change logs, The description is used to create changelogs,
so try to have the first sentence explain the benefit to end users. so try to have the first sentence explain the benefit to end users.
If the changes are related to an existing GitHub issue, If the changes are related to an existing GitHub issue,
please reference the issue in the PR description (e.g. ```Fix #11```). please reference the issue in the PR description (e.g. ```Fix #11```).
@ -234,8 +234,8 @@ Additional references:
* After submitting your pull request, * After submitting your pull request,
our [CI system (Azure DevOps Pipelines)][ci-system] our [CI system (Azure DevOps Pipelines)][ci-system]
will run a suite of tests and automatically update the status of the pull request. will run a suite of tests and automatically update the status of the pull request.
* Our CI contains automated spellchecking and link checking for Markdown files. If there is any false-positive, * Our CI contains automated spell checking and link checking for Markdown files. If there is any false-positive,
[run the spellchecker command-line tool in interactive mode](#spellchecking-documentation) [run the spell checker command-line tool in interactive mode](#spell-checking-documentation)
to add words to the `.spelling` file. to add words to the `.spelling` file.
* Our packaging test may not pass and ask you to update `files.wxs` file if you add/remove/update nuget package references or add/remove assert files. * Our packaging test may not pass and ask you to update `files.wxs` file if you add/remove/update nuget package references or add/remove assert files.
@ -382,8 +382,8 @@ Once you sign a CLA, all your existing and future pull requests will have the st
## Code of Conduct Enforcement ## Code of Conduct Enforcement
Reports of abuse will be reviewed by the PS-Committee and if it has been determined that violations of the Reports of abuse will be reviewed by the [PowerShell Committee][ps-committee] and if it has been determined that violations of the
Code of Conduct has occurred, then a temporary ban may be imposed. [Code of Conduct](../CODE_OF_CONDUCT.md) has occurred, then a temporary ban may be imposed.
The duration of the temporary ban will depend on the impact and/or severity of the infraction. The duration of the temporary ban will depend on the impact and/or severity of the infraction.
This can vary from 1 day, a few days, a week, and up to 30 days. This can vary from 1 day, a few days, a week, and up to 30 days.
Repeat offenses may result in a permanent ban from the PowerShell org. Repeat offenses may result in a permanent ban from the PowerShell org.
@ -409,3 +409,4 @@ Repeat offenses may result in a permanent ban from the PowerShell org.
[coding-guidelines]: ../docs/dev-process/coding-guidelines.md [coding-guidelines]: ../docs/dev-process/coding-guidelines.md
[breaking-changes-contract]: ../docs/dev-process/breaking-change-contract.md [breaking-changes-contract]: ../docs/dev-process/breaking-change-contract.md
[rfc-process]: https://github.com/PowerShell/PowerShell-RFC [rfc-process]: https://github.com/PowerShell/PowerShell-RFC
[ps-committee]: ../docs/community/governance.md#powershell-committee

47
.github/SECURITY.md vendored
View File

@ -1,12 +1,41 @@
# Security Vulnerabilities <!-- BEGIN MICROSOFT SECURITY.MD V0.0.9 BLOCK -->
Security issues are treated very seriously and will, by default, ## Security
takes precedence over other considerations including usability, performance,
etc... Best effort will be used to mitigate side effects of a security
change, but PowerShell must be secure by default.
## Reporting a security vulnerability Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin) and [PowerShell](https://github.com/PowerShell).
If you believe that there is a security vulnerability in PowerShell, If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/security.md/definition), please report it to us as described below.
it **must** be reported using [https://aka.ms/secure-at](https://aka.ms/secure-at) to allow for [Coordinated Vulnerability Disclosure](https://technet.microsoft.com/security/dn467923).
**Only** file an issue, if [MSRC](https://www.microsoft.com/en-us/msrc/faqs-report-an-issue?rtc=1) has confirmed filing an issue is appropriate. ## Reporting Security Issues
**Please do not report security vulnerabilities through public GitHub issues.**
Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/security.md/msrc/create-report).
If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/security.md/msrc/pgp).
You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc).
Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
* Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
* Full paths of source file(s) related to the manifestation of the issue
* The location of the affected source code (tag/branch/commit or direct URL)
* Any special configuration required to reproduce the issue
* Step-by-step instructions to reproduce the issue
* Proof-of-concept or exploit code (if possible)
* Impact of the issue, including how an attacker might exploit the issue
This information will help us triage your report more quickly.
If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/security.md/msrc/bounty) page for more details about our active programs.
## Preferred Languages
We prefer all communications to be in English.
## Policy
Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/security.md/cvd).
<!-- END MICROSOFT SECURITY.MD BLOCK -->

1
.markdownlintignore Normal file
View File

@ -0,0 +1 @@
.github/SECURITY.md

View File

@ -1,8 +1,10 @@
# Code of Conduct # Microsoft Open Source Code of Conduct
This project has adopted the [Microsoft Open Source Code of Conduct][conduct-code]. This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
For more information see the [Code of Conduct FAQ][conduct-FAQ] or contact [opencode@microsoft.com][conduct-email] with any additional questions or comments.
[conduct-code]: https://opensource.microsoft.com/codeofconduct/ Resources:
[conduct-FAQ]: https://opensource.microsoft.com/codeofconduct/faq/
[conduct-email]: mailto:opencode@microsoft.com - [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns
- Employees can reach out at [aka.ms/opensource/moderation-support](https://aka.ms/opensource/moderation-support)

View File

@ -139,12 +139,10 @@ The governance policy for the PowerShell project is described the [PowerShell Go
[gov]: https://github.com/PowerShell/PowerShell/blob/master/docs/community/governance.md [gov]: https://github.com/PowerShell/PowerShell/blob/master/docs/community/governance.md
## [Code of Conduct][conduct-md] ## [Code of Conduct](CODE_OF_CONDUCT.md)
This project has adopted the [Microsoft Open Source Code of Conduct][conduct-code]. Please see our [Code of Conduct](CODE_OF_CONDUCT.md) before participating in this project.
For more information, see the [Code of Conduct FAQ][conduct-FAQ] or contact [opencode@microsoft.com][conduct-email] with any additional questions or comments.
[conduct-code]: https://opensource.microsoft.com/codeofconduct/ ## [Security Policy](.github/SECURITY.md)
[conduct-FAQ]: https://opensource.microsoft.com/codeofconduct/faq/
[conduct-email]: mailto:opencode@microsoft.com For any security issues, please see our [Security Policy](.github/SECURITY.md).
[conduct-md]: https://github.com/PowerShell/PowerShell/tree/master/CODE_OF_CONDUCT.md

View File

@ -6,7 +6,7 @@
approving [RFCs][RFC-repo], and approving new maintainers/committee members approving [RFCs][RFC-repo], and approving new maintainers/committee members
* [**Repository maintainer**](#repository-maintainers): An individual responsible for merging pull requests (PRs) into `master` when all requirements are met (code review, tests, docs, and RFC approval as applicable). * [**Repository maintainer**](#repository-maintainers): An individual responsible for merging pull requests (PRs) into `master` when all requirements are met (code review, tests, docs, and RFC approval as applicable).
Repository Maintainers are the only people with write permissions for the `master` branch. Repository Maintainers are the only people with write permissions for the `master` branch.
* [**Working Groups (WGs)**](#working-groups-(wgs)) are collections of contributors responsible for * [**Working Groups (WGs)**](#working-groups) are collections of contributors responsible for
providing expertise on a specific area of PowerShell in order to help establish consensus within providing expertise on a specific area of PowerShell in order to help establish consensus within
the community and Committee. the community and Committee.
* **Corporation**: The Corporation owns the PowerShell repository and, under extreme circumstances, * **Corporation**: The Corporation owns the PowerShell repository and, under extreme circumstances,
@ -58,15 +58,16 @@ If any Committee Members feels like this behavior is large enough to warrant an
As a PowerShell Committee Member: As a PowerShell Committee Member:
1. **DO** enforce the [Code of Conduct][coc] by taking reports of abuse and violations to the committee for resolution
1. **DO** reply to issues and pull requests with design opinions 1. **DO** reply to issues and pull requests with design opinions
(this could include offering support for good work or exciting new features) (this could include offering support for good work or exciting new features)
1. **DO** encourage healthy discussion about the direction of PowerShell 1. **DO** encourage healthy discussion about the direction of PowerShell
1. **DO** raise "red flags" on PRs that haven't followed the proper RFC process when applicable 1. **DO** raise "red flags" on PRs that haven't followed the proper RFC process when applicable
1. **DO** contribute to documentation and best practices 1. **DO** contribute to documentation and best practices
1. **DO** maintain a presence in the PowerShell community outside of GitHub (Twitter, blogs, StackOverflow, Reddit, Hacker News, etc.) 1. **DO** maintain a presence in the PowerShell community outside of GitHub (Twitter, blogs, Stack Overflow, Reddit, Hacker News, etc.)
1. **DO** heavily incorporate community feedback into the weight of your decisions 1. **DO** heavily incorporate community feedback into the weight of your decisions
1. **DO** be polite and respectful to a wide variety of opinions and perspectives 1. **DO** be polite and respectful to a wide variety of opinions and perspectives
1. **DO** make sure contributors are following the [contributor guidelines](../../.github/CONTRIBUTING.md) 1. **DO** make sure contributors are following the [contributing guidelines](../../.github/CONTRIBUTING.md)
1. **DON'T** constantly raise "red flags" for unimportant or minor problems to the point that the progress of the project is being slowed 1. **DON'T** constantly raise "red flags" for unimportant or minor problems to the point that the progress of the project is being slowed
1. **DON'T** offer up your opinions as the absolute opinion of the PowerShell Committee. 1. **DON'T** offer up your opinions as the absolute opinion of the PowerShell Committee.
@ -82,6 +83,19 @@ At any point in time, a Committee Member can nominate a strong community member
Nominations should be submitted in the form of [RFCs][RFC-repo] detailing why that individual is qualified and how they will contribute. Nominations should be submitted in the form of [RFCs][RFC-repo] detailing why that individual is qualified and how they will contribute.
After the RFC has been discussed, a unanimous vote will be required for the new Committee Member to be confirmed. After the RFC has been discussed, a unanimous vote will be required for the new Committee Member to be confirmed.
### PowerShell Committee Code of Conduct Enforcement
As stated in the [contributing guidelines](../../.github/CONTRIBUTING.md#code-of-conduct-enforcement):
Reports of abuse will be reviewed by the PowerShell Committee and if it has been determined that violations of the
[Code of Conduct][coc] has occurred, then a temporary ban may be imposed.
The duration of the temporary ban will depend on the impact and/or severity of the infraction.
This can vary from 1 day, a few days, a week, and up to 30 days.
Repeat offenses may result in a permanent ban from the PowerShell org.
Microsoft employees on the PowerShell committee should review the available support at
[aka.ms/opensource/moderation-support](https://aka.ms/opensource/moderation-support).
## Repository Maintainers ## Repository Maintainers
Repository Maintainers are trusted stewards of the PowerShell community/repository responsible for maintaining consistency and quality of PowerShell code. Repository Maintainers are trusted stewards of the PowerShell community/repository responsible for maintaining consistency and quality of PowerShell code.
@ -89,7 +103,7 @@ One of their primary responsibilities is merging pull requests after all require
For more information on Repository Maintainers--their responsibilities, who they are, and how one becomes a Maintainer--see the [README for Repository Maintainers][maintainers]. For more information on Repository Maintainers--their responsibilities, who they are, and how one becomes a Maintainer--see the [README for Repository Maintainers][maintainers].
## Working Groups (WGs) ## Working Groups
[Working Groups (WGs)][wg] are collections of contributors with knowledge of specific components or [Working Groups (WGs)][wg] are collections of contributors with knowledge of specific components or
technologies in the PowerShell domain. technologies in the PowerShell domain.
@ -143,6 +157,7 @@ See our [Pull Request Process][pull-request-process]
[pester]: ../testing-guidelines/WritingPesterTests.md [pester]: ../testing-guidelines/WritingPesterTests.md
[breaking-changes]: ../dev-process/breaking-change-contract.md [breaking-changes]: ../dev-process/breaking-change-contract.md
[issue-process]: ../maintainers/issue-management.md [issue-process]: ../maintainers/issue-management.md
[coc]: ../../CODE_OF_CONDUCT.md
[pull-request-process]: ../../.github/CONTRIBUTING.md#lifecycle-of-a-pull-request [pull-request-process]: ../../.github/CONTRIBUTING.md#lifecycle-of-a-pull-request
[docs-contributing]: https://github.com/PowerShell/PowerShell-Docs/blob/staging/CONTRIBUTING.md [docs-contributing]: https://github.com/PowerShell/PowerShell-Docs/blob/staging/CONTRIBUTING.md
[maintainers]: ../maintainers/README.md [maintainers]: ../maintainers/README.md

View File

@ -15,7 +15,6 @@ They have [write access](https://docs.github.com/en/free-pro-team@latest/github/
- [Repository Maintainer Responsibilities](#repository-maintainer-responsibilities) - [Repository Maintainer Responsibilities](#repository-maintainer-responsibilities)
- [Issue Management Process](#issue-management-process) - [Issue Management Process](#issue-management-process)
- [Pull Request Workflow](#pull-request-workflow) - [Pull Request Workflow](#pull-request-workflow)
- [Abandoned Pull Requests](#abandoned-pull-requests)
- [Becoming a Repository Maintainer](#becoming-a-repository-maintainer) - [Becoming a Repository Maintainer](#becoming-a-repository-maintainer)
## Current Repository Maintainers ## Current Repository Maintainers
@ -33,7 +32,7 @@ They have [write access](https://docs.github.com/en/free-pro-team@latest/github/
<!-- please keep in alphabetical order --> <!-- please keep in alphabetical order -->
- Andy Schwartzmeyer ([andschwa](https://github.com/andschwa)) - Andy Jordan ([andyleejordan](https://github.com/andyleejordan))
- Jason Shirk ([lzybkr](https://github.com/lzybkr)) - Jason Shirk ([lzybkr](https://github.com/lzybkr))
- Mike Richmond ([mirichmo](https://github.com/mirichmo)) - Mike Richmond ([mirichmo](https://github.com/mirichmo))
- Sergei Vorobev ([vors](https://github.com/vors)) - Sergei Vorobev ([vors](https://github.com/vors))
@ -44,6 +43,7 @@ Repository Maintainers enable rapid contributions while maintaining a high level
If you are a Repository Maintainer, you: If you are a Repository Maintainer, you:
1. **MUST** abide by the [Code of Conduct](../../CODE_OF_CONDUCT.md) and report suspected violations to the [PowerShell Committee][ps-committee]
1. **MUST** ensure that each contributor has signed a valid Microsoft Contributor License Agreement (CLA) 1. **MUST** ensure that each contributor has signed a valid Microsoft Contributor License Agreement (CLA)
1. **MUST** verify compliance with any third party code license terms (e.g., requiring attribution, etc.) if the contribution contains third party code. 1. **MUST** verify compliance with any third party code license terms (e.g., requiring attribution, etc.) if the contribution contains third party code.
1. **MUST** make sure that [any change requiring approval from the PowerShell Committee](../community/governance.md#changes-that-require-an-rfc) has gone through the proper [RFC][RFC-repo] or approval process 1. **MUST** make sure that [any change requiring approval from the PowerShell Committee](../community/governance.md#changes-that-require-an-rfc) has gone through the proper [RFC][RFC-repo] or approval process
@ -96,10 +96,11 @@ At any point in time, the existing Repository Maintainers can unanimously nomina
Nominations are brought to the PowerShell Committee to understand the reasons and justification. Nominations are brought to the PowerShell Committee to understand the reasons and justification.
A simple majority of the PowerShell Committee is required to veto the nomination. A simple majority of the PowerShell Committee is required to veto the nomination.
When a nominee has been approved, a PR will be submitted by a current Maintainer to update this document to add the nominee's name to When a nominee has been approved, a PR will be submitted by a current Maintainer to update this document to add the nominee's name to
the [Current Repository Maintainers](#Current-Repository-Maintainers) with justification as the description of the PR to serve as the public announcement. the [Current Repository Maintainers](#current-repository-maintainers) with justification as the description of the PR to serve as the public announcement.
[RFC-repo]: https://github.com/PowerShell/PowerShell-RFC [RFC-repo]: https://github.com/PowerShell/PowerShell-RFC
[ci-system]: ../testing-guidelines/testing-guidelines.md#ci-system [ci-system]: ../testing-guidelines/testing-guidelines.md#ci-system
[issue-management]: issue-management.md [issue-management]: issue-management.md
[CONTRIBUTING]: ../../.github/CONTRIBUTING.md [CONTRIBUTING]: ../../.github/CONTRIBUTING.md
[best-practice]: best-practice.md [best-practice]: best-practice.md
[ps-committee]: ../community/governance.md#powershell-committee