
Project Management

Under the topic "project management" we describe how we handle organizational tasks besides coding, such as on- and off-boarding new maintainers or contributors.

Infrastructure

Domains

We use these fully qualified domain names:

  • For serving our Helm charts:
    • charts.securecodebox.io -> sky.securecodebox.io
    • sky.securecodebox.io -> 88.99.30.123 (Hetzner VM)
  • For our telemetry:
    • telemetry.chase.securecodebox.io -> telemetry.securecodebox.io
      • Backward compatibility: this was the old address. Old installations use this one.
    • telemetry.securecodebox.io -> sky.securecodebox.io
  • For our main website:

Website

The website and documentation are based on Docusaurus and hosted on Netlify. The login is documented in our vault.

Teams

GitHub

In our GitHub organization we have several teams:

  1. admin-team: Members are the project leads.
  2. core-team: Company sponsored core team.
  3. contributor-team: Active contributors from the community.
  4. bot-team: Team containing all bots allowed to push directly to the main branch.

DockerHub

In our DockerHub organization we have several teams:

  1. adminteam: Members are the project leads.
  2. coreteam: Company sponsored core team.
  3. botteam: Team containing all bot accounts.

Sonatype (Maven Central)

In our Sonatype organization we have the namespace "io.securecodebox" for Java Maven artifacts.

Users of this namespace are the project leads and a bot user for deployments.

FOSSA

We use the FOSSA free tier for open source projects to check our dependencies for license violations. It is integrated into the repository as a webhook. Individual users log in there with GitHub after onboarding. We onboard everyone in the admin-team.

Organizational

  • The project leads do a regular sync meeting:
    • Monday 16:05-17:00 CET, every 4 weeks from 28.5.25 on. Next meetings: 23.6.25, 21.7.25 etc.
    • We write an agenda beforehand and notes in a Google Doc, one per meeting.
    • There is a template document in the shared drive.

On- and Off-Boarding

For on- and off-boarding we create an issue for each member. On- and off-boardings need to be done by a member of the admin-team.

On-boarding

  • core-team:
    • Add to our GitHub organization with the following roles:
      • core-team
      • contributor-team
  • admin-team (in addition to the core-team on-boarding):
    • Add to our GitHub organization with the following roles:
      • admin-team
    • Register user at Sonatype & add to namespace "io.securecodebox"
    • Add to OWASP vault.
    • Invite to FOSSA organization with role Admin (we use the OWASP mail address because the GitHub invite didn't work when we tried it).

Off-boarding

  • core-team:
    • Remove role:
      • core-team
  • admin-team: