Uploaded image for project: 'Rust Driver'
  1. Rust Driver
  2. RUST-1907

Policy: DBX Repository and Commit Security

    • Type: Icon: Task Task
    • Resolution: Unresolved
    • Priority: Icon: Unknown Unknown
    • None
    • Affects Version/s: None
    • Component/s: None
    • Hide

      DRIVERS-2890:
      Summary of necessary driver changes

      All drivers MUST enable branch protections as outlined in the policy:

      • All branches that contain a supported release (e.g. support branches for minor versions) as well as the main development branch MUST require a pull request and MUST NOT allow direct pushes
      • Pull request MUST be reviewed by at least one other engineer on the team before being mergeable
      • Pull request MUST pass checks before being mergeable. Static checks (e.g. compiling, linters, static analysis) MUST be required; teams MAY add additional checks (e.g. certain evergreen tasks) as requirements for merging
      • Use repository rules (not branch protection settings) as they offer more flexibility. In a GitHub repository, go to "Settings -> Rules -> Rulesets" to configure them. For convenience, you can store the files in this gist and import the rules; then select branches they apply to and checks to apply.
      • It is recommended to leave rules in the "Evaluate" state before enabling them. That way, checks are not enforced and can be reviewed using the "Settings -> Rules -> Insights" page to fine-tune rules to avoid disruption.

      TPMs will then review access to each repository and limit write access (and admin access) to relevant teams/people.

      The "Signing git artifacts" portion requires that all tags pushed to repositories containing supported releases be cryptographically signed. Until automated releases and signing via garasign is implemented, engineers MUST sign using their own gpg key which MUST contain their full name and MongoDB email address. Note that the requirement for the signing key to be signed by the department key does not apply yet, as we don't have such a key.

      Show
      DRIVERS-2890: Summary of necessary driver changes All drivers MUST enable branch protections as outlined in the policy : All branches that contain a supported release (e.g. support branches for minor versions) as well as the main development branch MUST require a pull request and MUST NOT allow direct pushes Pull request MUST be reviewed by at least one other engineer on the team before being mergeable Pull request MUST pass checks before being mergeable. Static checks (e.g. compiling, linters, static analysis) MUST be required; teams MAY add additional checks (e.g. certain evergreen tasks) as requirements for merging Use repository rules (not branch protection settings) as they offer more flexibility. In a GitHub repository, go to "Settings -> Rules -> Rulesets" to configure them. For convenience, you can store the files in this gist and import the rules; then select branches they apply to and checks to apply. It is recommended to leave rules in the "Evaluate" state before enabling them. That way, checks are not enforced and can be reviewed using the "Settings -> Rules -> Insights" page to fine-tune rules to avoid disruption. TPMs will then review access to each repository and limit write access (and admin access) to relevant teams/people. The "Signing git artifacts" portion requires that all tags pushed to repositories containing supported releases be cryptographically signed. Until automated releases and signing via garasign is implemented, engineers MUST sign using their own gpg key which MUST contain their full name and MongoDB email address. Note that the requirement for the signing key to be signed by the department key does not apply yet, as we don't have such a key.
    • Hide

      1. What would you like to communicate to the user about this feature?
      2. Would you like the user to see examples of the syntax and/or executable code and its output?
      3. Which versions of the driver/connector does this apply to?

      Show
      1. What would you like to communicate to the user about this feature? 2. Would you like the user to see examples of the syntax and/or executable code and its output? 3. Which versions of the driver/connector does this apply to?

      This ticket was split from DRIVERS-2890, please see that ticket for a detailed description.

            Assignee:
            Unassigned Unassigned
            Reporter:
            dbeng-pm-bot PM Bot
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated: