> @leandron @Mousius thanks for taking a look! @denise-k updated the RFC to
> address and scope security. I agree this is important. I think this covers
> the bit you're mentioning about CI security; I think given the themes of the
> roadmap, TVM security should fall more into a "release-oriented" roadmap.
> Currently we haven't specified a roadmap to hold any work around release
> infra. We could expand this one to hold it, but I'd rather merge this so we
> can make forward progress on adding the CI & Testing tasks we have now to the
> existing roadmap, and contemplate a release roadmap in a follow-on RFC. I do
> indeed want to continue hacking on my poetry-based Python dependency
> management thing soon.

Could you clarify how security is limited to a release? The tooling we use to automate detection of insecure packages and vulnerable code should be run across all changes rather than checking it as part of a release. We should aim to keep our own CI and development environments secure as a general practice with CI automation to aid us.

--
Reply to this email directly or view it on GitHub:
https://github.com/apache/tvm-rfcs/pull/54#issuecomment-1031287280