Hi all,

Thanks for sharing your thoughts. Appreciated! Let me try to summarize the
information and thoughts received so far. Please feel free to let me know
if there is anything wrong or missing.

1. Set up a project-specific security mailing list
Pros:
- The security reports received by secur...@apache.org will be forwarded to
the project's private (PMC) mailing list. Having a project-specific security
mailing list is helpful in cases when the best person to address the
security issue is not a PMC member, but a committer. It makes things simple
as everyone (both PMCs and committers) is at the same table.
- Even though security issues are usually rare, they could be
devastating and thus need to be treated seriously.
- Most notable Apache projects such as Apache Commons, Hadoop, Spark, Kafka,
Hive, etc. have a security-specific mailing list.

Cons:
- The ASF security mailing list secur...@apache.org could be used if there
is no project-specific security mailing list.
- The number of security reports is very low.

Additional information:
- The security mailing list can only be subscribed to by PMCs and committers.
However, everyone can report security issues to the security mailing list.


2. Guide users on how to report security issues
Why:
- Security vulnerabilities should not be publicly disclosed (e.g. via the dev
ML or JIRA) until the project has responded. We should guide users on how
to report security issues on the Flink website.

How:
- Option 1: Set up secur...@flink.apache.org and ask users to report
security issues there
- Option 2: Ask users to send security reports to secur...@apache.org
- Option 3: Ask users to send security reports directly to
priv...@flink.apache.org


3. Dedicated page to show the security vulnerabilities
- We may need a dedicated security page on the Flink website to describe the
CVE list.

I think it makes sense to open separate discussion threads on 2) and 3).
I'll create separate discussion threads for them. Let's focus on 1) in this
thread.

If there is no other feedback on 1), I'll bring up a VOTE for this
discussion.

What do you think?

Thanks,
Dian

On Fri, Nov 15, 2019 at 10:18 AM Becket Qin <becket....@gmail.com> wrote:

> Thanks for bringing this up, Dian.
>
> +1 on creating a project-specific security mailing list. My two cents: I
> think it is worth doing in practice.
>
> Although the ASF security ML is always available, usually all the emails
> are simply routed to the individual project PMC. This is an additional hop.
> And in some cases, the best person to address the reported issue may not be
> a PMC member, but a committer, so the PMC has to again involve them in
> the loop. This makes things unnecessarily complicated. Having a
> project-specific security ML would make it much easier to have everyone at
> the same table.
>
> Also, one thing to note is that even though security issues are usually
> rare, they could be devastating, and thus need to be treated seriously. So I
> think it is a good idea to establish the handling mechanism regardless of
> the frequency of the reported security vulnerabilities.
>
> Thanks,
>
> Jiangjie (Becket) Qin
>
> On Fri, Nov 15, 2019 at 1:14 AM Yu Li <car...@gmail.com> wrote:
>
> > Thanks for bringing up this discussion Dian! How to report security bugs
> > to our project is a very important topic!
> >
> > Big +1 on adding some explicit instructions in our document about how to
> > report security issues, and I suggest opening another thread to vote on the
> > reporting method in Flink.
> >
> > FWIW, known options to report security issues include:
> > 1. Set up secur...@flink.apache.org and ask users to report security
> > issues there
> > 2. Ask users to send security reports to secur...@apache.org
> > 3. Ask users to send security reports directly to
> > priv...@flink.apache.org
> >
> > More details:
> >
> > Descriptions on http://apache.org/security/:
> > ============================================
> >
> > We strongly encourage folks to report security vulnerabilities to one of
> > our private security mailing lists first, before disclosing them in a
> > public forum.
> >
> > A list of security contacts for Apache projects
> > <http://apache.org/security/projects.html> is available. If you can't
> > find a project specific security e-mail address and you have an undisclosed
> > security vulnerability to report then please use the general security
> > address below.
> >
> > The general security mailing list address is: secur...@apache.org
> > <secur...@apache.org>. This is a private mailing list.
> > ============================================
> >
> > There are also projects directly using the private@ mailing list to report
> > security issues, such as HBase (as documented at the very beginning of its
> > online ref-guide book here <http://hbase.apache.org/book.html#_preface>).
> >
> > Hope this information helps. Thanks.
> >
> > Best Regards,
> > Yu
> >
> >
> > On Thu, 14 Nov 2019 at 18:11, Chesnay Schepler <ches...@apache.org> wrote:
> >
> > > Source: https://www.apache.org/security/
> > >
> > > Now, we can of course set up such a mailing list (as outlined here
> > > https://www.apache.org/security/committers.html), but I'm not sure if
> > > it is necessary since the number of reports is _really_ low.
> > >
> > > On 14/11/2019 11:03, Chesnay Schepler wrote:
> > > > AFAIK, the official way to report vulnerabilities in any Apache
> > > > project is to write to secur...@apache.org and/or notify the
> > > > respective PMC. So far, we had several reports that went this route,
> > > > hence I'm not convinced that an additional ML is required.
> > > >
> > > > I would be fine with an additional paragraph somewhere outlining this
> > > > though.
> > > >
> > > > On 14/11/2019 06:57, Jark Wu wrote:
> > > >> Hi Dian,
> > > >>
> > > >> Good idea and +1 to set up a security mailing list.
> > > >> Security vulnerabilities should not be publicly disclosed (e.g. via
> > > >> the dev ML or JIRA) until the project has responded.
> > > >> However, AFAIK, Flink doesn't have an official process to
> > > >> report vulnerabilities.
> > > >> It would be nice to have one to protect Flink users and respond to
> > > >> security problems quickly.
> > > >>
> > > >> Btw, we may also need a dedicated page to describe the security
> > > >> vulnerability reporting process and CVE list on the website.
> > > >>
> > > >> Best,
> > > >> Jark
> > > >>
> > > >>
> > > >>
> > > >> On Thu, 14 Nov 2019 at 13:36, Hequn Cheng <chenghe...@gmail.com> wrote:
> > > >>
> > > >>> Hi Dian,
> > > >>>
> > > >>> Good idea! +1 to have a security mailing list.
> > > >>> It is nice for Flink to have an official procedure to handle
> > > >>> security problems, e.g., reporting, addressing and publishing.
> > > >>>
> > > >>> Best, Hequn
> > > >>>
> > > >>> On Thu, Nov 14, 2019 at 1:20 PM Jeff Zhang <zjf...@gmail.com> wrote:
> > > >>>
> > > >>>> Thanks Dian Fu for this proposal. +1 for creating a security mailing
> > > >>>> list. To be noted, the security mailing list is a private mailing
> > > >>>> list and cannot be subscribed to publicly.
> > > >>>> FYI, Apache members can create a mailing list using this self-service
> > > >>>> tool: https://selfserve.apache.org/
> > > >>>>
> > > >>>>
> > > >>>> On Thu, Nov 14, 2019 at 12:25 PM, jincheng sun <sunjincheng...@gmail.com> wrote:
> > > >>>>
> > > >>>>> Hi Dian,
> > > >>>>>
> > > >>>>> Thanks a lot for bringing up this discussion. This is very
> > > >>>>> important for the Flink community!
> > > >>>>>
> > > >>>>> I think setting up a security mailing list for Flink is pretty nice,
> > > >>>>> although `secur...@apache.org` can be used and the report will be
> > > >>>>> forwarded to the Flink private mailing list if there is no
> > > >>>>> project-specific security mailing list. One thing that is pretty
> > > >>>>> sure is that we should guide users on how to report security issues
> > > >>>>> on the Flink website, as security vulnerabilities should not be
> > > >>>>> entered into a project's public bug tracker directly, according to
> > > >>>>> the guidance on how to handle security vulnerabilities on the ASF
> > > >>>>> site [1].
> > > >>>>>
> > > >>>>> Besides, we also need to add a security page in Flink which shows
> > > >>>>> the information about the security vulnerabilities, per the guidance
> > > >>>>> on security vulnerabilities on the ASF site [2]. Projects such as
> > > >>>>> Spark [3], Kafka [4], etc. already have such a page.
> > > >>>>>
> > > >>>>> Best, Jincheng
> > > >>>>>
> > > >>>>> [1] https://www.apache.org/security/committers.html#vulnerability-handling
> > > >>>>> [2] https://www.apache.org/security/committers.html#publishing-information
> > > >>>>> [3] https://spark.apache.org/security.html
> > > >>>>> [4] https://kafka.apache.org/cve-list
> > > >>>>>
> > > >>>>> On Thu, Nov 14, 2019 at 12:12 PM, Dian Fu <dian0511...@gmail.com> wrote:
> > > >>>>>
> > > >>>>>> Hi all,
> > > >>>>>>
> > > >>>>>> I'm reaching out to see if there is an existing security-specific
> > > >>>>>> mailing list in Flink. If there is, we should expose it on the
> > > >>>>>> official website of Flink [1] to guide people to report security
> > > >>>>>> issues to this mailing list.
> > > >>>>>> If it still doesn't exist, I'm here to propose to set up a
> > > >>>>>> secur...@flink.apache.org mailing list for reporting and discussion
> > > >>>>>> of security-specific issues. Currently, most well-known Apache
> > > >>>>>> projects such as Apache Commons [2], Hadoop [3], Spark [4], Kafka [5],
> > > >>>>>> Hive [6], etc. have a security-specific mailing list. It would be
> > > >>>>>> nice if there is also a security-specific mailing list for Flink.
> > > >>>>>>
> > > >>>>>> Note that users should report security issues to the security
> > > >>>>>> mailing list.
> > > >>>>>>
> > > >>>>>> Looking forward to your feedback!
> > > >>>>>>
> > > >>>>>> Regards,
> > > >>>>>> Dian
> > > >>>>>>
> > > >>>>>> [1] https://flink.apache.org/community.html
> > > >>>>>> [2] https://commons.apache.org/mail-lists.html
> > > >>>>>> [3] https://hadoop.apache.org/mailing_lists.html
> > > >>>>>> [4] https://spark.apache.org/community.html
> > > >>>>>> [5] https://kafka.apache.org/project-security.html
> > > >>>>>> [6] https://hive.apache.org/mailing_lists.html
> > > >>>>
> > > >>>> --
> > > >>>> Best Regards
> > > >>>>
> > > >>>> Jeff Zhang
> > > >>>>