AFAIK, the official way to report vulnerabilities in any apache project
is to write to secur...@apache.org and/or notify the respective PMC. So
far, we had several reports that went this route, hence I'm not
convinced that an additional ML is required.
I would be fine with an additional paragraph somewhere outlining this
though.
On 14/11/2019 06:57, Jark Wu wrote:
Hi Dian,
Good idea and +1 to set up a security mailing list.
Security vulnerabilities should not be publicly disclosed (e.g. via dev ML or JIRA) until the project has responded.
However, AFAIK, Flink doesn't have an official process to report vulnerabilities.
It would be nice to have one to protect Flink users and respond to security problems quickly.
Btw, we may also need a dedicated page to describe the security vulnerability report process and CVE list on the website.
Best,
Jark
On Thu, 14 Nov 2019 at 13:36, Hequn Cheng <chenghe...@gmail.com> wrote:
Hi Dian,
Good idea! +1 to have a security mailing list.
It is nice for Flink to have an official procedure to handle security problems, e.g., reporting, addressing and publishing.
Best, Hequn
On Thu, Nov 14, 2019 at 1:20 PM Jeff Zhang <zjf...@gmail.com> wrote:
Thanks Dian Fu for this proposal. +1 for creating a security mail list. To be noted, the security mail list is a private mail list and cannot be subscribed to publicly.
FYI, an Apache member can create a mail list using this self-service tool:
https://selfserve.apache.org/
On Thu, 14 Nov 2019 at 12:25 PM, jincheng sun <sunjincheng...@gmail.com> wrote:
Hi Dian,
Thanks a lot for bringing up this discussion. This is very important for the Flink community!
I think setting up a security mailing list for Flink is pretty nice, although `secur...@apache.org` can be used and the report will be forwarded to the Flink private mailing list if there is no project-specific security mailing list. One thing that is pretty sure is that we should guide users on how to report security issues on the Flink website, as security vulnerabilities should not be entered into a project's public bug tracker directly, according to the guidance on how to handle security vulnerabilities on the ASF site [1].
Besides, we also need to add a security page in Flink which shows the information about the security vulnerabilities, per the guidance on security vulnerabilities on the ASF site [2]. Projects such as Spark [3], Kafka [4], etc. already have such a page.
Best,
Jincheng
[1] https://www.apache.org/security/committers.html#vulnerability-handling
[2] https://www.apache.org/security/committers.html#publishing-information
[3] https://spark.apache.org/security.html
[4] https://kafka.apache.org/cve-list
On Thu, 14 Nov 2019 at 12:12 PM, Dian Fu <dian0511...@gmail.com> wrote:
Hi all,
I'm reaching out to see if there is an existing security-specific mailing list in Flink. If there is, we should expose it on the official website of Flink [1] to guide people to report security issues to this mailing list.
If it still doesn't exist, I'm here to propose to set up a secur...@flink.apache.org mailing list for reporting and discussion of security-specific issues. Currently, most well-known Apache projects such as Apache Commons [2], Hadoop [3], Spark [4], Kafka [5], Hive [6], etc. have a security-specific mailing list. It would be nice if there is also a security-specific mailing list for Flink.
Note that users should report security issues to the security mailing list.
Looking forward to your feedback!
Regards,
Dian
[1] https://flink.apache.org/community.html
[2] https://commons.apache.org/mail-lists.html
[3] https://hadoop.apache.org/mailing_lists.html
[4] https://spark.apache.org/community.html
[5] https://kafka.apache.org/project-security.html
[6] https://hive.apache.org/mailing_lists.html
--
Best Regards
Jeff Zhang