@Mousius One way to group the various security related tasks is like so: - Infra work: adding e.g. vuln scanners to CI or elsewhere - Security problems with CI infra: issues outside the TVM codebase, but which are encountered only because we need to run a CI. Things related to e.g. Jenkins version, patching OS base box vulnerabilities, etc. Likely handled by those TVM committers working on CI. - Security problems with TVM dependencies: issues whose root cause are outside the TVM codebase, but which any TVM user might encounter in the course of using TVM. Ultimately resolved by updating dependencies, but likely requires some collaboration between folks working on TVM core and folks working on making a TVM release (e.g. which would actually specify the dependency versioning requirements and presumably where a future test might run) - Security vulnerabilities in the TVM code itself: memory overflows and kin, privilege escalation, etc. Resolved just like any other TVM change, but requires a direct resolution in the TVM codebase.
The first two problems, we can tackle without considering how to message those in a release, because they have immediate resolution. The latter two require us to consider how our release process would message these issues, whether we would cherry-pick a workaround/fix to earlier releases, etc. So let's table those two here until we sort out the release process and determine where they'll land then. It's entirely possible we should just create a separate Roadmap for security to track everything centrally, but we're just trying to land this one piece here. We added the security item to address @leandron 's comment, which I think is entirely reasonable, but I think his request was scoped to just the CI infra if I understand it correctly. Would prefer to proceed on this one and consider security holistically in a follow-on RFC. -- Reply to this email directly or view it on GitHub: https://github.com/apache/tvm-rfcs/pull/54#issuecomment-1031667756 You are receiving this because you are subscribed to this thread. Message ID: <apache/tvm-rfcs/pull/54/c1031667...@github.com>
