TRIAGING.md


The maintainers of the OpenSearch-Security Repo seek to promote an inclusive and engaged community of contributors. In order to facilitate this, weekly triage meetings are open-to-all and attendance is encouraged for anyone who hopes to contribute, discuss an issue, or learn more about the project. To learn more about contributing to the OpenSearch-security Repo visit the Contributing documentation.

Do I need to attend for my issue to be addressed/triaged?

Attendance is not required for your issue to be triaged or addressed. All new issues are triaged weekly.

What happens if my issue does not get covered this time?

Each meeting we seek to address all new issues. However, should we run out of time before your issue is discussed, you are always welcome to attend the next meeting or to follow up on the issue post itself.

How do I join the Backlog & Triage meeting?

Meetings are hosted regularly at 11 AM Eastern Time (8 AM Pacific Time) and can be joined via the links posted on the OpenSearch Meetup Group list of events. The event will be titled Development Backlog & Triage Meeting - Security.

After joining the Zoom meeting, you can enable your video / voice to join the discussion. If you do not have a webcam or microphone available, you can still join in via the text chat.

If you have an issue you'd like to bring forth, please consider getting a link to the issue so it can be presented to everyone in the meeting.

Is there an agenda for each week?

Meetings are 60 minutes and structured as follows:

  1. Initial Gathering: As we gather, feel free to turn on video and engage in informal and open-to-all conversation. After a bit, a volunteer will share their screen and proceed with the agenda.
  2. Announcements: If there are any announcements to be made they will happen at the start of the meeting.
  3. Review of New Issues: The meetings always start with reviewing all untriaged issues for the security and security-dashboards repositories.
  4. Member Requests: Opportunity for any meeting member to ask for consideration of an issue or pull request.
  5. Untriaged Items: Review any issues that might have had the 'untriaged' label removed but require additional triage discussion.
  6. Pull Request Discussion: Then, we review the status of outstanding pull requests from the security and security-dashboards repositories.
  7. Open Discussion: Allow for members of the meeting to surface any topics without issues filed or pull requests created.

There is no specific ordering within each category.

If you have an issue you would like to discuss but do not have the ability to attend the entire meeting, please attend whenever is best for you and signal that you have an issue to discuss when you arrive.

Do I need to have already contributed to the project to attend a triage meeting?

No, all are welcome and encouraged to attend. Attending the Backlog & Triage meetings is a great way for a new contributor to learn about the project as well as explore different avenues of contribution.

What if I have an issue that is almost a duplicate, should I open a new one to be triaged?

You can always open an issue, including one that you think may be a duplicate. However, in cases where you believe there is an important distinction to be made between an existing issue and your newly created one, you are encouraged to attend the triaging meeting to explain.

What if I have follow-up questions on an issue?

If you have an existing issue you would like to discuss, you can always comment on the issue itself. Alternatively, you are welcome to come to the triage meeting to discuss.

Is this meeting a good place to get help setting up security features on my OpenSearch instance?

While we are always happy to help the community, the best resource for implementation questions is the OpenSearch forum.

There you can find answers to many common questions as well as speak with implementation experts.

What are the issue labels associated with triaging?

There are several labels that are used to identify the 'state' of issues filed in OpenSearch and the Security Plugin.

| Label | When applied | Meaning |
| --- | --- | --- |
| Untriaged | When issues are created or re-opened. | Issues labeled as 'Untriaged' require the attention of the repository maintainers and may need to be prioritized for quicker resolution. It's crucial to keep the count of 'Untriaged' labels low to ensure all potential security issues are addressed in a timely manner. See SECURITY.md for more details on handling these issues. |
| Triaged | During triage meetings. | Issues labeled as 'Triaged' have been reviewed and are deemed actionable. Opening a pull request for an issue with the 'Triaged' label has a higher likelihood of approval from the project maintainers, particularly in novel areas. |
| Neither Label | During triage meetings. | This category is for issues that lack sufficient details to formulate a potential solution. Until more details are provided, it's difficult to ascertain if a proposed solution would be acceptable. When dealing with an 'Untriaged' issue that falls into this category, the triage team should provide further insights so the issue can be appropriately closed or labeled as 'Triaged'. Issues in this state are reviewed during every triage meeting. |
| Help Wanted | Anytime. | Issues marked as 'Help Wanted' signal that they are actionable and not the current focus of the project maintainers. Community contributions are especially encouraged for these issues. |
| Good First Issue | Anytime. | Issues labeled as 'Good First Issue' are small in scope and can be resolved with a single pull request. These are recommended starting points for newcomers looking to make their first contributions. |

What if my issue is critical to OpenSearch operations, do I have to wait for the weekly meeting for it to be addressed?

All new issues for the security repo and security-dashboards repo are reviewed daily to check for critical issues which require immediate triaging. If an issue relates to a severe concern for OpenSearch operation, it will be triaged by a maintainer mid-week. You can still come to discuss an issue at the following meeting even if it has already been triaged during the week.

Is this where I should bring up potential security vulnerabilities?

Due to the sensitive nature of security vulnerabilities, please report all potential vulnerabilities directly by following the steps outlined in the SECURITY.md document.

Who should I contact if I have further questions?

You can always file an issue for any question you have about the project. Alternatively, you can reach out to specific contacts helping to organize the project: Stephen Crawford (steecraw@amazon.com), Dave Lago (davelago@amazon.com), and Peter Nied (petern@amazon.com).