Hi all,

There has been no new feedback, and it seems that we have received enough feedback about setting up a secur...@flink.apache.org mailing list[1] for security reports and discussion. It shows that it's optional, as we can use either secur...@flink.apache.org or secur...@apache.org. So I'd like to start the vote on setting up a secur...@flink.apache.org mailing list to make the final decision.
Thanks,
Dian

> On Nov 19, 2019, at 6:06 PM, Dian Fu <dian0511...@gmail.com> wrote:
>
> Hi all,
>
> Thanks for sharing your thoughts. Appreciated! Let me try to summarize the information and thoughts received so far. Please feel free to let me know if there is anything wrong or missing.
>
> 1. Set up a project specific security mailing list
> Pros:
> - The security reports received by secur...@apache.org will be forwarded to the project private (PMC) mailing list. Having a project specific security mailing list is helpful in cases when the best person to address the security issue is not a PMC member, but a committer. It makes things simple, as everyone (both PMCs and committers) is at the same table.
> - Even though security issues are usually rare, they could be devastating and thus need to be treated seriously.
> - Most notable Apache projects such as Apache Commons, Hadoop, Spark, Kafka, Hive, etc. have a security specific mailing list.
>
> Cons:
> - The ASF security mailing list secur...@apache.org could be used if there is no project specific security mailing list.
> - The number of security reports is very low.
>
> Additional information:
> - The security mailing list could only be subscribed to by PMCs and committers. However, everyone could report security issues to the security mailing list.
>
>
> 2. Guide users to report security issues
> Why:
> - Security vulnerabilities should not be publicly disclosed (e.g. via dev ML or JIRA) until the project has responded. We should guide users on how to report security issues on the Flink website.
>
> How:
> - Option 1: Set up secur...@flink.apache.org and ask users to report security issues there
> - Option 2: Ask users to send security reports to secur...@apache.org
> - Option 3: Ask users to send security reports directly to priv...@flink.apache.org
>
>
> 3. Dedicated page to show the security vulnerabilities
> - We may need a dedicated security page to describe the CVE list on the Flink website.
>
> I think it makes sense to open separate discussion threads on 2) and 3). I'll create separate discussion threads for them. Let's focus on 1) in this thread.
>
> If there is no other feedback on 1), I'll bring up a VOTE for this discussion.
>
> What do you think?
>
> Thanks,
> Dian
>
> > On Fri, Nov 15, 2019 at 10:18 AM Becket Qin <becket....@gmail.com> wrote:
> > Thanks for bringing this up, Dian.
> >
> > +1 on creating a project specific security mailing list. My two cents: I think it is worth doing in practice.
> >
> > Although the ASF security ML is always available, usually all the emails are simply routed to the individual project PMC. This is an additional hop. And in some cases, the best person to address the reported issue may not be a PMC member, but a committer, so the PMC has to again involve them in the loop. This makes things unnecessarily complicated. Having a project specific security ML would make it much easier to have everyone at the same table.
> >
> > Also, one thing to note is that even though security issues are usually rare, they could be devastating, and thus need to be treated seriously. So I think it is a good idea to establish the handling mechanism regardless of the frequency of the reported security vulnerabilities.
> >
> > Thanks,
> >
> > Jiangjie (Becket) Qin
> >
> > > On Fri, Nov 15, 2019 at 1:14 AM Yu Li <car...@gmail.com> wrote:
> > >
> > > Thanks for bringing up this discussion, Dian! How to report security bugs to our project is a very important topic!
> > >
> > > Big +1 on adding some explicit instructions in our documentation about how to report security issues, and I suggest opening another thread to vote on the reporting way in Flink.
> > >
> > > FWIW, known options to report security issues include:
> > > 1. Set up secur...@flink.apache.org and ask users to report security issues there
> > > 2. Ask users to send security reports to secur...@apache.org
> > > 3. Ask users to send security reports directly to priv...@flink.apache.org
> > >
> > > More details:
> > >
> > > Descriptions on http://apache.org/security/:
> > > ============================================
> > >
> > > We strongly encourage folks to report security vulnerabilities to one of our private security mailing lists first, before disclosing them in a public forum.
> > >
> > > A list of security contacts for Apache projects <http://apache.org/security/projects.html> is available. If you can't find a project specific security e-mail address and you have an undisclosed security vulnerability to report then please use the general security address below.
> > >
> > >
> > > The general security mailing list address is: secur...@apache.org.
> > > This is a private mailing list.
> > > ============================================
> > >
> > > There are also projects directly using the private@ mailing list to report security issues, such as HBase (as documented at the very beginning of its online ref-guide book here <http://hbase.apache.org/book.html#_preface>).
> > >
> > > Hope this information helps. Thanks.
> > >
> > > Best Regards,
> > > Yu
> > >
> > >
> > > On Thu, 14 Nov 2019 at 18:11, Chesnay Schepler <ches...@apache.org> wrote:
> > > >
> > > > Source: https://www.apache.org/security/
> > > >
> > > > Now, we can of course set up such a mailing list (as outlined here https://www.apache.org/security/committers.html), but I'm not sure if it is necessary since the number of reports is _really_ low.
> > > >
> > > > On 14/11/2019 11:03, Chesnay Schepler wrote:
> > > > > AFAIK, the official way to report vulnerabilities in any Apache project is to write to secur...@apache.org and/or notify the respective PMC. So far, we had several reports that went this route, hence I'm not convinced that an additional ML is required.
> > > > >
> > > > > I would be fine with an additional paragraph somewhere outlining this though.
> > > > >
> > > > > On 14/11/2019 06:57, Jark Wu wrote:
> > > > > > Hi Dian,
> > > > > >
> > > > > > Good idea, and +1 to set up a security mailing list.
> > > > > > Security vulnerabilities should not be publicly disclosed (e.g. via dev ML or JIRA) until the project has responded.
> > > > > > However, AFAIK, Flink doesn't have an official process to report vulnerabilities.
> > > > > > It would be nice to have one to protect Flink users and respond to security problems quickly.
> > > > > >
> > > > > > Btw, we may also need a dedicated page to describe the security vulnerability report process and the CVE list on the website.
> > > > > >
> > > > > > Best,
> > > > > > Jark
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Thu, 14 Nov 2019 at 13:36, Hequn Cheng <chenghe...@gmail.com> wrote:
> > > > > >
> > > > > > > Hi Dian,
> > > > > > >
> > > > > > > Good idea! +1 to have a security mailing list.
> > > > > > > It is nice for Flink to have an official procedure to handle security problems, e.g., reporting, addressing and publishing.
> > > > > > >
> > > > > > > Best, Hequn
> > > > > > >
> > > > > > > On Thu, Nov 14, 2019 at 1:20 PM Jeff Zhang <zjf...@gmail.com> wrote:
> > > > > > >
> > > > > > > > Thanks Dian Fu for this proposal. +1 for creating a security mailing list. To be noted, the security mailing list is a private mailing list and cannot be subscribed to publicly.
> > > > > > > > FYI, Apache members can create mailing lists using this self-service tool: https://selfserve.apache.org/
> > > > > > > >
> > > > > > > >
> > > > > > > > jincheng sun <sunjincheng...@gmail.com> wrote on Thu, Nov 14, 2019 at 12:25 PM:
> > > > > > > >
> > > > > > > > > Hi Dian,
> > > > > > > > >
> > > > > > > > > Thanks a lot for bringing up this discussion. This is very important for the Flink community!
> > > > > > > > >
> > > > > > > > > I think setting up a security mailing list for Flink is pretty nice, although `secur...@apache.org` can be used and the report will be forwarded to the Flink private mailing list if there is no project specific security mailing list.
> > > > > > > > > One thing that is pretty sure is that we should guide users on how to report security issues on the Flink website, as security vulnerabilities should not be entered into a project's public bug tracker directly, according to the guidance on how to handle security vulnerabilities on the ASF site[1].
> > > > > > > > >
> > > > > > > > > Besides, we also need to add a security page in Flink which shows the information about security vulnerabilities, per the guidance on security vulnerabilities on the ASF site[2]. Projects such as Spark[3], Kafka[4], etc. already have such a page.
> > > > > > > > >
> > > > > > > > > Best,
> > > > > > > > > Jincheng
> > > > > > > > >
> > > > > > > > > [1] https://www.apache.org/security/committers.html#vulnerability-handling
> > > > > > > > > [2] https://www.apache.org/security/committers.html#publishing-information
> > > > > > > > > [3] https://spark.apache.org/security.html
> > > > > > > > > [4] https://kafka.apache.org/cve-list
> > > > > > > > >
> > > > > > > > > Dian Fu <dian0511...@gmail.com> wrote on Thu, Nov 14, 2019 at 12:12 PM:
> > > > > > > > >
> > > > > > > > > > Hi all,
> > > > > > > > > >
> > > > > > > > > > I'm reaching out to see if there is an existing security specific mailing list in Flink. If there is, we should expose it on the official website of Flink [1] to guide people to report security issues to this mailing list.
> > > > > > > > > > If it still doesn't exist, I'm here to propose setting up a secur...@flink.apache.org mailing list for reporting and discussion of security specific issues. Currently, most well known Apache projects such as Apache Commons[2], Hadoop[3], Spark[4], Kafka[5], Hive[6], etc. have a security specific mailing list. It would be nice if there were also a security specific mailing list for Flink.
> > > > > > > > > >
> > > > > > > > > > Note that users should report security issues to the security mailing list.
> > > > > > > > > >
> > > > > > > > > > Looking forward to your feedback!
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > > Dian
> > > > > > > > > >
> > > > > > > > > > [1] https://flink.apache.org/community.html
> > > > > > > > > > [2] https://commons.apache.org/mail-lists.html
> > > > > > > > > > [3] https://hadoop.apache.org/mailing_lists.html
> > > > > > > > > > [4] https://spark.apache.org/community.html
> > > > > > > > > > [5] https://kafka.apache.org/project-security.html
> > > > > > > > > > [6] https://hive.apache.org/mailing_lists.html
> > > > > > > >
> > > > > > > > --
> > > > > > > > Best Regards
> > > > > > > >
> > > > > > > > Jeff Zhang