Re: [apache/tvm-rfcs] [RFC][Roadmap] TVM Continuous Integration & Testing Roadmap (PR #54)
> @leandron @Mousius thanks for taking a look! @denise-k updated the RFC to > address and scope security. I agree this is important. I think this covers > the bit you're mentioning about CI security; I think given the themes of the > roadmap, TVM security should fall more into a "release-oriented" roadmap. > Currently we haven't specified a roadmap to hold any work around release > infra. We could expand this one to hold it, but I'd rather merge this so we > can make forward progress on adding the CI & Testing tasks we have now to the > existing roadmap, and contemplate a release roadmap in a follow-on RFC. I do > indeed want to continue hacking on my poetry-based Python dependency > management thing soon. Could you clarify how security is limited to a release? The tooling we use to automate detection of insecure packages and vulnerable code should be ran across all changes rather than checking it as part of a release. We should aim to keep our own CI and development environments secure as a general practice with CI automation to aid us. -- Reply to this email directly or view it on GitHub: https://github.com/apache/tvm-rfcs/pull/54#issuecomment-1031287280 You are receiving this because you are subscribed to this thread. Message ID:
Re: [apache/tvm-rfcs] [RFC][Roadmap] TVM Continuous Integration & Testing Roadmap (PR #54)
@Mousius One way to group the various security related tasks is like so: - Infra work: adding e.g. vuln scanners to CI or elsewhere - Security problems with CI infra: issues outside the TVM codebase, but which are encountered only because we need to run a CI. Things related to e.g. Jenkins version, patching OS base box vulnerabilities, etc. Likely handled by those TVM committers working on CI. - Security problems with TVM dependencies: issues whose root cause are outside the TVM codebase, but which any TVM user might encounter in the course of using TVM. Ultimately resolved by updating dependencies, but likely requires some collaboration between folks working on TVM core and folks working on making a TVM release (e.g. which would actually specify the dependency versioning requirements and presumably where a future test might run) - Security vulnerabilities in the TVM code itself: memory overflows and kin, privilege escalation, etc. Resolved just like any other TVM change, but requires a direct resolution in the TVM codebase. The first two problems, we can tackle without considering how to message those in a release, because they have immediate resolution. The latter two require us to consider how our release process would message these issues, whether we would cherry-pick a workaround/fix to earlier releases, etc. So let's table those two here until we sort out the release process and determine where they'll land then. It's entirely possible we should just create a separate Roadmap for security to track everything centrally, but we're just trying to land this one piece here. We added the security item to address @leandron 's comment, which I think is entirely reasonable, but I think his request was scoped to just the CI infra if I understand it correctly. Would prefer to proceed on this one and consider security holistically in a follow-on RFC. -- Reply to this email directly or view it on GitHub: https://github.com/apache/tvm-rfcs/pull/54#issuecomment-1031667756 You are receiving this because you are subscribed to this thread. Message ID:
Re: [apache/tvm-rfcs] [RFC][Roadmap] TVM Continuous Integration & Testing Roadmap (PR #54)
@areusch helped me understand the contention here, there's a release process for managing things such as bugs, security vulnerabilities and other forms of fixes in a release cycle and accounting for all of those things in this roadmap is definitely out of scope :smile_cat: My confusion was that "Security problems with TVM dependencies" and "Security vulnerabilities in the TVM code itself" can be monitored by automation, which is what I'm suggesting to include as part of this roadmap. The actual tactics of remediation for issues would be defined elsewhere, likely alongside release processes or as part of a another roadmap. -- Reply to this email directly or view it on GitHub: https://github.com/apache/tvm-rfcs/pull/54#issuecomment-1031909240 You are receiving this because you are subscribed to this thread. Message ID:
