I created https://issues.apache.org/jira/browse/INFRA-26050.
On Fri, Aug 16, 2024 at 8:41 PM Sai Hemanth Gantasala <gsaihema...@apache.org> wrote:
>
> +1 on the idea.
>
> On 2024/08/16 09:42:36 Stamatis Zampetakis wrote:
> > Hi all,
> >
> > Yesterday the security team raised concerns about the security health of the Hive project [1]. I started going over the secur...@hive.apache.org list to find pending issues/reports but I realised that there are a few problems with this approach.
> >
> > First, it's not easy to navigate through the discussions and have a holistic view of the progress of each report due to noise, overlapping threads, and lack of structure.
> >
> > Second, there is no clear owner/assignee for each issue/report. This leads to issues trailing forever, uneven distribution of work between the team, and credit buried in email threads.
> >
> > Third, when someone volunteers to help it is tricky to point them to specific issues and get them up to speed fast.
> >
> > To overcome this, I would propose to track every incoming report using JIRA issues [2]. Obviously, the security related issues should remain private and hidden from the general public till the CVE is published. To achieve this we can create a new JIRA project (e.g., HIVESEC) where everything is restricted by default or use the existing JIRA project (i.e., HIVE) with appropriate security configurations [3] enabled. Both approaches have been implemented by other Apache projects so it just requires some INFRA ticket(s) to put this in place.
> >
> > Personally, I am leaning towards using the existing JIRA project and tuning issue security so that security issues are only visible to Hive committers (or another custom group). For each report that we receive in security@hive we should log a JIRA ticket immediately, find an owner, and continue the discussion there.
> >
> > As usual, thoughts and feedback regarding this proposal are very welcome.
> >
> > Best,
> > Stamatis
> >
> > [1] https://lists.apache.org/thread/w5ty0tl7wqjmyvvyw2zr8knmo7o83t17
> > [2] https://issues.apache.org/jira
> > [3] https://issues.apache.org/jira/plugins/servlet/project-config/HIVE/issuesecurity