Hi Mark,

I have added @Oliver Chang <och...@google.com> from Google OSS-Fuzz to the thread.

I had a short discussion with Oliver. There could be different issues in OSS-Fuzz by design if all apache-commons components move under the apache-commons directory:

- it is not scalable and will slow down both fuzzing and triage (e.g. automated bisections, fix verification)
- changing the structure this way will invalidate all existing open testcases and cause new ones to be filed, which will result in a fair bit of spam.

My proposal would be that "secur...@commons.apache.org" is added to all individual apache-commons components. I am not sure how it is possible to ensure that future onboardings of apache-commons components will automatically have "secur...@commons.apache.org" as primary contact. OSS-Fuzz could have some additional documentation for that. @Oliver Chang <och...@google.com>, do you have any ideas here?

Best regards
Roman

On Tue, Nov 8, 2022 at 5:56 PM Mark Thomas <ma...@apache.org> wrote:
> Thanks for the update.
>
> I'll wait for that PR to be resolved before taking any further action.
>
> Mark
>
>
> On 08/11/2022 16:42, Roman Wagner wrote:
> > Hi Mark,
> >
> > there is a PR open in oss-fuzz: https://github.com/google/oss-fuzz/pull/8933
> >
> > Best regards
> > Roman
> >
> > On Tue, Nov 8, 2022 at 4:15 PM Gary Gregory <garydgreg...@gmail.com> wrote:
> >
> >> Sounds good.
> >>
> >> Gary
> >>
> >> On Tue, Nov 8, 2022, 10:07 Mark Thomas <ma...@apache.org> wrote:
> >>
> >>> There has been no response to this email from anyone from Code
> >>> Intelligence.
> >>>
> >>> Unless there are objections from the Apache Commons Community, my next
> >>> step will be to submit a PR to have the following modules removed from
> >>> oss-fuzz:
> >>>
> >>> apache-commons-bcel
> >>> apache-commons-beanutils
> >>> apache-commons-cli
> >>> apache-commons-codec
> >>> apache-commons-collections
> >>> apache-commons-configuration
> >>> apache-commons-io
> >>> apache-commons-jxpath
> >>> apache-commons-lang
> >>> apache-commons-logging
> >>>
> >>> Code Intelligence (or anyone else) will remain free to add them back in
> >>> the right place - under apache-commons - should they wish to do so.
> >>>
> >>> Mark
> >>>
> >>>
> >>> On 19/10/2022 10:56, Mark Thomas wrote:
> >>>> Hi,
> >>>>
> >>>> You are receiving this email as you are currently configured as the
> >>>> recipients for oss-fuzz reports for Apache Commons JXPath.
> >>>>
> >>>> As per the discussion on the Apache Commons dev list [1], please make the
> >>>> following configuration changes to the oss-fuzz integrations with
> >>>> immediate effect:
> >>>>
> >>>> - Move all oss-fuzz integrations added for *ALL* Apache Commons
> >>>>   components to the oss-fuzz module for Apache-Commons:
> >>>>
> >>>>   https://github.com/google/oss-fuzz/tree/master/projects/apache-commons
> >>>>
> >>>>   There should *NOT* be separate oss-fuzz modules for each component.
> >>>>
> >>>> - Add the Google account for "secur...@commons.apache.org" to
> >>>>   - the notifications for these issues
> >>>>   - the ACL to enable this account to access the details for each report
> >>>>
> >>>> Please notify dev@commons.apache.org and secur...@commons.apache.org
> >>>> when these changes have been completed.
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Mark
> >>>>
> >>>>
> >>>> [1] https://lists.apache.org/thread/53vwy3g8w3f8nydz7jvxm8snrqx7msln
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> >>>> For additional commands, e-mail: dev-h...@commons.apache.org

--
Roman Wagner
Application Security Engineer
Code Intelligence
Rheinwerkallee 6
53227 Bonn
Amtsgericht Bonn HRB 23408
Geschäftsführer: Sergej Dechand, Dr. Khaled Yakdan