1. Cncf-Toc
  2. Messages

Re: [EXTERNAL] Re: [cncf-toc] An interesting issue wrt CLA

Brendan Burns
 

I will definitely ping GitHub folks about this, but I thought it useful to at least document the desired approach in general.


From: cncf-toc@... <cncf-toc@...> on behalf of Matt Farina via Lists.Cncf.Io <matt=mattfarina.com@...>
Sent: Tuesday, January 7, 2020 11:30 AM
To: CNCF TOC <cncf-toc@...>
Cc: cncf-toc@... <cncf-toc@...>
Subject: [EXTERNAL] Re: [cncf-toc] An interesting issue wrt CLA
 
Bots can have delegated authority to sign things on behalf of their makers.

Dependabot is a service now owned by GitHub. Do we want to expect all people offering a service like this to sign the CNCF CLA and associate their bot with it? The person choosing to use the bot is different from those providing it and the person choosing to use it is a member of the project.

Dependabot is automatically generating a PR to update vulnerable dependencies, but of course the CNCF CLA is required

This problem only affects those using the CLA. Dependabot appropriately signs for the DCO. The majority of CNCF projects are not affected by this issue.

It seems like it would be even more important for this kind of a bot to have a signature since if it was compromised or impersonated (can I say that about a bot?) that could be a pretty powerful attack vector.

Dependabot creates a PR like any other random person to come along on GitHub. A person with merge access has to merge the PR and the PR has to pass tests and review as if a person were suggesting the same change. https://dependabot.com/#how-it-works

What would an attack vector for a bot like this be? If a bot had write access to the code I would be concerned.

Any thoughts about the right approach here?

A thought for this case...  GitHub is a CNCF member and has a signed CLA (I assume) since GitHub employees contribute to Kubernetes. Is there someone there who can add Dependabots account to the CLA?

This would be the quick and easy approach. It would not scale to similar services.

- Matt Farina

On Tue, Jan 7, 2020, at 2:05 PM, Sarah Allen wrote:
Bots can have delegated authority to sign things on behalf of their makers.  It seems like it would be even more important for this kind of a bot to have a signature since if it was compromised or impersonated (can I say that about a bot?) that could be a pretty powerful attack vector.

Thanks for raising this question!

Sarah



On Tue, Jan 7, 2020 at 10:50 AM Brendan Burns via Lists.Cncf.Io <bburns=microsoft.com@...> wrote:
Folks,
See:

Dependabot is automatically generating a PR to update vulnerable dependencies, but of course the CNCF CLA is required, and dependabot (being a bot) has no ability to sign.

Any thoughts about the right approach here? (for this specific one I'm going to clone the PR myself, but in general it's an interesting issue)

Thanks
--brendan
Join cncf-toc@lists.cncf.io to automatically receive all group messages.