
Comments (13)

JacobHayes avatar JacobHayes commented on August 22, 2024 1

@ErinThacker Just made one - it should be JacobHayes!

from foundation.

ibrahimhaddad avatar ibrahimhaddad commented on August 22, 2024 1

@JacobHayes @ErinThacker - I activated LFX Security.

@JacobHayes - a few more steps. LFX Security is now onboarded in the PCC at (https://projectadmin.lfx.linuxfoundation.org/project/a092M00001KWvNqQAL/tools/security/overview)

It requires the security bot to be installed on the repo by someone with admin access. Once you're there, navigate to the + sign on the right of the "Connect" field, enter artigraph as the GitHub repo, and follow the instructions for installing the security bot.

This is a new process for us, so please don't hesitate to reach out if you have any issues with installing the security bot. Once you've finished this task, let me know and I'll let our team know the project is ready to be secured. Thx!


ErinThacker avatar ErinThacker commented on August 22, 2024 1

@JacobHayes - this has been fixed, thank you!


ErinThacker avatar ErinThacker commented on August 22, 2024 1

@JacobHayes - re: the CII Silver badge question: all projects should have thelinuxfoundation & ibrahimhaddad added which should suffice for that requirement. @ibrahimhaddad - can you please confirm?

On LFX Security - sorry about the current limitations, you can consider this item "done" until more access is available.


ErinThacker avatar ErinThacker commented on August 22, 2024

@JacobHayes - do you have a Linux Foundation ID (LF ID)? If not, can you sign up for one here? [https://identity.linuxfoundation.org/user/login?destination=user]

We're in the middle of a migration to another platform, so if you have issues creating a new ID, let me know.


ErinThacker avatar ErinThacker commented on August 22, 2024

@JacobHayes - a few more steps. LFX Security is now onboarded in the PCC at (https://projectadmin.lfx.linuxfoundation.org/project/a092M00001KWvNqQAL/tools/security/overview)

It requires the security bot to be installed on the repo by someone with admin access. Once you're there, navigate to the + sign on the right of the "Connect" field, enter artigraph as the GitHub repo, and follow the instructions for installing the security bot.

This is a new process for us, so please don't hesitate to reach out if you have any issues with installing the security bot. Once you've finished this task, let me know and I'll let our team know the project is ready to be secured. Thx!


JacobHayes avatar JacobHayes commented on August 22, 2024

@ErinThacker @ibrahimhaddad FYI - I don't have access to https://projectadmin.lfx.linuxfoundation.org/project/a092M00001KWvNqQAL/tools/security/overview, but I requested access for the future.


JacobHayes avatar JacobHayes commented on August 22, 2024

The https://lists.lfaidata.foundation/g/artigraph-security description says "Use this mailing list to report security vulnerabilities in the OpenBytes project" rather than "the Artigraph project". Can this be updated? I don't appear to be able to.


JacobHayes avatar JacobHayes commented on August 22, 2024

Question on this CII Silver badge question:

The project MUST be able to continue with minimal interruption if any one person dies, is incapacitated, or is otherwise unable or unwilling to continue support of the project. In particular, the project MUST be able to create and close issues, accept proposed changes, and release versions of software, within a week of confirmation of the loss of support from any one individual. This MAY be done by ensuring someone else has any necessary keys, passwords, and legal rights to continue the project. Individuals who run a FLOSS project MAY do this by providing keys in a lockbox and a will providing any needed legal rights (e.g., for DNS names). (URL required) [access_continuity]

I'm currently the only project member, but @ibrahimhaddad has been added to the @artigraph organization - will that suffice? I guess pypi keys aren't shared / releases automated in GH yet.

Similar on this question:

The project SHOULD have a "bus factor" of 2 or more.


JacobHayes avatar JacobHayes commented on August 22, 2024

Also, FYI - I won't be able to access LFX Security for Artigraph as I'm not part of a backing organization (support ticket). That's probably fine, I just can't see what security issues were detected (only that there were 230 😅).


jzcardoso avatar jzcardoso commented on August 22, 2024

@ibrahimhaddad and @ErinThacker -- We are pretty close to finishing the onboarding for Artigraph. Can you take a look at the open items you are working on and update the tracker?

@ErinThacker If you have any questions, please reach out.


ErinThacker avatar ErinThacker commented on August 22, 2024

@ibrahimhaddad - can you give me an update on these items: Licensing (FOSSology scan) and Project Assets (artwork)


ErinThacker avatar ErinThacker commented on August 22, 2024

No artwork at this time as this is a Sandbox project. Upon graduation to Incubation stage, logo will become available.
