On Sun, Dec 27, 2020 at 11:29 AM Jarek Potiuk <jarek.pot...@polidea.com>
wrote:

> For the record - I also looked up the discussion we had about the
> Github Action issues
>
> That was a discussion on 7th of October on priv...@airflow.apache.org
> (for those who have access there - here is the link:
> https://lists.apache.org/thread.html/re92b77f64e5923ec0044edf3a060339b9e170f9438e2fde0811bf6d2%40%3Cprivate.airflow.apache.org%3E )
>
> The title was "Potential Security issues with custom GitHub Actions". We
> came to the conclusion that just following the official recommendations
> from GitHub was enough for us:
> https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions
> But we had not thought it might be unenforceable for the overall Apache
> community. It looks like it was me, then, who did not "bubble" it up. I
> should have escalated it to infra/security (and I will for sure do it next
> time we stumble on something like this).
>
> For the future, I'd love to know what is the best way to do so?
>

Definitely email security@ when you see problems that might affect other
projects (*). They will open an internal ticket and track the problem to an
appropriate conclusion (pulling in Infra as needed). There are a number of
operational groups at the Foundation where Infra works as their "hands" to
get things done, and Security and Legal are two of the most important
groups that we provide work effort for.

Cheers,
-g

(*) if you believe it is Infra-related, then a cc: to private@infra is fine
(ASF Members only) or root@apache if particularly sensitive. Note that
builds@apache is worldwide-public, and users@infra is committer-available.
