Create developers security guidelines?

Talking with @gaba about https://gitlab.torproject.org/tpo/network-health/sbws and bwauths operational/infrastructure security guidelines (see tpo/community/relays#14 (moved)), we thought it might be interesting to have some guidelines for Tor developers.

For example, having a dedicated laptop for development or running qubes on it, physical keys to sign releases or to deploy software via ssh.

I think there was some workshops in the past, but i don't know if there's something documented.

Maybe this issues doesn't belong to this project, but created here for now.