AGP-43 was always meant to be temporary. The Aragon Association was always meant to be temporary. To help the Aragon Network move towards a more decentralized model, we would like to reduce teams’ dependence on the Aragon Association for their security needs. This does not mean that we do not value security! In fact, it means that we realize the complexity of the security review process and would like to give teams more flexibility to independently navigate that process.
To help Aragon teams become more independent, we propose a model where the AA negotiates network-wide discounts for Aragon developers, but Aragon teams then manage the security review process on their own. This would allow teams to independently manage their own security while also gaining the advantage of a network-wide Aragon security discount. It’s the best of both worlds.
In the future we foresee independent DAOs emerging to provide support for initiating and navigating the security review process. To move towards this goal, we would like to remove the Aragon Association as the agent that initiates, manages, and pays for network-wide security. Instead, we would like the AA to focus on building relationships with trusted security partners. We will then extend that relationship to teams building on the network to provide discounts for Aragon teams. To facilitate this transition, we will also create best practices and how-to guides around the security review process.
Do we need this, or do we need a team/individual dedicated to security instead?
I mean, look: I was reviewing the Aragon Black proposal, so I was looking around to find out what they do, since I don’t specifically follow their work. This is what I get when heading to their blog:
“The certificate for blog.aragon.black expired on 02/11/2019”
Then I wonder: is it maybe better to have someone, or a team, with the sole purpose of reviewing the security of the Aragon ecosystem? I mean, it has been expired for one entire month without anyone noticing? That’s concerning to me.
The idea is interesting, I like it, but there’s too little support for it. It wouldn’t be good for security measures such as this one to pass without clear and broad support. This discussion has 1 like and no comments other than mine.
A statement from the Aragon Association, currently in charge of handling security audits (my understanding), stating that they believe this would be the right thing to do and that they are prepared to do a progressive, secure transition, would be another key indicator that this move is safe and wise.
I’m on the Aragon Association and this AGP was drafted by the team, but AGP authors must be a single person, so I went ahead and submitted the AGP and created this forum thread around it.
Indeed, I saw this recently. Congrats btw, and happy there’s a voice in management that most likely understands the importance of anonymous users. Not that the “identified” team members don’t understand, but being an anonymous one certainly puts some added emphasis.
Was there a way, that I have missed, for me to know this was drafted / approved by the Aragon Association? Either way, this would only be a single key indicator; the other point I have mentioned, on community support, is very important too.
I’d be curious to learn more about this, has this been discussed somewhere already?