I don't know that we'd need to make the shadow period too formal, we all come 
from diverse backgrounds.    One of the reasons I didn't step up for the 
"full-time" position is that I have no real background in the security side of 
things and I didn't want to be a drain.   But I'd consider a rotation, with the 
understanding that I'm definitely there to learn and won't likely be good for 
much more than chasing down leads someone else comes up with.  I can google and 
stack-overflow with the rest of them, given some direction. :P


 - ferruzzi


________________________________
From: Aritra Basu <aritrabasu1...@gmail.com>
Sent: Monday, December 4, 2023 5:40 AM
To: dev@airflow.apache.org
Cc: secur...@airflow.apache.org
Subject: RE: [EXTERNAL] [COURRIEL EXTERNE] [PROPOSAL] Security team rotation 
introduction to our process


I think overall it is a great idea to slowly bring in more people into
rotation. It should help with adding redundancy and help prevent burnout
for the people who are doing it now.

I would propose perhaps a gradual introduction via a brief shadow period
where a new member would monitor the happenings but not partake in decision
making and once they are done with the shadow period they take on full
responsibility.

--
Regards,
Aritra Basu

On Mon, Dec 4, 2023, 6:20 PM Jarek Potiuk <ja...@potiuk.com> wrote:

> Hello everyone,
>
> *TL;DR; *I have a proposal of refinements we can apply to our security team
> and I am looking for comments and feedback (PR is out there in [1]). In
> short I am proposing that we introduce rotation of the security team
> members, so that we can avoid burnout, give a chance to others to learn
> about security and make security team membership effectively temporary -
> which might help people with their decision to sign-up for a few months to
> learn new skills and see how it works.
>
> *Context:*
>
> It's been quite a few months since we introduced the security team. I see
> that as a pretty successful change we implemented. I've given a talk [2]
> about it together with Arnout from the ASF Security team. But we can always
> improve and iterate on the idea and I think rotation is a good idea for the
> team to continue doing a great job and to bring more people in the realm of
> security.
>
> *Quick summary of where we are:*
>
> * From > 20 issues in March, some of them > 150 days old, we are down to
> literally 2 (!) reported issues not being addressed yet (a few weeks old and
> we target to close them in the upcoming 2.8.0)
>
> * We introduced and iterated on both our Security Model [3] and Security
> Policy [4] - some of that is still to be released in 2.8.0 release
>
> * We have successful cooperation with Kei - the security researcher that
> brought a wealth of great insights and we've learned a ton from him and how
> to approach security handling.
>
> * Thanks to funding 4 of the PMC members got from Sovereign Tech Fund we
> were able to also address a lot of potential (and real) threats in our
> release and build process as well as improve it and harden it - and in the
> near future also expose SBOM and better vulnerability exchange information
> to Airflow users
>
> * As a new "ASF Security Committee" member - I already used experiences
> from our team setup to help other projects to build their own
> processes (somewhat competing with us "Apache Dolphin Scheduler").
>
> *My personal view:*
>
> I think being part of the security team is a fantastic learning
> opportunity. Security is becoming more and more important in Software
> Development - we are at the verge of regulations that will change a lot
> when it comes to approach to security issues, vulnerabilities,
> vulnerability exchange, upgrading software and a lot more.
>
> This is an important experience and it's useful to have security-focus and
> security experience/skills in the future software development industry -
> both from technical skill level but also process-wise.
>
> The rumour is that the CRA (the Cyber Resilience Act) that is about to
> regulate security approach for software development in Europe has just
> completed the intra-EU-policymakers negotiation phase and it already took a
> final shape. It looks like it is actually very pragmatic and good for the
> Open Source community at large, as they seem to address literally all the
> concerns we raised seeing some initial versions of those regulations. It
> will still, however, mean that our processes have to be sound - and it also
> seems that we in the ASF and Airflow particularly are well ahead of
> everyone else and it's us who will be setting the "golden standards" of how
> things should be done.
>
> There are very few people out there who could say they have "a real, proven
> experience" with handling well established security processes in
> Open-Source software, and I think it's good to have more people exposed to
> it, and it's also good for the people to gain the experience (of course if
> they are security-minded and they do not see it as "boring"  - which many
> people do).
>
> Looking forward to comments/feedback. Do you think it's a good idea in
> general?
>
> J.
>
> [1] PR: "Add security team rotation proposal to our security team process"
> https://github.com/apache/airflow/pull/36049
> [2] Presentation: "Lessons Learned: Improving the security process of an
> Apache project"
>
> https://docs.google.com/presentation/d/1EIw4_NHI34v-9KzRDqFi7TS8Pn-O3DgUmjuKqlbghZU/edit#slide=id.p
> [3] Airflow Security Model
>
> https://airflow.apache.org/docs/apache-airflow/stable/security/security_model.html
> [4] Airflow Security Policy
> https://github.com/apache/airflow/security/policy
>
> J.
>
