Hello Hive community,

The Hive project is struggling to perform its security duties [0]: there are unusually old security reports that the Hive Security Team / PMC has not disclosed yet, and triaging new incoming security reports also takes longer than responsible. This not only falls short of what is expected as an Apache project, but longer-term could have legal consequences for the ASF and individual contributors, with legislation such as the CRA coming into force in Europe and similar measures being expected around the world.

The ASF Security Team has expressed its concern before, leading to the first formal escalation step [1] of issuing a call for help on your public mailing list [2] back in March, after an earlier call by your PMC in September [3]. This yielded one volunteer. As far as I can tell the PMC has not enlisted this volunteer yet.

If the Hive project cannot return to a healthy cadence of dealing with security issues, the only responsible decision for the PMC (which is collectively responsible for the oversight of the project) would be to initiate the move to the Attic. Of course we hope this can be prevented.

Kind regards,
Arnout Engelen
ASF Security Team

[0] https://apache.org/security/committers.html
[1] https://cwiki.apache.org/confluence/display/SECURITY/Project+Security+Response+Formal+Escalation
[2] https://lists.apache.org/thread/8wghsxdlj8bfygf2ptcdb8pojlvxwjx8
[3] https://lists.apache.org/thread/j0ztt61wjz9gc46dj6fpor30xh437h9n