+1 on the idea.
On 2024/08/16 09:42:36 Stamatis Zampetakis wrote:
> Hi all,
>
> Yesterday the security team raised concerns about the security health
> of the Hive project [1]. I started going over the
> secur...@hive.apache.org list to find pending issues/reports but I
> realised that there are a few problems with this approach.
>
> First, it's not easy to navigate through the discussions and have a
> holistic view of the progress of each report due to noise,
> overlapping threads, and lack of structure.
>
> Second, there is no clear owner/assignee for each issue/report. This
> leads to issues trailing forever, uneven distribution of work between
> the team, and credit buried in email threads.
>
> Third, when someone volunteers to help it is tricky to point them to
> specific issues and get them up to speed fast.
>
> To overcome this, I would propose to track every incoming report using
> JIRA issues [2]. Obviously, the security related issues should remain
> private and hidden from the general public till the CVE is published.
> To achieve this we can create a new JIRA project (e.g., HIVESEC) where
> everything is restricted by default or use the existing JIRA project
> (i.e., HIVE) with appropriate security configurations [3] enabled.
> Both approaches have been implemented by other Apache projects so it
> just requires some INFRA ticket(s) to put this in place.
>
> Personally, I am leaning towards using the existing JIRA project and
> tuning issue security so that security issues are only visible to Hive
> committers (or another custom group). For each report that we receive
> in security@hive we should log a JIRA ticket immediately, find an
> owner, and continue the discussion there.
>
> As usual, thoughts and feedback regarding this proposal are very welcome.
>
> Best,
> Stamatis
>
> [1] https://lists.apache.org/thread/w5ty0tl7wqjmyvvyw2zr8knmo7o83t17
> [2] https://issues.apache.org/jira
> [3] https://issues.apache.org/jira/plugins/servlet/project-config/HIVE/issuesecurity