Hi Becket,

Thanks for the kind reminder. Definitely agree with you. I have updated the progress of this vote on the discussion thread [1] and submitted a PR which updates the Flink website on how to report security issues.

Thanks,
Dian

[1] http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/DISCUSS-Expose-or-setup-a-security-flink-apache-org-mailing-list-for-security-report-and-discussion-tt34950.html#a34951

> On Dec 4, 2019, at 7:29 AM, Becket Qin <becket....@gmail.com> wrote:
>
> Hi Dian,
>
> Thanks for driving the effort regardless.
>
> Even if we don't set up a security@f.a.o ML for Flink, we probably should
> have a clear pointer to the ASF guideline and secur...@apache.org on the
> project website. I think many people are not aware of the
> secur...@apache.org address. If they fail to find information on the
> Flink site, they will simply assume there is no special procedure for
> security problems.
>
> Thanks,
>
> Jiangjie (Becket) Qin
>
> On Tue, Dec 3, 2019 at 4:54 PM Dian Fu <dian0511...@gmail.com> wrote:
>
>> Hi all,
>>
>> Thanks everyone for participating in this vote. As we have received only two
>> +1 and there is also one -1 for this vote, according to the bylaws, I'm
>> sorry to announce that this proposal was rejected.
>>
>> Nevertheless, I think we can always restart the discussion in the future if
>> we see more evidence that such a mailing list is necessary.
>>
>> Thanks,
>> Dian
>>
>>
>>> On Dec 3, 2019, at 4:53 PM, Dian Fu <dian0511...@gmail.com> wrote:
>>>
>>> Actually I have tried to find out the reason why so many Apache projects
>>> choose to set up a project-specific security mailing list in case that the
>>> general secur...@apache.org mailing list seems to be working well.
>>> Unfortunately, there are no open discussions in these projects and there is
>>> also no clear guideline/standard on the ASF site on whether a project should
>>> set up such a mailing list (the project-specific security mailing list
>>> seems to be only optional, and we noticed that at the beginning of the
>>> discussion). This is also one of the main reasons we started such a
>>> discussion: to see if somebody has more thoughts about this.
>>>
>>>> On Dec 2, 2019, at 6:03 PM, Chesnay Schepler <ches...@apache.org> wrote:
>>>>
>>>> Would security@f.a.o work as any other private ML?
>>>>
>>>> Contrary to what Becket said in the discussion thread,
>>>> secur...@apache.org is not just "another hop"; it provides guiding
>>>> material, the security team checks for activity and can be pinged easily as
>>>> they are cc'd in the initial report.
>>>>
>>>> I vastly prefer this over a separate mailing list; if these benefits
>>>> don't apply to security@f.a.o I'm -1 on this.
>>>>
>>>> On 02/12/2019 02:28, Becket Qin wrote:
>>>>> Thanks for driving this, Dian.
>>>>>
>>>>> +1 from me, for the reasons I mentioned in the discussion thread.
>>>>>
>>>>> On Tue, Nov 26, 2019 at 12:08 PM Dian Fu <dian0511...@gmail.com> wrote:
>>>>>
>>>>>> NOTE: Only PMC votes are binding.
>>>>>>
>>>>>> Thanks for sharing your thoughts. I also think that this doesn't fall into
>>>>>> any of the existing categories listed in the bylaws. Maybe we could do some
>>>>>> improvements to the bylaws.
>>>>>>
>>>>>> This is not a codebase change, as Robert mentioned, and it's related to how to
>>>>>> manage Flink's development in a good way. So, I agree with Robert and
>>>>>> Jincheng that this VOTE should only count PMC votes for now.
>>>>>>
>>>>>> Thanks,
>>>>>> Dian
>>>>>>
>>>>>>> On Nov 26, 2019, at 11:43 AM, jincheng sun <sunjincheng...@gmail.com> wrote:
>>>>>>>
>>>>>>> I also think that we should only count PMC votes.
>>>>>>>
>>>>>>> This ML is to improve the security mechanism for Flink. Of course we don't
>>>>>>> expect to use this ML often. I hope that it's perfect if this ML is never
>>>>>>> used. However, the Flink community is growing rapidly, so it's better to
>>>>>>> make our security mechanism as convenient as possible. But I agree that
>>>>>>> this ML is not a must-have, it's a nice-to-have.
>>>>>>>
>>>>>>> So, I give my vote as +1 (binding).
>>>>>>>
>>>>>>> Best,
>>>>>>> Jincheng
>>>>>>>
>>>>>>> On Mon, Nov 25, 2019 at 9:45 PM, Robert Metzger <rmetz...@apache.org> wrote:
>>>>>>>
>>>>>>>> I agree that we are only counting PMC votes (because this decision goes
>>>>>>>> beyond the codebase).
>>>>>>>>
>>>>>>>> I'm undecided what to vote :) I'm not against setting up a new mailing
>>>>>>>> list, but I also don't think the benefit (having a private list with PMC +
>>>>>>>> committers) is enough to justify the work involved. As far as I remember,
>>>>>>>> we have received 2 security issue notices, both basically about the same
>>>>>>>> issue. I'll leave it to other PMC members to support this if they want to
>>>>>>>> ...
>>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Nov 25, 2019 at 9:15 AM Dawid Wysakowicz <dwysakow...@apache.org>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> What is the voting scheme for it? I am not sure if it falls into any of
>>>>>>>>> the categories we have listed in our bylaws. Are committers' votes
>>>>>>>>> binding or just PMCs'? (Personally I think it should be PMCs'.) Is this a
>>>>>>>>> binding vote or just an informational vote?
>>>>>>>>>
>>>>>>>>> Best,
>>>>>>>>>
>>>>>>>>> Dawid
>>>>>>>>>
>>>>>>>>> On 25/11/2019 07:34, jincheng sun wrote:
>>>>>>>>>> +1
>>>>>>>>>>
>>>>>>>>>> On Thu, Nov 21, 2019 at 4:11 PM, Dian Fu <dian0511...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi all,
>>>>>>>>>>>
>>>>>>>>>>> According to our previous discussion in [1], I'd like to bring up a vote
>>>>>>>>>>> to set up a secur...@flink.apache.org mailing list.
>>>>>>>>>>>
>>>>>>>>>>> The vote will be open for at least 72 hours (excluding weekends). I'll try
>>>>>>>>>>> to close it by 2019-11-26 18:00 UTC, unless there is an objection or not
>>>>>>>>>>> enough votes.
>>>>>>>>>>>
>>>>>>>>>>> Regards,
>>>>>>>>>>> Dian
>>>>>>>>>>>
>>>>>>>>>>> [1]
>>>>>>>>>>> http://apache-flink-mailing-list-archive.1008284.n3.nabble.com/DISCUSS-Expose-or-setup-a-security-flink-apache-org-mailing-list-for-security-report-and-discussion-tt34950.html#a34951