Looks like we have our new team members then :)

On Sat, Jan 6, 2024 at 4:17 PM Wei Lee <weilee...@gmail.com> wrote:
>
> Hi Jarek,
>
> I’m also interested in learning security stuff, but I have no related experience. I'm not sure whether I fit the criteria.
>
> Best,
> Wei
>
> > On Jan 6, 2024, at 12:56 PM, Amogh Desai <amoghdesai....@gmail.com> wrote:
> >
> > Hi Jarek,
> >
> > I have personally never done much on security, nor followed a lot of blogs/learning materials regarding it so far. I want to explore this untouched territory by myself, but I am not so sure if this will be the right forum for "experimentation".
> >
> > So, not so sure if I cut the criteria here.
> >
> > Thanks & Regards,
> > Amogh Desai
> >
> > On Sat, Jan 6, 2024 at 2:14 AM Jarek Potiuk <ja...@potiuk.com> wrote:
> >
> >> * we have to know the candidate - they have to be either a committer or someone who has contributed a lot and we know who the person is. Stakeholders and community members that we know and can trust might also nominate some people who have security experience and already work on security (especially if they work on Airflow) outside of the community - we know our stakeholders have dedicated security people who have good experience and they are not known to us simply due to "secrecy" around security.
> >>
> >>
> >> I'd say you both fulfill the criteria :)
> >>
> >> On Fri, Jan 5, 2024 at 9:22 PM utkarsh sharma <utkarshar...@gmail.com> wrote:
> >>>
> >>> Hey Jarek,
> >>>
> >>> I'm very interested in security-related stuff, but not sure if I fit the bill. :)
> >>>
> >>> Thanks,
> >>> Utkarsh
> >>>
> >>> On Sat, Jan 6, 2024 at 1:43 AM Ryan Hatter <ryan.hat...@astronomer.io.invalid> wrote:
> >>>
> >>>> What are the criteria? Just curious, as I'm quite confident I do not fit the criteria 😀
> >>>>
> >>>> On Fri, Jan 5, 2024 at 9:21 AM Jarek Potiuk <ja...@potiuk.com> wrote:
> >>>>
> >>>>> Hello everyone,
> >>>>>
> >>>>> TL;DR: In short - we are looking for candidates to join our security team. Please send a message to priv...@airflow.apache.org if you would like to be added to the team.
> >>>>>
> >>>>> Following this:
> >>>>> https://github.com/apache/airflow/blob/main/CONTRIBUTING.rst#periodic-security-team-rotation
> >>>>> I wanted to make a call for new security team members. Some of the people will rotate out of the team as well (we want to keep the team small, lean and focused).
> >>>>>
> >>>>> First of all I have a great pleasure - in the name of the community - to thank the current security team for all the work it has accomplished.
> >>>>>
> >>>>> When we started discussions at the beginning of last year we had ~20 outstanding issues, some of them older than 6 months, and the process of fixing them was not really cool. Today we have 0 (yes - 0) unhandled issues. And we had >50 issues raised since, so we not only managed to fix the backlog but also handled incoming issues. We have a much better understanding of how to handle them, we've improved and clarified our security model, and we even have some standard ways of handling and responding to similar issues when they come. And we have learning material for new team members to take a look at.
> >>>>>
> >>>>> What's going to happen now?
> >>>>>
> >>>>> We want to partially rotate the team - first of all to give the experienced and recognized community members an opportunity to learn and participate in our security process, but also to distribute a bit more knowledge on handling security issues in the community.
> >>>>>
> >>>>> I personally believe that security will become increasingly more important in the years to come - things like the Cyber Resilience Act
> >>>>> https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act
> >>>>> will create a lot of opportunities to make use of the knowledge you can gain by becoming part of the security team, so I think it's also good to have experience in it in a professional portfolio.
> >>>>>
> >>>>> What does it mean to be in a security team?
> >>>>>
> >>>>> * You will be subscribed to receive reports from security researchers
> >>>>>
> >>>>> * You will take part in the discussions when we assess the issues - whether they are real issues, what severity they have, how we can address them
> >>>>>
> >>>>> * You will take part in discussing how we can improve current processes and even how to improve our security model and whether we need to apply some systematic fixes
> >>>>>
> >>>>> * You will possibly volunteer to fix or review, or talk to other community members to fix it, or help with handling some of the security issues
> >>>>>
> >>>>> * The traffic on our security list (after we got through the backlog) is moderate to small - there is maybe 1 new issue a week (usually less than one) and we have occasional discussions that might be more frequent
> >>>>>
> >>>>> * For the new team members - we have learning materials to get to understand how things work - I will prepare some "on-boarding" packages.
> >>>>>
> >>>>> * This is not a permanent "assignment" - as you see now we are doing a partial rotation to get some people out and bring people in; it's ok to leave the team if you have no time to take part and also if you want to leave room for others. We just introduced it and we might want to do ad-hoc rotation or more frequent regular rotation in the future. This will also depend on the needs we will have.
> >>>>>
> >>>>> A few things for potential candidates:
> >>>>>
> >>>>> * we have to know the candidate - they have to be either a committer or someone who has contributed a lot and we know who the person is. Stakeholders and community members that we know and can trust might also nominate some people who have security experience and already work on security (especially if they work on Airflow) outside of the community - we know our stakeholders have dedicated security people who have good experience and they are not known to us simply due to "secrecy" around security.
> >>>>>
> >>>>> * we do not publicly announce who is in the team - also a bit due to secrecy. But PMC members know who is in it.
> >>>>>
> >>>>> * joining the team requires signing an ICLA with the Apache Software Foundation https://www.apache.org/licenses/icla.pdf where you state who you are. For obvious reasons.
> >>>>>
> >>>>> * PMC members might join as they wish. People who are not in the PMC (including committers) have to get PMC approval. PMC members also have access to the secur...@airflow.apache.org archive, so they can follow the discussions there if they want; they are just not part of the default team to get the notifications
> >>>>>
> >>>>> * Release managers are members of the security team by default as they need to announce and manage the CVE announcements fixed in the releases
> >>>>>
> >>>>> * we want the team to be lean and "small-ish" - so we might just select a few people and thank others if we have too many candidates. We currently have 15 people in the team. I think 10-15 is a good number to keep.
> >>>>>
> >>>>> Feel free to reach out to priv...@airflow.apache.org if you would like to apply and you think you fulfill the criteria :).
> >>>>>
> >>>>>
> >>>>> J.
> >>>>>
> >>>>> ---------------------------------------------------------------------
> >>>>> To unsubscribe, e-mail: dev-unsubscr...@airflow.apache.org
> >>>>> For additional commands, e-mail: dev-h...@airflow.apache.org