Hi all,

Yesterday the security team raised concerns about the security health of the Hive project [1]. I started going over the secur...@hive.apache.org list to find pending issues/reports, but I realised that there are a few problems with this approach.

First, it is not easy to navigate through the discussions and have a holistic view of the progress of each report due to noise, overlapping threads, and lack of structure. Second, there is no clear owner/assignee for each issue/report. This leads to issues trailing forever, uneven distribution of work across the team, and credit buried in email threads. Third, when someone volunteers to help, it is tricky to point them to specific issues and get them up to speed fast.

To overcome this, I would propose tracking every incoming report using JIRA issues [2]. Obviously, the security-related issues should remain private and hidden from the general public until the CVE is published. To achieve this we can create a new JIRA project (e.g., HIVESEC) where everything is restricted by default, or use the existing JIRA project (i.e., HIVE) with appropriate security configurations [3] enabled. Both approaches have been implemented by other Apache projects, so it just requires some INFRA ticket(s) to put this in place. Personally, I am leaning towards using the existing JIRA project and tuning issue security so that security issues are only visible to Hive committers (or another custom group).

For each report that we receive in security@hive we should log a JIRA ticket immediately, find an owner, and continue the discussion there.

As usual, thoughts and feedback regarding this proposal are very welcome.

Best,
Stamatis

[1] https://lists.apache.org/thread/w5ty0tl7wqjmyvvyw2zr8knmo7o83t17
[2] https://issues.apache.org/jira
[3] https://issues.apache.org/jira/plugins/servlet/project-config/HIVE/issuesecurity