Security Guidelines milo.adobe.com Documentation

[elaineskpt]

Jira linked to this Thread https://jira.corp.adobe.com/browse/MWPW-157861

Based on the Security Guidelines, Documentation for Open Source Community should live in Git, where milo consumers have the flexibility to enhance and edit as needed.

The Documentation on milo.adobe.com is mainly for our Internal Author and Projects, having it open for the public will need changes in samples we add, links, groups, images and videos. This stop us from using the Milo Docs as one source and have the need to divide the information in internal wiki pages.

We met with Brian Scott from Security Guidelines for Adobe Open Source and Milo Core Team.

The output from the call is the following:

1. milo.adobe.com to be available only via VPN as the information in these pages are mainly for Internal Authors
   With this change extra wiki pages for non-public information will not be needed and we have one source for whole Authoring Docs.
2. Any information that will serve the public community will be added to Git Wiki page, this will be the main Public Open-Source Documentation.

Goal of these changes:

1. Avoid the split of documentation between milo.adobe.com and wiki pages.
2. Have one documentation source and be able to add all information necessary for our acom Authors.
3. Avoid issues with Open Source Security Guidelines

@narcis-radu @mokimo @overmyheadandbody @vhargrave @robert-bogos @npeltier

[vhargrave]

@elaineskpt just to clarify, you're saying that everything just under the docs folder would be behind the VPN right? If we put all milo.adobe.com behind the vpn, then as I've understood it, that would break all our sites because the code gets served from milo.adobe.com/libs

As for having the open source code on github, I personally think that's a good thing. My hope would be though that our main focus is keeping the open-source documentation updated vs internal documentation.

[mokimo]

No production site should fetch from milo.adobe.com/libs - it's not meant for consumer consumption and introduces a TLS-Handshake, which is bad from a performance standpoint.

However, you bring up a great point that this does or at least historically did happen. We would need to ensure only milo.adobe.com/docs/* gets protected if we go down this route.

[vhargrave]

exactly , and even for the live sites. I thought we just have mapping on the cdn which makes adobe.com/libs points to milo.adobe.com/libs to save on the TLS handshake. But the code is coming from milo.adobe.com at the end of the day (I thought). @auniverseaway would know for sure though.

[mokimo]

I checked our CDN configs and we fetch libs from the defined origin itself (the AEM EDS one) not milo.adobe.com.

[vhargrave]

ok , good to know 👍 and thanks for checking 🙌
so yeah, we'll definitely want to restrict this VPN change to just /docs or we'll break all our live sites.